Skip Navigation
BlackBerry Blog

Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries

Update 12.01.22: The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on Cuba ransomware, listing this BlackBerry blog as a resource. See Advisory.


The previously unknown RomCom RAT threat actor is now targeting Ukrainian military institutions. The same threat actor is known to deploy spoofed versions of popular software "Advanced IP Scanner." After being publicly exposed, it switched to another popular application called "PDF Filler." That indicates the group behind it is actively developing new capabilities.


The initial "Advanced IP Scanner" campaign occurred on July 23, 2022. Once the victim installs a Trojanized bundle, it drops RomCom RAT to the system. On October 10, 2022, the threat actor improved evasion techniques by obfuscation of all strings, execution as a COM object, and others.

Attack Vector

Earlier versions of RomCom RAT were distributed via fake websites spoofing the legitimate "Advanced IP Scanner" application website. The Trojanized "Advanced IP Scanner" package was hosted on "advanced-ip-scaner[.]com" and "advanced-ip-scanners[.]com" domains. Both of those domains historically resolved to the same IP address of 167[.]71[.]175[.]165. The threat actor also ensured that both fake websites looked near identical to the original one - ""

Figure 1 – Fake “Advanced IP Scanner” website
Figure 2 – Legitimate “Advanced IP Scanner” website

On October 20th, the threat actor deployed a new campaign spoofing the "pdfFiller" website, dropping a Trojanized version with RomCom RAT as the final payload.


The earliest versions of RomCom RAT came in the "Advanced IP Scanner" package. The BlackBerry Research and Intelligence team has identified two versions of it – "" and "advancedipscanner.msi." The threat actor spoofed the legitimate tools named "Advanced_IP_Scanner_2.5.4594.1.exe" by adding a single letter "V" to the file's name.

Once unpacked, it contains 27 files, of which four are malicious droppers.

Figure 3 – Content of Trojanized "Advanced IP Scanner." RomCom RAT droppers are highlighted

Dropper RomCom extracts the payload from its resources and creates it in the following folder:


Main RomCom functionalities include, but are not limited to, gathering system information (disk and files information enumeration), and information about locally installed applications and memory processes. It also takes screenshots and transmits collected data to the hardcoded command-and-control (C2). If a special command is received, it supports auto-deletion from the victim's machine.

The latest version of RomCom RAT has been bundled in the "" package.

Connection with Attacks on Military Institutions in Ukraine.

On October 21, the threat actor behind the RomCom RAT targeted the military institutions of Ukraine. The initial infection vector is an email with an embedded link leading to a fake website dropping the next stage downloader. The lure is a fake document in the Ukrainian language called "Наказ_309.pdf" (translated to English as "Order_309.pdf").

Figure 4 – The original link leads with a lure in the Ukrainian language spoofing the original Ministry of Defense of Ukraine Website
That is an HTML file with a download URL of the next stage malicious Portable Executable (PE) file.
Figure 5 – Part of the HTML code from the initial "Наказ_309.pdf" lure
Dropped malicious "AcroRdrDCx642200120169_uk_UA.exe" file has a valid digital signature by Signer "Blythe Consulting sp. z o.o.".
Figure 6 – Malicious “AcroRdrDCx642200120169_uk_UA.exe” with a valid digital signature

Upon execution, it drops the following file: "C:\Users\Public\Libraries\WinApp.dll". The dropped "WinApp.dll" file contains a single export – "fwdTst". By invoking the "rundll32.exe" proce3ss, the export is run. Just like previously, the RomCom RAT final payload is extracted from the resource and saved as "C:\Users\Public\Libraries\rtmpak.dll".

A legitimate clean "pdfFiller" application uses the same signer, "Blythe Consulting sp. z o.o.". As mentioned above, the app has been abused in the latest campaigns by the RomCom RAT threat actor.

Both RomCom RAT droppers and the final RAT include local Russian language and Russian language variants:


Besides the latest campaign against military institutions from Ukraine, we have found the RomCom threat actor targeting IT companies, food brokers, and food manufacturing in the U.S., Brazil, and the Philippines.

Figure 7 – RomCom RAT threat actor targets


RomCom RAT threat actor is actively developing new techniques targeting victims worldwide. It's highly likely to expect new threat actor campaigns. At the time of publication, there is no apparent link to any attributed threat actor.

We are releasing referential IoCs from the previous and the latest campaign targeting Ukraine.

Indicators of Compromise (IoCs)

Hashes (sha-256)





















Applied Counter Measures

import "pe"
import "math"

rule targeted_RomComRat : RomCom deployed via trojanized legitimate apps
        description = "Rule detecting RomCom RAT used to attack Military Institutions from Ukraine"
        author = " The BlackBerry Research & Intelligence team"
        date = "2022-18-10"
        license = "This Yara rule is provided under the Apache License 2.0 ( and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to the BlackBerry Research & Intelligence Team"
        hash = "9f61259c966f34d89b70af92b430ae40dd5f1314ee6640d16e0b7b0f4f385738"

        $x0 = {636f6d446c6c2e646c6c}
        $x1 = {63006f006d006200610073006500330032002e0064006c006c00}         

    uint16(0) == 0x5a4d and
    pe.number_of_sections == 7 and
    pe.sections[0].name == ".text" and
    math.entropy(pe.sections[0].raw_data_offset, pe.sections[0].raw_data_size) >= 6.5 and
    pe.sections[1].name == ".rdata" and
    math.entropy(pe.sections[1].raw_data_offset, pe.sections[1].raw_data_size) >= 5.2 and
    pe.sections[2].name == ".data" and
    pe.sections[3].name == ".pdata" and
    math.entropy(pe.sections[3].raw_data_offset, pe.sections[3].raw_data_size) >= 5.5 and
    pe.sections[4].name == "_RDATA" and
    math.entropy(pe.sections[4].raw_data_offset, pe.sections[4].raw_data_size) >= 2.4 and
    pe.sections[5].name == ".rsrc" and
    math.entropy(pe.sections[5].raw_data_offset, pe.sections[5].raw_data_size) >= 2.85 and
    pe.sections[6].name == ".reloc" and
    math.entropy(pe.sections[6].raw_data_offset, pe.sections[6].raw_data_size) >= 5.3 and
    pe.number_of_resources == 2 and
    pe.exports("startFile") and
    pe.exports("startInet") and
    all of ($x*)


The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.