RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals
gbhackers
The Russia-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu, has been targeting UK companies in the retail, hospitality, and critical national infrastructure (CNI) sectors in a recently discovered cyber espionage and profit-driven operation called “Operation Deceptive Prospect.”
Active since at least 2022, RomCom has a history of blending espionage with cybercrime, often focusing on governmental and military entities, particularly those linked to Ukrainian affairs and NATO.
Their latest campaign, uncovered by Bridewell’s Cyber Threat Intelligence (CTI) team in March 2025, showcases a cunning strategy of exploiting externally facing customer feedback portals to deliver phishing emails to customer service representatives.

These emails, crafted with convincing personas and complaints about issues like stolen luggage or substandard airport facilities, contain malicious links disguised as Google Drive or Microsoft OneDrive files, ultimately leading to the deployment of a ...
Copyright of this story solely belongs to gbhackers.