
Russian hackers spied on NATO structures for years


A Russian hacker group spied on NATO-affiliated structures and government institutions for several years using custom malware and a purpose-built attack infrastructure, according to a report by the threat intelligence firm PRODAFT, which conducted a detailed investigation into the group it tracks as Nebulous Mantis (also referred to as Cuba, STORM-0978, Tropical Scorpius, and UNC2596), as reported by Industrial Cyber.

Researchers describe the group as Russian-speaking and assert that it operates with geopolitical motives, actively targeting critical infrastructure, politicians, defense structures, and institutions linked to the NATO alliance.

The malware used by the group serves both espionage and ransomware purposes, employing techniques to evade detection.

The group frequently rotates its domains, typically on a monthly basis, and rents servers from LuxHost and AEZA, providers known for bulletproof hosting that resists law enforcement takedowns. The analysis reveals that an operator under the alias LARVA-290 plays a central role by purchasing and configuring the servers used for intrusions and by taking part in ransomware attacks, including those that deploy the RomCom malware.

Researchers emphasize that although the group shows signs of double extortion tactics (stealing data before encrypting it), its primary objective is espionage.

According to PRODAFT’s estimate, Nebulous Mantis can infect over 46 strategically important targets per month.

The group operates like a professional cybercriminal organization, using a multi-stage attack strategy. First, it runs phishing campaigns; once the victim opens the malicious file or link, the attackers gain initial access to the system. This is followed by persistence mechanisms, privilege escalation, and data exfiltration. The group combines social engineering with technical exploits, often exploiting zero-day vulnerabilities. Its toolkit consists of modular malware, ranging from simple droppers to advanced backdoors designed to bypass antivirus defenses.

Nebulous Mantis also maintains an extensive network of command-and-control (C2) servers and encrypted communication channels, frequently changes its entry points, and conducts its operations with notable discipline, all of which points to possible state support or to a highly professional cybercrime syndicate.

Since 2022, the group has shifted from the Hancitor loader to RomCom. Almost all attacks begin with phishing emails in which the attackers imitate the look of popular applications or send malicious documents disguised as invitations to high-profile events. When a victim clicks the link, they are directed to a fake website resembling OneDrive, from which the malware is downloaded.
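The OneDrive lookalike delivery described above is something a defender can hunt for in web proxy logs. The following script is an added example written for this article; it is not code from PRODAFT's report or from the threat actor's toolkit. It flags requests to hosts that carry a OneDrive-style name but whose registrable domain is not one Microsoft actually uses, and it raises the severity when such a host serves an archive or executable. The allowlist, the token list, the log format and the sample log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Registrable domains that legitimately serve OneDrive content.
# Assumption for this example: extend it from your own proxy baseline.
MICROSOFT_REGISTRABLE = {
    "live.com", "microsoft.com", "sharepoint.com",
    "1drv.ms", "office.com", "onedrive.com", "live.net",
}

# Strings a lure host tends to borrow from the real service (assumed list).
LOOKALIKE_TOKENS = ("onedrive", "1drv", "0nedrive")

# File types that are payloads rather than documents a share would normally host.
PAYLOAD_EXTS = (".exe", ".zip", ".iso", ".lnk", ".msi", ".dll", ".rar", ".img")

# Constructed sample lines in a simple "client method url status" shape.
# These are not real telemetry; the hosts are invented for the example.
SAMPLE_LOG = """\
10.0.0.5 GET https://onedrive.live.com/download?cid=abc 200
10.0.0.7 GET https://onedrive-share-invite.example/Invitation.zip 200
10.0.0.9 GET https://onedrive.live.com.files-cdn.example/Agenda.exe 200
10.0.0.3 GET https://www.example.org/index.html 200
10.0.0.8 GET https://1drv.ms/u/s!Ab12 302
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def registrable_domain(host):
    """Return the last two labels of a hostname.

    Assumption: no Public Suffix List is used here, so 'co.uk'-style suffixes
    are not handled; a production version should consult the PSL.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url):
    """Return a reason string if the URL looks like a OneDrive lookalike, else None.

    The registrable-domain check is what catches the subdomain trick
    'onedrive.live.com.<attacker domain>': the host contains the real service
    name, but the domain the attacker controls is the last two labels.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if not any(token in host for token in LOOKALIKE_TOKENS):
        return None
    if registrable_domain(host) in MICROSOFT_REGISTRABLE:
        return None  # genuine Microsoft-owned host
    if parts.path.lower().endswith(PAYLOAD_EXTS):
        return "onedrive lookalike serving payload"
    return "onedrive lookalike host"


def scan(log_text):
    """Parse proxy log lines and return (client, url, reason) tuples for hits."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        reason = classify(m["url"])
        if reason:
            alerts.append((m["client"], m["url"], reason))
    return alerts


if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{client} {reason}: {url}")
```

Run against the constructed log, the script reports the two invented lure hosts (one plain lookalike domain, one using the genuine name as a subdomain of an attacker-controlled domain) and stays silent on the real onedrive.live.com and 1drv.ms entries. Hits should be enriched with domain registration age before triage, since the article notes the group rotates domains roughly monthly.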
