███████╗██╗ ██╗██╗██╗ ███╗ ███╗██╗ ██╗████████╗███████╗██╗ ██╗ ██╔════╝██║ ██║██║██║ ████╗ ████║██║ ██║╚══██╔══╝██╔════╝╚██╗██╔╝ █████╗ ██║ ██║██║██║ ██╔████╔██║██║ ██║ ██║ █████╗ ╚███╔╝ ██╔══╝ ╚██╗ ██╔╝██║██║ ██║╚██╔╝██║██║ ██║ ██║ ██╔══╝ ██╔██╗ ███████╗ ╚████╔╝ ██║███████╗ ██║ ╚═╝ ██║╚██████╔╝ ██║ ███████╗██╔╝ ██╗ ╚══════╝ ╚═══╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══════╝╚═╝ ╚═╝

⚠

SingleCamper

backdoor2 mutex signatures

[BASIC_INFORMATION]

FAMILY_NAME:

SingleCamper

CATEGORY:

BACKDOOR

DESCRIPTION:

SingleCamper is a DLL-based RAT variant of RomCom, used by the UAT‑5647 threat group (also known as Russian‑speaking RomCom). It’s loaded from registry into memory via ShadyHammock, communicates over localhost, and prevents concurrent instances via a global mutex. It performs system recon, tunneling, and exfiltration.

ALIASES:

SingleCamperRomCom 5.0SnipBot

TAGS:

persistencewindowssingle_instancemutex_based

[MUTEX_SIGNATURES](2)

[MUTEX_01]

Global\srvmutex

ANALYST: @adhikara13 DATE: 2025‑01‑12

REFERENCES:

https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader

[MUTEX_02]

SnipMutex

ANALYST: @adhikara13 DATE: 2025-01-22

REFERENCES:

https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/

[QUICK_ACTIONS]

[THREAT_INTELLIGENCE]

ATTRIBUTION:

⚠UAT‑5647 (aka RomCom, Storm‑0978, Tropical Scorpius, Void Rabisu)

FIRST_OBSERVED:

2023

[SIGMA_RULE]

[STATISTICS]

MUTEX_COUNT:2

THREAT_ACTORS:1

ALIASES:3

TAGS:4

CATEGORY:BACKDOOR

Malware profile loaded successfully