Tropical Scorpius

Threat Actor updated a month ago (2024-10-21T09:01:59.779Z)
Tropical Scorpius, also tracked as Void Rabisu, Storm-0978 and UNC2596, is a hybrid threat actor that has run both financially motivated ransomware operations and espionage campaigns. The group first drew attention as the operator of Cuba ransomware (tracked since 2019; the Tropical Scorpius name was applied by Unit 42 in 2022) and is closely associated with the RomCom backdoor. Reporting has also linked it to DoubleFinger, GreetingGhoul, Remcos RAT and an updated RomCom RAT variant named PEAPOD.

Techniques attributed to the group include magic-byte tricks, Process Doppelgänging and steganography, with payloads delivered as DLL, EXE, PIF and PNG files. Its tooling is Windows-focused, and its victims have included cryptocurrency-related targets.

Throughout 2023 the group ran a series of campaigns against targets mainly in Europe, the United States and Latin America. In June 2023 it was tied to attacks on Ukrainian politicians and U.S.-based healthcare providers aiding Ukrainian refugees. In August and October 2023 it used PEAPOD against female political leaders who had attended the Women Political Leaders Summit in June; Trend Micro has also documented RomCom campaigns aimed at attendees of the Munich Security Conference and the Masters of Digital conference.

In October 2024 Cisco Talos, tracking the activity as UAT-5647, reported a new wave of attacks against Ukrainian government agencies and Polish entities and assessed the operators as Russian-speaking, pointing to geopolitical motives alongside the criminal ones. This record of shifting tooling and targets makes Tropical Scorpius a persistent threat.
Description last updated: 2024-10-21T08:33:42.662Z
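The profile above lists magic-byte tricks, steganography and delivery as DLL, EXE, PIF and PNG files. As an added illustration, not code from this page or from any vendor report on the group, the Python below sketches a triage check a defender can run over such files: it classifies a file by its magic bytes rather than its extension, tells DLL from EXE by reading the COFF Characteristics flag, flags a PE renamed to .pif (which Windows still launches), and reports bytes appended after a PNG's IEND chunk, a common place to park a hidden payload because image decoders ignore it. The sample files, the EXPECTED mapping and the finding strings are constructed assumptions for the demonstration.

```python
import os
import struct
import zlib

# Constructed example: classify files by what their bytes say, not by extension.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_DLL = 0x2000        # COFF Characteristics flag set on DLL images
EXPECTED = {".exe": "pe-exe", ".dll": "pe-dll", ".png": "png"}  # assumed policy


def sniff_kind(data: bytes) -> str:
    """Return the container type implied by the magic bytes.

    For MZ files, follow e_lfanew (offset 0x3C) to the PE signature and read the
    COFF Characteristics word (22 bytes past the signature) to tell DLL from EXE.
    """
    if data.startswith(b"MZ") and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"
        return "mz-dos"            # DOS stub without a PE header, or truncated
    if data.startswith(PNG_SIG):
        return "png"
    return "unknown"


def png_trailing_bytes(data: bytes) -> int:
    """Count bytes after the IEND chunk's CRC.

    0 means a clean chunk stream; >0 means data was appended after the image;
    -1 means the chunk stream is malformed or IEND never appears.
    """
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, off)
        end = off + 8 + length + 4     # length + type + payload + CRC
        if end > len(data):
            return -1
        if ctype == b"IEND":
            return len(data) - end
        off = end
    return -1


def assess(name: str, data: bytes) -> list[str]:
    """Findings for one file: extension/magic mismatch and appended PNG data."""
    findings = []
    ext = os.path.splitext(name.lower())[1]
    kind = sniff_kind(data)
    if ext == ".pif" and kind.startswith("pe-"):
        # Windows runs a PE renamed to .pif exactly like an .exe, so the
        # extension is a disguise rather than a format.
        findings.append("PE executable with .pif extension (Windows launches .pif like .exe)")
    elif ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append(f"extension {ext} but magic bytes say {kind}")
    if kind == "png":
        trailing = png_trailing_bytes(data)
        if trailing > 0:
            findings.append(f"{trailing} bytes appended after PNG IEND")
        elif trailing < 0:
            findings.append("malformed PNG chunk stream")
    return findings


# --- constructed sample inputs (header-only stand-ins, not loadable or viewable files) ---

def build_min_pe(is_dll: bool) -> bytes:
    """MZ stub + PE signature + 20-byte COFF header; enough for sniff_kind only."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_min_png(trailing: bytes = b"") -> bytes:
    """Signature + IHDR + IEND (no IDAT), optionally with bytes glued on the end."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IEND", b"") + trailing


if __name__ == "__main__":
    samples = {
        "report.dll": build_min_pe(is_dll=True),
        "invoice.pif": build_min_pe(is_dll=False),
        "photo.png": build_min_pe(is_dll=True),
        "logo.png": build_min_png(b"\xcc" * 40),
        "clean.png": build_min_png(),
    }
    for fname, blob in samples.items():
        print(f"{fname:12} {sniff_kind(blob):8} {assess(fname, blob)}")
```

The check deliberately trusts the bytes over the name: a .png that begins with MZ is reported as a PE, and a .pif is treated as what it is to Windows, an executable. Trailing data after IEND is only an indicator; legitimate tools occasionally append metadata, so it should feed a triage queue rather than a block rule.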
Possible Aliases / Cluster overlaps

Vendors track clusters and naming conventions differently, so the following overlapping names and profiles may also be relevant (alias vote counts in parentheses; descriptions are truncated as captured).

UNC2596 (4 votes). UNC2596, also known as Void Rabisu, Tropical Scorpius and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. The group has been active for several years (Cuba ransomware has been tracked since 2019), with Trend Micro identifying the group's activities of honing a backdo…

Void Rabisu (3 votes). Void Rabisu is Trend Micro's name for the actor also known as Storm-0978, UNC2596 and Tropical Scorpius, notable for its use of the ROMCOM backdoor. The group has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In…

Cuba Ransomware (3 votes). Cuba ransomware first appeared on cybersecurity radars in late 2019; Unit 42 tracks the group deploying it as Tropical Scorpius. It is designed to encrypt and damage computer systems, often infiltrating through suspicious downloads, emails or websites without the user's knowledge. Once insi…

Cuba (2 votes). Cuba ransomware, active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by aliases such as Void Rabisu, UNC2596, Tropical Scorpius and Storm-0978, has recently targeted w…

RomCom (2 votes). RomCom is a remote access trojan (RAT) that has been linked to Cuba ransomware actors and Industrial Spy ransomware actors, according to third-party and open-source reports. Since spring 2022, the Russian-speaking group UAT-5647, also known as RomCom, has targeted Ukrainian government entities…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Cuba
Backdoor
Source Document References

Information about the Tropical Scorpius threat actor was read from the documents below (display limited to 20 results). Source and age at time of capture:

Securityaffairs, a month ago
Securelist, a year ago (2 documents)
CERT-EU, a year ago (14 documents)
BankInfoSecurity, a year ago
InfoSecurity-magazine, a year ago
CISA, 2 years ago