Firefox and Windows zero-days exploited by Russian RomCom hackers
Russian-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America.
The first flaw (CVE-2024-9680) is a use-after-free bug in Firefox's animation timeline feature that allows code execution in the web browser's sandbox. Mozilla patched this vulnerability on October 9, 2024, one day after ESET reported it.
The second zero-day exploited in this campaign is a privilege escalation flaw (CVE-2024-49039) in the Windows Task Scheduler service, allowing attackers to execute code outside the Firefox and Tor Browser sandbox. Microsoft addressed this security vulnerability earlier this month, on November 12.
RomCom abused the two vulnerabilities as a zero-day chain exploit, which helped them gain remote code execution without requiring user interaction.
Their targets only had to visit an attacker-controlled and maliciously crafted website that downloaded and executed the RomCom backdoor on their system.

"The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor," said ESET researcher Damien Schaeffer.
"While we don't know how the link to the fake website is distributed, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim's computer with no user interaction required."
Once deployed on a victim's device, this malware enabled the attackers to run commands and deploy additional payloads.
While investigating this campaign, ESET found that the Russian threat actors focused their attacks on organizations in Ukraine, Europe, and North America across various industries, including government, defense, energy, pharmaceuticals, and insurance.
"Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor's will and means to obtain or develop stealthy capabilities," ESET researchers added.
"Furthermore, successful exploitation attempts delivered the RomCom backdoor in what looks like a widespread campaign."
This isn't the first time RomCom has exploited a zero-day in its attacks. In July 2023, its operators exploited a zero-day (CVE-2023-36884) in multiple Windows and Office products to attack organizations attending the NATO Summit in Vilnius, Lithuania.
RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) has been linked to financially motivated campaigns and orchestrated ransomware and extortion attacks alongside credential theft (likely aimed at supporting intelligence operations).
The threat group was also linked to the Industrial Spy ransomware operation, which has since switched to Underground ransomware.
According to ESET, more recently, RomCom has shifted to targeted espionage attacks against European and Ukrainian governments, as well as energy and defense entities in Ukraine.