Threat Actor Characterization

DevMan


ID: 38010cb4afb2f2b4f97a852776090b9338942
Crimeware Ransomware
Threat types: Malware, Ransomware, RaaS, Intrusion, Phishing
Unknown BRA, CAN, FRA, GRC, JPN, SGP, ZAF, ESP, THA, GBR, VNM
Updated: 2026-03-14
Created: 2026-03-04
Progress: 83% Completeness: 89% Freshness: 70%
Operation zone: Brazil, Canada, France, Greece, Japan, Singapore, South Africa, Spain, Thailand, United Kingdom, Vietnam
Aliases: DragonForce
MITRE ATT&CK®

DevMan is a ransomware variant/cluster reported since 2025 and commonly described as DragonForce-linked. Official alerting on DevMan 2.0 describes double extortion, common access routes (compromised credentials, phishing, exposed services), SMB admin-share lateral movement, recovery inhibition (shadow copy deletion), and Tor extortion infrastructure.


Technique | Technique name | Tactics (evidence listed beneath each technique)
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2026-01-16 — Compromised/valid accounts described as a common access method. · ref
T1566 | Phishing | TA0001
  • 2026-01-16 — Phishing and spear-phishing listed as typical access routes. · ref
T1190 | Exploit Public-Facing Application | TA0001
  • 2026-01-16 — Exposed services without patches or misconfigurations listed as access routes (generalized). · ref
T1021.002 | SMB/Windows Admin Shares | TA0008
  • 2026-01-16 — SMB/Windows Admin Shares used for lateral movement; ADMIN$ access via net use/PsExec described. · ref
T1490 | Inhibit System Recovery | TA0040
  • 2026-01-16 — Shadow copy deletion and backup disruption described as common behavior. · ref
T1486 | Data Encrypted for Impact | TA0040
  • 2026-01-16 — Encryption for impact described; .DEVMAN extension listed as a typical artifact. · ref

Strategic Intelligence
Last updated: 2026-03-04T18:42:18+00:00

DevMan - Ransomware / Double Extortion

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — DevMan

Classification: Unclassified / OSINT — TLP:WHITE

IOC Appendix
Last updated: 2026-03-04T18:20:35+00:00

IOC Appendix — DevMan

Classification: Unclassified / OSINT — TLP:WHITE

OSINT Library
Last saved: 2026-03-04T18:41:56+00:00

OSINT Library — DevMan


2026-01-16 — ECU-CERT (Ecuador) — “AL-2026-001 — RANSOMWARE DEVMAN 2.0 (PDF)”

Reference Images/Associated Evidence

[Image: Onion website]
[Image: Logo used in ransom notes]