Tropical Scorpius, RomCom - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 19:16:53 UTC

APT group: Tropical Scorpius, RomCom

Names:
- Tropical Scorpius (Palo Alto)
- RomCom (Palo Alto)
- Void Rabisu (Trend Micro)
- DEV-0978 (Microsoft)
- Storm-0671 (Microsoft)
- Storm-0978 (Microsoft)
- UNC2596 (Mandiant)
- CIGAR (Mandiant)
- UAC-0180 (CERT-UA)
- TA829 (Proofpoint)

Country: Russia

Motivation: Information theft and espionage, Financial gain

First seen: 2019

Description:
(Palo Alto) The most recent Unit 42 Ransomware Threat Report includes observations of Cuba Ransomware impacting 33 organizations. As of July 2022, Tropical Scorpius has used Cuba Ransomware to impact 27 additional organizations across multiple vectors, such as Professional and Legal Services, State and Local Government, Manufacturing, Transportation and Logistics, Wholesale and Retail, Real Estate, Financial Services, Health Care, High Technology, Utilities and Energy, Construction, and Education. A total of 60 organizations were exposed by this ransomware gang on its leak site since the group first surfaced in 2019.

Observed sectors: Construction, Education, Energy, Financial, Government, Healthcare, High-Tech, Manufacturing, Shipping and Logistics, Transportation.

Tools used: Cuba, Industrial Spy, ROMCOM RAT, Underground.

Operations performed:
- Jul 2022: Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries
- Nov 2022: RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom
- Feb 2023: Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals
- Jun 2023: Storm-0978 attacks reveal financial and espionage motives
- Jun 2023: Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
- Jul 2023: RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit
- Oct 2024: RomCom exploits Firefox and Windows zero days in the wild

Information:
Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8e23fbaa-47d5-4fce-8b85-9fbb9aeecd87