HOMETHREATSDEV-0586
APT / THREAT GROUP💰 FINANCIALHIGH

DEV-0586

🇷🇺Russia-attributed
1
campaigns
3
aliases
Last seen:Mar 17, 2026

Intelligence Profile

MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.

Threat Analysis

DEV-0586 is a high-sophistication threat actor attributed to Russia, engaged in cyber operations with a primary motivation of financial.

Financially motivated threat actors like DEV-0586 prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, DEV-0586 is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Known Campaigns

DEV-0586 — Active Operations March 2026

DEV-0586 is a financial threat actor attributed to Russia. MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be d...

ACTIVEMEDIUM2026

External References

Quick Facts

TypeAPT / Threat Group
Motivation💰 financial
Sophisticationhigh
Origin🇷🇺 Russia
Aliases3
SourceMalpedia

Also Known As

Cadet BlizzardRuinous UrsaDEV-0586

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
DEV-0586 — APT / Threat Group | Threat Intelligence | CTIWATCH.COM