🇮🇷 IR1 malware family

DEV-0270

Also known asdev_0270

DEV-0270 is a Microsoft-tracked subgroup associated in the provided content with Phosphorus, an Iranian threat cluster. The content states that Microsoft disclosed DEV-0270 conducting ransomware attacks using living-off-the-land binaries such as BitLocker. DEV-0270 is also listed among groups with a history of targeting Israel. The supporting content further places this activity in the broader context of Iranian government-linked operations, noting overlap among Iranian clusters including TA453, APT42, Charming Kitten, and Phosphorus, but only directly identifies DEV-0270 as a Phosphorus subgroup. High-confidence aliases directly mentioned for this actor are limited to DEV-0270.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics7 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1595

Active Scanning

TA0001

Initial Access

2 techniques

T1133

External Remote Services

T1190

Exploit Public-Facing Application

TA0003

Persistence

1 technique

T1133

External Remote Services

TA0011

Command and Control

1 technique

T1090

Proxy

T1090.003

Multi-hop Proxy

TA0040

Impact

1 technique

T1486

Data Encrypted for Impact

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BitLockerLast week, Microsoft took the wraps off a string of ransomware attacks mounted by a Phosphorus subgroup dubbed DEV-0270 using living-off-the-land binaries such as BitLocker.1May 26, 2026

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyfirma otherNews

Oct 18, 2023

ISRAEL GAZA CONFLICT : THE CYBER PERSPECTIVE - CYFIRMA

APT/designated activity cluster listed as having a history of targeting Israel.

the hacker newsNews

Sep 13, 2022

Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research

A Phosphorus subgroup conducting ransomware attacks using living-off-the-land binaries.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping5

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.