Skip to main content
Mallory
Back to threat actors
Financially Motivated8 malware families

Velvet Tempest

Also known asALPHA SPIDERDEV-0504Velvet Tempest

alpha_spider is a financially motivated threat actor tracked by Microsoft as DEV-0504 and later renamed Velvet Tempest. The content describes it as a prolific ransomware affiliate that has deployed at least six ransomware-as-a-service payloads since 2020 and specifically identifies it as an affiliate of the ALPHV/BlackCat ransomware operation. Microsoft states that DEV-0504/Velvet Tempest relies on access brokers for initial access, has used compromised credentials and remote sign-in to internet-facing systems, and has deployed BlackCat against organizations including in the energy sector. Reported tradecraft includes hands-on-keyboard intrusions; use of Cobalt Strike Beacon; domain discovery; credential theft with tools such as Mimikatz and Rubeus; lateral movement and payload distribution with PsExec; disabling unprotected antivirus; data exfiltration including use of StealBit; and ransomware deployment. The content also links Velvet Tempest to ClickFix campaigns that led to a hands-on-keyboard intrusion culminating in deployment of the Termite ransomware. Aliases directly supported by the content are alpha_spider, DEV-0504, and Velvet Tempest.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Energy
  • Consumer Durables & Apparel
  • Food, Beverage & Tobacco
  • Software & Services
  • Materials
  • Capital Goods
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics11 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1078
Valid Accounts
TA0002
Execution
1 technique
T1204×2
User Execution
TA0003
Persistence
1 technique
T1078
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0006
Credential Access
1 technique
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
TA0007
Discovery
1 technique
T1018
Remote System Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.002
SMB/Windows Admin Shares
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BlackCatDEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022.2May 26, 2026
Cobalt StrikeThis industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks. Within this category ... attackers using off-the-shelf tools, such as Cobalt Strike...2May 26, 2026
BLACKMATTERELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021.1May 26, 2026
CastleRAT...Velvet Tempest ... used a ClickFix lure ... to drop payloads like DonutLoader and CastleRAT.1Mar 9, 2026
DonutLoader...Velvet Tempest ... used a ClickFix lure ... to drop payloads like DonutLoader and CastleRAT.1Mar 9, 2026

3 additional families tracked in Mallory.

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
the hacker newsNews
Mar 2, 2026
⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More

Operator attributed with a ClickFix-driven intrusion culminating in hands-on-keyboard activity and deployment of Termite ransomware.

Read more
the hacker newsNews
Mar 2, 2026
⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More

Operator attributed to a ClickFix-driven intrusion culminating in hands-on-keyboard activity and deployment of Termite ransomware.

Read more
risky biz rssNews
Mar 2, 2026
LLMs can deanonymize internet users based on their comments

Linked to a ClickFix-driven intrusion chain that culminates in hands-on-keyboard activity and deployment of Termite ransomware.

Read more
web archiveNews
Dec 6, 2024
How Microsoft names threat actors - Microsoft Defender XDR | Microsoft Learn

Financially motivated threat actor tracked by Microsoft under the Tempest family.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.