{
	"id": "dbb0964f-d0e7-4188-94fa-d27b07b027c4",
	"created_at": "2026-04-06T00:21:48.075602Z",
	"updated_at": "2026-04-10T13:11:33.663755Z",
	"deleted_at": null,
	"sha1_hash": "942be7a4ad1115ebd8ba8021add3eb85f5b49dc0",
	"title": "Profiling DEV-0270: PHOSPHORUS’ ransomware operations | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1073791,
	"plain_text": "Profiling DEV-0270: PHOSPHORUS’ ransomware operations |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-09-07 · Archived: 2026-04-05 16:14:09 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather.\r\nPHOSPHORUS is now tracked as Mint Sandstorm\r\nDEV-0270 is now tracked as Storm-0270\r\nTo learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of\r\nthreat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat\r\nactor naming taxonomy.\r\nMicrosoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks\r\nto DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses\r\nwith moderate confidence that DEV-0270 conducts malicious network operations, including widespread\r\nvulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral\r\ntargeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This\r\nblog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. We hope\r\nthis analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the\r\nexpansion of DEV-0270’s operations.\r\nDEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early\r\nadoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries\r\n(LOLBINs) throughout the attack chain for discovery and credential access. 
This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.\r\nIn some instances where encryption was successful, the time to ransom (TTR) between initial access and the\r\nransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In\r\naddition, the actor has been observed pursuing other avenues to generate income through their operations. In one\r\nattack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the\r\norganization for sale packaged in a SQL database dump.\r\nUsing these observations, this blog details the group’s tactics and techniques across its end-to-end attack chain to\r\nhelp defenders identify, investigate, and mitigate attacks. We also provide extensive hunting queries designed to\r\nsurface stealthy attacks. This blog also includes protection and hardening guidance to help organizations increase\r\nresilience against these and similar attacks.\r\nhttps://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/\r\nPage 1 of 12\n\nFigure 1. Typical DEV-0270 attack chain\r\nWho is DEV-0270?\r\nMicrosoft assesses that DEV-0270 is operated by a company that functions under two public aliases: Secnerd\r\n(secnerd[.]ir) and Lifeweb (lifeweb[.]ir). We have observed numerous infrastructure overlaps between DEV-0270\r\nand Secnerd/Lifeweb. 
These organizations are also linked to Najee Technology Hooshmand (ناجی تکنولوژی هوشمند),\r\nlocated in Karaj, Iran.\r\nThe group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and\r\ndevices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks.\r\nAs with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or\r\ncompromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-####\r\ndesignations as a temporary name given to an unknown, emerging, or developing cluster of threat activity,\r\nallowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach\r\nhigh confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is\r\nconverted to a named actor.\r\nObserved actor activity\r\nInitial access\r\nIn many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in\r\nExchange Server or in Fortinet SSL VPN devices (CVE-2018-13379). For Exchange, the most prevalent exploit has been\r\nProxyLogon (CVE-2021-26855 and the related Exchange Server CVEs listed under Recommended mitigation steps below).\r\nThis highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to\r\nsuccessfully exploit these vulnerabilities even recently, well after updates supplied the fixes. While there have\r\nbeen indications that DEV-0270 attempted to exploit Log4j 2 vulnerabilities, Microsoft has not observed this\r\nactivity used against customers to deploy ransomware.\r\nDiscovery\r\nUpon gaining access to an organization, DEV-0270 performs a series of discovery commands to learn more about\r\nthe environment. The command wmic computersystem get domain obtains the target’s domain name. The whoami\r\ncommand shows which account the actor is running as, and net user lists the local accounts; the same net user\r\ncommand, with /add, is what the actor later uses to create or modify accounts. 
For more\r\ninformation on the accounts created and common password phrases DEV-0270 used, refer to the hunting\r\nqueries at the end of this post.\r\nwmic computersystem get domain\r\nwhoami\r\nnet user\r\nOn the compromised Exchange server, the actor used the following command to understand the target\r\nenvironment.\r\nGet-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidet\r\nFor discovery of domain controllers, the actor used the following PowerShell and WMI command.\r\nCredential access\r\nDEV-0270 often opts for a LOLBin-based method of credential theft, as this removes the\r\nneed to drop common credential theft tools that are more likely to be detected and blocked by antivirus and endpoint\r\ndetection and response (EDR) solutions. The process starts by enabling WDigest in the registry (UseLogonCredential set to 1).\r\nWith WDigest enabled, LSASS keeps the cleartext password of every interactive logon in memory, so the actor\r\nsaves the time of cracking a password hash; note that the change only affects logons that happen after it is made.\r\n\"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t RE\r\nThe actor then uses rundll32.exe to call the MiniDump export of comsvcs.dll, which writes the memory of the\r\nLSASS process to a dump file from which passwords can be extracted offline. The command names the output file\r\nexplicitly, and the file name is reversed (ssasl.dmp) to evade detections that look for lsass in the name:\r\nPersistence\r\nTo maintain access in a compromised network, the DEV-0270 actor adds or creates a new user account, frequently\r\nnamed DefaultAccount with a password of P@ssw0rd1234, to the device using the command net user /add. 
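As an added example, not code from the original post or from Microsoft: a small Python detector that turns the command-line patterns described in the discovery, credential access and persistence sections above (the WDigest registry change, the comsvcs.dll MiniDump of LSASS with the reversed file name, the DefaultAccount / P@ssw0rd1234 account creation, the fDenyTSConnections change, the Impacket WMIExec output redirection from the lateral movement section, and the Defender exclusion from the hunting queries) into rules and runs them over constructed process-creation events. The sample command lines, the rule names, the svc_backup account and the process ID are assumptions for illustration; the username and password lists are the values quoted in this post's hunting queries.

```python
import re
from dataclasses import dataclass

# Account schema quoted in this post and in its hunting queries.
KNOWN_USERNAMES = {'defaultaccount'}
KNOWN_PASSWORDS = {'P@ssw0rd1234', '_AS_@1394'}

# Impacket wmiexec writes each command's output into the ADMIN$ share as
# __<unix time>.<fraction>; this matches that file name.
WMIEXEC_OUTPUT = re.compile('__[0-9]{10}[.][0-9]+')

# Process names net.exe can appear under at the start of a command line.
NET_BINARIES = {'net', 'net.exe', 'net1', 'net1.exe'}


def win(s):
    # The constructed sample lines below use '|' where a Windows path has a
    # backslash, so this listing carries no escape sequences; win() swaps them.
    return s.replace('|', chr(92))


@dataclass(frozen=True)
class Hit:
    rule: str
    detail: str


def parse_net_user_add(tokens):
    # net user <name> <password> /add -> (name, password); absent fields are ''.
    lowered = [t.lower() for t in tokens]
    if 'user' not in lowered:
        return '', ''
    rest = [t for t in tokens[lowered.index('user') + 1:] if not t.startswith('/')]
    return (rest[0] if rest else ''), (rest[1] if len(rest) > 1 else '')


def scan_line(cmd):
    # Applies every DEV-0270 indicator to one process command line.
    hits = []
    low = cmd.lower()
    tokens = cmd.split()

    # Credential access: UseLogonCredential=1 makes LSASS keep cleartext passwords.
    if 'wdigest' in low and 'uselogoncredential' in low and '/d 1' in low:
        hits.append(Hit('wdigest_enabled', 'UseLogonCredential set to 1'))

    # Credential access: LSASS dumped through the comsvcs.dll MiniDump LOLBin.
    if 'comsvcs' in low and 'minidump' in low:
        reversed_name = any('lsass' in t.lower()[::-1] for t in tokens)
        detail = 'output name is lsass reversed' if reversed_name else 'comsvcs MiniDump'
        hits.append(Hit('lsass_dump_comsvcs', detail))

    # Persistence: local account created with the known username/password schema.
    if tokens and tokens[0].lower() in NET_BINARIES and '/add' in low:
        user, password = parse_net_user_add(tokens)
        if user.lower() in KNOWN_USERNAMES or password in KNOWN_PASSWORDS:
            hits.append(Hit('known_account_schema', user + ' / ' + password))

    # Persistence: RDP enabled by clearing fDenyTSConnections.
    if 'fdenytsconnections' in low and '/d 0' in low:
        hits.append(Hit('rdp_enabled', 'fDenyTSConnections set to 0'))

    # Lateral movement: wmiexec output redirection into ADMIN$.
    match = WMIEXEC_OUTPUT.search(cmd)
    if match and 'admin$' in low and '2>&1' in low:
        hits.append(Hit('impacket_wmiexec', match.group(0)))

    # Defense evasion: Defender exclusion added or real-time protection disabled.
    if ('add-mppreference' in low and 'exclusionpath' in low) or 'disablerealtimemonitoring' in low:
        hits.append(Hit('defender_tampering', 'Add-MpPreference / DisableRealtimeMonitoring'))

    return hits


def scan(events):
    # Runs scan_line over a list of command lines; returns (command, Hit) pairs.
    return [(cmd, hit) for cmd in events for hit in scan_line(cmd)]


# Constructed sample process-creation events modelled on the command lines in
# this post (not real telemetry); the PID, paths and account svc_backup are made up.
SAMPLE_EVENTS = [win(s) for s in [
    'whoami',
    'wmic computersystem get domain',
    'reg add HKLM|SYSTEM|CurrentControlSet|Control|SecurityProviders|WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f',
    'rundll32.exe C:|Windows|System32|comsvcs.dll MiniDump 652 C:|ProgramData|ssasl.dmp full',
    'net user DefaultAccount P@ssw0rd1234 /add',
    'net user svc_backup _AS_@1394 /add',
    'net user alice Summer2022! /add',
    'reg add HKLM|SYSTEM|CurrentControlSet|Control|Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    'cmd.exe /Q /c quser 1> ||127.0.0.1|ADMIN$|__1657130354.2207212 2>&1',
    'powershell.exe -c Add-MpPreference -ExclusionPath C:|ProgramData',
]]

if __name__ == '__main__':
    for cmd, hit in scan(SAMPLE_EVENTS):
        print(hit.rule.ljust(22), hit.detail.ljust(34), cmd)
```

The net user parser does what the parse/extract pair in the "Create new user with known DEV-0270 username/password" query at the end of this post does: the token after user is the username and the next non-switch token is the password, so the alice line is not flagged. The comsvcs and wmiexec rules are high-confidence on their own; the registry and net.exe rules are better treated as a sequence on one host within a short window, since both binaries are used legitimately.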
The\r\nDefaultAccount account is a pre-existing, system-managed account that is present but disabled on most Windows systems,\r\nso enabling it, or creating an account of the same name, blends in with legitimate accounts.\r\nThe attacker then modifies the registry to allow remote desktop (RDP) connections to the device, adds a rule in\r\nthe firewall using netsh.exe to allow inbound RDP connections, and adds the user to the Remote Desktop Users group:\r\n\"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v TSEnabled /t REG_DWORD /d 1 /f\r\n\"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD\r\n\"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthenti\r\n\"netsh\" advfirewall firewall add rule name=\"Terminal Server\" dir=in action=allow protocol=TCP localpo\r\nScheduled tasks are one of the recurrent methods used by DEV-0270 in their attacks to maintain access to a\r\ndevice. Generally, the tasks are registered from an XML file and are configured to run at boot, with the least privilege needed, to\r\nlaunch a .bat file via the command prompt. The batch file downloads the actor’s reverse proxy, renamed dllhost.exe, so\r\ncontrol of the device is re-established even if the organization removes the file from the device: the task fetches it again.\r\nFigure 2. Scheduled task used in DEV-0270 attacks\r\nPrivilege escalation\r\nDEV-0270 can usually obtain initial access with administrator or system-level privileges by injecting their web\r\nshell into a privileged process on a vulnerable web server. 
When the group uses Impacket’s WMIExec to move to\r\nother systems on the network laterally, they are typically already using a privileged account to run remote\r\ncommands. DEV-0270 also commonly dumps LSASS, as described in the credential access section, to obtain\r\nlocal system credentials and masquerade as other local accounts that might have extended privileges.\r\nAnother form of privilege escalation used by DEV-0270 involves the creation or activation of a user account to\r\nprovide it with administrator privileges. DEV-0270 uses powershell.exe and net.exe commands to create or enable\r\nthis account and add it to the Administrators group for higher privileges.\r\nDefense evasion\r\nDEV-0270 uses a handful of defense evasion techniques to avoid detection. The threat actors typically turn off\r\nMicrosoft Defender Antivirus real-time protection to prevent Microsoft Defender Antivirus from blocking the\r\nexecution of their custom binaries. The threat group creates or activates the DefaultAccount account and adds it to\r\nthe Administrators and Remote Desktop Users groups. The modification of the DefaultAccount provides the threat\r\nactor group with a legitimate pre-existing account with nonstandard, higher privileges. DEV-0270 also uses\r\npowershell.exe to load their custom root certificate into the local machine certificate store. This custom certificate is\r\nspoofed to appear as a legitimate Microsoft-signed certificate. However, Windows flags the spoofed certificate as\r\ninvalid because its signing chain cannot be verified. The certificate allows the group to encrypt their malicious\r\ncommunications so that they blend in with other legitimate encrypted traffic on the network.\r\nAdditionally, DEV-0270 heavily uses native LOLBins to effectively avoid detection. 
The threat group commonly\r\nuses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and\r\noperational security. They also install and masquerade their custom binaries as legitimate processes to hide their\r\npresence. Some of the legitimate process names they masquerade their tools as include dllhost.exe, task_update.exe,\r\nuser.exe, and CacheTask. Using .bat files and powershell.exe, DEV-0270 might terminate existing legitimate\r\nprocesses, run their binary under the same process name, and then configure scheduled tasks to ensure the\r\npersistence of their custom binaries.\r\nLateral movement\r\nDEV-0270 has been seen creating DefaultAccount and adding that account to the Remote Desktop Users group.\r\nThe group uses the RDP connection to move laterally, copy tools to the target device, and perform encryption.\r\nAlong with RDP, Impacket’s WMIExec is a known toolkit used by the group for lateral movement. In multiple\r\ncompromises, this was the main method observed for them to pivot to additional devices in the organization,\r\nexecute commands to find additional high-value targets, and dump credentials for escalating privileges.\r\nAn example of a command run through Impacket’s WMIExec from a remote device. The tell-tale pattern is the\r\nredirection of the command’s output into the ADMIN$ share under a file name built from the current Unix time\r\n(__1657130354.2207212), which the tool then reads back over SMB and deletes:\r\ncmd.exe /Q /c quser 1> \\\\127.0.0.1\\ADMIN$\\__1657130354.2207212 2>&1\r\nImpact\r\nDEV-0270 has been seen using setup.bat commands to enable BitLocker encryption, which leaves the hosts\r\ninoperable. For workstations, the group uses DiskCryptor, an open-source full disk encryption system\r\nfor Windows that allows for the encryption of a device’s entire hard drive. The group drops DiskCryptor from an\r\nRDP session and, when it is launched, begins the encryption. 
This method does require a reboot to install and\r\nanother reboot to lock out access to the workstation.\r\nThe following are DEV-0270’s PowerShell commands using BitLocker:\r\nMicrosoft will continue to monitor DEV-0270 and PHOSPHORUS activity and implement protections for our\r\ncustomers. The current detections, advanced detections, and IOCs in place across our security products are\r\ndetailed below.\r\nRecommended mitigation steps\r\nThe techniques used by DEV-0270 can be mitigated through the following actions:\r\nApply the corresponding security updates for Exchange Server, including applicable fixes for\r\nCVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065. While it is important to prioritize\r\npatching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal\r\nExchange Server instances should also be addressed as soon as possible.\r\nFor Exchange Server instances in Mainstream Support, critical product updates are released for the\r\nmost recently released Cumulative Updates (CU) and for the previous CU. For Exchange Server\r\ninstances in Extended Support, critical product updates are released for the most recently released\r\nCU only.\r\nIf you don’t have a supported CU, Microsoft is producing an additional series of security updates\r\n(SUs) that can be applied to some older and unsupported CUs to help customers more quickly\r\nprotect their environment. For information on these updates, see March 2021 Exchange Server\r\nSecurity Updates for older Cumulative Updates of Exchange Server.\r\nInstalling the updates is the only complete mitigation for these vulnerabilities and has no impact on\r\nfunctionality. 
If the threat actor has exploited these vulnerabilities to install malware, installing the\r\nupdates does not remove implanted malware or evict the actor; a patched server still needs to be checked for web\r\nshells and for the account, RDP and scheduled-task persistence described above.\r\nUse Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC\r\nand SMB communication among devices whenever possible. This limits lateral movement (including WMIExec, which\r\nrelies on both) and other attack activities.\r\nCheck your perimeter firewall and proxy to restrict or prevent network appliances like Fortinet SSL VPN\r\ndevices from making arbitrary connections to the internet to browse or download files.\r\nEnforce strong, unique local administrator passwords with a tool such as LAPS, so that a password dumped from\r\none device’s LSASS does not open the others.\r\nEnsure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.\r\nKeep backups so you can recover data affected by destructive attacks. Use controlled folder access to\r\nprevent unauthorized applications from modifying protected files.\r\nTurn on the following attack surface reduction rules to block or audit activity associated with this threat:\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nBlock process creations originating from PsExec and WMI commands\r\nBlock persistence through WMI event subscription\r\nEnsure that Microsoft Defender for Endpoint is up to date and that real-time behavior monitoring is enabled.\r\nDetection details\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nMalware associated with DEV-0270 activity group detected\r\nThe following additional alerts may also indicate activity associated with this threat. 
These alerts, however, can be\r\ntriggered by unrelated threat activity and are not monitored in the status cards provided with this report.\r\nA script with suspicious content was observed\r\nA suspicious file was observed\r\nAnomalous behavior by a common executable\r\nLazagne post-exploitation tool\r\nLocal Emails Collected\r\nMimikatz credential theft tool\r\n‘Mimilove’ high-severity malware was prevented\r\nNew group added suspiciously\r\nOngoing hands-on-keyboard attack via Impacket toolkit\r\nPossible Antimalware Scan Interface (AMSI) tampering\r\nPossible attempt to discover groups and permissions\r\nPossible exploitation of Exchange Server vulnerabilities\r\nPossible exploitation of ProxyShell vulnerabilities\r\nPossible web shell installation\r\nProcess memory dump\r\nSuspicious Account Discovery: Email Account\r\nSuspicious behavior by cmd.exe was observed\r\nSuspicious behavior by svchost.exe was observed\r\nSuspicious behavior by Web server process\r\nSuspicious Create Account\r\nSuspicious file dropped\r\nSuspicious file dropped by Exchange Server process\r\nSuspicious Modify Registry\r\nSuspicious Permission Groups Discovery\r\nSuspicious PowerShell command line\r\nSuspicious PowerShell download or encoded command execution\r\nSuspicious Process Discovery\r\nSuspicious process executed PowerShell command\r\nSuspicious process launched using dllhost.exe\r\nSuspicious ‘PShellCobStager’ behavior was blocked\r\nSuspicious Scheduled Task Process Launched\r\nSuspicious sequence of exploration activities\r\nSuspicious ‘SuspExchgSession’ behavior was blocked\r\nSuspicious System Network Configuration Discovery\r\nSuspicious System Owner/User Discovery\r\nSuspicious Task Scheduler activity\r\nSuspicious User Account Discovery\r\nSuspicious user password change\r\nSuspicious w3wp.exe activity in Exchange\r\nSystem file masquerade\r\nTampering with the Microsoft Defender for Endpoint sensor\r\nUnusual sequence of failed logons\r\nWDigest configuration change\r\nHunting queries\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the following queries to look for the related malicious activity in their\r\nenvironments.\r\nDEV-0270 registry IOC\r\nThis query identifies registry modifications made by the DEV-0270 actor to disable security features and to add\r\nransom notes:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270RegistryIOCSep2022.yaml\r\nDEV-0270 malicious PowerShell usage\r\nDEV-0270 heavily uses PowerShell to achieve their objectives at various stages of their attack. This query locates\r\nPowerShell activity tied to the actor:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270PowershellSep2022.yaml\r\nDEV-0270 WMIC discovery\r\nThis query identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the\r\nenvironment:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270WMICDiscoverySep2022.yaml\r\nDEV-0270 new user creation\r\nThis query tries to detect creation of a new user using a known DEV-0270 username/password schema:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270NewUserSep2022.yaml\r\nMicrosoft 365 Defender\r\nTo locate possible actor activity, run the following queries. They match the literal quoting of the observed\r\ncommand lines (\"reg\" with surrounding quotes), so reg.exe invoked without quotes, or by full path, needs a looser pattern.\r\nDisable services via registry\r\nSearch for processes modifying the registry to disable security features. 
GitHub link\r\nDeviceProcessEvents\r\n| where InitiatingProcessCommandLine has_all(@'\"reg\"', 'add', @'\"HKLM\\SOFTWARE\\Policies\\', '/v','/t'\r\n and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN\r\nModifying the registry to add a ransom message notification\r\nIdentify registry modifications that are indicative of a ransom note tied to DEV-0270. GitHub link\r\nDeviceProcessEvents\r\n| where InitiatingProcessCommandLine has_all('\"reg\"', 'add', @'\"HKLM\\SOFTWARE\\Policies\\', '/v','/t',\r\nDLLHost.exe file creation via PowerShell\r\nIdentify a masqueraded dllhost.exe file created by PowerShell. GitHub link\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ 'powershell.exe'\r\n| where InitiatingProcessCommandLine has_all('$file=', 'dllhost.exe', 'Invoke-WebRequest', '-OutFile\r\nAdd malicious user to Admins and RDP users group via PowerShell\r\nLook for PowerShell adding a user to the Administrators and Remote Desktop Users groups. GitHub link\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ 'powershell.exe'\r\n| where InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifie\r\nEmail data exfiltration via PowerShell\r\nIdentify email exfiltration conducted by PowerShell. GitHub link\r\nDeviceProcessEvents\r\n| where FileName =~ 'powershell.exe'\r\n| where ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresse\r\nCreate new user with known DEV-0270 username/password\r\nSearch for the creation of a new user using a known DEV-0270 username/password schema. 
GitHub link\r\nDeviceProcessEvents\r\n| where InitiatingProcessCommandLine has_all('net user', '/add')\r\n| parse InitiatingProcessCommandLine with * \"user \" username \" \"*\r\n| extend password = extract(@\"\\buser\\s+[^\\s]+\\s+([^\\s]+)\", 1, InitiatingProcessCommandLine)\r\n| where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')\r\nPowerShell adding exclusion path for Microsoft Defender of ProgramData\r\nIdentify PowerShell adding the ProgramData directory as a Microsoft Defender exclusion path, so that files\r\ndropped there are not scanned. GitHub link\r\nDeviceProcessEvents\r\n| where FileName =~ \"powershell.exe\" and ProcessCommandLine has_all(\"try\", \"Add-MpPreference\", \"-Excl\r\nDLLHost.exe WMIC domain discovery\r\nIdentify dllhost.exe using WMIC to discover additional hosts and the associated domain. A bare dllhost.exe\r\ncommand line with no arguments is the masqueraded binary; the legitimate COM surrogate is launched with a\r\n/Processid:{GUID} argument. GitHub link\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"dllhost.exe\" and InitiatingProcessCommandLine == \"dllhost.exe\"\r\n| where ProcessCommandLine has \"wmic computersystem get domain\"\r\nSource: https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
	],
	"report_names": [
		"profiling-dev-0270-phosphorus-ransomware-operations"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/942be7a4ad1115ebd8ba8021add3eb85f5b49dc0.pdf",
		"text": "https://archive.orkl.eu/942be7a4ad1115ebd8ba8021add3eb85f5b49dc0.txt",
		"img": "https://archive.orkl.eu/942be7a4ad1115ebd8ba8021add3eb85f5b49dc0.jpg"
	}
}