ROAMINGHOUSE

ROAMINGHOUSE is a dropper malware used by MirrorFace to extract and execute embedded payloads including UPPERCUT components.[1]

ID: S9026
Type: MALWARE
Platforms: Windows
Contributors: Dominik Breitenbacher, ESET
Version: 1.0
Created: 17 April 2026
Last Modified: 22 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

ROAMINGHOUSE can decode and drop a malicious ZIP file prior to execution.[1]

Enterprise T1480 Execution Guardrails

ROAMINGHOUSE can change its execution method to create a batch file in the startup folder that executes a legitimate executable if a McAfee product is detected.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL

ROAMINGHOUSE can use a legitimate EXE to sideload a malicious DLL named JSFC.dll.[1] ROAMINGHOUSE has also used ScnCfg32.exe to sideload vsodscpl.dll to enable UPPERCUT execution.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

ROAMINGHOUSE can embed a ZIP file containing UPPERCUT components, split into three base64-encoded parts.[2]

Enterprise T1137 .001 Office Application Startup: Office Template Macros

ROAMINGHOUSE has been loaded as a Word Template file when victims opened a decoy document placed in %APPDATA%\Microsoft\Templates alongside a ROAMINGHOUSE macro.[2]

Enterprise T1566 .002 Phishing: Spearphishing Link

ROAMINGHOUSE has been distributed through phishing emails containing malicious OneDrive links.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

ROAMINGHOUSE can identify McAfee applications on compromised hosts and change its execution method if one is detected.[1]

Enterprise T1204 .001 User Execution: Malicious Link

ROAMINGHOUSE has been executed by luring victims into clicking links that download malicious ZIP files.[1]

Enterprise T1204 .002 User Execution: Malicious File

During Operation AkaiRyū, MirrorFace used malicious files to drop ROAMINGHOUSE.[2]

Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

ROAMINGHOUSE can check for specific mouse movements and user activity before initiating malicious activity.[2]

Enterprise T1047 Windows Management Instrumentation

ROAMINGHOUSE can use WMI to launch a legitimate executable later used to enable DLL sideloading.[1][2]

Groups That Use This Software

ID Name References
G1054 MirrorFace [1][2][3]
