Mallory
Malware. Used by 2 actors. Exploits 1 CVE.

MeltingClaw

MeltingClaw is a downloader malware family linked to the RomCom cluster and associated with TA829 activity. Proofpoint first identified it, and multiple reports describe it as another RomCom downloader. In observed intrusion chains, a malicious LNK such as Settings.lnk launches Complaint.exe (RustyClaw), which downloads a MeltingClaw DLL, or a payload partially matching MeltingClaw, from attacker-controlled infrastructure and then executes further malicious modules in the same process address space. Follow-on payloads reported as delivered via RustyClaw/MeltingClaw include the ShadyHammock, DustyHammock, and SingleCamper backdoors.

MeltingClaw was observed in campaigns exploiting the WinRAR zero-day CVE-2025-8088, a path traversal flaw in WinRAR's handling of Windows alternate data streams (ADS) that lets a crafted archive write files outside the directory the user chose for extraction. In those campaigns, spearphishing emails disguised as job applications or resumes delivered weaponized RAR archives that silently dropped malicious files, including LNK files and executables, into locations such as %LOCALAPPDATA%, %TEMP%, and the Windows Startup folder, so the payload ran at the next logon without further user interaction. One documented chain had Settings.lnk execute %LOCALAPPDATA%\Complaint.exe (RustyClaw), which downloaded a payload from https://melamorri[.]com/iEZGPctehTZ; ESET linked the resulting install_module_x64.dll (SHA-1 01D32FE88ECDEA2B934A00805E138034BF85BF83) to MeltingClaw activity with C2 at https://gohazeldale[.]com. The flaw was fixed in WinRAR 7.13; because WinRAR does not update itself, older installs remain exploitable until they are updated by hand.
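The ADS path traversal class behind CVE-2025-8088 comes down to a validation gap of this shape: the extractor checks the file part of an entry name but not the alternate data stream name that follows the colon. The script below is an added example (not ESET's, WinRAR's, or Mallory's code) that contrasts a naive per-file-name check with a hardened check over the full entry name. The extraction root and archive listing are constructed for the demonstration; the stream-name pattern illustrates the class and does not reproduce the real archives. Path handling uses Python's ntpath, which collapses `..` components the way Windows path normalization does.

```python
import ntpath

# Constructed, hypothetical extraction root and archive listing used only for
# this demonstration; they are not indicators from the campaign.
EXTRACT_ROOT = r"C:\Users\alice\Downloads\Resume"

SAMPLE_ENTRIES = [
    r"Resume.pdf",                                  # benign decoy document
    r"notes.txt:Zone.Identifier",                   # legitimate ADS, no separators
    r"Resume.pdf:..\..\..\AppData\Local\Complaint.exe",
    r"Resume.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Settings.lnk",
    r"..\Updater.lnk",                              # classic traversal in the file name itself
]


def split_ads(entry: str):
    """Split 'file:stream' into (file, stream); a leading drive-letter colon is not an ADS."""
    start = 2 if len(entry) > 1 and entry[1] == ":" and entry[0].isalpha() else 0
    idx = entry.find(":", start)
    return (entry, None) if idx == -1 else (entry[:idx], entry[idx + 1:])


def resolved_target(root: str, entry: str) -> str:
    """Fully normalized on-disk path the extractor would open for this entry."""
    return ntpath.normpath(ntpath.join(root, entry))


def _inside(root: str, target: str) -> bool:
    root_n = ntpath.normpath(root).lower()
    target_n = ntpath.normpath(target).lower()
    return target_n == root_n or target_n.startswith(root_n + "\\")


def naive_check(root: str, entry: str) -> bool:
    """Validate only the file part, as a weak extractor might. True means accepted."""
    base, _stream = split_ads(entry)
    return not ntpath.isabs(base) and _inside(root, ntpath.join(root, base))


def hardened_check(root: str, entry: str) -> bool:
    """Validate the whole name: no absolute paths, no '..' in the file part,
    no separators or '..' inside the stream name (conservative: a legitimate
    stream like Zone.Identifier has neither), and the fully normalized path
    including the stream must still sit under the extraction root."""
    base, stream = split_ads(entry)
    if ntpath.isabs(base) or ntpath.splitdrive(base)[0]:
        return False
    if ".." in base.replace("/", "\\").split("\\"):
        return False
    if stream is not None and ("\\" in stream or "/" in stream or ".." in stream):
        return False
    return _inside(root, resolved_target(root, entry))


def scan(root: str, entries):
    """Entries the naive check accepts but the hardened check rejects: the blind spot."""
    return [e for e in entries if naive_check(root, e) and not hardened_check(root, e)]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{naive_check(EXTRACT_ROOT, e)!s:5} {hardened_check(EXTRACT_ROOT, e)!s:5} "
              f"{resolved_target(EXTRACT_ROOT, e)}")
    print("blind spot:", scan(EXTRACT_ROOT, SAMPLE_ENTRIES))
```

The `resolved_target` column is the point: for the two ADS entries the file part normalizes to a path inside the root, while the full name, stream included, normalizes to a location two directories up. Any extractor that validates before appending the stream name has exactly that blind spot.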

The activity is attributed with high confidence to the Russia-aligned RomCom threat group, also tracked as Storm-0978, Tropical Scorpius, UNC2596, Nebulous Mantis, and TA829. Reported targeting in the CVE-2025-8088 campaigns included financial, manufacturing, defense, and logistics organizations in Europe and Canada. Indicators cited in the sources include Complaint.exe as the RustyClaw stage preceding MeltingClaw, install_module_x64.dll with SHA-1 01D32FE88ECDEA2B934A00805E138034BF85BF83, and the domains melamorri[.]com (payload download) and gohazeldale[.]com (C2). File names such as Complaint.exe and Settings.lnk are trivial for the operators to change, so hunts should weight the behaviour (an archiver writing into the Startup folder, an LNK launching an executable from %LOCALAPPDATA%, the downloader's outbound request) over the names themselves.
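To turn the chain above into a hunt, the block below is an added example (not Mallory's, Proofpoint's, or ESET's code) that runs four checks over a constructed, EDR-style event stream: the two domains and the install_module_x64.dll SHA-1 from this page as IOCs, WinRAR.exe writing into the Startup folder (the drop location reported above), and an executable sitting directly in %LOCALAPPDATA% launched by explorer.exe, which is the shape an LNK launch of Complaint.exe takes. The event records, field names, user name, and event IDs are constructed and hypothetical; the last rule is a heuristic and will need tuning against a real fleet.

```python
import re

# Indicators from this page; defanged domains are normalized for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("melamorri[.]com", "gohazeldale[.]com")}
IOC_SHA1 = {"01D32FE88ECDEA2B934A00805E138034BF85BF83".lower()}

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# An .exe directly under C:\Users\<user>\AppData\Local, with no subdirectory.
LOCALAPPDATA_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed telemetry, not real logs: a minimal EDR-style stream with the
# three event types the rules need. Field names are hypothetical.
EVENTS = [
    {"id": 1, "type": "file_create", "process": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Settings.lnk"},
    {"id": 2, "type": "file_create", "process": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"C:\Users\alice\AppData\Local\Complaint.exe"},
    {"id": 3, "type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Complaint.exe"},
    {"id": 4, "type": "dns", "process": r"C:\Users\alice\AppData\Local\Complaint.exe",
     "query": "melamorri.com"},
    {"id": 5, "type": "file_create", "process": r"C:\Users\alice\AppData\Local\Complaint.exe",
     "path": r"C:\Users\alice\AppData\Local\install_module_x64.dll",
     "sha1": "01d32fe88ecdea2b934a00805e138034bf85bf83"},
    {"id": 6, "type": "dns", "process": r"C:\Users\alice\AppData\Local\Complaint.exe",
     "query": "gohazeldale.com."},
    {"id": 7, "type": "dns", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "example.org"},
    {"id": 8, "type": "file_create", "process": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync.lnk"},
]


def rule_ioc_domain(ev) -> bool:
    """DNS query for a known payload or C2 domain (trailing dot tolerated)."""
    return ev["type"] == "dns" and ev["query"].lower().rstrip(".") in IOC_DOMAINS


def rule_ioc_hash(ev) -> bool:
    """Any event carrying the reported SHA-1 of the MeltingClaw DLL."""
    return ev.get("sha1", "").lower() in IOC_SHA1


def rule_archiver_writes_startup(ev) -> bool:
    """WinRAR writing into the Startup folder: the persistence drop reported above."""
    return (ev["type"] == "file_create"
            and ev["process"].lower().endswith("\\winrar.exe")
            and STARTUP_RE.search(ev["path"]) is not None)


def rule_exe_from_localappdata_root(ev) -> bool:
    """Heuristic (assumption): explorer.exe launching an .exe that sits directly
    in %LOCALAPPDATA%, the shape an LNK launch of Complaint.exe would take."""
    return (ev["type"] == "process_create"
            and ev["parent"].lower().endswith("\\explorer.exe")
            and LOCALAPPDATA_ROOT_EXE.match(ev["image"]) is not None)


RULES = {
    "ioc_domain": rule_ioc_domain,
    "ioc_hash": rule_ioc_hash,
    "archiver_writes_startup": rule_archiver_writes_startup,
    "exe_from_localappdata_root": rule_exe_from_localappdata_root,
}


def hunt(events):
    """Return (rule_name, event_id) pairs for every event that matches a rule."""
    return [(name, ev["id"]) for ev in events for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for name, ev_id in hunt(EVENTS):
        print(f"{name:28} event {ev_id}")
```

Event 2 (WinRAR writing Complaint.exe into %LOCALAPPDATA%) deliberately produces no hit: writing an executable into that directory is common enough that it is better surfaced as context for the Startup-folder hit than as an alert on its own.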


EXPLOITED CVES

Vulnerabilities exploited

1 CVE correlated with this family across public research and vendor advisories.

1 CVE
CVE-2025-8088: WinRAR Windows ADS Path Traversal Arbitrary Code Execution (exploited in the wild)

A WinRAR zero-day vulnerability was exploited in the wild by the Russia-linked RomCom threat group... The high-severity WinRAR flaw tracked as CVE-2025-8088 has a CVSS score of 8.4 and enables attackers to misuse alternate data streams (ADSs) to achieve path traversal on Windows.

via scworld.com
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

TA829

TA829's intrusions resulted in the deployment of the MeltingClaw or RustyClaw downloaders that deliver the ShadyHammock, DustyHammock, and SingleCamper backdoors.

via scworld.com
RomCom

"...believed to be another RomCom downloader known as MeltingClaw, first identified by Proofpoint."

via scworld.com
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

"CVE-2025-8088 was exploited by RomCom in an email spearphishing campaign... A malicious archive, disguised as a job applicant’s curriculum vitae or resume, was attached to the emails"

Execution

1 technique
T1204.002 Malicious File (evidence: 1)

"A malicious LNK file Updater.lnk... Another LNK file runs... A third malicious LNK file executes..."

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

"RustyClaw further retrieves another payload from an external server"
