Critical infrastructure, government, and defense organizations in the U.S. and other NATO member countries have been targeted since mid-2022 by the Russian cyberespionage operation Nebulous Mantis, also tracked as Storm-0978, UNC2596, Cuba, and Tropical Scorpius, in multi-stage intrusions that deploy the RomCom malware, reports Security Affairs.
Attacks by Nebulous Mantis involve the impersonation of OneDrive and other trusted services to facilitate the download of the RomCom malware, which enables system profiling, Active Directory/domain enumeration, and credential compromise, according to an analysis from PRODAFT.
Nebulous Mantis then uses the collected data to deploy ransomware payloads, relying on Team Underground ransomware since July 2023 after initially using Cuba ransomware beginning in March 2022. Researchers said these findings point to the group's sophistication.
"Throughout the attack lifecycle, Nebulous Mantis exhibits operational discipline in minimizing their footprint, carefully balancing aggressive intelligence collection with stealth requirements, suggesting either state-sponsored backing or professional cybercriminal organization with significant resources," said PRODAFT researchers.