Names | DEV-0270 (Microsoft), Nemesis Kitten (CrowdStrike), DireFate (BAE Systems) | |
Country | | |
Motivation | Financial gain | |
First seen | 2022 | |
Description | A subgroup of Magic Hound, APT 35, Cobalt Illusion, Charming Kitten. (Microsoft) Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. | |
Observed | ||
Tools used | Impacket, WmiExec, Living off the Land. | |
Information | <https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/> |
Last change to this card: 01 January 2023