Tropical Scorpius

Threat Actor updated 24 days ago (2024-09-24T09:00:58.505Z)
Tropical Scorpius is the threat actor, first identified in late 2020, behind the Cuba ransomware operation. The group has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. Its malware infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. The threat actor, also tracked as Void Rabisu, Storm-0978, and UNC2596, targets a wide range of industries and regions, notably the cryptocurrency industry, Europe, the USA, and Latin America.

In June 2023, the RomCom threat group, associated with Tropical Scorpius and Cuba ransomware, resurfaced targeting politicians in Ukraine and U.S.-based healthcare providers aiding refugees from Ukraine. In August of the same year, the group leveraged the fourth version of the RomCom backdoor in its campaign against attendees of the Women Political Leaders (WPL) Summit in Brussels. The malware variants used included DoubleFinger, GreetingGhoul, Remcos RAT, and others, delivered through file types such as DLL, EXE, PIF, and PNG. By October 2023, the group had launched attacks using an updated and simplified RomCom RAT variant dubbed PEAPOD against female political leaders who participated in the WPL Summit. These attacks were part of a broader strategy combining financially motivated and espionage operations, demonstrating the hybrid nature of this threat actor. Techniques employed by Tropical Scorpius include magic-byte manipulation, Process Doppelgänging, and steganography, primarily targeting Windows systems.
Description last updated: 2024-05-04T16:33:52.336Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias (votes): Description

UNC2596 (4 votes): UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. This group has been refining its tactics and techniques, utilizing backdoor attacks that have targeted various high-profile events, including

Void Rabisu (3 votes): Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In

Cuba Ransomware (3 votes): The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi

Cuba (2 votes): The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w

RomCom (2 votes): The RomCom malware, a malicious software that has been active since 2022, is an ongoing cyber threat. This Remote Access Trojan (RAT) is known for its various harmful activities including ransomware attacks, extortion, and targeted credential gathering, primarily aimed at supporting intelligence-gat
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Ransomware
Cuba
Backdoor
Source Document References
Information about the Tropical Scorpius threat actor was drawn from the document corpus below. This display is limited to 20 results.
Source (created)

Securelist (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securelist (a year ago)
CERT-EU (a year ago)
CISA (2 years ago)
CERT-EU (a year ago)