Void Rabisu

Threat Actor profile, updated 2024-09-24T09:00:56.161Z
Void Rabisu is a threat actor, not a malware family. Trend Micro uses the name Void Rabisu; the same group is tracked as Storm-0978 (Microsoft), UNC2596 (Mandiant) and Tropical Scorpius (Palo Alto Networks Unit 42). Its signature tool is the ROMCOM backdoor (also written RomCom). The group is known for deploying the Cuba ransomware, possibly as that ransomware's only operator, and has since shifted from opportunistic ransomware toward espionage-style targeting.

In July 2023 Void Rabisu used ROMCOM in spear-phishing attacks against organizations supporting Ukraine's admission into NATO, the campaign in which Microsoft reported exploitation of CVE-2023-36884 (listed under Associated Vulnerabilities below). The payload deployed in that campaign differed from the ROMCOM backdoor analyzed earlier. For persistence the actor hijacked CLSID {F5078F32-C551-11D3-89B9-0000F81FE221}, a COM object normally used by the WordPad application: COM hijacking works by registering a malicious server for a CLSID so that the attacker's code is loaded whenever a process instantiates that object.

In August 2023 the actor set up a website mimicking the legitimate Women Political Leaders Summit (WPL Summit) site to lure attendees, female political leaders, into fetching an updated and simplified ROMCOM variant dubbed PEAPOD. Researchers describe PEAPOD as a backdoor stripped "down to its core" that downloads additional components as needed, possibly to make fingerprinting on the command-and-control server more difficult. The same actor has used other high-profile events as lures, including the Munich Security Conference and the Masters of Digital conference.

Despite the sophistication of these operations, the cited research found no evidence that Void Rabisu is state-sponsored.
Description last updated: 2024-05-04T18:22:00.078Z
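The CLSID hijack described above is a COM persistence technique: a per-user registration under HKCU\Software\Classes\CLSID takes precedence over the machine-wide entry in HKLM, so an attacker can point the WordPad CLSID at a DLL of their choosing without administrative rights. The following detector is an added example and not code from the page's sources or from Void Rabisu's toolset. It parses a text export of HKCU\Software\Classes\CLSID (as produced by `reg export`) and flags any per-user InprocServer32/LocalServer32 registrations, with extra weight for the CLSID named on this page and for server binaries living in user-writable directories. The sample export, the `updater.dll` path and the second CLSID are constructed for illustration; only the F5078F32 CLSID comes from the page.

```python
import re
from dataclasses import dataclass, field

# CLSID that the page reports Void Rabisu hijacked (attributed there to WordPad).
WORDPAD_CLSID = "{F5078F32-C551-11D3-89B9-0000F81FE221}"

# Constructed sample of what `reg export HKCU\Software\Classes\CLSID out.reg` might contain
# on a host where the CLSID has been hijacked; paths and the second CLSID are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}]
@="Hypothetical hijacked object"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\updater.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32]
@="C:\\Program Files\\Vendor\\app.exe"
"""

# A COM server key under the per-user hive: [HKCU\Software\Classes\CLSID\{GUID}\InprocServer32]
_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})"
    r"\\(InprocServer32|LocalServer32)\]$",
    re.IGNORECASE,
)
# The key's default value, written as @="..." in .reg syntax, holds the server path.
_DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
# Directories a normal user can write to; a COM server loaded from here is a red flag.
_USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)


@dataclass
class Finding:
    clsid: str
    server_type: str
    path: str
    reasons: list = field(default_factory=list)


def parse_hkcu_clsid_servers(reg_text):
    """Return {(clsid, server_type): path} for every per-user COM server in a .reg export."""
    servers = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = (key.group(1).upper(), key.group(2))
            continue
        if line.startswith("["):
            current = None  # some other key: stop attributing values to a server key
            continue
        if current is None:
            continue
        val = _DEFAULT_VALUE_RE.match(line)
        if val:
            # .reg escapes quotes and backslashes inside string values; undo that.
            servers[current] = val.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return servers


def find_com_hijacks(reg_text, watchlist=(WORDPAD_CLSID,)):
    """Flag per-user COM server registrations; any such entry deserves a look."""
    watch = {c.upper() for c in watchlist}
    findings = []
    for (clsid, server_type), path in parse_hkcu_clsid_servers(reg_text).items():
        reasons = ["per-user COM server registration under HKCU"]
        if clsid in watch:
            reasons.append("CLSID on watchlist")
        if _USER_WRITABLE_RE.search(path):
            reasons.append("server binary in user-writable directory")
        findings.append(Finding(clsid, server_type, path, reasons))
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_REG):
        print(f"{f.clsid} {f.server_type} -> {f.path}: {', '.join(f.reasons)}")
```

On a real host, `reg export` writes UTF-16LE with a byte-order mark, so open the file with `encoding="utf-16"` before passing its contents in. Comparing the HKCU path with the HKLM registration for the same CLSID (if any) is the natural next check; legitimate per-user COM servers exist, so treat the watchlist hit and the user-writable path as the signals that matter.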
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors; the following profiles may describe the same actor.
Alias | Description | Votes
Tropical Scorpius | Possible alias for Void Rabisu. Tropical Scorpius, also known as Void Rabisu, Storm-0978, and UNC2596, is a significant threat actor in the cybersecurity landscape. Initially appearing on the radar in late 2020, the group gained notoriety for its deployment of Cuba ransomware and association with the RomCom backdoor. This maliciou | 3
UNC2596 | Possible alias for Void Rabisu. UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. The group has been active since at least late 2020, with cybersecurity firm Trend Micro identifying the group's activities of honing a backdo | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
State Sponso..., Espionage, Malware, Ransomware, Vulnerability, Backdoor, APT, Windows, Exploit, PaperCut
Associated Malware
Alias | Description | Association type | Votes
RomCom Backdoor | The RomCom backdoor is primarily used by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. This malware has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, shifting away from opportunistic ransomware a | has used | 3
RomCom | The RomCom malware, a Remote Access Trojan (RAT), has been linked to Cuba ransomware actors and Industrial Spy ransomware actors, according to third-party and open-source reports. Since spring 2022, the Russian-speaking group UAT-5647, also known as RomCom, has targeted Ukrainian government entities | has used | 3
PEAPOD | PEAPOD is a malware strain that evolved from the RomCom 3.0 backdoor. Void Rabisu appears to have transitioned from RomCom 3.0 to PEAPOD, which exhibits several architectural differences compared to its predecessor. This new strain, also referred to a | has used | 3
Cuba Ransomware | The Cuba ransomware first appeared on cybersecurity radars in late 2020, operated by the actor tracked as Tropical Scorpius. It typically arrives through malicious downloads, emails, or websites without the user's knowledge. Once insi | has used | 2
Associated Vulnerabilities
Alias | Description | Association type | Votes
CVE-2023-36884 | CVE-2023-36884 is a remote code execution (RCE) vulnerability affecting Microsoft Windows, Windows Server, Office, and Outlook. It has been exploited by cybercriminals and potentially state-sponsored | Unspecified | 3
Source Document References
Information about the Void Rabisu Threat Actor was read from the documents below (display limited to 20 results, all created about a year ago):
CERT-EU (16 documents), BankInfoSecurity, DARKReading, InfoSecurity-magazine, Trend Micro