
Nebulous Mantis Launches Multi-Stage Malware Attacks on NATO-Linked Organizations

Key Takeaways

  • Nebulous Mantis (also known as CIGAR, Cuba, Storm-0978, Tropical Scorpius, UNC2596, Void Rabisu) is a Russian-speaking cyber espionage group active since at least 2019.
  • The group targets critical infrastructure, government agencies, political leaders, and NATO-related defense organizations.
  • Campaigns use spear-phishing emails with weaponized document links to deliver the RomCom RAT malware.
  • RomCom RAT relies on living-off-the-land (LOTL) tactics and encrypted C2 traffic for evasion, with its infrastructure hosted on bulletproof providers (LuxHost, Aeza) that resist takedown.
  • The malware executes a multi-stage payload delivery process, starting with a DLL that connects to C2, downloads further payloads via IPFS, and deploys a final-stage C++ module.
  • Capabilities include credential harvesting, system reconnaissance, Active Directory enumeration, lateral movement, data exfiltration, and Outlook backup theft.
  • The group demonstrates operational discipline, aligning attack timing with victim time zones and minimizing its footprint, suggesting state sponsorship or a highly professional operation.

Campaign Overview

Nebulous Mantis has been linked to a series of multi-stage malware attacks against organizations associated with NATO. The group is notable for its use of the RomCom RAT, which leverages advanced evasion techniques and a modular architecture to maximize persistence and stealth. Researchers at PRODAFT have documented the group’s evolving arsenal and operational discipline, highlighting its ability to blend living-off-the-land tactics with custom malware payloads. [1]

The group’s campaigns typically begin with spear-phishing emails containing links to weaponized documents. Once the victim opens the document and the initial RomCom DLL runs, it establishes a connection to a command-and-control (C2) server, downloads additional payloads via the InterPlanetary File System (IPFS), and executes a final-stage C++ malware module. This module allows for extensive data gathering and remote command execution on compromised systems.

Technical Details & Tactics

The Nebulous Mantis campaign demonstrates a high level of technical sophistication:

  • Infrastructure: Utilizes bulletproof hosting providers such as LuxHost and Aeza to evade takedown efforts and maintain persistent C2 infrastructure.
  • Evasion: Employs encrypted C2 communications, living-off-the-land binaries, and COM hijacking for persistence.
  • Reconnaissance: Executes system commands (e.g., tzutil) to determine the victim’s time zone so that follow-on activity can be scheduled during local working hours, where it blends into normal user traffic instead of tripping off-hours anomaly alerts.
  • Capabilities:
    • Credential harvesting and system reconnaissance
    • Active Directory enumeration and lateral movement
    • Data exfiltration, including files, credentials, configuration details, and Outlook backups
    • Over 40 remote commands supported via a dedicated C2 panel

These tactics, combined with disciplined operational security, enable Nebulous Mantis to conduct long-term, targeted espionage campaigns with minimal risk of detection. [1][2]

Nebulous Mantis is also tracked under several aliases, including CIGAR, Cuba, Storm-0978, Tropical Scorpius, UNC2596, and Void Rabisu. The group’s activities overlap with ransomware operations (notably Ruthless Mantis/PTI-288), suggesting a blend of espionage and financially motivated campaigns.

The infrastructure is managed by threat actors known as LARVA-290 and LARVA-127, who procure resources and facilitate multi-phase attacks. The group’s use of affiliate ransomware programs and custom tools further complicates attribution and defense.

Mitigation Recommendations

Based on the research, defenders should consider the following measures to reduce exposure to Nebulous Mantis campaigns:

  • Block known bulletproof hosting providers (e.g., LuxHost, Aeza) and monitor for related C2 infrastructure.
  • Employ behavioral detection for living-off-the-land tactics and unusual system commands (e.g., tzutil usage).
  • Harden email security to detect spear-phishing attempts and weaponized documents.
  • Monitor for suspicious persistence mechanisms, in particular COM hijacking: a per-user CLSID registration under HKCU\Software\Classes\CLSID whose InprocServer32 or LocalServer32 value points to a DLL in a user-writable directory will shadow the machine-wide HKLM registration of the same class, so such registry writes warrant an alert.
  • Conduct regular threat intelligence reviews to stay updated on evolving TTPs and IoCs associated with Nebulous Mantis.
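The behavioral checks the list above calls for, as an added example that is not code from PRODAFT’s or BlackBerry’s research: a small Python detection pass over constructed Sysmon-style and proxy-style events that flags tzutil time-zone reconnaissance launched from loader-type parents, per-user COM server registrations pointing at DLLs in user-writable directories, and payload retrieval through public IPFS gateways. The event field names, the set of suspicious parent processes, the gateway list and the assumption that IPFS content is fetched over HTTP from a public gateway (the article only says payloads come via IPFS, not how they are retrieved) are all assumptions of this example; the sample events, CLSID and CID are constructed, not real telemetry or indicators.

```python
"""Added example: heuristic detection over constructed Sysmon/proxy-style events.
Not PRODAFT's or BlackBerry's code; field names, allowlists and the assumption that
IPFS payloads arrive over HTTP from a public gateway are this example's own."""
import re

# Constructed sample telemetry (not real logs). Shapes loosely follow Sysmon
# event IDs 1 (process create), 13 (registry value set), 22 (DNS query),
# plus a web-proxy record so URL paths can be inspected.
SAMPLE_EVENTS = [
    # 1: tzutil spawned by rundll32 (a loader-style parent) -> suspicious
    {"id": 1, "image": r"C:\Windows\System32\tzutil.exe", "cmdline": "tzutil /g",
     "parent": r"C:\Windows\System32\rundll32.exe"},
    # 2: tzutil run interactively by an admin from cmd.exe -> benign, must not fire
    {"id": 1, "image": r"C:\Windows\System32\tzutil.exe",
     "cmdline": 'tzutil /s "W. Europe Standard Time"', "parent": r"C:\Windows\System32\cmd.exe"},
    # 3: per-user CLSID InprocServer32 pointing into AppData -> COM hijack pattern
    {"id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "details": r"C:\Users\jdoe\AppData\Roaming\Updater\helper.dll"},
    # 4: machine-wide CLSID written by an installer into Program Files -> benign
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "details": r"C:\Program Files\Vendor\vendor.dll"},
    # 5: DNS lookup of a public IPFS gateway by a non-browser -> suspicious
    {"id": 22, "image": r"C:\Windows\System32\rundll32.exe", "query": "dweb.link"},
    # 6: proxy record with an /ipfs/<CID> path (constructed CID) -> suspicious
    {"id": "proxy", "image": r"C:\Windows\System32\rundll32.exe",
     "url": "https://dweb.link/ipfs/bafybeiconstructedexamplecidnotarealobjectaaaaaaaaaaaaaaaaa/update.bin"},
    # 7: a browser resolving a gateway -> too noisy to flag on its own
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "ipfs.io"},
]

# Parents from which an unattended tzutil call is unexpected (assumption of this example).
LOADER_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Directories a standard user can write to; a COM server DLL living there under a
# per-user CLSID key is the classic hijack pattern (HKCU shadows HKLM).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
# Per-user CLSID server registration: HKCU or HKU\<user SID>, InprocServer32/LocalServer32.
COM_SERVER_KEY = re.compile(
    r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)",
    re.I)
# Well-known public IPFS HTTP gateways (not campaign-specific) and CIDv0/CIDv1 shapes.
IPFS_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud", "w3s.link"}
IPFS_PATH = re.compile(r"/ipfs/(Qm[1-9A-HJ-NP-Za-km-z]{44}|bafy[a-z2-7]{55})")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_tzutil(ev):
    """Time-zone reconnaissance: tzutil launched by a loader or from a user-writable path."""
    if ev.get("id") != 1 or basename(ev["image"]) != "tzutil.exe":
        return None
    parent_path = ev.get("parent", "")
    parent = basename(parent_path)
    if parent in LOADER_PARENTS or USER_WRITABLE.search(parent_path):
        return f"tzutil launched by {parent}: time-zone reconnaissance pattern"
    return None


def check_com_hijack(ev):
    """COM hijack: per-user CLSID server value set to a DLL in a user-writable directory."""
    if ev.get("id") != 13 or not COM_SERVER_KEY.match(ev.get("target", "")):
        return None
    if USER_WRITABLE.search(ev.get("details", "")):
        return f"per-user COM server set to user-writable DLL {ev['details']}"
    return None


def check_ipfs(ev):
    """IPFS retrieval by a non-browser: gateway DNS lookup or /ipfs/<CID> URL in proxy logs."""
    img = basename(ev.get("image", ""))
    if img in BROWSERS:
        return None
    if ev.get("id") == 22 and ev.get("query", "").lower() in IPFS_GATEWAYS:
        return f"{img} resolved IPFS gateway {ev['query']}"
    if ev.get("id") == "proxy":
        m = IPFS_PATH.search(ev.get("url", ""))
        if m:
            return f"{img} fetched IPFS object {m.group(1)[:12]}..."
    return None


RULES = {"tzutil_recon": check_tzutil,
         "com_hijack_user_hive": check_com_hijack,
         "ipfs_retrieval": check_ipfs}


def analyze(events):
    """Run every rule over every event; return one finding per (event, rule) hit."""
    findings = []
    for idx, ev in enumerate(events, 1):
        for name, rule in RULES.items():
            reason = rule(ev)
            if reason:
                findings.append({"event": idx, "rule": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] event {f['event']}: {f['reason']}")
```

Run on the constructed events, the pass flags events 1, 3, 5 and 6 and stays silent on the interactive tzutil call, the HKLM registration written by an installer, and the browser gateway lookup. In production the same logic would be expressed as Sigma rules over Sysmon EventID 1, 13 and 22 and proxy logs; the part worth carrying over is the negative cases, because tzutil and CLSID writes are both common in legitimate administration.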

Detection and Defensive Guidance

BlackBerry’s technical research provides actionable detection opportunities for defenders, including Sigma and YARA rules to identify RomCom RAT’s persistence mechanisms (such as COM hijacking and DLL injection), and indicators of compromise (IoCs) linked to NATO-targeted campaigns. Security teams are encouraged to review these resources and integrate them into their monitoring and response workflows. [2]

Final Thoughts

The Nebulous Mantis campaign underscores the increasing technical sophistication and operational discipline of state-linked threat actors targeting NATO and allied organizations. Ongoing vigilance, layered defense, and collaboration with trusted research sources are essential to mitigate the risks posed by such advanced adversaries.

Footnotes

  1. Inside the Latest Espionage Campaign of Nebulous Mantis – PRODAFT

  2. Decoding RomCom: Behaviors and Opportunities for Detection – BlackBerry