
Nitrogen

Nitrogen is a malware family and ransomware operation first observed in 2023. Reporting describes two closely related uses of the name: an initial-access malware/loader used in malvertising-driven intrusions, and a later independent ransomware group and strain. As an initial-access malware, Nitrogen was delivered through Google and Bing search ads and fake software download sites impersonating products such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Victims downloaded trojanized ISO installers containing a malicious DLL (msi.dll) that acted as NitrogenInstaller: it installed the expected legitimate application, deployed a malicious Python package, created a registry Run key named Python for persistence, executed a malicious pythonw.exe every five minutes, and launched NitrogenStager via python.311.dll. NitrogenStager communicated with command-and-control infrastructure and deployed Meterpreter and Cobalt Strike Beacons; researchers assessed this activity as staging for ransomware deployment. Trend Micro had previously linked a similar ad-driven chain to BlackCat/ALPHV ransomware, and reporting explicitly states that Nitrogen began as a loader used to deliver BlackCat/ALPHV in 2023.

By mid-2024, Nitrogen had evolved into an independent ransomware operator conducting double-extortion attacks and using infrastructure primarily linked to Eastern Europe. The ransomware strain is described as derived from leaked Conti 2 builder code, and some reporting also notes codebase overlap detected across multiple operations. Nitrogen has targeted VMware ESXi environments and broader enterprise networks, with victims reported in manufacturing, business services, technology, hospitality, education, utilities, finance, and media. Reported victim geography is concentrated in the United States and Canada. Foxconn is specifically cited as a victim: Nitrogen claimed responsibility for a cyberattack affecting several North American Foxconn factories, listed the company on its leak site, and claimed theft of approximately 8 TB of data and more than 11 million files, including confidential documents, technical records, blueprints, project directives, and engineering drawings allegedly tied to customers such as Apple, Intel, Google, Dell, Nvidia, and AMD.

A notable characteristic of Nitrogen ransomware is a critical cryptographic implementation flaw in its VMware ESXi variant. Multiple sources state that the malware encrypts files with the wrong or corrupted public key; some describe part of the public key being overwritten with zeros or otherwise corrupted on the stack. As a result, decryption is impossible even for the operators, and paying the ransom is futile for affected ESXi victims. The flaw has been described as causing irrevocable corruption of encrypted files and preventing the gang's decryptor from recovering victim data. Reporting also references the Nitrogen ransom note filenames READ_ME_.TXT and readme.txt; ATT&CK-style behaviors including PowerShell, scheduled tasks, LSASS credential dumping, RDP, SMB/admin shares, automated collection, and exfiltration over command-and-control channels; and IOC hashes including the MD5 values 1b637a43abca552acaee11c01913db18, 3139c8e0d0dd9683ebfecdb2e4f1b6bb, 3dbd3c04b1acab0b70546e48d39247b7, 7e043d880dcf7889c6767ab97764769c, 834d94cf35d9417aa93a5cb350a756e9, and a9297a8acbee74ba0169333ee38be2ef.
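The loader behaviors and IOC hashes above translate directly into a hunt. The script below is an added example, not Mallory's code or the Nitrogen authors' code: it runs over a small set of constructed endpoint telemetry records and flags three things the page describes, namely file hashes matching the listed MD5 IOCs, a registry Run key whose value name is Python, and pythonw.exe executing on a roughly five-minute cadence on one host. The telemetry field names, the exact HKCU Run key path, and the sample paths and timestamps are assumptions made for the example; the hashes are the ones listed on the page.

```python
"""Hunt constructed endpoint telemetry for the Nitrogen loader indicators
described on the page. Record schema (ts, type, host, md5, key, value_name,
image) is an assumption for this example; the MD5 set comes from the page."""
from collections import defaultdict
from datetime import datetime, timedelta

# MD5 IOCs listed on the page.
NITROGEN_MD5 = {
    "1b637a43abca552acaee11c01913db18",
    "3139c8e0d0dd9683ebfecdb2e4f1b6bb",
    "3dbd3c04b1acab0b70546e48d39247b7",
    "7e043d880dcf7889c6767ab97764769c",
    "834d94cf35d9417aa93a5cb350a756e9",
    "a9297a8acbee74ba0169333ee38be2ef",
}

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # assumed path

# Constructed telemetry: ws1 shows the full loader chain, ws2 is benign noise.
EVENTS = [
    {"ts": "2024-06-01T10:00:00", "type": "file_write", "host": "ws1",
     "md5": "1B637A43ABCA552ACAEE11C01913DB18", "path": r"C:\Users\a\Downloads\install.exe"},
    {"ts": "2024-06-01T10:01:00", "type": "registry_set", "host": "ws1",
     "key": RUN_KEY, "value_name": "Python", "data": r"C:\ProgramData\py\pythonw.exe"},
    {"ts": "2024-06-01T10:02:00", "type": "process", "host": "ws1", "image": r"C:\ProgramData\py\pythonw.exe"},
    {"ts": "2024-06-01T10:07:05", "type": "process", "host": "ws1", "image": r"C:\ProgramData\py\pythonw.exe"},
    {"ts": "2024-06-01T10:12:00", "type": "process", "host": "ws1", "image": r"C:\ProgramData\py\pythonw.exe"},
    {"ts": "2024-06-01T10:16:58", "type": "process", "host": "ws1", "image": r"C:\ProgramData\py\pythonw.exe"},
    {"ts": "2024-06-01T10:00:00", "type": "file_write", "host": "ws2",
     "md5": "d41d8cd98f00b204e9800998ecf8427e", "path": r"C:\Users\b\Downloads\notes.txt"},
    {"ts": "2024-06-01T10:03:00", "type": "process", "host": "ws2", "image": r"C:\Python311\pythonw.exe"},
    {"ts": "2024-06-01T11:30:00", "type": "process", "host": "ws2", "image": r"C:\Python311\pythonw.exe"},
]


def hash_hits(events):
    """Return events whose MD5 matches a Nitrogen IOC (case-insensitive)."""
    return [e for e in events if e.get("md5", "").lower() in NITROGEN_MD5]


def run_key_hosts(events):
    """Hosts where a Run key value literally named 'Python' was written."""
    hosts = {
        e["host"] for e in events
        if e["type"] == "registry_set"
        and e["key"].lower().endswith(r"\run")
        and e.get("value_name", "").lower() == "python"
    }
    return sorted(hosts)


def periodic_pythonw_hosts(events, period=timedelta(minutes=5),
                           tolerance=timedelta(seconds=30), min_runs=3):
    """Hosts where pythonw.exe ran at least `min_runs` times in a row at
    `period` intervals (within `tolerance`), the cadence the page describes."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "process" and e["image"].lower().endswith("pythonw.exe"):
            by_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for host, times in by_host.items():
        times.sort()
        streak = 1
        for prev, cur in zip(times, times[1:]):
            if abs((cur - prev) - period) <= tolerance:
                streak += 1
                if streak >= min_runs:
                    flagged.append(host)
                    break
            else:
                streak = 1
    return sorted(flagged)


def hunt(events):
    """Combine the three checks into one report keyed by indicator type."""
    return {
        "hash_hits": hash_hits(events),
        "run_key_hosts": run_key_hosts(events),
        "periodic_pythonw_hosts": periodic_pythonw_hosts(events),
    }


if __name__ == "__main__":
    for name, result in hunt(EVENTS).items():
        print(f"{name}: {result}")
```

The cadence check deliberately tolerates jitter of a few seconds, since scheduled-task launches rarely land on the exact minute; a single benign pythonw.exe launch, as on ws2, does not trip it. In a real environment the same three functions would be fed from EDR or Sysmon exports rather than the constructed list.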


MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583 Acquire Infrastructure (Evidence: 2)

Rhadamanthys is an infostealer distributed via malspam and malvertising. Google searches for popular software such as Notion return malicious ads. Threat actors are using decoy websites to trick users into downloading malware.

Initial Access

2 techniques
T1189 Drive-by Compromise (Evidence: 1)

From those fake sites, users download trojanized ISO installers ('install.exe'), which contain and sideload a malicious DLL file ('msi.dll').

T1566 Phishing (Evidence: 1)

Clicking the link brings the visitor to compromised WordPress hosting pages that imitate the legitimate software download sites for the particular application.

Collection

1 technique
T1074 Data Staged (Evidence: 1)

The Nitrogen ransomware gang says it stole 8 TB of data from Foxconn, including files allegedly tied to projects from Apple, Nvidia, Google, Dell, and Intel.

Exfiltration

1 technique
T1048 Exfiltration Over Alternative Protocol (Evidence: 1)

The alleged Foxconn cache includes technical files... the cache contains confidential instructions, project documentation, and technical drawings.

Impact

2 techniques
T1486 Data Encrypted for Impact (Evidence: 2)

Nova, the affiliate program for ransomware crew RAlord, on Tuesday issued an apology to Eriell Group... The malware slingers claimed they didn’t encrypt any files... Pro-Russian hacktivist crew CyberVolk got sloppy when they debuted a ransomware service late last year. They hardcoded the master keys... thus allowing victims to recover encrypted data without paying any extortion fees. ... Sicarii encryptor generates a new cryptographic key pair during every execution... Similarly, a programming mistake in Nitrogen ransomware prevents the gang's decryptor from recovering victims' files

T1657 Financial Theft (Evidence: 1)

By 2024, the hacking group had moved into direct extortion, claiming victims across sectors where stolen data can create pressure fast.
