Unc2596

Threat Actor updated a month ago (2024-10-21T09:01:07.624Z)
UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. The group has been active since at least late 2023; cybersecurity firm Trend Micro observed the group honing a backdoor in attacks that included attendees of the Munich Security Conference and the Masters of Digital conference. Cisco Talos researchers have also observed this Russia-linked threat actor targeting Ukrainian government agencies and Polish entities in a new wave of attacks.

The threat actor has used a variety of tools in its operations, including an updated and simplified RomCom RAT variant dubbed PEAPOD. Notably, this variant was used in a series of attacks against female political leaders who participated in the Women Political Leaders Summit in June 2023. These attacks were launched by the Void Rabisu operation, further demonstrating the group's broad range of targets and capabilities.

Recent developments have revealed a notable focus within UNC2596's operations: the group has specifically targeted women leaders within the European Union's military and political circles, raising concerns about the potential implications of these targeted attacks. Furthermore, UNC2596 is believed to be associated with Cuba ransomware, suggesting a multifaceted approach to its cyber operations that includes both direct cyberattacks and disruptive ransomware campaigns.
Description last updated: 2024-10-21T08:33:51.937Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias / Description / Votes

Tropical Scorpius (4 votes) is a possible alias for Unc2596. Tropical Scorpius, also known as Void Rabisu, Storm-0978, and UNC2596, is a significant threat actor in the cybersecurity landscape. Initially appearing on the radar in late 2020, the group gained notoriety for its deployment of Cuba ransomware and association with the RomCom backdoor. This maliciou

Void Rabisu (3 votes) is a possible alias for Unc2596. Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In

RomCom (2 votes) is a possible alias for Unc2596. The RomCom malware, a Remote Access Trojan (RAT), has been linked to Cuba ransomware actors and Industrial Spy ransomware actors, according to third-party and open-source reports. Since spring 2022, the Russian-speaking group UAT-5647, also known as RomCom, has targeted Ukrainian government entities
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the Unc2596 Threat Actor was read from the documents corpus below. This display is limited to 20 results.