
A new threat intelligence report by PRODAFT details Nebulous Mantis, a Russian-speaking cyber espionage group operating under multiple aliases, including Cuba, STORM-0978, Tropical Scorpius, and UNC2596. Known for blending state-sponsored tactics with cybercriminal agility, the group’s primary weapon of choice is the RomCom remote access trojan (RAT)—a versatile tool enabling both data exfiltration and ransomware deployment.
“Nebulous Mantis operates as a sophisticated threat group employing a multi-phase intrusion methodology to gain initial access, execution, persistence, and data exfiltration,” PRODAFT stated in the report.
Since mid-2019, Nebulous Mantis has targeted government entities, critical infrastructure, political figures, and NATO-related defense sectors. Initially relying on the Hancitor loader, the group pivoted in mid-2022 to RomCom, a more advanced RAT with stealthy execution techniques, including living-off-the-land (LOTL) methods and encrypted C2 channels.
Their operations often begin with spear-phishing emails containing malicious links or documents disguised as invitations or policy reports. One example from recent attacks involved luring victims to a fake OneDrive download page:
“The user is expected to download and run the Situation_Details_and_Evidence_April_25.pdf file… [but] they actually download the initial executable of the RomCom variant,” the report explains.
After the first-stage downloader is triggered, the malware connects to a command-and-control domain (e.g., drivedefend.com) and pulls down additional payloads, including a Keyprov.dll backdoor. The RomCom toolkit then downloads the final C++-based variant, which listens for C2 instructions while deploying supplementary tools such as:
- Plink (for SSH tunneling),
- WinRAR (for archiving),
- AD Explorer (for domain enumeration).

PRODAFT highlights RomCom’s use of decentralized infrastructure: “The RomCom variants use InterPlanetary File System (IPFS)… making it resilient to censorship and single points of failure.”
The RomCom RAT uses Component Object Model (COM) hijacking for persistence:
“It writes to the HKCU\Software\Classes\CLSID\{ID}\InProcServer32 registry key… allowing execution when a COM object is instantiated.”
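The persistence mechanism quoted above works because COM resolves a CLSID under HKCU\Software\Classes before the machine-wide registration in HKLM, so an unprivileged user can redirect an existing component to their own DLL. The following PowerShell audit is an added example, not code from the PRODAFT report or from RomCom: it lists every per-user InProcServer32 registration, compares it with the HKLM counterpart, and flags entries that shadow the machine registration, point into user-writable directories, or reference a DLL that no longer exists. The user-writable path pattern is an assumption chosen for the example.

```powershell
# Added example (not code from the PRODAFT report): audit per-user COM registrations
# for the hijack pattern described in the article. COM resolves HKCU\Software\Classes
# before HKLM\Software\Classes, so a CLSID registered under HKCU shadows the machine-wide
# one without admin rights. Legitimate software rarely needs a per-user InProcServer32,
# so every entry found here deserves a look.
$hkcuClsidRoot = 'HKCU:\Software\Classes\CLSID'
$hklmClsidRoot = 'HKLM:\Software\Classes\CLSID'

function Get-UserComServers {
    if (-not (Test-Path $hkcuClsidRoot)) { return }

    Get-ChildItem -Path $hkcuClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid   = $_.PSChildName
        $userKey = Join-Path $_.PSPath 'InProcServer32'
        if (-not (Test-Path $userKey)) { return }    # no in-proc server registered for this CLSID

        # The key's default value is the DLL that COM loads into the calling process.
        $userDll    = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
        $machineKey = Join-Path $hklmClsidRoot "$clsid\InProcServer32"
        $machineDll = if (Test-Path $machineKey) {
            (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
        } else { $null }

        # Expand %SystemRoot%-style variables before checking where the DLL really lives.
        $expanded  = [Environment]::ExpandEnvironmentVariables([string]$userDll)
        $dllExists = -not [string]::IsNullOrWhiteSpace($expanded) -and (Test-Path -LiteralPath $expanded)

        [PSCustomObject]@{
            CLSID            = $clsid
            UserDll          = $userDll
            MachineDll       = $machineDll
            # The HKCU entry points somewhere other than the machine-wide registration.
            ShadowsHKLM      = ($null -ne $machineDll) -and ($machineDll -ne $userDll)
            # Assumed pattern for locations an unprivileged user can write to.
            UserWritablePath = $expanded -match '\\Users\\|\\ProgramData\\|\\Temp\\|\\Public\\'
            DllExists        = $dllExists
        }
    }
}

# Show only the suspicious rows; drop the Where-Object to review every per-user entry.
Get-UserComServers |
    Where-Object { $_.ShadowsHKLM -or $_.UserWritablePath -or -not $_.DllExists } |
    Format-Table -AutoSize
```

Run it in the context of each interactive user, since HKCU is per profile; for an estate-wide sweep, load each profile's NTUSER.DAT hive and point `$hkcuClsidRoot` at it. A row where `ShadowsHKLM` is true and the DLL sits under the user's profile is the textbook hijack; a missing DLL usually means leftover registration from removed software, which is worth cleaning up but is not an intrusion by itself.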
It further evades detection using anti-sandbox checks, time zone analysis, and file renaming. Nebulous Mantis harvests credentials with file searches (findstr “password”), runs privilege reconnaissance commands, and performs detailed network and domain discovery using tools like:
- netstat, nltest, arp, ping, and
- PowerShell-based port scans.
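No single command in the list above is malicious on its own; administrators run `netstat` and `nltest` every day. What distinguishes the discovery phase described here is several distinct reconnaissance categories from one user on one host within a few minutes. The PowerShell below is an added example, not code from the PRODAFT report: it tags process-creation events with a discovery category and alerts when a host/user pair accumulates enough categories inside a time window. The field names loosely follow Sysmon Event ID 1, and the sample events are constructed by hand for the example, not real telemetry.

```powershell
# Added example (not code from the PRODAFT report): flag the discovery burst described
# in the article in process-creation telemetry. Field names loosely follow Sysmon
# Event ID 1; the events below are constructed for the example and are not real logs.
$sampleEvents = @(
    [PSCustomObject]@{ Time = '2025-04-25T09:12:03'; Host = 'WS01'; User = 'CORP\jdoe'; Image = 'C:\Windows\System32\findstr.exe'; CommandLine = 'findstr /si password *.txt *.xml *.config' }
    [PSCustomObject]@{ Time = '2025-04-25T09:12:41'; Host = 'WS01'; User = 'CORP\jdoe'; Image = 'C:\Windows\System32\whoami.exe';  CommandLine = 'whoami /priv' }
    [PSCustomObject]@{ Time = '2025-04-25T09:13:10'; Host = 'WS01'; User = 'CORP\jdoe'; Image = 'C:\Windows\System32\nltest.exe';  CommandLine = 'nltest /dclist:corp' }
    [PSCustomObject]@{ Time = '2025-04-25T09:14:55'; Host = 'WS01'; User = 'CORP\jdoe'; Image = 'C:\Windows\System32\NETSTAT.EXE'; CommandLine = 'netstat -ano' }
    [PSCustomObject]@{ Time = '2025-04-25T09:16:20'; Host = 'WS01'; User = 'CORP\jdoe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell -nop -c "1..1024 | % { Test-NetConnection 10.0.0.5 -Port $_ }"' }
    # A helpdesk user pinging one server is background noise and must not alert.
    [PSCustomObject]@{ Time = '2025-04-25T09:15:00'; Host = 'WS02'; User = 'CORP\helpdesk'; Image = 'C:\Windows\System32\PING.EXE'; CommandLine = 'ping fileserver01' }
)

# One regex per category, matched against "image commandline". The signal is several
# distinct categories from one user on one host in a short window, not any one command.
$discoveryCategories = [ordered]@{
    CredentialSearch = 'findstr(\.exe)?\s.*password'
    PrivilegeRecon   = 'whoami(\.exe)?\s+/(priv|groups|all)|net(\.exe)?\s+localgroup\s+administrators'
    DomainDiscovery  = 'nltest(\.exe)?\s+/(dclist|domain_trusts|dsgetdc)'
    NetworkDiscovery = 'netstat(\.exe)?\s+-a|arp(\.exe)?\s+-a|\bping(\.exe)?\s'
    PortScan         = 'powershell.*(Test-NetConnection|Net\.Sockets\.TcpClient|-Port\s)'
}

function Get-DiscoveryBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10,
        [int] $Threshold = 3
    )
    # Tag each event with the first category it matches; unmatched events are dropped.
    $tagged = foreach ($ev in $Events) {
        $text = "$($ev.Image) $($ev.CommandLine)"
        foreach ($cat in $discoveryCategories.Keys) {
            if ($text -match $discoveryCategories[$cat]) {
                [PSCustomObject]@{ Time = [datetime]$ev.Time; Host = $ev.Host; User = $ev.User; Category = $cat; CommandLine = $ev.CommandLine }
                break
            }
        }
    }
    # Window starts at the first discovery command seen for each host/user pair.
    $tagged | Group-Object Host, User | ForEach-Object {
        $seq       = $_.Group | Sort-Object Time
        $windowEnd = $seq[0].Time.AddMinutes($WindowMinutes)
        $inWindow  = @($seq | Where-Object { $_.Time -le $windowEnd })
        $cats      = @($inWindow.Category | Sort-Object -Unique)
        if ($cats.Count -ge $Threshold) {
            [PSCustomObject]@{
                Host       = $seq[0].Host
                User       = $seq[0].User
                WindowFrom = $seq[0].Time
                Categories = $cats -join ', '
                Commands   = $inWindow.CommandLine -join ' | '
            }
        }
    }
}

# With the constructed input, WS01/CORP\jdoe is reported with all five categories;
# WS02/CORP\helpdesk matches only NetworkDiscovery and stays below the threshold.
Get-DiscoveryBursts -Events $sampleEvents | Format-List
```

To use it on real data, replace `$sampleEvents` with the output of `Get-WinEvent` over the Sysmon operational log mapped to the same five fields, and tune the threshold and window against a baseline of administrator activity before alerting on it. The `CredentialSearch` category deserves a lower threshold on its own, since searching files for the literal word "password" has few legitimate uses outside security tooling.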
Once data collection is complete, Nebulous Mantis compresses user data using renamed WinRAR executables (mfc86x.exe) and stores it in predefined locations like C:\Users\Public\Music. Exfiltration is conducted via RomCom’s encrypted C2 channels.
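Two of the staging details above are directly huntable: an archiver renamed to something innocuous, and archives accumulating in a public directory that ordinary workflows never write to. The PowerShell below is an added example, not code from the PRODAFT report: the first function finds executables whose embedded version resource says they are WinRAR or a similar archiver while their on-disk name says otherwise, and the second lists large files and archives in candidate staging directories, identifying RAR data by its magic bytes rather than by extension. The directory list, archiver list and size threshold are assumptions chosen for the example.

```powershell
# Added example (not code from the PRODAFT report): hunt for a renamed archiver and a
# staging directory like those described in the article. The directories scanned,
# the archiver names and the size threshold are assumptions; adjust them to the estate.
$stagingDirs    = @('C:\Users\Public\Music', 'C:\Users\Public', 'C:\ProgramData')
$knownArchivers = @('WinRAR.exe', 'Rar.exe', '7z.exe', '7za.exe')

function Get-RenamedArchiver {
    param([string[]] $Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The PE version resource keeps the vendor's original file name; renaming
                # the file on disk (e.g. to mfc86x.exe) does not change it.
                $original = [string]$_.VersionInfo.OriginalFilename
                $original = $original.Trim()
                if ($original -and ($knownArchivers -contains $original) -and ($_.Name -ne $original)) {
                    [PSCustomObject]@{
                        Path             = $_.FullName
                        OnDiskName       = $_.Name
                        OriginalFilename = $original
                        Product          = $_.VersionInfo.ProductName
                        Signature        = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                    }
                }
            }
    }
}

function Test-RarHeader {
    param([string] $Path)
    # RAR4 and RAR5 archives both begin with "Rar!" 0x1A 0x07, whatever the extension
    # says, so read the magic bytes instead of trusting the file name.
    try {
        $fs   = [IO.File]::OpenRead($Path)
        $buf  = New-Object byte[] 6
        $read = $fs.Read($buf, 0, 6)
        $fs.Dispose()
        return ($read -eq 6) -and ([BitConverter]::ToString($buf) -eq '52-61-72-21-1A-07')
    } catch { return $false }
}

function Get-StagedArchives {
    param([string[]] $Dirs, [int] $MinSizeMB = 5)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { ($_.Extension -in '.rar', '.zip', '.7z') -or ($_.Length -ge $MinSizeMB * 1MB) } |
            ForEach-Object {
                [PSCustomObject]@{
                    Path      = $_.FullName
                    SizeMB    = [math]::Round($_.Length / 1MB, 1)
                    LastWrite = $_.LastWriteTime
                    IsRar     = Test-RarHeader -Path $_.FullName
                    Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
                }
            }
    }
}

# Renamed archivers are looked for in the staging dirs plus the current user's temp
# and local app data; staged archives only in the public directories.
Get-RenamedArchiver -Roots ($stagingDirs + "$env:LOCALAPPDATA", "$env:TEMP") | Format-Table -AutoSize
Get-StagedArchives  -Dirs  $stagingDirs | Format-Table -AutoSize
```

A renamed WinRAR still carries the vendor's valid Authenticode signature, so the `Signature` column will often read `Valid`; the finding is the mismatch between `OnDiskName` and `OriginalFilename`, not the signature state. Pair the file hunt with a process-creation rule for any `rar.exe`-style command line (`a -r -hp`) launched from an unexpected image name, since the archive may have been exfiltrated and deleted before the hunt runs.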
To cover their espionage tracks, the group frequently deploys ransomware. Their ransomware arsenal evolved over time:
- Cuba ransomware (early 2020),
- Industrial Spy (from March 2022),
- Team Underground (since July 2023), which shares leak sites with previous campaigns.
An individual known as LARVA-290 plays a central role in acquiring and managing bulletproof hosting (BPH) services for the group—primarily via LuxHost and AEZA. This actor maintains the servers used for both C2 infrastructure and ransomware operations, confirming their position as a critical IT admin within the Nebulous Mantis structure.
Nebulous Mantis merges cyber espionage with modern ransomware operations, making it a hybrid threat that is difficult to attribute and harder to dismantle.
“This combination of technical innovation, operational security, and focused targeting renders RomCom a highly significant cyber threat…,” PRODAFT concludes.