Skip to content

Hide Navigation Hide TOC

ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39)

ROAMINGHOUSE is a dropper malware used by MirrorFace to extract and execute embedded payloads including UPPERCUT components.(Citation: Trend Micro Earth Kasha Updates APR 2025)

Cluster A Galaxy A Cluster B Galaxy B Level
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware 1
ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware 1
ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware 1
ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 1
ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware 1
ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware 1
ROAMINGHOUSE - S9026 (251f1715-fc97-4487-b939-5c8823ef7a39) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 2