Void Rabisu, also known as Storm-0978, Tropical Scorpius, and UNC2596, is a threat actor associated with the RomCom RAT malware and the Cuba ransomware. This group conducts financially motivated and espionage attacks, primarily targeting Ukraine and countries supporting Ukraine in its conflict with Russia.
Void Rabisu has been implicated in exploiting a remote code execution flaw in Microsoft Office and Windows HTML. In August 2023, they launched updated attacks using a slimmed-down version of RomCom RAT called PEAPOD. This malware is distributed through spear-phishing emails and fake advertisements on search engines. The targets of these attacks are specifically European Union navy personnel and political leaders involved in gender equality initiatives. The malware is disguised as a folder containing photos from the Women Political Leaders Summit and is delivered through the website wplsummit[.]com.
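The one concrete indicator the page gives for this campaign is the delivery domain wplsummit[.]com. The following is an added example (not from the original page or from Trend Micro) of how a defender can turn that defanged indicator into a retrospective check over web-proxy logs. The log format, the sample log lines and the subdomain cdn.wplsummit.com are all constructed for the example; the only real indicator is the domain the page names. The matcher refangs the indicator, treats subdomains of it as hits, and does not match look-alike domains that merely end in the same string.

```python
import re
from urllib.parse import urlparse

# Indicator from the page, kept in defanged form and refanged before matching.
DEFANGED_IOCS = ["wplsummit[.]com"]


def refang(indicator: str) -> str:
    """Undo common defanging conventions ([.] and hxxp) so the value can be compared."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample proxy log lines (not from the page):
# timestamp, client IP, method, URL, proxy action.
SAMPLE_LOG = """\
2023-08-14T09:12:03Z 10.0.4.21 GET https://www.example.org/news/ ALLOW
2023-08-14T09:14:47Z 10.0.4.21 GET https://wplsummit.com/photos/WPL-Summit-2023.zip ALLOW
2023-08-14T09:15:02Z 10.0.4.33 GET https://cdn.wplsummit.com/img/banner.png ALLOW
2023-08-14T09:16:10Z 10.0.4.50 GET https://notwplsummit.com/ ALLOW
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<action>\S+)$"
)


def host_matches(host: str, domains: set) -> bool:
    """True if host is an IoC domain or a subdomain of one.

    A plain suffix test would also flag notwplsummit.com, so the comparison
    requires either an exact match or a dot boundary before the IoC domain.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_ioc_hits(log_text: str, domains: set = IOC_DOMAINS) -> list:
    """Return one record per log line whose URL host matches an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        host = urlparse(m.group("url")).hostname or ""
        if host_matches(host, domains):
            hits.append(
                {
                    "ts": m.group("ts"),
                    "client": m.group("client"),
                    "host": host,
                    "url": m.group("url"),
                }
            )
    return hits


if __name__ == "__main__":
    for h in find_ioc_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} contacted {h['host']} ({h['url']})")
```

Run against the constructed sample, the script reports the two clients that reached the indicator domain or a subdomain of it and ignores the look-alike domain; in practice the `DEFANGED_IOCS` list would be fed from the vendor report and the log regex adapted to the proxy's real format.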
This shift in targeting comes after Void Rabisu moved away from opportunistic ransomware attacks. The RomCom backdoor is still being developed by the threat actor. While there is no evidence that Void Rabisu is nation-state-sponsored, it is possible that they are financially motivated actors who have become involved in cyberespionage due to the conflict in Ukraine.
The attacks conducted by Void Rabisu have significant implications for European Union military personnel and political leaders. It is crucial for organizations and individuals to be aware of the threat posed by RomCom RAT and take necessary precautions to protect their systems and data. Cybersecurity firms, like Trend Micro, play a vital role in tracking and identifying threat actors like Void Rabisu. Continued monitoring and collaboration are essential to mitigate the risks posed by such malicious actors in the future.