Cybersecurity researchers are shedding light on a Russian-speaking cyberspy group called Nebulus Mantis, who has deployed a remote access trojan horse called Romcomrat since mid-2022.
ROMCOM “also employs advanced evasion techniques, including Living-The-Alland (LOTL) tactics and encrypted command and control (C2) communications, but will continue to evolve its infrastructure.
The ambiguous mantis tracked by the cybersecurity community in the names of Cigar, Cuba, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and the invalid Ravis tribe, is known to target critical infrastructure, government agencies, political leaders, and defense organizations associated with NATO.
Attack chains attached to the group usually include the use of spear phishing emails using weaponized document links to distribute Romcom rats. The domains and command and control (C2) servers used in these campaigns are hosted on BulletProof Hosting (BPH) services such as Luxhost and Aeza. The infrastructure is managed and procured by a threat actor named Larva-290.
Threat actors have been rated active since at least mid-2019, and previous iterations of the campaign have been given the codename Hancitor by the malware loader.
The one-stage ROMCOM DLL is designed to connect to a C2 server, download additional payloads using an interplanetary file system (IPFS) hosted in an attacker-controlled domain, execute commands on the infected host, and run the final stage C++ malware.
The final variant will establish communication with the C2 server and run commands, download and run more modules that can steal web browser data.
“Threat actors run the Tzutil command to identify the configured time zone of the system,” Prodaft said. “This discovery of system information reveals the geographic and operational context that can be used to align attack activity with the victim’s working hours or to circumvent certain time-based security controls.”
In addition to working with Windows Registry to set up persistence using Com Hijacking, ROMCOM is equipped to collect entitlements, perform system reconnaissance, enumerate active directories, make horizontal movements, and collect data of interest, including files, credentials, configuration details, and Microsoft Outlook backups.
The Romcom variants and victims are managed by a dedicated C2 panel, allowing operators to view device details and remotely issue over 40 commands to perform a variety of data collection tasks.
“The ambiguous Mantis acts as a sophisticated threat group employing a multiphase intrusion methodology, gaining initial access, execution, persistence and data removal,” the company said.
“Through the attack lifecycle, ambiguous mantis minimizes footprint, carefully balanced offensive intelligence collections and stealth requirements, suggesting key resources for state-sponsored backing or professional cybercrime organisations.”
This disclosure comes weeks after Prodaft exposed a ransomware group named Ruthless Mantis (aka PTI-288), and specializes in double horror by collaborating with affiliate programs such as Ragnar Locker and Inc Ransom.
The financially motivated threat actor, led by a threat actor called the Larva-127, utilizes a set of legal and custom tools to promote every stage of the attack cycle: discovery, persistence, privilege escalation, authority harvesting, lateral movement, C2 frameworks like Blue Tratel C4, Ragnar Loader.
“The ruthless Mantis is made up of experienced core members, but will actively integrate newcomers to continuously improve the effectiveness and speed of the business.”
“The ruthless Mantis offers cutting-edge resources to significantly expand the weapons of tools and methods, streamline processes and increase operational efficiency.”
The Romcom campaign targets UK organizations
Bridewell, a UK-based cybersecurity company, said a new campaign has been discovered, organized by threat actors at ROMCOM. It used an externally facing customer feedback portal to send phishing emails to two customers, retail and hospitality, and submitted the CNI sector.
“The feedback form includes user complaints about event facilities run by target or recruitment enquiries, including links to further information to support complaints stored on Google Drive, and the impersonation domain of Microsoft Onedrive, which hosted the threat actor-controlled VPS infrastructure, was hosted by researchers Joshua Penny and Yashraj Solanki.
The campaign called CodeNeame Operation Deceptive’s lead is said to have been ongoing since 2024. Attack chains lead to the deployment of executable downloaders spoofed as PDF documents.
“The signature name further supports the hypothesis that there is technical overlap with Romcom from a tool perspective,” the researchers added.
