APT / THREAT GROUP
DevilsTongue
2
aliases
Last seen:Mar 17, 2026
Intelligence Profile
According to Microsoft, DevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities.
For files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities.
Threat Analysis
DevilsTongue is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.
External References
Quick Facts
TypeAPT / Threat Group
Aliases2
Also Known As
DevilsTonguewin.devilstongue
External Intelligence
Malpedia: win.devilstongueResearch Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.