nvd0rz is a threat actor handle identified in reporting on territorial competition among criminal groups targeting internet-exposed FreePBX, Elastix, Issabel, and Sangoma VoIP systems for toll fraud. In the cited reporting, nvd0rz is not described as the primary operator of the observed malware, but as one of at least seven competing actors whose implants, accounts, cron jobs, and webshells were specifically removed by a newer FreePBX malware variant deployed by a rival operation. Artifacts associated with nvd0rz included a competitor-associated FreePBX or OS account named "nvd0rz," which the rival Stage 2 payload deleted during takeover activity. The mention context groups nvd0rz with tchTowr as distinct competing operations with different regional origins. No nation-state attribution is indicated in the provided content. Known alias directly supported by the content: nvd0rz.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.