Tropical Scorpius

Threat Actor updated 8 months ago (2024-11-29T14:51:11.381Z)
Download STIX
Preview STIX
Tropical Scorpius, also known as RomCom, Storm-0978, and UNC2596, is a threat actor group that has been active since at least late 2020. This Russian-based cybercrime group is associated with Cuba ransomware and the RomCom backdoor, and it has exploited various techniques such as Magic bytes, Process Doppelgänging, and Steganography to execute its malicious actions. The group targets diverse industries and regions, with a notable focus on the Cryptocurrency sector in Europe, the USA, and Latin America. They have also targeted Windows systems through different file types like DLL, EXE, PIF, and PNG. In June 2023, the group was implicated in attacks against politicians in Ukraine and U.S.-based healthcare providers aiding refugees from Ukraine. In these instances, they used malware such as DoubleFinger, GreetingGhoul, Remcos RAT, and a Loader-type malware. Later that year, in a wave of attacks starting in late 2023, Tropical Scorpius targeted Ukrainian government agencies and Polish entities. They also exploited two Firefox and Tor Browser zero-day vulnerabilities in attacks on users across Europe and North America. In another significant development, the group launched attacks against female political leaders who participated in the Women Political Leaders Summit in June using an updated and simplified RomCom RAT variant dubbed PEAPOD. These attacks were part of a broader campaign that also targeted attendees of the Munich Security Conference and the Masters of Digital conference. The group's activities underscore the need for robust cybersecurity measures across all sectors, particularly in high-profile events and critical industries.
Description last updated: 2024-11-28T11:55:40.496Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Unc2596 is a possible alias for Tropical Scorpius. UNC2596, also known as RomCom, Storm-0978, Tropical Scorpius, and Void Rabisu, is a Russian-based cybercrime group that has executed a series of attacks across Europe and North America. The threat actor has exploited two zero-day vulnerabilities in Firefox and Tor Browser in its recent operations. R
5
RomCom is a possible alias for Tropical Scorpius. RomCom, a malicious software, has been identified as a significant cyber threat. Reports from third-party and open-source intelligence since spring 2022 have indicated a connection between RomCom Remote Access Trojan (RAT) actors, Cuba ransomware actors, and Industrial Spy ransomware actors. The mal
4
Void Rabisu is a possible alias for Tropical Scorpius. Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In
3
Cuba Ransomware is a possible alias for Tropical Scorpius. The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
3
Cuba is a possible alias for Tropical Scorpius. The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Backdoor
Cuba
Rat
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Mantis Threat Actor is associated with Tropical Scorpius. Mantis, a threat actor known for its malicious activities, has been employing a sophisticated strategy to disrupt systems. Using a decoy FTP server, Mantis initiates a prompt-injection attack against the LLM agent. This approach essentially turns attacking AIs into prey, thereby multiplying the forcUnspecified
2
Source Document References
Information about the Tropical Scorpius Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
InfoSecurity-magazine
13 days ago
Securityaffairs
2 months ago
ESET
5 months ago
Securityaffairs
8 months ago
InfoSecurity-magazine
8 months ago
Securityaffairs
9 months ago
Securelist
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
BankInfoSecurity
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
InfoSecurity-magazine
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago