{
	"id": "3ef7d85f-f8c8-4f54-9f84-de1c6a1c99c8",
	"created_at": "2026-04-06T00:11:30.553185Z",
	"updated_at": "2026-04-10T03:30:34.104435Z",
	"deleted_at": null,
	"sha1_hash": "beff910973496a9157e61056f37f6c039e860cbb",
	"title": "Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 684515,
	"plain_text": "Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks\r\nBy The Hacker News\r\nPublished: 2025-04-30 · Archived: 2026-04-05 19:48:59 UTC\r\nCybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis that has deployed a remote access trojan known as RomCom RAT since mid-2022.\r\nRomCom \"employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure – leveraging bulletproof hosting to maintain persistence and evade detection,\" Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News.\r\nNebulous Mantis, also tracked by the cybersecurity community under the names CIGAR, Cuba, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, is known to target critical infrastructure, government agencies, political leaders, and NATO-related defense organizations.\r\nAttack chains mounted by the group typically involve the use of spear-phishing emails with weaponized document links to distribute RomCom RAT. The domains and command-and-control (C2) servers used in these campaigns have been hosted on bulletproof hosting (BPH) services like LuxHost and Aeza. The infrastructure is managed and procured by a threat actor named LARVA-290.\r\nhttps://thehackernews.com/2025/04/nebulous-mantis-targets-nato-linked.html\r\nPage 1 of 4\r\nThe threat actor is assessed to be active since at least mid-2019, with earlier iterations of the campaign delivering a malware loader codenamed Hancitor.\r\nThe first-stage RomCom DLL is designed to connect to a C2 server and download additional payloads using the InterPlanetary File System (IPFS) hosted on attacker-controlled domains, execute commands on the infected host, and execute the final-stage C++ malware.\r\nThe final variant also establishes communications with the C2 server to run commands, as well as download and execute more modules that can steal web browser data.\r\n\"The threat actor executes tzutil command to identify the system's configured time zone,\" PRODAFT said. \"This system information discovery reveals geographic and operational context that can be used to align attack activities with victim working hours or to evade certain time-based security controls.\"\r\nRomCom, besides manipulating the Windows Registry to set up persistence using COM hijacking, is equipped to harvest credentials, perform system reconnaissance, enumerate Active Directory, conduct lateral movement, and collect data of interest, including files, credentials, configuration details, and Microsoft Outlook backups.\r\nRomCom variants and victims are managed by means of a dedicated C2 panel, allowing the operators to view device details and issue over 40 commands remotely to carry out a variety of data-gathering tasks.\r\n\"Nebulous Mantis operates as a sophisticated threat group employing a multi-phase intrusion methodology to gain initial access, execution, persistence, and data exfiltration,\" the company said.\r\n\"Throughout the attack lifecycle, Nebulous Mantis exhibits operational discipline in minimizing their footprint, carefully balancing aggressive intelligence collection with stealth requirements, suggesting either state-sponsored backing or professional cybercriminal organization with significant resources.\"\r\nThe disclosure comes weeks after PRODAFT exposed a ransomware group named Ruthless Mantis (aka PTI-288) that specializes in double extortion by collaborating with affiliate programs, such as Ragnar Locker, INC Ransom, and others.\r\nLed by a threat actor dubbed LARVA-127, the financially motivated group utilizes an array of legitimate and custom tools to facilitate each and every phase of the attack cycle: discovery, persistence, privilege escalation, defense evasion, credential harvesting, lateral movement, and C2 frameworks like Brute Ratel c4 and Ragnar Loader.\r\n\"Although Ruthless Mantis is composed of highly experienced core members, they also actively integrate newcomers to continually enhance the effectiveness and speed of their operations,\" it said.\r\n\"Ruthless Mantis has significantly expanded its arsenal of tools and methods, providing them with state-of-the-art resources to streamline processes and boost operational efficiency.\"\r\nRomCom Campaign Targets U.K. Orgs\r\nU.K.-based cybersecurity company Bridewell said it discovered a new campaign orchestrated by the RomCom threat actor that involved using externally facing customer feedback portals to submit phishing emails to two of its customers in the retail and hospitality, and CNI sectors.\r\n\"Contained within the feedback forms were user complaints pertaining to events facilities operated by the target or recruitment enquiries, including links to further information supporting the complaints stored on Google Drive and Microsoft OneDrive impersonation domains hosted on threat actor-controlled VPS infrastructure,\" researchers Joshua Penny and Yashraj Solanki said.\r\nThe campaign, codenamed Operation Deceptive Prospect, is said to have been ongoing since 2024, with the attack chain leading to the deployment of an executable downloader masquerading as a PDF document.\r\n\"The name of the signature further supports our hypothesis that there is technical overlap with RomCom from a tooling perspective as well,\" the researchers added.\r\nSource: https://thehackernews.com/2025/04/nebulous-mantis-targets-nato-linked.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2025/04/nebulous-mantis-targets-nato-linked.html"
	],
	"report_names": [
		"nebulous-mantis-targets-nato-linked.html"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019",
				"Tropical Scorpius",
				"UAC-0132",
				"UAC0132",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434290,
	"ts_updated_at": 1775791834,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/beff910973496a9157e61056f37f6c039e860cbb.pdf",
		"text": "https://archive.orkl.eu/beff910973496a9157e61056f37f6c039e860cbb.txt",
		"img": "https://archive.orkl.eu/beff910973496a9157e61056f37f6c039e860cbb.jpg"
	}
}