Skip to main content
Mallory
Back to threat actors
5 malware families

DEV-0506

Also known asDEV-0506

DEV-0506 is a Microsoft-tracked cybercriminal ransomware affiliate. Microsoft reported that DEV-0506 previously deployed Conti before the Conti shutdown and later switched to deploying Black Basta regularly. Microsoft also stated that DEV-0506 uses DEV-0365’s Cobalt Strike Beacon infrastructure and has been observed adding Brute Ratel. Microsoft further identified DEV-0506 as one of the affiliates linked to Qakbot distributor activity from DEV-0450 and DEV-0464, indicating infections from those distributors have led to ransomware deployments by DEV-0506. High-confidence aliases directly mentioned in the content are limited to DEV-0506.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics4 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0011
Command and Control
3 techniques
T1071
Application Layer Protocol
T1105
Ingress Tool Transfer
T1219
Remote Access Tools
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Black BastaFor example, DEV-0506 was deploying BlackBasta part-time before the Conti shutdown and is now deploying it regularly.1May 26, 2026
Brute Ratel C4In late September 2022, Microsoft observed DEV-0506 adding Brute Ratel as a tool to facilitate their hands-on-keyboard access as well as Cobalt Strike Beacons.1May 26, 2026
Cobalt StrikeThis industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks. Within this category ... attackers using off-the-shelf tools, such as Cobalt Strike...1May 26, 2026
ContiBased on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.1May 26, 2026
QakBotSeptember 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment. ... Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates.1May 26, 2026
ACTIVITY FEED

Recent activity

2 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

2 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.