Listen to this Post

In a chilling revelation, UK cybersecurity firm Bridewell has uncovered a highly targeted campaign dubbed Operation Deceptive Prospect, orchestrated by the elusive RomCom threat group—also known as Storm-0978 and Void Rabisu. This operation specifically targeted customer feedback portals in industries vital to national security, including retail, hospitality, and critical infrastructure. What’s alarming is the attacker’s use of legitimate-looking complaint forms and AI-crafted phishing tactics to bypass traditional security defenses and distribute a powerful Remote Access Trojan (RAT).
The attack demonstrates not only RomCom’s technological evolution but also its growing mastery of psychological manipulation via social engineering. By mimicking familiar customer service channels and leveraging generative AI, the campaign marks a dangerous escalation in the sophistication of cyber threats. This report examines how Operation Deceptive Prospect was executed, the tools and methods used, and the implications for organizations across the UK and beyond.
Campaign Breakdown: How RomCom Struck Through Customer Feedback Systems
Campaign Identification: Bridewell analysts uncovered Operation Deceptive Prospect targeting UK-based organizations in retail, hospitality, and critical national infrastructure sectors.
Actors Involved: The operation is attributed to the RomCom threat group, aligned with Russian state interests and also known as Storm-0978 and Void Rabisu.
Method of Entry: The attackers submitted phishing messages through customer feedback forms. These appeared as genuine complaints or job inquiries and contained links posing as file evidence.
Fake Link Tactics: Hyperlinks were designed to mimic Google Drive or OneDrive URLs but led to attacker-controlled domains via redirection chains, often using services like Amazon S3 and URL shorteners.
Domain Tricks: Malicious domains frequently used gTLDs like .live, .online, and .pub to imitate trusted cloud storage platforms.
AI-Generated Phishing: The messages had hallmarks of being written by AI—displaying generic yet credible content, which scaled the campaign and reduced the human labor needed to deceive.
Payload Execution: Victims downloaded what they believed were PDFs, which were actually executable files disguised with PDF icons.
Certificate Abuse: These executables were signed using stolen certificates, including one from a defunct UK business, helping the malware avoid detection.
Sandbox Evasion: Minimal activity in sandbox testing, plus evasion checks such as registry key analysis (e.g., Windows RecentDocs), showed high-level anti-analysis design.
Malware Indicators: Evidence included use of Polish language locale settings and developer alias strings, pointing to both regional focus and iterative coding techniques.
RomCom’s Evolution: Active since at least 2022, RomCom has combined espionage with ransomware, previously exploiting Firefox and Windows zero-days in 2024.
Infrastructure Overlap: Similarities in domain registration and malware signatures confirm continuity with prior RomCom activity.
Strategic Shift: This attack signals RomCom’s deeper understanding of internal business workflows and its expanded use of social engineering over brute-force intrusion.
Recommendations: Bridewell advises stronger email validation, tighter control over customer-facing systems, and faster threat intelligence sharing across sectors.
Key Threat: RomCom exemplifies the modern hybrid threat actor—blending cybercrime with espionage in well-financed, state-supported campaigns.
Call to Action: Organizations must fortify digital entry points like contact forms and implement zero-trust principles at all customer interaction layers.
What Undercode Say:
RomCom’s Operation Deceptive Prospect marks a pivotal evolution in cyber warfare methodology—not because of its technical wizardry alone, but due to its psychological finesse. Rather than relying solely on brute-force intrusions or zero-day exploits, RomCom now tailors its attacks to exploit everyday business processes, turning the routine into a weaponized entry point.
This operation reflects a calculated shift from targeting system vulnerabilities to manipulating human behavior. By embedding malicious payloads in what appear to be everyday customer complaints or job applications, RomCom sidesteps firewalls and intrusion detection systems that aren’t designed to screen customer service workflows. It’s an exploitation of trust, cleverly designed to blend in with normal operations.
Furthermore, the campaign showcases the use of AI for scaling deception. The phishing messages likely leveraged large language models to create uniform, convincing content with minimal effort. This mirrors broader trends where threat actors use generative AI not just for speed but for plausible deniability, further complicating attribution and response efforts.
The abuse of code signing certificates, especially from a dissolved UK entity, introduces another layer of sophistication. It highlights RomCom’s investment in building malware that can pass as legitimate software—a direct challenge to traditional antivirus solutions that rely on signature validation.
RomCom’s ability to evade sandbox environments, utilizing tactics such as checking RecentDocs keys, shows a deep understanding of modern security protocols. These anti-analysis techniques reflect a shift toward modular, persistent threats that remain undetected for longer periods, increasing damage potential.
From an infrastructure standpoint, RomCom’s use of inexpensive and loosely regulated gTLDs allows rapid domain cycling, which is critical for maintaining uptime on malicious campaigns. The mimicry of trusted services like OneDrive and Google Drive further enhances the believability of their phishing lures.
Bridewell’s attribution aligns with previous indicators from the RomCom group, and its overlap with state-aligned Russian actors suggests a geopolitical motive that extends beyond pure financial gain. In this sense, Operation Deceptive Prospect is more than just a criminal act—it’s cyber warfare by proxy.
As RomCom grows in capability and adaptability, their campaigns will likely continue to target business processes, particularly in sectors where human interaction is high and digital hygiene is inconsistent. Organizations must therefore rethink perimeter-based security models and extend threat monitoring into customer engagement layers.
The lessons here are twofold: First, attackers no longer need to hack systems—they can now hack workflows. Second, trust, once exploited, is hard to restore. Businesses must not only protect infrastructure but also the people and processes that interact with it.
Fact Checker Results:
Bridewell’s attribution of Operation Deceptive Prospect to RomCom is consistent with technical indicators from prior campaigns. The use of AI-generated phishing, certificate abuse, and sandbox evasion tactics align with known RomCom behaviors. RomCom’s known affiliation with Russian state interests further validates the political and strategic context of the attack.
Prediction:
RomCom is likely to continue refining its hybrid threat model, focusing more on process-based infiltration and AI-driven social engineering. Expect increased attacks on sectors with high public interaction, including healthcare and finance. Meanwhile, organizations must evolve by integrating behavioral threat detection, strengthening identity verification, and deploying AI-powered defenses to match the attacker’s sophistication.
References:
Reported By: cyberpress.org
Extra Source Hub:
https://www.discord.com
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2




