Subgroup: DEV-0270, Nemesis Kitten - Threat Group Cards: A
Threat Actor Encyclopedia
Archived: 2026-04-05 22:06:31 UTC
Home > List all groups > Subgroup: DEV-0270, Nemesis Kitten
 APT group: Subgroup: DEV-0270, Nemesis Kitten
Names
DEV-0270 (Microsoft)
Nemesis Kitten (CrowdStrike)
DireFate (BAE Systems)
Yellow Dev 23 (PWC)
Yellow Dev 24 (PWC)
Lord Nemesis (OP Innovate)
Country Iran
Motivation Financial gain
First seen 2022
Description
A subgroup of Magic Hound, APT 35, Cobalt Illusion, Charming Kitten.
(Microsoft) Microsoft threat intelligence teams have been tracking multiple
ransomware campaigns and have tied these attacks to DEV-0270, also known as
Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses
with moderate confidence that DEV-0270 conducts malicious network operations,
including widespread vulnerability scanning, on behalf of the government of Iran.
However, judging from their geographic and sectoral targeting, which often lacked a
strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.
Observed
Tools used Impacket, WmiExec, Living off the Land.
Operations performed Nov 2023
Lord Nemesis Strikes: Supply Chain Attack on the Israeli
Academic Sector
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e96efff5-793f-430f-b8fb-5c64c83fa232
Page 1 of 2

Information
Last change to this card: 10 March 2024
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e96efff5-793f-430f-b8fb-5c64c83fa232
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e96efff5-793f-430f-b8fb-5c64c83fa232
Page 2 of 2