Mallory

GRU Unit 29155

Also known as: GRU Unit 29155

Russia's GRU Unit 29155 (also referenced as the GRU's 161st Specialist Training Center, and described as "Ember Bear" in the context of New Zealand's sanctions against it) is assessed to be a Russian state intelligence threat actor that has focused since early 2022 on disrupting aid efforts to Ukraine.

Arctic Wolf Labs assessed with medium-to-high confidence that Unit 29155 is leveraging the SocGholish (FAKEUPDATE) initial access framework, operated by TA569 (aka Gold Prelude, Mustard Tempest, Purple Vallhund, UNC1543), to target victims, and separately stated with high confidence that Unit 29155 is using SocGholish.

In the September 2025 intrusion attempt described against a U.S.-based civil engineering firm with an apparent Ukraine affiliation, SocGholish was delivered through compromised legitimate websites using fake update lures, malvertising, and traffic direction systems (TDS). After execution, the operators performed PowerShell-based reconnaissance with mild evasion, tested connectivity to a Mythic C2 server, and staged persistence by scheduling VIPERTUNNEL, a custom Python backdoor, on the host. Roughly 10 minutes after exploitation, a Mythic agent loader (msedge.dll) attributed to RomCom (aka Storm-0978, Tropical Scorpius, UNC2596; described as Russian-aligned) was delivered. The loader validated its target by comparing the victim's Active Directory domain against a hardcoded value before decrypting and executing shellcode that instantiated a Mythic "dynamichttp" agent and reached out to a RomCom-associated C2 URL (imprimerie-agp[.]com).

The report also notes prior reporting that SocGholish has delivered Raspberry Robin, which FBI, CISA, and NSA assessed to be strongly associated with Unit 29155.
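The chain above (script-host execution of a fake update, PowerShell spawned from that script host, a scheduled task that launches Python, an msedge.dll loaded from outside the Edge install directory, and a DNS lookup of the C2 domain, all within about ten minutes) lends itself to a per-host time-window correlation rather than five isolated alerts. The following is an added example written for this page, not code from Arctic Wolf, Mallory or the original report. The event schema, host names, file paths, task name, parent-process heuristic and the sample telemetry are constructed assumptions; only the defanged C2 domain and the msedge.dll file name come from the text.

```python
"""Stage correlation over constructed endpoint telemetry (added example).

Assumptions: a flat event dict per telemetry record with the fields used
below; real EDR/Sysmon schemas differ and must be mapped first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Reported as imprimerie-agp[.]com; refanged here purely for matching.
C2_DOMAINS = {"imprimerie-agp.com"}
# The report puts the loader ~10 minutes after initial execution.
WINDOW = timedelta(minutes=15)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Default Edge install roots (assumption); a legitimate msedge.dll lives here.
EDGE_DIRS = (r"c:\program files (x86)\microsoft\edge",
             r"c:\program files\microsoft\edge")

# Constructed sample telemetry, not real logs. ws-eng-07 shows the full
# chain; ws-fin-02 shows a benign Edge image load and must not alert.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T14:00:05", "host": "ws-eng-07", "type": "process",
     "image": "wscript.exe", "parent": "chrome.exe",
     "cmdline": r"wscript.exe C:\Users\alice\Downloads\Update.js"},
    {"ts": "2025-09-10T14:00:40", "host": "ws-eng-07", "type": "process",
     "image": "powershell.exe", "parent": "wscript.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File recon.ps1"},
    {"ts": "2025-09-10T14:03:12", "host": "ws-eng-07", "type": "schtask",
     "name": "EdgeUpdateCheck",
     "action": r"C:\ProgramData\python\python.exe C:\ProgramData\svc.py"},
    {"ts": "2025-09-10T14:10:30", "host": "ws-eng-07", "type": "imageload",
     "image": "rundll32.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\msedge.dll"},
    {"ts": "2025-09-10T14:10:45", "host": "ws-eng-07", "type": "dns",
     "query": "imprimerie-agp.com"},
    {"ts": "2025-09-10T15:20:00", "host": "ws-fin-02", "type": "imageload",
     "image": "msedge.exe",
     "module": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll"},
    {"ts": "2025-09-10T15:20:05", "host": "ws-fin-02", "type": "dns",
     "query": "update.example.com"},
]


def classify(ev):
    """Map one event to a chain stage name, or None if it matches nothing.

    Each heuristic is an assumption modelled on the reported behaviour.
    """
    kind = ev["type"]
    if kind == "process":
        image = ev["image"].lower()
        cmdline = ev.get("cmdline", "").lower()
        # Fake-update lure: script host running an "update" .js file.
        if image in SCRIPT_HOSTS and ".js" in cmdline and "update" in cmdline:
            return "fake_update_script"
        # Reconnaissance stage: PowerShell whose parent is the script host.
        if image == "powershell.exe" and ev.get("parent", "").lower() in SCRIPT_HOSTS:
            return "powershell_from_script_host"
    elif kind == "schtask":
        # VIPERTUNNEL persistence: a scheduled task that launches Python.
        if "python" in ev.get("action", "").lower():
            return "scheduled_python_task"
    elif kind == "imageload":
        # Loader masquerade: msedge.dll loaded from outside the Edge install.
        module = ev["module"].lower()
        if module.endswith("msedge.dll") and not module.startswith(EDGE_DIRS):
            return "msedge_dll_outside_edge_dir"
    elif kind == "dns":
        if ev["query"].lower().rstrip(".") in C2_DOMAINS:
            return "known_c2_domain"
    return None


def correlate(events, min_stages=3):
    """Return {host: sorted stage names} for hosts where at least
    min_stages distinct stages fall inside one WINDOW. A lookup of a known
    C2 domain is a high-confidence indicator and alerts on its own."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= WINDOW}
            if len(stages) >= min_stages or "known_c2_domain" in stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

The window threshold and the stage heuristics are the tunable parts: lowering `min_stages` trades false positives for earlier detection, and the msedge.dll path check only covers the default install roots, so environments with relocated browser installs need the allow-list extended before deployment.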

Target overlap: Match sector, geo and tech-stack targeting against your real footprint.

Tradecraft mapping: Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (2): Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs: CVEs this actor has used in known campaigns.

Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables: Domains, IPs, and hashes tied to this actor, refreshed continuously.