{ "id": "f5429de8-fd74-4069-accc-3ff6b9fabfe2", "created_at": "2026-04-06T00:15:44.339692Z", "updated_at": "2026-04-10T03:36:23.206379Z", "deleted_at": null, "sha1_hash": "85211c893485c0a89d6638168239b08cc1eb75cf", "title": "Tropical Scorpius, RomCom - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59907, "plain_text": "Tropical Scorpius, RomCom - Threat Group Cards: A Threat\r\nActor Encyclopedia\r\nArchived: 2026-04-05 19:16:53 UTC\r\nHome \u003e List all groups \u003e Tropical Scorpius, RomCom\r\n APT group: Tropical Scorpius, RomCom\r\nNames\r\nTropical Scorpius (Palo Alto)\r\nRomCom (Palo Alto)\r\nVoid Rabisu (Trend Micro)\r\nDEV-0978 (Microsoft)\r\nStorm-0671 (Microsoft)\r\nStorm-0978 (Microsoft)\r\nUNC2596 (Mandiant)\r\nCIGAR (Mandiant)\r\nUAC-0180 (CERT-UA)\r\nTA829 (Proofpoint)\r\nCountry Russia\r\nMotivation Information theft and espionage, Financial gain\r\nFirst seen 2019\r\nDescription\r\n(Palo Alto) The most recent Unit 42 Ransomware Threat Report includes\r\nobservations of Cuba Ransomware impacting 33 organizations. As of July 2022,\r\nTropical Scorpius has used Cuba Ransomware to impact 27 additional organizations\r\nacross multiple vectors, such as Professional and Legal Services, State and Local\r\nGovernment, Manufacturing, Transportation and Logistics, Wholesale and Retail,\r\nReal Estate, Financial Services, Health Care, High Technology, Utilities and Energy,\r\nConstruction, and Education. A total of 60 organizations were exposed by this\r\nransomware gang on its leak site since the group first surfaced in 2019.\r\nObserved\r\nSectors: Construction, Education, Energy, Financial, Government, Healthcare, High-Tech, Manufacturing, Shipping and Logistics, Transportation.\r\nTools used Cuba, Industrial Spy, ROMCOM RAT, Underground.\r\nOperations performed Jul 2022 Unattributed RomCom Threat Actor Spoofing Popular Apps Now\r\nHits Ukrainian Militaries\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8e23fbaa-47d5-4fce-8b85-9fbb9aeecd87\r\nPage 1 of 2\n\nNov 2022\nRomCom Threat Actor Abuses KeePass and SolarWinds to Target\nUkraine and Potentially the United Kingdom\nFeb 2023\nVoid Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in\nThreat Actors’ Goals\nJun 2023\nStorm-0978 attacks reveal financial and espionage motives\nJun 2023\nVoid Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant\nJul 2023\nRomCom Threat Actor Suspected of Targeting Ukraine's NATO\nMembership Talks at the NATO Summit\nOct 2024\nRomCom exploits Firefox and Windows zero days in the wild\nInformation\nLast change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8e23fbaa-47d5-4fce-8b85-9fbb9aeecd87\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8e23fbaa-47d5-4fce-8b85-9fbb9aeecd87\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8e23fbaa-47d5-4fce-8b85-9fbb9aeecd87" ], "report_names": [ "showcard.cgi?u=8e23fbaa-47d5-4fce-8b85-9fbb9aeecd87" ], "threat_actors": [ { "id": "fecc0d5a-3654-425d-9290-b6d0b4105463", "created_at": "2023-10-17T02:00:08.330061Z", "updated_at": "2026-04-10T02:00:03.37711Z", "deleted_at": null, "main_name": "Void Rabisu", "aliases": [ "Tropical Scorpius" ], "source_name": "MISPGALAXY:Void Rabisu", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "555e2cac-931d-4ad4-8eaa-64df6451059d", "created_at": "2023-01-06T13:46:39.48103Z", "updated_at": "2026-04-10T02:00:03.342729Z", "deleted_at": null, "main_name": "RomCom", "aliases": [ "UAT-5647", "Storm-0978" ], "source_name": "MISPGALAXY:RomCom", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d58052ba-978b-4775-985a-26ed8e64f98c", "created_at": "2023-09-07T02:02:48.069895Z", "updated_at": "2026-04-10T02:00:04.946879Z", "deleted_at": null, "main_name": "Tropical Scorpius", "aliases": [ "DEV-0978", "RomCom", "Storm-0671", "Storm-0978", "TA829", "Tropical Scorpius", "UAC-0180", "UNC2596", "Void Rabisu" ], "source_name": "ETDA:Tropical Scorpius", "tools": [ "COLDDRAW", "Cuba", "Industrial Spy", "PEAPOD", "ROMCOM", "ROMCOM RAT", "SingleCamper", "SnipBot" ], "source_id": "ETDA", "reports": null }, { "id": "4f56bb34-098d-43f6-a0e8-99616116c3ea", "created_at": "2024-06-19T02:03:08.048835Z", "updated_at": "2026-04-10T02:00:03.870819Z", "deleted_at": null, "main_name": "GOLD FLAMINGO", "aliases": [ "REF9019 ", "Tropical Scorpius ", "UAC-0132 ", "UAC0132 ", "UNC2596 ", "Void Rabisu " ], "source_name": "Secureworks:GOLD FLAMINGO", "tools": [ "Chanitor", "Cobalt Strike", "Cuba", "Meterpreter", "Mimikatz", "ROMCOM RAT" ], "source_id": "Secureworks", "reports": null }, { "id": "1cffd968-e48d-4167-9fd3-43ca4d996984", "created_at": "2026-02-04T02:00:03.71488Z", "updated_at": "2026-04-10T02:00:03.955323Z", "deleted_at": null, "main_name": "TA829", "aliases": [], "source_name": "MISPGALAXY:TA829", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434544, "ts_updated_at": 1775792183, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/85211c893485c0a89d6638168239b08cc1eb75cf.pdf", "text": "https://archive.orkl.eu/85211c893485c0a89d6638168239b08cc1eb75cf.txt", "img": "https://archive.orkl.eu/85211c893485c0a89d6638168239b08cc1eb75cf.jpg" } }