Russian-linked Nebulous Mantis targets NATO, critical infrastructure with RomCom RAT

Cyber threat intelligence firm PRODAFT detailed the Nebulous Mantis (a.k.a. Cuba, STORM-0978, Tropical Scorpius, UNC2596), a Russian-speaking cyber espionage group that has actively deployed the RomCom remote access trojan (RAT) and Hancitor loader in targeted campaigns since mid-2019. Operating with geopolitical motives, the group primarily focuses on critical infrastructure, government agencies, political leaders, and NATO-related defense organizations. They use spear-phishing emails with weaponized document links to deliver RomCom for espionage, lateral movement, and data theft. 

“Nebulous Mantis has been using the sophisticated RomCom since around mid-2022. This RAT is primarily employed for espionage and ransomware activities,” the researchers wrote in a post last week. “The malware employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure, leveraging bulletproof hosting to maintain persistence and evade detection.” 

The Nebulous Mantis team, which changes the domains they use every month, obtains these spear-phishing and C2 servers from LuxHost and AEZA bulletproof hosting (BPH) services. Analysis of the team’s infrastructure shows that LARVA-290, the individual who obtained intrusion servers for and conducted numerous ransomware attacks, continues to play a critical IT admin role within the Nebulous Mantis team and in RomCom attacks. 

Moreover, the Nebulous Mantis group’s attacks using RomCom involve data exfiltration from systems and system encryption using various ransomware. “We are assessing with moderate confidence that the group’s goal is to carry out espionage, despite evidence suggesting involvement in data exfiltration for ransomware and double extortion.”

Using various attack stages, the Nebulous Mantis team gathers critical information from the victim machine and uploads it to their C2 servers. “Subsequently, to provide coverage for this data theft, they deploy ransomware onto the machine, encrypting all the data and demanding a ransom. This ransomware deployment, not observed in the team’s pre-2020 attacks, began with their use of Cuba ransomware in January 2020. After March 2022, attacks using Cuba ransomware were entirely replaced by Industrial Spy, which appears to be a continuation of the former.” 

Finally, the team started using Team Underground ransomware in July 2023 in the same manner. In many of the group's ongoing attacks today, numerous critically affected victims continue to be posted on Team Underground's Data Leak Site (DLS). Through its active spear-phishing campaigns, the Nebulous Mantis team can reach over 46 critical victims in approximately one month.

The Nebulous Mantis team continues to utilize domains and servers managed by LARVA-290. LARVA-290 procures and operates numerous servers, including those used as C2 infrastructure for Cuba ransomware, primarily sourcing these servers through AEZA and LuxHost BPH services. Having run multiple ransomware attacks from its intrusion servers that culminated in Cuba ransomware deployments, LARVA-290 currently plays a critical IT admin role within the Nebulous Mantis team and in RomCom campaigns.

Nebulous Mantis operates as a sophisticated threat group employing a multi-phase intrusion methodology to gain initial access, execution, persistence, and data exfiltration. Their operations begin with highly targeted spear-phishing campaigns delivering weaponized documents, followed by a carefully orchestrated sequence of activities designed to establish footholds, escalate privileges, and maintain long-term access. 

The group demonstrates particular skill in blending social engineering with technical exploits, often leveraging zero-day vulnerabilities during initial infection before transitioning to LOTL techniques for post-exploitation activities. Their malware arsenal features modular components with distinct functions – from initial droppers to sophisticated backdoors – all designed with evasion capabilities to bypass traditional security controls. 

Additionally, the group maintains an extensive infrastructure of compromised servers and bulletproof hosting services to support their operations, frequently rotating C2 endpoints while maintaining persistent communication channels. Throughout the attack lifecycle, Nebulous Mantis exhibits operational discipline in minimizing its footprint, balancing aggressive intelligence collection with stealth requirements, which suggests either state-sponsored backing or a professional cybercriminal organization with significant resources. Their tradecraft shows continuous evolution, with new TTPs emerging in each campaign.

Around mid-2022, Nebulous Mantis stopped using Hancitor in their spear-phishing attacks and started using RomCom instead. Almost all attacks the group carries out start with a spear-phishing e-mail. In these e-mails, which the threat actors tailor to the targeted organization or individual, the websites of various applications are imitated so that victims click and download a file to their devices, or the victims are asked to download and open a file to read a report or an invitation to an important event.

The researchers highlighted that recent attacks involving RomCom have targeted users by emailing a malicious link. When the victim clicks on the link, they are redirected to an intermediate domain (i.e., drivepoint[dot]pub). From there, the user is taken directly to the landing page domain (i.e., cloud1dv[dot]com), which hosts a landing page designed to resemble OneDrive.
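As an added example (not from the PRODAFT report), the following Python detection logic reconstructs the redirect chain described above from constructed web-proxy log lines: a 302 from a lure domain to a different landing domain, followed by requests to that landing domain that carry OneDrive branding without being a legitimate OneDrive host. The log format, the `ONEDRIVE_HOSTS` allowlist and the sample lines are assumptions; the two domains are the ones quoted in the article, kept defanged as on the page.

```python
from urllib.parse import urlparse

# Assumed allowlist of hosts that may legitimately present OneDrive branding.
ONEDRIVE_HOSTS = {"onedrive.live.com", "1drv.ms"}
BRAND = "onedrive"

# Constructed proxy log lines (not real telemetry):
# <timestamp> <client> <method> <url> <status> <Location-or-dash>
PROXY_LOG = """\
2025-04-28T09:14:02Z 10.0.0.21 GET http://drivepoint[dot]pub/invite/1732 302 https://cloud1dv[dot]com/onedrive/login
2025-04-28T09:14:03Z 10.0.0.21 GET https://cloud1dv[dot]com/onedrive/login 200 -
2025-04-28T09:14:04Z 10.0.0.21 GET https://cloud1dv[dot]com/onedrive/Report_Q2.exe 200 -
2025-04-28T09:20:11Z 10.0.0.34 GET https://onedrive.live.com/?id=abc 200 -
2025-04-28T09:22:45Z 10.0.0.40 GET http://example.org/news 302 https://example.org/news/
"""

def refang(s):
    """Restore '[dot]'-defanged indicators so URLs parse normally."""
    return s.replace("[dot]", ".")

def parse(log):
    """Yield (client, host, lowercased path, status, redirect target host) per line."""
    for line in log.splitlines():
        _ts, client, _method, url, status, loc = line.split()
        u = urlparse(refang(url))
        rhost = urlparse(refang(loc)).hostname if loc != "-" else None
        yield client, u.hostname, u.path.lower(), int(status), rhost

def find_lookalike_chains(log):
    """Return (client, lure_host, landing_host, kind) for brand-imitating landing pages
    reached through a cross-domain 302; kind is 'landing' or 'payload'."""
    redirects = {}  # (client, landing_host) -> lure_host
    alerts = []
    for client, host, path, status, rhost in parse(log):
        if status == 302 and rhost and rhost != host:
            redirects[(client, rhost)] = host   # remember the off-domain hop
            continue
        lure = redirects.get((client, host))
        brand_abuse = BRAND in host or BRAND in path
        if lure and brand_abuse and host not in ONEDRIVE_HOSTS:
            kind = "payload" if path.endswith((".exe", ".msi", ".zip")) else "landing"
            alerts.append((client, lure, host, kind))
    return alerts

if __name__ == "__main__":
    for alert in find_lookalike_chains(PROXY_LOG):
        print(alert)
```

Same-domain redirects and genuine OneDrive traffic produce no alert; the payload download from the lookalike host is reported as a separate, higher-severity hit.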

PRODAFT noted that RomCom uses an HTTP-based C2 server to communicate in an encrypted manner with its first-stage and last-stage variants, and that the operators manage their activity on the victim machine through a panel on that server.

“Through this panel, the Nebulous Mantis team can view victim connection details from their attacks, including the victim’s IP address, username, the campaign ID of the variant running on the victim device, its uptime, the connection status on the victim device, and operating system information,” according to the post. “Simultaneously, each infected machine and IP address is examined in detail, and information about the AV/EDR products used on the victim system, the victim’s domain details, and the victim’s market value is entered into the comment section.”

Through this C2 panel, Nebulous Mantis actors send various commands to the victim device while also managing functions like uploading files to and downloading files from the machine. The commands sent to each machine and the files retrieved from them remain stored on the C2.

Furthermore, the C2 panel provides operators with multiple template-based options to remotely control compromised devices. Commands can be sent to each victim device listed in the panel through various ready-made or editable templates. Administrators can select from pre-configured command templates or customize their own, with each function designed for a specific operational purpose.

Last week, PRODAFT identified two critical OS command injection vulnerabilities in mySCADA myPRO Manager, a widely used SCADA (supervisory control and data acquisition) management system. These flaws, discovered by PRODAFT’s research team, enable remote attackers to execute arbitrary commands, posing a significant risk to industrial control networks and potentially disrupting industrial operations.
