Mantis

Threat Actor updated 7 months ago (2024-11-29T14:40:54.433Z)

Download STIX

Preview STIX

Mantis, a threat actor known for its malicious activities, has been employing a sophisticated strategy to disrupt systems. Using a decoy FTP server, Mantis initiates a prompt-injection attack against the LLM agent. This approach essentially turns attacking AIs into prey, thereby multiplying the force of the attack. Despite the presence of defensive systems like the one created by GMU researchers, Mantis's prompt-injection attacks continue to be effective. While the defense system, also named Mantis, uses deceptive techniques to emulate targeted services and send back a payload containing a prompt-injection attack when it detects a potential automated attacker, the success of these countermeasures is still under scrutiny. The Mantis defense system operates autonomously once deployed, orchestrating countermeasures based on the nature of detected interactions. The team behind this system focuses on two types of defensive actions: passive defenses that aim to slow down the attacker and increase the cost of their actions, and active defenses that hack back with the goal of gaining the ability to run commands on the attacker's system. However, as long as prompt-injection attacks remain effective, the threat posed by the Mantis threat actor will persist. In addition to its direct attacks, Mantis has been linked to several clusters of domains showing signs of connections to TAG-63, otherwise tracked as APT-C-23, Desert Falcons, Arid Viper, or Mantis, which is perhaps the longest-running Arabic cyber operations group publicly known. Despite efforts from cybersecurity professionals and companies such as Blue Mantis, which has recommended training new cybersecurity professionals, the threat from Mantis remains significant. As a result, firms such as c/side are developing solutions to protect businesses from costly and damaging browser-executed attacks, with funding led by Uncork Capital and participation from Mantis VC, Scribble Ventures, Roar Ventures, and PrimeSet.

Description last updated: 2024-11-21T10:32:38.531Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Malware

Exploit

Decoy

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The RomCom Malware is associated with Mantis. RomCom, a malicious software, has been identified as a significant cyber threat. Reports from third-party and open-source intelligence since spring 2022 have indicated a connection between RomCom Remote Access Trojan (RAT) actors, Cuba ransomware actors, and Industrial Spy ransomware actors. The mal	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Tropical Scorpius Threat Actor is associated with Mantis. Tropical Scorpius, also known as RomCom, Storm-0978, and UNC2596, is a threat actor group that has been active since at least late 2020. This Russian-based cybercrime group is associated with Cuba ransomware and the RomCom backdoor, and it has exploited various techniques such as Magic bytes, Proces	Unspecified	2

Source Document References

Information about the Mantis Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	5 days ago	New Report Uncovers Major Overlaps in Cybercrime and Espionage
Securityaffairs	a month ago	Attackers exploit Fortinet flaws to deploy Qilin ransomware
InfoSecurity-magazine	a month ago	Kettering Health Cyber-Attack Disrupts Services
Securityaffairs	2 months ago	Security Affairs newsletter Round 522 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	2 months ago	Russia-linked group Nebulous Mantis targets NATO-related defense organizations
Securityaffairs	4 months ago	Leaked Black Basta chat logs reveal the gang's operations
DARKReading	8 months ago	AI About-Face: 'Mantis' Turns LLM Attackers Into Prey
DARKReading	10 months ago	c/side Lands $6M to Combat Supply Chain Attacks
CERT-EU	a year ago	5 certifications that can boost a cybersecurity leader’s career \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	2 years ago	Hamas-linked app offers window into cyber infrastructure, possible links to Iran
CERT-EU	2 years ago	Takeaways from Black Hat USA 2023
CSO Online	2 years ago	Microsoft tells Exchange admins to revert previously recommended antivirus exclusions
CERT-EU	a year ago	New Linux Malware "Migo" Exploits Redis for Cryptojacking, Disables Security
CERT-EU	2 years ago	What the cybersecurity workforce can expect in 2024
CERT-EU	2 years ago	12 Best Vulnerability Management Systems & Tools 2023
CERT-EU	2 years ago	Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History
CERT-EU	2 years ago	New Diicot Threat Group Targets SSH Servers with Brute-Force Malware
CERT-EU	2 years ago	Decoy Dog Malware Upgraded to Include New Features
CERT-EU	2 years ago	Blue Mantis to Host 2023 Cloudscape Technology Conference in Newport, Rhode Island
CERT-EU	2 years ago	Mantis: New Tooling Used in Attacks Against Palestinian Targets – Cyber Security Review