Skip to main content
Mallory
Back to threat actors
7 malware families

DEV-0216

Also known asdev_0216

DEV-0216 is a cybercriminal ransomware-as-a-service (RaaS) affiliate. Microsoft reported that it acquired initial access from Qakbot infections, maintained its own Cobalt Strike Beacon infrastructure, and operated as an affiliate for multiple ransomware programs, including Egregor, Maze, LockBit, REvil, and Conti, in numerous high-impact incidents. The available content directly associates DEV-0216 with follow-on ransomware activity stemming from Qakbot distributor operations and with use of Cobalt Strike infrastructure, but does not provide additional high-confidence details on geography, specific victim sectors, or nation-state affiliation.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics2 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0011
Command and Control
1 technique
T1071
Application Layer Protocol
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Cobalt StrikeThis industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks. Within this category ... attackers using off-the-shelf tools, such as Cobalt Strike...1May 26, 2026
ContiBased on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.1May 26, 2026
EgregorDEV-0216 ... has operated as an affiliate for Egregor, Maze, Lockbit, REvil, and Conti in numerous high-impact incidents.1May 26, 2026
LockBitAround November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.1May 26, 2026
MazeIn 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.1May 26, 2026

2 additional families tracked in Mallory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

2 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.