UNC2596

Threat Actor Profile (updated 3 months ago)
UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor that conducts both financially motivated and espionage attacks. The group has been refining its tactics and techniques, using backdoor attacks that have targeted various high-profile events, including the Munich Security Conference and the Masters of Digital conference. The cybersecurity firm Trend Micro has been tracking this threat actor, which is also believed to be associated with Cuba ransomware.

In October 2023, UNC2596 launched a series of targeted attacks against female political leaders who had participated in the Women Political Leaders Summit in June. These attacks used an updated and simplified variant of the RomCom RAT (Remote Access Trojan) malware, dubbed PEAPOD. This variant was used specifically by UNC2596, indicating an evolution in the group's capabilities and strategies. The attribution of these attacks to UNC2596 rests on a combination of factors: tactics, techniques, and procedures (TTPs), code similarity, and attack infrastructure. The group's focus on women leaders within the European Union's military and political circles represents a notable shift in its target demographic. Organizations and individuals alike should therefore remain vigilant and employ robust security measures to mitigate the risk posed by this threat actor.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

ID | Votes | Profile Description
Tropical Scorpius | 4 | Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma
Void Rabisu | 3 | Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In
RomCom | 2 | RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
Peapod | 1 | PEAPOD, a novel variant of the RomCom RAT malware, was discovered to have been used in targeted attacks against female political leaders who participated in the Women Political Leaders Summit in June. The threat operation responsible for these attacks is known as Void Rabisu, also referred to as Sto
Romcom Rat | 1 | RomCom RAT, a type of malware, has been linked to Cuba ransomware and Industrial Spy ransomware actors since spring 2022. These malicious actors have been observed deploying the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a Command and Control (C2) server before initiating their ra
Cuba | 1 | The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cybercrime
Malware
Ransomware
Espionage
Backdoor
Exploits
Associated Malware
ID | Type | Votes | Profile Description
Romcom Backdoor | Unspecified | 1 | The RomCom backdoor, a malicious software, is primarily used by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. This malware has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, shifting away from opportunistic ransomware a
Cuba Ransomware | Unspecified | 1 | The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Associated Threat Actors
ID | Type | Votes | Profile Description
Vice Society | Unspecified | 1 | Vice Society, a threat actor group known for its malicious activities, has been linked to a series of ransomware attacks targeting various sectors, most notably education and healthcare. Throughout 2022 and the first half of 2023, Vice Society, along with Royal Ransomware, were actively executing mu
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the UNC2596 threat actor was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
CERT-EU | 9 months ago | SpyNote Android trojan detailed
CERT-EU | 9 months ago | Android spyware deployed via fraudulent Israeli rocket alert app
BankInfoSecurity | 9 months ago | Women Political Leaders Targeted With RomCom RAT Variant
CERT-EU | 9 months ago | Israel, Gaza relief groups subjected to DDoS attacks
CERT-EU | 9 months ago | Novel RomCom RAT variant used in attacks against female political leaders
CERT-EU | 9 months ago | Ransomware attack claims against Colonial Pipeline linked to third-party breach
InfoSecurity-magazine | 9 months ago | New RomCom Backdoor Targets Female Political Leaders
CERT-EU | 9 months ago | Google trending Ransomware news headlines for the day - Cybersecurity Insiders
CERT-EU | 9 months ago | New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU | 9 months ago | New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU | a year ago | Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
Securityaffairs | a year ago | RomCom RAT attackers target groups supporting NATO membership of Ukraine
CERT-EU | a year ago | Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report
CERT-EU | a year ago | Microsoft's latest Patch Tuesday addresses 6 actively exploited zero-day vulnerabilities
CERT-EU | a year ago | RomCom RAT Targets Pro-Ukraine Guests at Upcoming NATO Summit