APT / THREAT GROUP | 💰 FINANCIAL | HIGH

DEV-0270

🇮🇷 Iran-attributed
Campaigns: 1
Aliases: 3
Last seen: Mar 17, 2026

Intelligence Profile

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.

Threat Analysis

DEV-0270 is a high-sophistication threat actor attributed to Iran that conducts cyber operations with a primarily financial motivation.

Financially motivated threat actors like DEV-0270 prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, DEV-0270 is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Known Campaigns

DEV-0270 — Active Operations March 2026

DEV-0270 is a financially motivated threat actor attributed to Iran. Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious networ...

ACTIVE | MEDIUM | 2026

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Origin: 🇮🇷 Iran
Aliases: 3
Source: Malpedia

Also Known As

Storm-0270, Nemesis Kitten, DEV-0270

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.