{"description": "Enterprise techniques used by ROAMINGHOUSE, ATT&CK software S9026 (v1.0)", "name": "ROAMINGHOUSE (S9026)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1140", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) can decode and drop a malicious ZIP file prior to execution.(Citation: Trend Micro Earth Kasha Updates APR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) can change its execution method to create a batch file in the startup folder that executes a legitimate executable if a McAfee product is detected.(Citation: Trend Micro Earth Kasha Updates APR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) can use a legitimate EXE to sideload a malicious DLL named JSFC.dll.(Citation: Trend Micro Earth Kasha Updates APR 2025) [ROAMINGHOUSE](https://attack.mitre.org/software/S9026) has also used ScnCfg32.exe to sideload vsodscpl.dll to enable [UPPERCUT](https://attack.mitre.org/software/S0275) execution.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) can embed a ZIP file containing [UPPERCUT](https://attack.mitre.org/software/S0275) components into three base64 encoded parts.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1137", "showSubtechniques": true}, {"techniqueID": "T1137.001", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) has been loaded as a Word Template file when victims opened a decoy document placed in `%APPDATA%\\Microsoft\\Templates` alongside a [ROAMINGHOUSE](https://attack.mitre.org/software/S9026) macro.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) has been distributed through phishing emails containing malicious OneDrive links.(Citation: Trend Micro Earth Kasha Updates APR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) can identify McAfee applications on compromised hosts and change its execution method if one is detected.(Citation: Trend Micro Earth Kasha Updates APR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) has been executed through luring victims into clicking links to download malicious ZIP files.(Citation: Trend Micro Earth Kasha Updates APR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used malicious files to drop [ROAMINGHOUSE](https://attack.mitre.org/software/S9026).(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.002", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) can check for specific mouse movements and user activity before initiating malicious activity.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) can use WMI to launch a legitimate executable later used to enable DLL sideloading.(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ROAMINGHOUSE", "color": "#66b1ff"}]}