Full Report
Cyber threat intelligence firm PRODAFT detailed the Nebulous Mantis (a.k.a. Cuba, STORM-0978, Tropical Scorpius, UNC2596), a Russian-speaking cyber...

The post "Russian-linked Nebulous Mantis targets NATO, critical infrastructure with RomCom RAT" appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Nebulous Mantis
## Attribution & Identity
**Identification:** Highly sophisticated, Russian-speaking cyber espionage group.
**Aliases:** Cuba, STORM-0978, Tropical Scorpius, UNC2596.
**Known Associations:** The individual identified as LARVA-290 plays a critical IT admin role, procuring intrusion servers primarily via LuxHost and AEZA bulletproof hosting (BPH) services for the group's operations.
## Activity Summary
Nebulous Mantis has been active since mid-2019, primarily engaged in cyber espionage, often followed by data exfiltration and subsequent ransomware deployment (double extortion).
* **Recent Campaigns:** Actively conducting **spear-phishing** in ongoing attacks, reaching over 46 critical victims in roughly one month.
* **Ransomware Evolution:** Initially used **Cuba ransomware** (started Jan 2020). This was replaced by **Industrial Spy** after March 2022, and most recently, they have been using **Team Underground ransomware** since July 2023. Data exfiltration and subsequent encryption via ransomware/double extortion are noted as a major component of their post-2020 activities.
* **Data Leak Site (DLS):** Critically affected victims are currently being listed on Team Underground's DLS.
## Tactics, Techniques & Procedures
- **Initial Access:** Highly targeted spear-phishing emails delivering weaponized document links. They may leverage zero-day vulnerabilities during initial infection.
- **Execution & Persistence:** Delivery of the **RomCom RAT** for initial foothold, espionage, and lateral movement.
- **Post-Exploitation:** Extensive use of **Living-Off-The-Land (LOTL)** tactics.
- **Evasion:** Employs advanced evasion techniques and uses encrypted command and control (C2) communications.
- **Infrastructure Management:** Continuously evolves infrastructure, rotating domains monthly and leveraging bulletproof hosting (BPH) services.
- **Data Exfiltration:** Gathers critical information and uploads it to C2 servers before deploying ransomware.
- **Lateral Movement:** Documented use of RomCom for lateral movement.
- **MITRE ATT&CK Coverage (Inferred):** Initial Access (Spearphishing), Execution, Persistence, Lateral Movement, C2.
## Targeting
**Sectors:** Critical infrastructure, government agencies, political leaders, and NATO-related defense organizations.
**Geography:** Not explicitly detailed, but the group is identified as Russian-speaking.
**Victims:** Over 46 critical victims identified in approximately one month across ongoing campaigns.
## Tools & Infrastructure
**Malware Families Used:**
* **RAT/Backdoor:** RomCom (used since mid-2022 for espionage and ransomware activities).
* **Loader:** Hancitor.
* **Ransomware Pre-2022:** Cuba ransomware.
* **Ransomware Post-March 2022:** Industrial Spy.
* **Ransomware Current (since July 2023):** Team Underground ransomware.
**Infrastructure:**
* **C2 Communication:** HTTP-based C2 server used by RomCom, managed via a sophisticated C2 panel that collects victim details (IP, username, AV/EDR, market value).
* **Bulletproof Hosting (BPH):** LuxHost and AEZA are used for procuring C2 servers and intrusion servers.
* **RomCom Delivery Chain Example:** Redirects users to domains resembling OneDrive (e.g., drivepoint[.]pub to cloud1dv[.]com).
## Implications
Nebulous Mantis is a persistent and evolving threat focused on geopolitical espionage, increasingly monetizing access through complex, multi-stage ransomware operations (double extortion). Their reliance on sophisticated custom malware (RomCom) combined with LOTL techniques, encrypted C2, and reliable BPH services makes them difficult to detect and attribute definitively. The group’s IT administrator (LARVA-290) ensures robust infrastructure management.
## Mitigations
- Implement robust email security controls to defend against spear-phishing, particularly vetting links that point to file-sharing services or to sites resembling login pages.
- Monitor for LOTL execution techniques post-initial compromise.
- Enhance network monitoring for encrypted C2 traffic patterns.
- Focus detection efforts around the identified malware families (RomCom, Hancitor, Cuba/Industrial Spy/Team Underground ransomware variants).
- Be aware of infrastructure sourced from LuxHost and AEZA BPH services.
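One way to operationalise the delivery-chain pattern described under Tools & Infrastructure (look-alike file-sharing domains redirecting to one another) together with the first mitigation is to screen proxy logs for such hosts. This is an added illustration in Python, not PRODAFT's code or the report's own detection logic; the log layout, the allowlist, the keyword list and the sample log lines are assumptions constructed for the example, with only the two domains taken from the report.

```python
"""Flag file-sharing look-alike hosts and redirect hops between them in proxy logs."""
import re
from urllib.parse import urlparse

# Legitimate file-sharing suffixes (assumed, partial allowlist; extend per environment).
ALLOWED_SUFFIXES = ("onedrive.live.com", "sharepoint.com", "1drv.ms", "microsoft.com")
# Tokens attackers reuse so a domain reads like a cloud/file-sharing service (assumed list).
LOOKALIKE_TOKENS = ("onedrive", "drive", "cloud", "share", "office")
# Digits commonly substituted for letters, e.g. 0nedrive or cloud1dv.
LEET = str.maketrans("01345", "olaes")
# Assumed log layout: timestamp client url status redirect-location ("-" when none).
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def is_allowed(host: str) -> bool:
    # Match the suffix on a label boundary so "evil-microsoft.com" is not allowed.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def is_lookalike(url: str) -> bool:
    """True when the host is off the allowlist yet carries a file-sharing token."""
    host = host_of(url)
    if not host or is_allowed(host):
        return False
    normalised = host.translate(LEET)  # undo digit-for-letter substitutions
    return any(token in normalised for token in LOOKALIKE_TOKENS)

def suspicious_chains(log: str) -> list:
    """Return (client, from_host, to_host) for every 3xx hop between look-alike hosts."""
    hits = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, url, status, location = match.groups()
        if status.startswith("3") and is_lookalike(url) and is_lookalike(location):
            hits.append((client, host_of(url), host_of(location)))
    return hits

# Constructed sample log; the two look-alike domains are the ones named in the report.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 https://drivepoint.pub/doc 302 https://cloud1dv.com/login
2024-05-01T10:00:02Z 10.0.0.5 https://cloud1dv.com/login 200 -
2024-05-01T10:01:00Z 10.0.0.8 https://contoso-my.sharepoint.com/personal/x 200 -
2024-05-01T10:02:00Z 10.0.0.9 https://news.example.org/a 301 https://news.example.org/b
"""

if __name__ == "__main__":
    for client, src, dst in suspicious_chains(SAMPLE_LOG):
        print(f"{client}: look-alike redirect {src} -> {dst}")
```

The token list is deliberately broad and will need tuning against your own traffic; the value is in surfacing the redirect hop between two off-allowlist hosts, which is the pattern the report describes.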