Operation Deceptive Prospect: Nebulous Mantis, RomCom RAT, and the Dark Art of Feedback Form Phishing

If you thought “RomCom” referred to awkward dates and happily-ever-afters, you’re in for a plot twist. Meet RomCom RAT, a remote access trojan deployed by the mysterious, Russian-speaking cyber espionage group Nebulous Mantis. Spoiler: no meet-cutes here—just spear-phishing, COM hijacking, and cloud-hosted malware.

From NATO-linked targets to customer feedback forms weaponized for phishing, this group makes your average cyberattack look like an Excel spreadsheet error.

“Cybersecurity joke: Why don’t malware campaigns ever get ghosted? Because they know how to maintain persistence.”


RomCom RAT: Malware With Emotional (and Digital) Range

Launched into the threat landscape in mid-2022, RomCom RAT is far from amateur hour. It’s a full-featured, multi-stage malware with:

  • Living-off-the-land (LOTL) evasion tactics
  • COM hijacking for persistence
  • Encrypted C2 communications
  • And enough functionality to make most EDR platforms cry

The infection chain starts with the usual love letter: spear-phishing emails linking to malicious documents. But from there, the tactics evolve quickly:

  • First-stage DLL connects to C2 server
  • Downloads payloads via the InterPlanetary File System (IPFS)
  • Final-stage payload in C++ executes a buffet of backdoor commands and data gathering

The Group Behind the Chaos: Nebulous Mantis

Also known as CIGAR, Cuba, Storm-0978, Void Rabisu, and at least three names that sound like B-tier Marvel villains, Nebulous Mantis is likely:

  • State-sponsored or
  • A very professional, very well-funded cybercrime gang

Their known targets include:

  • Critical infrastructure
  • Defense organizations
  • Political leaders
  • And, most recently, U.K. companies via phishing lures submitted through public feedback forms (yes, really)

Their hosting provider of choice? Bulletproof services like LuxHost and Aeza, managed by a shady figure known as LARVA-290. (Apparently, it’s all insect-themed in the cybercriminal underground.)


Feedback Forms: The New Front Line of Phishing

Welcome to Operation Deceptive Prospect—a RomCom campaign revealed by Bridewell researchers targeting:

  • A hospitality company
  • A Critical National Infrastructure (CNI) provider

How? By submitting fake user complaints through public feedback portals. These complaints included links to:

  • Malicious files hosted on Google Drive or Microsoft OneDrive lookalike domains
  • Executable downloaders disguised as PDFs

Basically: phishing in a trench coat, pretending to be a dissatisfied customer.
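A defender-side screen for the feedback-form lure described above, written as an added example (not Bridewell's or the page's own code): it pulls links out of a submission, flags hosts that borrow the Google Drive or OneDrive brand without being the genuine service, and flags document-looking filenames that end in an executable extension. The legitimate-host set, brand keywords and sample submissions are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed set of genuine hosts for the cloud-storage services the campaign impersonates.
LEGIT_CLOUD_HOSTS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms"}
# Brand fragments a lookalike domain typically reuses (heuristic, will over-flag some hosts).
BRAND_KEYWORDS = ("google", "drive", "onedrive", "1drv", "sharepoint")
# "Document" name followed by an executable extension, e.g. Complaint.pdf.exe
DISGUISED_EXE = re.compile(r"\.(?:pdf|docx?|xlsx?)\.(?:exe|scr|msi|bat|cmd|js|vbs)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def review_submission(text: str) -> list[str]:
    """Return the reasons a feedback submission should be quarantined (empty list = clean)."""
    reasons = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.rstrip("/")
        if host in LEGIT_CLOUD_HOSTS:
            continue  # genuine Drive/OneDrive link: not a lookalike by this check
        if any(keyword in host for keyword in BRAND_KEYWORDS):
            reasons.append(f"lookalike cloud-storage domain: {host}")
        if DISGUISED_EXE.search(path):
            reasons.append(f"executable disguised as a document: {path.rsplit('/', 1)[-1]}")
    return reasons


def triage(submissions: list[str]) -> dict[int, list[str]]:
    """Map submission index -> reasons, keeping only submissions that raised at least one."""
    flagged = {}
    for index, submission in enumerate(submissions):
        reasons = review_submission(submission)
        if reasons:
            flagged[index] = reasons
    return flagged


# Constructed sample submissions (not real campaign data); hosts use the reserved .example TLD.
SAMPLE_SUBMISSIONS = [
    "Your booking system double-charged me. Proof: https://drive-google.example/share/Complaint.pdf.exe",
    "Great stay, thanks! Photos: https://drive.google.com/file/d/abc123/view",
    "Please see my invoice dispute: https://onedrive-live.example/download/Invoice.pdf",
    "The brunch menu font is too small.",
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_SUBMISSIONS).items():
        print(f"submission {index}: {'; '.join(reasons)}")
```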

“Feedback form tip: If your angry customer includes a download link, they might be a nation-state actor with a malware payload, not just someone mad about the brunch menu.”


Toolkits, Timelines, and Tentacles

In typical APT style, RomCom’s final-stage tool can:

  • Dump browser data
  • Perform system and Active Directory reconnaissance
  • Steal Outlook backups
  • Issue over 40 C2 commands via a slick command panel

The campaign infrastructure evolves rapidly, employing bulletproof hosting, encrypted traffic, and time-zone-based evasion (using the tzutil command to sync attack timing with victim business hours—yikes).

Oh, and RomCom didn’t appear out of nowhere. Earlier versions from 2019 used Hancitor as the loader. It’s been an upgrade cycle worthy of a Silicon Valley product roadmap.


Also on the Radar: Ruthless Mantis

PRODAFT also highlights Ruthless Mantis, a financially motivated crew involved in double-extortion ransomware, powered by affiliate programs like Ragnar Locker and INC Ransom. Led by LARVA-127, they blend:

  • Legit tools
  • Custom malware
  • Brute Ratel C4
  • And more recently, Ragnar Loader

These guys aren’t slacking. They even run an internal growth program—hiring newbies to sharpen tools and improve ROI. Who said criminals don’t value onboarding?


Final Thought: It’s Not Just Nation-States—It’s Nation-State-Grade

Nebulous Mantis and their RomCom RAT represent the hybrid model of modern threat groups: part espionage, part enterprise-grade operation. Whether it’s government secrets or endpoint persistence, they come prepared, patient, and professional.

So the next time someone complains about your website’s font size and attaches a mysterious document link—maybe don’t click it.
