SnipBot

SnipBot is a RomCom-associated backdoor/RAT and the latest documented variant of the RomCom malware family, also referred to in the provided content as NESTPACKER and RomCom 5.0. It has been attributed to the RomCom threat group by Palo Alto Networks Unit 42, and multiple sources in the content describe it as central to RomCom espionage operations. SnipBot enables remote command execution, downloading and running additional payloads or modules, and data exfiltration. Unit 42 reported that its primary payload is a DLL named single.dll, while related components include config-pdf.dll and keyprov.dll. Observed capabilities include drive and directory enumeration, process listing, file upload/download, targeted document collection from user folders, deletion of registry keys, execution of stored DLL payloads, update functionality, and optional SOCKS proxy and SSH tunneling via auxiliary tools such as socks5.exe and plink.exe.

The malware is delivered through multi-stage infection chains. Reported vectors include email messages containing links that redirect to a signed downloader, fake cloud-storage download pages, and spearphishing archives disguised as CVs or job application materials. In 2025, ESET observed RomCom exploiting the WinRAR zero-day CVE-2025-8088 to deliver a SnipBot variant in targeted campaigns against financial, manufacturing, defense, and logistics organizations in Europe and Canada. One described chain used a malicious LNK to launch ApbxHelper.exe, a modified PuTTY CAC binary, which decrypted shellcode assessed as a SnipBot variant and downloaded an additional stage from campanole[.]com/TOfrPOseJKZ. Other reporting describes a modified PuTTY-based loader that only proceeds when specific user activity thresholds are met.

SnipBot uses multiple evasion and stealth techniques. Reported anti-analysis checks include validating the downloader’s original filename, requiring substantial RecentDocs activity (reported thresholds include at least 100 entries in some Unit 42-observed samples and approximately 69/opened-document checks in other SnipBot-related chains), and in newer versions checking Shell Bags subkeys. Unit 42 also reported heavy string encryption, dynamic API resolution, and window message-based control-flow obfuscation. Persistence and execution tradecraft includes COM hijacking and injection into explorer.exe. A malicious DLL named keyprov.dll was reported as registered as a thumbnail cache library under HKCU\SOFTWARE\Classes\CLSID, while encrypted payloads and update state were stored under HKCU\SOFTWARE\AppDataSoft\Software, including values such as trem1 and trem3. The malware also creates a mutex named SnipMutex and, in one component, listens on TCP port 1342 for commands.

The content links SnipBot to hands-on-keyboard post-compromise activity by RomCom operators, including internal network discovery and attempted exfiltration. Unit 42 reported attempted exfiltration to 91.92.250[.]104 and use of renamed legitimate tools including AD Explorer, WinRAR renamed as fsutil.exe, and PuTTY Secure Copy renamed as dsutil.exe. Reported SnipBot-related infrastructure and indicators in the content include xeontime[.]com, drvmcprotect[.]com, linedrv[.]com, drv2ms[.]com, cethernet[.]com, olminx[.]com, ilogicflow[.]com, adobe.cloudcreative[.]digital, and sample names such as Attachment_Medical report.exe, Attachment_CV_June2024.exe, atch_Medical_Report_Scan05202024.exe, and AdobeFontPackCx6416.exe. Overall, the provided content consistently characterizes SnipBot as a sophisticated, modular RomCom backdoor used for persistence, covert reconnaissance, command execution, payload delivery, and exfiltration in targeted espionage-oriented campaigns.