Nebulous Mantis hackers have deployed the RomCom RAT globally, targeting organizations.
Nebulous Mantis, also known as Cuba, STORM-0978, Tropical Scorpius, and UNC2596, is a Russian-speaking cyber espionage group that has been actively deploying the RomCom remote access trojan (RAT) in targeted campaigns since mid-2019.
The group primarily focuses on critical infrastructure, government agencies, political leaders, and organizations related to NATO.
Their operations are characterized by the use of spear-phishing emails containing weaponized document links to deliver RomCom, which is leveraged for espionage, lateral movement, and data theft.
Since mid-2022, Nebulous Mantis has shifted its spear-phishing campaigns to exclusively use RomCom, abandoning previous malware like Hancitor.
The group employs advanced evasion techniques, such as living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications.
Their infrastructure is highly dynamic, utilizing bulletproof hosting services like LuxHost and AEZA, with domains and C2 servers rotated monthly for persistence and stealth.
Key actors such as LARVA-290 play a critical role in acquiring and managing these ...
Copyright of this story belongs to gbhackers.