Multi-stage malware attacks launched by Nebulous Mantis APT

Critical infrastructure, government, and defense organizations in the U.S. and other NATO member countries have been targeted by the Russian cyberespionage operation Nebulous Mantis, also tracked as Storm-0978, UNC2596, Cuba, and Tropical Scorpius, in multi-stage intrusions deploying the RomCom malware since mid-2022, reports Security Affairs.

Attacks by Nebulous Mantis impersonate OneDrive and other trusted services to lure victims into downloading the RomCom malware, which then enables system profiling, Active Directory/domain enumeration, and credential compromise, according to an analysis from PRODAFT.
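The impersonation of OneDrive described above is the kind of lure a web-proxy or DNS log can surface: a hostname that borrows a trusted brand name but does not resolve under the brand's legitimate registered domain. The following detection script is an added example written for this page, not code from PRODAFT, Security Affairs, or SC Media; the brand tokens, the allowlist of legitimate domains, the log format, and the sample log lines are all constructed assumptions to be tuned for a real environment, and none of the hostnames are published indicators.

```python
# Added example (not from the original article): flag hostnames in proxy logs
# that imitate a trusted brand (here OneDrive/SharePoint) without belonging to
# an allow-listed legitimate registered domain.
# Brand tokens, allowlist, log format and sample lines are constructed
# assumptions, not indicators published by PRODAFT or Security Affairs.
import re
from typing import Dict, List, Optional

# Tokens a lure might borrow to look like a trusted file-sharing service.
BRAND_TOKENS = ("onedrive", "1drv", "sharepoint")

# Assumed legitimate registered domains for those brands; extend for your estate.
ALLOWED_DOMAINS = {"onedrive.com", "live.com", "1drv.ms", "sharepoint.com", "microsoft.com"}

# Constructed proxy-log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_from_url(url: str) -> Optional[str]:
    """Extract the hostname from a URL, lower-cased; None if it has no scheme."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def looks_like_brand_impersonation(host: str) -> bool:
    """True when the name carries a brand token but its registered domain is not allow-listed.

    This also catches the subdomain trick (onedrive.live.com.<attacker-domain>),
    because only the registered domain is compared against the allowlist.
    """
    has_token = any(tok in host for tok in BRAND_TOKENS)
    return has_token and registered_domain(host) not in ALLOWED_DOMAINS


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose destination host impersonates a brand."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash the scan
        ts, client, _method, url, _status = m.groups()
        host = host_from_url(url)
        if host and looks_like_brand_impersonation(host):
            findings.append({"ts": ts, "client": client, "host": host, "url": url})
    return findings


# Constructed sample log lines (not real traffic or published IoCs).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://onedrive.live.com/download?id=1 200",
    "2024-05-01T10:00:09Z 10.0.0.5 GET https://onedrive-share.example-lure.test/Setup.exe 200",
    "2024-05-01T10:01:15Z 10.0.0.7 GET https://1drv.ms/u/s!abc 302",
    "2024-05-01T10:02:30Z 10.0.0.9 GET http://files.sharepoint-docs.invalid/login 200",
    "2024-05-01T10:02:45Z 10.0.0.9 GET https://onedrive.live.com.attacker-controlled.test/x 200",
    "2024-05-01T10:03:00Z 10.0.0.9 GET https://www.example.com/ 200",
    "garbage line that does not match the layout",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> suspicious host {f['host']} ({f['url']})")
```

On the constructed sample the scan reports three hosts: the hyphenated lookalike, the `sharepoint-docs` lure, and the subdomain-padded `onedrive.live.com.attacker-controlled.test`, while genuine `onedrive.live.com` and `1drv.ms` requests pass. The registered-domain check is deliberately naive; in production, replace it with a public-suffix-aware library so that multi-label suffixes such as `co.uk` are handled correctly.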

Nebulous Mantis then leverages the obtained data to spread ransomware payloads: Team Underground has been used since July 2023, following initial use of Cuba ransomware beginning in March 2022. Researchers noted that these findings point to the sophisticated nature of Nebulous Mantis.

"Throughout the attack lifecycle, Nebulous Mantis exhibits operational discipline in minimizing their footprint, carefully balancing aggressive intelligence collection with stealth requirements, suggesting either state-sponsored backing or a professional cybercriminal organization with significant resources," said PRODAFT researchers.
