S9026: ROAMINGHOUSE
ROAMINGHOUSE is a dropper malware used by MirrorFace to extract and execute embedded payloads including UPPERCUT components.[1]
Analyst context for executives and security teams
ROAMINGHOUSE matters because it is described as a Windows dropper used by MirrorFace to extract and run embedded payloads, including UPPERCUT components. For leaders, the defensive issue is not only the malware name; it is whether the organization can recognize a user-driven phishing entry point, hidden or encoded payload content, WMI execution, DLL abuse, Office template macro persistence, and environment-aware behavior before a dropper enables later-stage access.
Executive priority
Prioritize this as a readiness and evidence question for Windows endpoint, email, and SOC coverage. The supplied ATT&CK relationships connect ROAMINGHOUSE to spearphishing links, malicious files, Office template macros, WMI, DLL abuse, security software discovery, and execution guardrails. Executives should ask whether controls and logs can prove prevention or timely detection across those points, especially for business units exposed to targeted phishing and for environments where Office macro use, WMI administration, or DLL loading are common and noisy.
Technical view
SOC and IR teams should validate coverage around the Windows behaviors linked to this malware: user interaction through malicious links or files, Office template macro changes, WMI-based execution, deobfuscation or decoding activity, encoded or encrypted file content, DLL loading or hijacking patterns, discovery of security tooling, and checks that may indicate sandbox or user-activity-aware execution. Because ATT&CK provides no official detection text for ROAMINGHOUSE, detection should be built from the related techniques and tested against local administrative baselines rather than relying on the malware name alone.
Likely telemetry
- Email security and mail gateway events for spearphishing links and delivered files
- Web proxy, DNS, and browser telemetry for user-clicked links and downloads
- Windows endpoint process creation, command-line, parent-child process, and file write events
- Office application and macro-related telemetry, including template file modification where collected
- WMI activity logs, including local or remote command execution indicators
Detection direction
- Treat the ATT&CK technique relationships as the detection map: T1566.002, T1204.001, and T1204.002 for user-driven entry; T1137.001 for Office template macro persistence; T1047 for WMI execution; T1027.013 and T1140 for hidden and decoded payloads; T1574.001 for DLL abuse; T1518.001, T1480, and T1497.002 for environment-aware behavior.
- Tune WMI and DLL detections against known administrative tools and software deployment workflows to reduce false positives while preserving alerts on unusual parent processes, paths, users, and timing.
- Review whether Office template macro monitoring exists; many environments log document macro execution but not changes to base templates.
- Account for blind spots created by encoded payloads, guardrails, and user-activity checks, which can reduce the value of simple sandbox-only verdicts.
- Correlate email, web, endpoint, and Office telemetry so phishing delivery, user action, dropper execution, and payload extraction are visible as a sequence.
Mitigation priorities
- Harden phishing resilience first: email filtering, link inspection, attachment controls, user reporting workflows, and rapid takedown or containment procedures.
- Restrict and monitor Office macros and Office template modification, especially on Windows systems where business justification is limited.
- Limit WMI abuse through least privilege, administrative segmentation, logging, and monitoring of unusual WMI execution paths.
- Apply application control and endpoint hardening to reduce unauthorized executable, script, macro, and DLL loading behavior.
- Ensure endpoint visibility captures process, file, DLL, WMI, and Office activity needed for incident response, not only network indicators.
Analyst notes and limits
The supplied ATT&CK object identifies ROAMINGHOUSE as a Windows dropper used by MirrorFace and ties it to Operation AkaiRyū and multiple techniques spanning initial access, execution, persistence, stealth, and discovery. The most useful defensive framing is to assess coverage across the full delivery-to-execution chain rather than treating S9026 as a standalone signature problem.
ATT&CK provides no official detection guidance for this object, no aliases, and no malware-specific tactics field. The object supports Windows as the malware platform, but several related techniques list broader platforms; local prioritization should stay anchored to the organization’s actual Windows, Office, email, and endpoint telemetry. No claim is made here about current activity, customer exposure, or guaranteed detection.
ROAMINGHOUSE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ROAMINGHOUSE can decode and drop a malicious ZIP file prior to execution. (Citation: Trend Micro Earth Kasha Updates APR 2025) |
| Enterprise | T1137.001 | Office Template Macros | ROAMINGHOUSE has been loaded as a Word Template file when victims opened a decoy document placed in `%APPDATA%\Microsoft\Templates` alongside a ROAMINGHOUSE macro. (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1566.002 | Spearphishing Link | ROAMINGHOUSE has been distributed through phishing emails containing malicious OneDrive links. (Citation: Trend Micro Earth Kasha Updates APR 2025) |
| Enterprise | T1204.002 | Malicious File | During Operation AkaiRyū, MirrorFace used malicious files to drop ROAMINGHOUSE. (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1204.001 | Malicious Link | ROAMINGHOUSE has been executed through luring victims into clicking links to download malicious ZIP files. (Citation: Trend Micro Earth Kasha Updates APR 2025) |
| Enterprise | T1497.002 | User Activity Based Checks | ROAMINGHOUSE can check for specific mouse movements and user activity before initiating malicious activity. (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1480 | Execution Guardrails | ROAMINGHOUSE can change its execution method to create a batch file in the startup folder that executes a legitimate executable if a McAfee product is detected. (Citation: Trend Micro Earth Kasha Updates APR 2025) |
| Enterprise | T1027.013 | Encrypted/Encoded File | ROAMINGHOUSE can embed a ZIP file containing UPPERCUT components into three base64 encoded parts. (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1518.001 | Security Software Discovery | ROAMINGHOUSE can identify McAfee applications on compromised hosts and change its execution method if one is detected. (Citation: Trend Micro Earth Kasha Updates APR 2025) |
| Enterprise | T1047 | Windows Management Instrumentation | ROAMINGHOUSE can use WMI to launch a legitimate executable later used to enable DLL sideloading. (Citation: Trend Micro Earth Kasha Updates APR 2025) (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| Enterprise | T1574.001 | DLL | ROAMINGHOUSE can use a legitimate EXE to sideload a malicious DLL named JSFC.dll. (Citation: Trend Micro Earth Kasha Updates APR 2025) ROAMINGHOUSE has also used ScnCfg32.exe to sideload vsodscpl.dll to enable UPPERCUT execution. (Citation: Trend Micro Earth Kasha Anel NOV 2024) |
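Detection logic for the WMI-launch, DLL-sideload and Startup-batch behaviours in the table above and in the Detection direction list, added here as an example (not ATT&CK, Glexia or vendor code). The event format, hosts, user and directory names are constructed assumptions loosely modelled on Sysmon data; only the EXE and DLL names come from the procedure text.

```python
"""Detection logic for the ROAMINGHOUSE chain in the table above (T1047 WMI launch, T1574.001
sideload, T1480 Startup batch fallback) over constructed events; field names are assumptions."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SIDELOAD_DLLS = {"jsfc.dll", "vsodscpl.dll"}  # DLL names quoted in the procedure table
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SAMPLE = [  # constructed events; hosts, user and directories are illustrative, not real IoCs
    r"event=process|host=WS01|time=2024-07-01T09:00:00|parent=C:\Windows\System32\wbem\WmiPrvSE.exe|image=C:\Users\alice\AppData\Roaming\Tmp\ScnCfg32.exe",
    r"event=imageload|host=WS01|time=2024-07-01T09:00:02|dll=C:\Users\alice\AppData\Roaming\Tmp\vsodscpl.dll",
    r"event=process|host=WS02|time=2024-07-01T09:01:00|parent=C:\Windows\System32\wbem\WmiPrvSE.exe|image=C:\Program Files\Vendor\agent.exe",
    r"event=filecreate|host=WS03|time=2024-07-01T09:05:00|path=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat",
]

def parse(line):
    """Parse one 'key=value|key=value' event line into a dict with a datetime."""
    ev = dict(kv.split("=", 1) for kv in line.split("|"))
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev

def in_trusted_dir(path):  # tune to the local software baseline (see Detection direction)
    return path.lower().startswith(TRUSTED_DIRS)

def flag(ev):
    """Per-event rules; returns the matching ATT&CK technique ID or None."""
    if (ev["event"] == "process" and PureWindowsPath(ev["parent"]).name.lower() == "wmiprvse.exe"
            and not in_trusted_dir(ev["image"])):
        return "T1047"  # WMI provider host launching an EXE from an untrusted directory
    if (ev["event"] == "imageload" and PureWindowsPath(ev["dll"]).name.lower() in SIDELOAD_DLLS
            and not in_trusted_dir(ev["dll"])):
        return "T1574.001"  # known sideloaded DLL name loaded from a non-system directory
    if ev["event"] == "filecreate" and STARTUP_DIR in ev["path"].lower() and ev["path"].lower().endswith(".bat"):
        return "T1480"  # batch file written to the Startup folder (the McAfee fallback path)
    return None

def detect(lines, window=timedelta(minutes=5)):
    """Return (hits, chains): hits are (host, time, technique) per flagged event; a chain is a
    WMI launch followed on the same host within `window` by a sideload from that EXE's directory."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["time"])
    hits = [(e["host"], e["time"], t) for e in events if (t := flag(e))]
    chains = []
    for a in events:
        if flag(a) != "T1047":
            continue
        for b in events:
            if (b["host"] == a["host"] and flag(b) == "T1574.001"
                    and a["time"] <= b["time"] <= a["time"] + window
                    and PureWindowsPath(b["dll"]).parent == PureWindowsPath(a["image"]).parent):
                chains.append((a["host"], a["image"], b["dll"]))
    return hits, chains
```

The benign WS02 event (WMI launching an agent from Program Files) is deliberately not flagged, showing where the trusted-directory baseline absorbs administrative noise.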
Groups, software, and campaigns
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
C0060: Operation AkaiRyū
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9f9affbe6868… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trend Micro Earth Kasha Updates APR 2025: Hiroaki, H. (2025, April 30). Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan. Retrieved April 17, 2026.
[2] mitre-attack S9026
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.