APT / THREAT GROUP

DevilsTongue

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

According to Microsoft, DevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities.

For files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities.

Threat Analysis

DevilsTongue is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations. Its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

DevilsTongue, win.devilstongue

External Intelligence

Malpedia: win.devilstongue

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.