Cybersecurity experts have uncovered a sophisticated espionage campaign orchestrated by the threat actor group known as Nebulous Mantis, utilizing an advanced remote access trojan called RomCom to target organizations globally. The campaign employs deceptive spear-phishing tactics coupled with multi-stage malware deployment to establish persistent access to victim networks, exfiltrate sensitive data, and potentially enable lateral movement within compromised infrastructures. When unsuspecting victims click the spear-phishing links, they unknowingly download the initial executable of the RomCom downloader variant from Mediafire, representing a tactical shift from the group’s previous use of temp.sh for file hosting.

What distinguishes this campaign is the threat actor’s innovative use of the InterPlanetary File System (IPFS) – a decentralized peer-to-peer network designed for file storage and sharing. Instead of relying exclusively on traditional centralized C2 servers, RomCom leverages domains such as ipfs.io, hardbin.com, and dweb.link to retrieve additional payloads, making detection and takedown efforts significantly more challenging. The infection chain involves multiple stages, with the malware using specific IPNS CID addresses to connect to these IPFS domains.

Catalyst researchers identified that upon execution, the malware employs sophisticated anti-analysis mechanisms to evade detection, including filename hash verification and registry checks to determine whether it is running in a sandbox environment. The malware specifically examines the “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs” registry key to verify that the value exceeds 55, which would be consistent with normal user activity rather than an analysis environment.

The RomCom RAT operates through a multi-stage infection process, beginning with a downloader component that injects the first-stage DLL variant into the legitimate explorer.exe process. This DLL, written in C, establishes a connection with command and control (C2) infrastructure to download additional attack toolkits and execute commands on the compromised system. Once established on the victim’s system, the final stage of RomCom connects to its C2 server at opendnsapi.net to receive commands and download supplementary modules.

The malware executes a comprehensive set of commands to gather system information, including time zone data through “tzutil /g” and user details via “whoami /all” and “net localgroup administrators”. A further observed command creates a reverse tunnel mapping the attacker’s port to the internal RDP service, enabling external access to internal resources while evading traditional network security controls.
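As an added defensive example (not code from the article or from Catalyst), the following Python routine flags the reconnaissance command cluster and the IPFS and C2 domains named above in process-creation and DNS telemetry; the pipe-delimited log format, host names and timestamps are constructed here for the demonstration.

```python
# Added example: flag the host-recon command cluster and the IPFS/C2 domains
# the article names. Telemetry format "timestamp|host|event|detail" and the
# sample lines below are constructed for this demo, not real data.
from collections import defaultdict
from datetime import datetime, timedelta

RECON_CMDS = ("tzutil /g", "whoami /all", "net localgroup administrators")
# IPFS gateways used for payload retrieval plus the final-stage C2 domain.
WATCH_DOMAINS = ("ipfs.io", "hardbin.com", "dweb.link", "opendnsapi.net")

# Constructed sample telemetry: WS-17 shows the full cluster, WS-22 does not.
SAMPLE_LOG = """\
2025-05-02T07:40:01|WS-17|proc|C:\\Windows\\System32\\tzutil.exe tzutil /g
2025-05-02T07:40:02|WS-17|proc|whoami /all
2025-05-02T07:40:03|WS-17|proc|net localgroup administrators
2025-05-02T07:41:10|WS-17|dns|dweb.link
2025-05-02T07:45:00|WS-22|proc|whoami /all
2025-05-02T09:10:00|WS-22|proc|net localgroup administrators
2025-05-02T09:11:00|WS-22|dns|updates.example.com
"""

def parse(line):
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail.strip().lower()

def detect(log_text, window=timedelta(minutes=10)):
    """Return {host: [alerts]}. A host is flagged for 'recon-cluster' when all
    three commands run within `window`; each contact with a watched domain
    (exact or subdomain) is reported separately."""
    recon_seen = defaultdict(dict)   # host -> {cmd: most recent timestamp}
    alerts = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, kind, detail = parse(raw)
        if kind == "proc":
            seen = recon_seen[host]
            for cmd in RECON_CMDS:
                if cmd in detail:
                    seen[cmd] = ts
            # Drop commands older than the window so stale hits cannot pair up.
            for stale in [c for c, t in seen.items() if ts - t > window]:
                del seen[stale]
            if len(seen) == len(RECON_CMDS):
                alerts[host].append("recon-cluster")
                seen.clear()           # report each cluster once
        elif kind == "dns" and any(detail == d or detail.endswith("." + d)
                                   for d in WATCH_DOMAINS):
            alerts[host].append(f"watched-domain:{detail}")
    return dict(alerts)
```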
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 02 May 2025 07:40:11 +0000