ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Subgroup: DEV-0270, Nemesis Kitten

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Subgroup: DEV-0270, Nemesis Kitten

NamesDEV-0270 (Microsoft)
Nemesis Kitten (CrowdStrike)
DireFate (BAE Systems)
Yellow Dev 23 (PWC)
Yellow Dev 24 (PWC)
Lord Nemesis (OP Innovate)
CountryIran Iran
MotivationFinancial gain
First seen2022
DescriptionA subgroup of Magic Hound, APT 35, Cobalt Illusion, Charming Kitten.

(Microsoft) Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.
Observed
Tools usedImpacket, WmiExec, Living off the Land.
Operations performedNov 2023Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector
<https://op-c.net/blog/lord-nemesis-strikes-supply-chain-attack-on-the-israeli-academic-sector/>
Information<https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/>

Last change to this card: 10 March 2024

Download this actor card in PDF or JSON format

Previous: Magic Hound, APT 35, Cobalt Illusion, Charming Kitten
Next: Subgroup: TA455, Smoke Sandstorm

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]