
Nebulous Mantis Deploys RomCom Malware on NATO Targets


A covert Russian-speaking cyber espionage group, dubbed Nebulous Mantis, is stepping up its game by targeting NATO-affiliated organizations with a complex, multi-stage malware campaign powered by the RomCom remote access trojan (RAT). Active since at least mid-2019, the group has evolved its toolkit and infrastructure to evade detection and maximize impact.

According to a new report from Swiss cybersecurity firm PRODAFT, the RomCom RAT has been in active use since mid-2022. This malware isn’t just your typical trojan—it employs stealthy living-off-the-land (LOTL) techniques, encrypted communications, and infrastructure built to resist takedown efforts, including bulletproof hosting.

The group, also tracked under aliases like Storm-0978, Tropical Scorpius, Void Rabisu, and Cuba, focuses its campaigns on critical targets such as government agencies, political figures, and defense organizations linked to NATO. Their go-to strategy? Spear-phishing emails carrying infected document links, cleverly disguised to trick recipients into triggering the infection.

A Look Inside the RomCom Infection Chain

The initial stage involves a malicious DLL that quietly connects to a command-and-control (C2) server. From there, it pulls additional payloads via the InterPlanetary File System (IPFS)—a decentralized hosting method favored for its resilience. Once embedded in the victim’s system, RomCom executes C++ malware designed for deeper infiltration.

RomCom’s capabilities stretch far beyond simple data theft. The malware runs system commands, queries the victim’s time zone with the built-in tzutil utility (so that operator activity can be aligned with local working hours), and uses the Windows Registry to maintain persistent access. It also performs Active Directory enumeration, lateral movement, and credential theft. Among its most concerning features is the ability to extract sensitive files, browser data, system configurations, and Microsoft Outlook backups.
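The behaviours described above (time-zone discovery via tzutil, Registry persistence, payload retrieval over IPFS) are individually noisy but distinctive in combination. The following detection sketch is an added example, not code from PRODAFT or the article: it correlates constructed EDR-style events per host and flags any process that shows at least two of the three behaviours. The rundll32.exe parent, the `/g` switch, the public IPFS gateway list and the HKCU Run key are assumptions for illustration, not indicators reported for this campaign.

```python
from collections import defaultdict

# Assumed indicator sets (illustrative, not taken from the report):
# common public IPFS gateways, the per-user Run key, and parents from
# which an interactive tzutil call would be unremarkable.
IPFS_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com"}
RUN_KEY = r"software\microsoft\windows\currentversion\run"
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# Constructed sample telemetry in a generic EDR-export shape (not real data).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "pid": 4120, "ppid": 3000, "image": "rundll32.exe"},
    {"host": "ws01", "type": "process", "pid": 4188, "ppid": 4120, "image": "tzutil.exe",
     "cmdline": "tzutil /g", "parent_image": "rundll32.exe"},
    {"host": "ws01", "type": "registry", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws01", "type": "network", "pid": 4120, "dest": "ipfs.io"},
    # Benign: an administrator checks the time zone from an interactive shell.
    {"host": "ws02", "type": "process", "pid": 910, "ppid": 880, "image": "tzutil.exe",
     "cmdline": "tzutil /g", "parent_image": "cmd.exe"},
    {"host": "ws02", "type": "network", "pid": 880, "dest": "update.microsoft.com"},
]


def correlate(events, threshold=2):
    """Return {(host, pid): sorted indicator names} for every process that
    shows at least `threshold` of the three behaviours on one host."""
    hits = defaultdict(set)
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process" and ev["image"].lower() == "tzutil.exe":
            # Attribute the time-zone query to the parent that spawned it;
            # only a non-interactive parent makes it worth a second look.
            if ev.get("parent_image", "").lower() not in INTERACTIVE_PARENTS:
                hits[(host, ev["ppid"])].add("tzutil_from_noninteractive_parent")
        elif kind == "registry" and RUN_KEY in ev["key"].lower():
            hits[(host, ev["pid"])].add("run_key_persistence")
        elif kind == "network" and ev["dest"].lower() in IPFS_GATEWAYS:
            hits[(host, ev["pid"])].add("ipfs_gateway_contact")
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (host, pid), indicators in correlate(SAMPLE_EVENTS).items():
        print(f"{host} pid={pid}: {', '.join(indicators)}")
```

Raising `threshold` to 3 trades recall for precision; in practice the gateway list and parent allow-list should be tuned to the environment's own baseline.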

All infected endpoints are managed through a centralized C2 dashboard, allowing threat actors to send more than 40 different commands remotely—each designed to harvest data, maintain control, or expand their access within targeted networks.

Behind the Scenes: Infrastructure and Actor Profiles

Much of the backend infrastructure supporting Nebulous Mantis operations—such as domain management and server procurement—is controlled by a threat actor identified as LARVA-290. These services are often hosted on bulletproof providers like LuxHost and Aeza, which help maintain long-term access by dodging takedown attempts.

The meticulous nature of these campaigns, combined with the use of evasive tactics and complex malware layers, points to a highly resourced group. Analysts suggest that Nebulous Mantis could be state-sponsored or part of a professional cybercrime network operating with strategic intent.

A Broader Picture: Ruthless Mantis and Expanding Threat Landscapes

This revelation comes shortly after PRODAFT also unmasked another threat group—Ruthless Mantis, known for its double extortion tactics in ransomware attacks. Operating under the command of LARVA-127, this financially motivated gang partners with criminal affiliate programs like Ragnar Locker and INC Ransom, using sophisticated frameworks such as Brute Ratel C4 and Ragnar Loader to breach systems.

Unlike many ransomware crews, Ruthless Mantis merges veteran hackers with newer recruits, continuously refining its attack chains. From initial access to data exfiltration, they leverage a mix of commercial and custom tools to streamline operations and enhance speed.

Together, these Mantis groups exemplify the evolving threat landscape—one where cyber warfare is not just persistent, but deeply strategic. With overlapping infrastructures and specialized malware arsenals, they blur the lines between espionage and financially driven cybercrime, making them a critical focus for global defense and cybersecurity efforts.
