Nebulous Mantis, also known as Cuba, STORM-0978, Tropical Scorpius, and UNC2596, is a Russian-speaking cyber espionage group that has been actively deploying the RomCom remote access trojan (RAT) in targeted campaigns since mid-2019.
The group primarily focuses on critical infrastructure, government agencies, political leaders, and organizations related to NATO.
Their operations are characterized by the use of spear-phishing emails containing weaponized document links to deliver RomCom, which is leveraged for espionage, lateral movement, and data theft.
Since mid-2022, Nebulous Mantis has shifted its spear-phishing campaigns to exclusively use RomCom, abandoning previous malware like Hancitor.
The group employs advanced evasion techniques, such as living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications.
Their infrastructure is highly dynamic, utilizing bulletproof hosting services like LuxHost and AEZA, with domains and C2 servers rotated monthly for persistence and stealth.
Key actors such as LARVA-290 play a critical role in acquiring and managing these servers, supporting both espionage and ransomware operations.
Multi-Phase Attack Methodology
The attack chain begins with highly targeted spear-phishing emails, tailored to specific organizations or individuals.
These emails direct victims to fake websites mimicking legitimate services, such as OneDrive, where users are prompted to download malicious files.
Upon execution, the initial RomCom variant acts as a downloader, triggering subsequent infection stages that establish persistence and enable further exploitation.
RomCom employs several anti-analysis techniques, including filename and registry key checks, to evade sandbox and antivirus detection. If those checks find no sign of an analysis environment, the downloader connects to designated C2 domains to retrieve additional payloads, including the first-stage RomCom DLL and decoy documents.
The malware then loads itself into system processes, establishes encrypted C2 communications, and downloads further modules for espionage and data theft. Notably, RomCom leverages decentralized technologies such as the InterPlanetary File System (IPFS) to host and distribute payloads, increasing resilience against takedown efforts.
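Payloads pulled from IPFS still have to cross the network perimeter, and gateway URLs have a recognisable shape (a `/ipfs/<cid>` or `/ipns/<name>` path, or a `<cid>.ipfs.<gateway>` subdomain). The following script is an added example written for this article, not code from the report or from any vendor; it runs simple detection logic over a handful of constructed proxy log lines and tags each hit with the namespace, the identifier and a lenient check of whether that identifier looks like a CIDv0 (base58, `Qm...`) or a base32 CIDv1 (`b...`). The log layout, client addresses and identifiers are all assumptions made up for the example.

```python
import re
from typing import Dict, List

# Constructed proxy log lines for this example (not real traffic from any incident).
# Layout assumed here: timestamp client_ip method url status
SAMPLE_PROXY_LOG = """\
2024-01-15T10:02:11Z 10.0.5.23 GET https://ipfs.io/ipfs/QmAbCdEfGhJkLmNpQrStUvWxYz1234567abcdefghjkmnp/stage1.bin 200
2024-01-15T10:02:40Z 10.0.5.23 GET https://cdn.example.test/assets/app.js 200
2024-01-15T10:03:02Z 10.0.5.41 GET https://bafybeigexamplecidconstructedfortestinga2b3c4d5e6f7g2h3i4j5.ipfs.dweb.link/update.dll 200
2024-01-15T10:05:17Z 10.0.5.23 GET https://mail.example.test/owa/ 302
2024-01-15T10:06:33Z 10.0.5.77 GET http://203.0.113.10:8080/ipns/k51qzi5uqu5dlexamplenamekeyconstructed2b3c4d5e6f7g2h3i4j5k6m7n/config.json 200
"""

# Path-style gateway URL: https://<gateway>/ipfs/<cid>/... or /ipns/<name>/...
PATH_FORM = re.compile(r"/(?P<ns>ipfs|ipns)/(?P<id>[A-Za-z0-9]+)", re.IGNORECASE)
# Subdomain-style gateway URL: https://<cid>.ipfs.<gateway>/...
SUBDOMAIN_FORM = re.compile(r"^https?://(?P<id>[a-z0-9]+)\.(?P<ns>ipfs|ipns)\.[^/]+", re.IGNORECASE)
# Lenient shape checks only (no multiformat decoding): CIDv0 is "Qm" + 44 base58 chars,
# the common base32 CIDv1 form is "b" + 58 base32 chars.
CIDV0 = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
CIDV1_B32 = re.compile(r"^b[a-z2-7]{58}$")


def cid_kind(identifier: str) -> str:
    """Classify an identifier taken from a gateway URL by its shape."""
    if CIDV0.match(identifier):
        return "cidv0"
    if CIDV1_B32.match(identifier):
        return "cidv1-base32"
    return "other"          # e.g. an IPNS name, or something that is not a CID at all


def detect_ipfs_fetches(log_text: str) -> List[Dict[str, str]]:
    """Return one record per proxy log line that fetched through an IPFS gateway."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue            # malformed line; skip rather than guess
        ts, client, _method, url, _status = parts
        form = "subdomain"
        m = SUBDOMAIN_FORM.match(url)
        if not m:
            form = "path"
            m = PATH_FORM.search(url)
        if not m:
            continue
        identifier = m.group("id")
        hits.append({
            "time": ts,
            "client": client,
            "url": url,
            "form": form,
            "namespace": m.group("ns").lower(),
            "identifier": identifier,
            "id_kind": cid_kind(identifier),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_ipfs_fetches(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} {hit['namespace']}/{hit['identifier']} "
              f"({hit['form']}, {hit['id_kind']}) {hit['url']}")
```

The pattern match is deliberately lenient: the goal is to surface every gateway fetch for review, and the `id_kind` field only helps an analyst see at a glance whether the identifier is a content hash (which can be pivoted on across hosts, since the same CID resolves through any gateway) or an IPNS name. A production rule would key this on a maintained list of public gateways as well, since an attacker can stand up a private one.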
Once active, RomCom deploys a range of tools, including Plink, WinRAR, and AD Explorer, to facilitate lateral movement, data collection, and persistence.
The malware uses COM hijacking via registry manipulation for persistence, and executes commands for credential harvesting, system reconnaissance, Active Directory enumeration, and network discovery.
Data is staged, archived, and exfiltrated through the C2 infrastructure, with ransomware often deployed as a final step to encrypt victim data and demand payment.
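COM hijacking through the registry leaves a specific footprint: a per-user `Software\Classes\CLSID\{GUID}\InprocServer32` (or `LocalServer32`, or `TreatAs`) value that points a CLSID at a DLL, usually in a user-writable folder, so that the hijacked class is loaded ahead of the legitimate machine-wide registration. The script below is an added example written for this article, not code from the report or from any tooling it mentions. It triages constructed records shaped like the fields of Sysmon Event ID 13 (registry value set) and assigns a severity to each COM registration it recognises; the events, SIDs, CLSIDs and paths are all made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed records modelled on the fields of Sysmon Event ID 13 (registry value set).
# Illustrative samples for this example only, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {   # per-user CLSID server pointing at a DLL under AppData: the classic hijack shape
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                        r"\{A1B2C3D4-0000-4000-8000-000000000001}\InprocServer32\(Default)",
        "Details": r"C:\Users\alice\AppData\Roaming\Update\helper.dll",
    },
    {   # machine-wide registration by an installer into Program Files: benign shape
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID"
                        r"\{A1B2C3D4-0000-4000-8000-000000000002}\InprocServer32\(Default)",
        "Details": r"C:\Program Files\Vendor\vendor.dll",
    },
    {   # per-user TreatAs value: redirects one CLSID to another class, also a hijack primitive
        "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                        r"\{A1B2C3D4-0000-4000-8000-000000000003}\TreatAs\(Default)",
        "Details": r"{A1B2C3D4-0000-4000-8000-000000000004}",
    },
    {   # unrelated per-user registry write: must not fire
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                        r"\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": r"DWORD (0x00000001)",
    },
]

# Matches the registry paths that decide which server a CLSID resolves to.
# Sysmon writes per-user keys as HKU\<SID>\...; HKCU is accepted for other log sources.
COM_SERVER_KEY = re.compile(
    r"^(?P<hive>HKU|HKCU|HKLM)\\(?:S-1-5-[0-9-]+\\)?Software\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\(?P<sub>InprocServer32|LocalServer32|TreatAs)\\",
    re.IGNORECASE,
)
# Locations a standard user can write to; a COM server DLL normally lives elsewhere.
USER_WRITABLE = re.compile(
    r"\\(Users|ProgramData|Temp|Public)\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%", re.IGNORECASE
)


@dataclass
class Finding:
    clsid: str
    subkey: str
    image: str
    value: str
    severity: str
    reason: str


def triage_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a COM registration worth review, or None for anything else."""
    m = COM_SERVER_KEY.match(event["TargetObject"])
    if not m:
        return None
    per_user = m.group("hive").upper() in ("HKU", "HKCU")
    clsid, sub, value = m.group("clsid").upper(), m.group("sub"), event["Details"]
    if per_user and sub.lower() == "treatas":
        sev, why = "high", "per-user TreatAs redirects the CLSID to another class"
    elif USER_WRITABLE.search(value):
        sev, why = "high", "COM server path is in a user-writable location"
    elif per_user:
        # HKCU\Software\Classes is consulted before HKLM when HKCR is merged for a
        # non-elevated process, so a per-user entry shadows the machine-wide one.
        sev, why = "medium", "per-user COM server registration; shadows any HKLM entry for the same CLSID"
    else:
        return None         # machine-wide registration to a protected path: normal installer behaviour
    return Finding(clsid, sub, event["Image"], value, sev, why)


def triage(events: List[dict]) -> List[Finding]:
    """Triage a batch of registry-set events, keeping only the findings."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.clsid} {f.subkey} <- {f.value} (written by {f.image}): {f.reason}")
```

The same three rules translate directly into a SIEM query over Sysmon Event ID 13, and the medium-severity case is worth keeping: a per-user registration that points at a signed DLL in a protected path is rarer than it looks and is the shape a hijack takes once the attacker has already staged a DLL somewhere that the user-writable check does not cover.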
Command and Control, Impact, and Defense
RomCom’s C2 framework is managed through a dedicated panel that allows operators to control infected devices, execute commands, and upload or download files.
The panel supports multiple user roles with varying permissions, enabling efficient management of large-scale operations.
Commands include system enumeration, process management, screenshot capture, credential harvesting, and deployment of additional modules such as stealers and crypto grabbers.
After exfiltrating sensitive data, Nebulous Mantis often deploys ransomware to encrypt files and extort victims. The group has used several ransomware strains over time, including Cuba, Industrial Spy, and Team Underground, with data leaks published on dedicated sites.
Their operations demonstrate a high degree of operational discipline, balancing intelligence collection with stealth and persistence.
The Nebulous Mantis group’s sophisticated tradecraft, use of decentralized infrastructure, and continuous evolution of tactics make RomCom a significant threat to governmental, military, and critical infrastructure organizations worldwide.
Their activities underscore the need for advanced defense strategies, including robust email filtering, endpoint detection, regular patching, and network monitoring to identify and mitigate such advanced persistent threats.