Palo Alto Networks Unit 42 security researchers discovered that one of the Cuba ransomware operators, most likely associated with the Tropical Scorpius ransomware, was using previously unknown tactics, techniques, and procedures (TTPs), such as a novel remote access trojan (RAT) and a new local privilege escalation tool. In Q1 2022, the Cuba ransomware operation began with an updated encryptor with different options and quTox for live victim support. Tropical Scorpius, on the other hand, represents a shift in strategy, making the Cuba operation more dangerous and intrusive. Tropical Scorpius employs the standard Cuba ransomware payload, which has largely remained unchanged since the operation's inception in 2019. A legitimate but invalid NVIDIA certificate, stolen and leaked by the LAPSUS threat group in June 2022, is being used to sign kernel drivers that are dropped at the start of an infection. Threat actors can avoid detection in compromised environments as part of their driver's role by discovering and terminating processes associated with security products. Tropical Scorpius then retrieves a local privilege escalation tool that takes advantage of CVE-2022-24521, a zero-day flaw in the Windows Common Log File System Driver that was patched in April 2022. Tropical Scorpius downloads ADFind and Net Scan as it progresses to the next phase in order to perform lateral movement. The threat actor also introduces a new tool for retrieving cached Kerberos credentials. Furthermore, Unit 42 researchers discovered a novel approach that uses ZeroLogon hack tools to gain domain administrator privileges by exploiting CVE-2020-1472. Tropical Scorpius then deploys previously unknown malware known as "ROMCOM RAT," which handles C2 communications via ICMP requests via Windows API functions. Tropical Scorpius uploaded a new version of ROMCOM to VirusTotal on June 20, 2022, pointing to the same C2 address (hardcoded). The second malware version added ten new commands to the existing ten to provide more advanced options for remote operations such as file upload, process termination, and execution. Furthermore, the new version allows users to retrieve additional payloads from the C2, such as the "Screenshooter" desktop camera. The appearance of Tropical Scorpius and its new TTP indicate that Cuba ransomware is becoming a more serious threat, even if its population is not as large as that of other RaaS. Further, Cuba, on the other hand, has chosen to keep a low profile and employ a milder double-extortion strategy, so the exact number of victims is unknown. The gang has posted four stolen files on the Onion site under the "free" section since June 2022 but has not updated their "paid" offerings in a long time.