RomCom
APT Group
Financial gain
Information theft and espionage
31 zero-day CVEs
ETDA ✓
Also Known As 2 names
Storm-0978
UAT-5647
Target Countries 16
Azerbaijan
Brazil
Canada
Cameroon
Germany
Spain
France
United Kingdom
Japan
Republic of Korea
Philippines
Poland
Singapore
Taiwan
Ukraine
United States
Sectors Targeted (NAICS code)
Independent Artists, Writers, and Performers (7115)
Engineering Services (54133)
Periodical Publishers (51112)
Computer Systems Design and Related Services (54151)
Computer Systems Design and Related Services (5415)
Finance and Insurance (52)
Computer Systems Design Services (541512)
Human Resources Consulting Services (541612)
Details
Origin
RU (Russia)
Last Updated
12 Nov 2022
Malware Families 4
romcom_rat
win.slip_screen
win.rusty_claw
win.dynamichttp
MITRE ATT&CK 124
T1003 - OS Credential Dumping
T1005 - Data from Local System
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1021.001 - Remote Desktop Protocol
T1021.002 - SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.002 - Software Packing
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1036.005 - Match Legitimate Name or Location
T1041 - Exfiltration Over C2 Channel
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1055 - Process Injection
T1056 - Input Capture
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.007 - JavaScript
T1068 - Exploitation for Privilege Escalation
T1069 - Permission Groups Discovery
T1070 - Indicator Removal on Host
T1070.001 - Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1072 - Software Deployment Tools
T1074 - Data Staged
T1078 - Valid Accounts
T1078.003 - Local Accounts
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1090 - Proxy
T1095 - Non-Application Layer Protocol
T1098 - Account Manipulation
T1102 - Web Service
T1102.001 - Dead Drop Resolver
T1102.002 - Bidirectional Communication
T1105 - Ingress Tool Transfer
T1106 - Native API
T1110 - Brute Force
T1112 - Modify Registry
T1113 - Screen Capture
T1132.001 - Standard Encoding
T1133 - External Remote Services
T1135 - Network Share Discovery
T1136.001 - Local Account
T1140 - Deobfuscate/Decode Files or Information
T1176 - Browser Extensions
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1199 - Trusted Relationship
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - Malicious File
T1210 - Exploitation of Remote Services
T1217 - Browser Bookmark Discovery
T1218 - System Binary Proxy Execution
T1218.001 - Compiled HTML File
T1218.011 - Rundll32
T1219 - Remote Access Software
T1221 - Template Injection
T1482 - Domain Trust Discovery
T1486 - Data Encrypted for Impact
T1489 - Service Stop
T1490 - Inhibit System Recovery
T1495 - Firmware Corruption
T1497 - Virtualization/Sandbox Evasion
T1518 - Software Discovery
T1531 - Account Access Removal
T1543.003 - Windows Service
T1546 - Event Triggered Execution
T1546.015 - Component Object Model Hijacking
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1553 - Subvert Trust Controls
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1559 - Inter-Process Communication
T1559.002 - Dynamic Data Exchange
T1560 - Archive Collected Data
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1563 - Remote Service Session Hijacking
T1564 - Hide Artifacts
T1564.001 - Hidden Files and Directories
T1564.004 - NTFS File Attributes
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1569 - System Services
T1569.002 - Service Execution
T1571 - Non-Standard Port
T1572 - Protocol Tunneling
T1573 - Encrypted Channel
T1573.002 - Asymmetric Cryptography
T1574 - Hijack Execution Flow
T1574.001 - DLL Search Order Hijacking
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1584 - Compromise Infrastructure
T1587.001 - Malware
T1588 - Obtain Capabilities
T1588.001 - Malware
T1588.002 - Tool
T1588.005 - Exploits
T1588.006 - Vulnerabilities
T1598 - Phishing for Information
T1598.002 - Spearphishing Attachment
T1614 - System Location Discovery
TA0001 - Initial Access
TA0002 - Execution
TA0003 - Persistence
TA0005 - Defense Evasion
TA0009 - Collection
TA0010 - Exfiltration
TA0011 - Command and Control
TA0040 - Impact
TA0043 - Reconnaissance
Related Zero-Days 31
CVE-2013-3893
CVE-2020-1472
CVE-2021-40444
CVE-2022-24521
CVE-2022-30190
CVE-2023-36584
CVE-2023-36884
CVE-2023-38831
CVE-2023-46805
CVE-2024-21338
CVE-2024-21887
CVE-2024-29745
CVE-2024-29748
CVE-2024-32896
CVE-2024-3400
CVE-2024-38178
CVE-2024-44308
CVE-2024-44309
CVE-2024-49039
CVE-2024-53104
CVE-2024-8068
CVE-2024-9680
CVE-2025-25256
CVE-2025-29824
CVE-2025-43300
CVE-2025-4427
CVE-2025-54948
CVE-2025-6218
CVE-2025-7775
CVE-2025-8088
CVE-2025-8424