Unc2596

Threat Actor updated a month ago (2024-11-29T13:32:57.779Z)
UNC2596, also known as RomCom, Storm-0978, Tropical Scorpius, and Void Rabisu, is a Russia-based cybercrime group that has carried out a series of attacks across Europe and North America. In its recent operations the group exploited two zero-day vulnerabilities in Firefox and Tor Browser. Researchers from TrendMicro describe UNC2596's modus operandi as including the development of a backdoor used in its attacks, with lures built around high-profile events such as the Munich Security Conference and the Masters of Digital conference. Since late 2023, Cisco Talos researchers have observed UNC2596 launching a new wave of attacks against Ukrainian government agencies and Polish entities. In addition, an updated and simplified variant of the RomCom RAT, dubbed PEAPOD, was used by the group to target female political leaders who participated in the Women Political Leaders Summit in June. These attacks show a clear pattern of both financial and espionage motives, demonstrating the group's hybrid threat capabilities. The threat posed by UNC2596 is significant because of its wide range of targets and its sophisticated techniques: its ability to exploit zero-day vulnerabilities and to develop new malware variants for targeted attacks indicates a high level of technical skill and adaptability. With the group actively targeting political figures and government agencies, robust defensive measures (prompt browser patching, mail-based lure detection, and monitoring for RomCom backdoor activity) are essential to mitigate the risk.
Description last updated: 2024-11-28T11:55:50.225Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
| Alias | Description | Votes |
| --- | --- | --- |
| Tropical Scorpius | Tropical Scorpius is a possible alias for Unc2596. Tropical Scorpius, also known as RomCom, Storm-0978, and UNC2596, is a threat actor group that has been active since at least late 2020. This Russian-based cybercrime group is associated with Cuba ransomware and the RomCom backdoor, and it has exploited various techniques such as Magic bytes, Proces | 4 |
| RomCom | RomCom is a possible alias for Unc2596. RomCom, a malicious software, has been identified as a significant cyber threat. Reports from third-party and open-source intelligence since spring 2022 have indicated a connection between RomCom Remote Access Trojan (RAT) actors, Cuba ransomware actors, and Industrial Spy ransomware actors. The mal | 3 |
| Void Rabisu | Void Rabisu is a possible alias for Unc2596. Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In | 3 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cybercrime
Source Document References
Information about the Unc2596 Threat Actor was read from the documents corpus below. This display is limited to 20 results.

| Source | Created |
| --- | --- |
| Securityaffairs | a month ago |
| InfoSecurity-magazine | a month ago |
| Securityaffairs | 2 months ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| BankInfoSecurity | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| InfoSecurity-magazine | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |
| Securityaffairs | a year ago |
| CERT-EU | 2 years ago |
| CERT-EU | a year ago |
| CERT-EU | a year ago |