RomCom exploits Firefox and Windows zero days in the wild
2025-10-21, Europe

Last year, the Russia-aligned group RomCom used a zero-click exploit combining vulnerabilities in Mozilla and Microsoft products. This exploit allowed them to compromise computers without user interaction. The attack involved a fake website that led to the execution of RomCom's backdoor.

The first part of the exploit targeted Firefox and Tor Browser, using a memory-safety bug to run code inside the browser's sandboxed content process. The second part used a Windows vulnerability that let RomCom escape that sandbox, gain higher privileges, and deploy their backdoor. Mozilla and Microsoft both patched the issues shortly after being notified.

RomCom's use of these vulnerabilities shows their advanced capabilities. This presentation covers RomCom's tactics, the attack chain, and the technical details of the exploits, along with the fixes from Mozilla and Microsoft.


In October 2024, we discovered, in the wild, a zero-click exploit that combines two previously unknown vulnerabilities: one in Mozilla products, and the other in Microsoft Windows. We attribute the exploit to the Russia-aligned group RomCom. This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability, after its abuse of CVE-2023-36884 in June 2023 via malicious Microsoft Word documents whose lures related to the Ukrainian World Congress and the NATO summit.

The compromise chain starts with a fake website that redirects the potential victim to the server hosting the exploit; if exploitation succeeds, the exploit downloads and executes the RomCom backdoor. We don't know how the link to the fake website is distributed; however, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim's computer with no user interaction required.

Analysis of the hosted files revealed a working exploit for the then-current versions of Firefox and Tor Browser. The bug is a use-after-free vulnerability in the animation timeline, allowing arbitrary code to be executed in the context of Firefox's sandboxed content process. While we're not certain whether RomCom developed or bought the exploit, the code demonstrates deep knowledge of Firefox's internals. We reported this vulnerability to the Firefox team, who acknowledged it and released a patch within an impressive 25 hours.
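To make the vulnerability class concrete, the following is an added illustration written for this page; it is not Firefox's animation timeline code and not RomCom's exploit. It uses a constructed toy allocator (fixed 32-byte slots with a LIFO free list) so that a freed slot is deterministically handed back to the next caller, which is the property a real browser-heap exploit has to engineer for itself through heap grooming. The `Timeline` struct, `attacker_func`, and the allocator are all hypothetical names chosen for the example. `uaf_vulnerable` shows a dangling reference being called after the object's slot has been reclaimed with attacker-controlled bytes; `uaf_hardened` shows the same flow with reference counting, so no holder can call through a freed object.

```c
/* Constructed use-after-free illustration (not Firefox or RomCom code). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SLOT_SIZE 32
#define NSLOTS 8

/* Toy slot allocator: pointer-aligned backing store, LIFO free list.
 * The last slot freed is the next slot handed out, so reuse is deterministic. */
static void *pool_storage[NSLOTS * SLOT_SIZE / sizeof(void *)];
static void *freelist[NSLOTS];
static int nfree;

static void pool_init(void) {
    unsigned char *base = (unsigned char *)pool_storage;
    nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) freelist[nfree++] = base + i * SLOT_SIZE;
}
static void *slot_alloc(void) { return nfree ? freelist[--nfree] : NULL; }
static void slot_free(void *p) { freelist[nfree++] = p; }

/* Hypothetical "timeline" object whose first field is a callback pointer,
 * standing in for a vtable slot in a real C++ object. */
typedef struct Timeline {
    void (*on_tick)(struct Timeline *);
    int frame;
} Timeline;

static int benign_calls, hijacked_calls;
static void benign_tick(Timeline *t) { t->frame++; benign_calls++; }
static void attacker_func(Timeline *t) { (void)t; hijacked_calls++; }

/* Vulnerable pattern: the object is freed while a second reference is still
 * held, the slot is reclaimed with controlled bytes, and the stale reference
 * is then used. Returns 1 if control flow reached attacker_func. */
int uaf_vulnerable(void) {
    pool_init(); benign_calls = hijacked_calls = 0;
    Timeline *t = slot_alloc();
    t->on_tick = benign_tick; t->frame = 0;
    Timeline *dangling = t;           /* e.g. a cached pointer elsewhere in the engine */
    slot_free(t);                     /* object destroyed; dangling is not cleared */

    /* "Heap spray": attacker allocates the same size and gets the freed slot back,
     * then writes a chosen function pointer over the callback field. */
    unsigned char *spray = slot_alloc();
    void (*fp)(Timeline *) = attacker_func;
    memcpy(spray, &fp, sizeof fp);

    dangling->on_tick(dangling);      /* use after free: hijacked indirect call */
    return hijacked_calls == 1 && benign_calls == 0 && (void *)spray == (void *)t;
}

/* Hardened pattern: every holder owns a reference; the slot is only returned
 * to the allocator when the last reference is dropped, so a stale pointer
 * into a reused slot cannot exist. Returns 1 if the benign callback ran. */
typedef struct RcTimeline { Timeline obj; int refs; } RcTimeline;
static RcTimeline *rc_acquire(RcTimeline *r) { r->refs++; return r; }
static void rc_release(RcTimeline *r) { if (--r->refs == 0) slot_free(r); }

int uaf_hardened(void) {
    pool_init(); benign_calls = hijacked_calls = 0;
    RcTimeline *r = slot_alloc();
    r->obj.on_tick = benign_tick; r->obj.frame = 0; r->refs = 1;
    RcTimeline *cached = rc_acquire(r);   /* second holder takes its own reference */
    rc_release(r);                        /* first holder drops it: object survives */

    unsigned char *spray = slot_alloc();  /* attacker now gets a different slot */
    void (*fp)(Timeline *) = attacker_func;
    memcpy(spray, &fp, sizeof fp);

    cached->obj.on_tick(&cached->obj);    /* still the benign callback */
    rc_release(cached);                   /* last reference: slot freed only now */
    return benign_calls == 1 && hijacked_calls == 0 && (void *)spray != (void *)r;
}

int main(void) {
    printf("vulnerable pattern hijacked: %d\n", uaf_vulnerable());
    printf("hardened pattern safe:       %d\n", uaf_hardened());
    return 0;
}
```

The toy makes explicit why the two real-world ingredients matter: the dangling reference supplies the stale indirect call, and predictable slot reuse lets the attacker decide what that call lands on. In a browser the reuse step is the hard part and is what grooming, allocation-size matching and spraying are for; the refcounted variant removes the dangling reference rather than trying to make reuse unpredictable.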

In the meantime, we analyzed the second stage of the exploit and discovered a sandbox escape vulnerability in Windows. An undocumented and permissive RPC endpoint allowed execution of code at the medium integrity level regardless of the privilege level of the calling process, which amounts to an elevation of privileges for a sandboxed caller. RomCom exploited this bug to break out of Firefox's sandbox and download further components in order to deploy the group's backdoor. Microsoft published a security advisory and shipped a patch in early November.

Studying RomCom’s arsenal highlights a high level of sophistication and the group’s ongoing effort to arm itself with powerful capabilities. The combination of the two zero-day vulnerabilities allowed this threat actor to compromise computers without any user interaction. This presentation provides a comprehensive overview of RomCom, its usual TTPs, this compromise chain, and its victimology. We also include a detailed technical analysis of the exploits and the corrective measures implemented by Mozilla and Microsoft.

Damien works as a Senior Malware Researcher at ESET, where he specializes in targeted attack research. With a primary focus on APT groups, his main duties include hunting and reverse engineering the latest threats. By background, he holds an M.Sc. in Computer Science and previously worked in incident response, cyber threat intelligence, and malware analysis.