Mythic Agent

Mythic Agent is a post-exploitation implant built on the Mythic C2 framework that provides remote-access capabilities including command execution, reconnaissance, file exfiltration, lateral movement, C2 communication, payload delivery, and additional plugin loading. The content links it primarily to RomCom activity in 2025, including campaigns exploiting the WinRAR zero-day CVE-2025-8088 and a separate campaign in which SocGholish fake-update infections delivered a targeted Mythic Agent loader to U.S. companies supporting Ukraine, including a U.S. civil engineering firm. RomCom is described as Russia-aligned and also tracked as Storm-0978, Tropical Scorpius, and UNC2596; Arctic Wolf assessed related targeting patterns as aligning with GRU Unit 29155. In the WinRAR exploitation chains, malicious RAR archives disguised as CVs or job applications used alternate data streams to drop LNK and DLL/EXE payloads, including a Mythic Agent chain in which Updater.lnk established persistence via COM hijacking by setting HKCU\SOFTWARE\Classes\CLSID{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32 to %TEMP%\msedge.dll. The msedge.dll payload decrypted embedded AES-encrypted shellcode and launched the Mythic agent; one observed C2 endpoint was https://srlaptop[.]com/s/0.7.8/clarity.js. Arctic Wolf also described a SocGholish-delivered RomCom loader disguised as msedge.dll that executed only if the victim Active Directory domain matched a hardcoded value, then decrypted shellcode identified as a Mythic dynamichttp agent; a reported C2 URL in that activity was https://imprimerie-agp[.]com/s/0.7.8/clarity.js. The malware was observed alongside other RomCom payloads such as SnipBot and RustyClaw. Separately, the content notes Mythic Agent was found on a compromised Microsoft Exchange server in a 2025 investigation involving likely Erudite Mogwai/Space Pirates activity, where it was listed among multiple co-resident malware families; in that reporting, Mythic Agent is attributed to GOFFEE.