THREAT ACTOR

DevMan

7.2
THREAT LEVEL
EMERGENCE DATE
Apr 2025
CATEGORY
Closed Group
AFFILIATIONS

Multi-RaaS affiliate partnerships with Qilin (primary; 80-85% of each ransom retained by the affiliate), DragonForce (technical lineage), Apos, RansomHub, and former INC Ransom connections.

DESCRIPTION

Emerging in April 2025 as a closed operation, the threat actor descends from the DragonForce and Conti ransomware lineage while functioning as a multi-RaaS affiliate across the Qilin, DragonForce, Apos, and RansomHub platforms. The group conducts direct attacks with a proprietary toolset rather than recruiting affiliates, targeting small to mid-sized enterprises across Asia-Pacific markets.

Despite the June 2025 GangExposed doxing that exposed operator identities, the group moved to version 2.0 with a Rust implementation and continued operating through 2025.

CRITICALITY
Assesses the importance of the potential target, including its size and scale, the value of its data, and the operational impact of compromise.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Closed Group

DevMan runs as a non-public, closed operation that conducts direct attacks without recruiting external affiliates, while itself acting as an affiliate of multiple RaaS platforms. The group keeps control of the full attack lifecycle, from initial access through negotiation, and draws on the partnerships for operational redundancy. Revenue-threshold targeting sets minimum annual revenue at $100M+ for critical infrastructure and $50M+ for healthcare entities.

Current Status: Active as of October 2025, with sustained operational tempo following the June 2025 GangExposed doxing; evolved to version 2.0 and continues to acquire victims across Asia-Pacific, North American, and European markets.

Threat Level:
7.2

Origins and Methodology

The operation features an unusual multi-RaaS affiliate model, maintaining partnerships across competing platforms while building out independent capabilities. Its offline operational architecture avoids traditional C2 beaconing, removing the network indicators that most C2-focused detections depend on.

Technical advancement shows in the rapid C++ to Rust migration within three months, abuse of the Windows Restart Manager API to release file locks before encryption, and Group Policy Object deployment for enterprise-wide distribution. Dual-use campaigns embed custom info-stealer components for credential harvesting. The Asia-Pacific concentration, over 60% of victims, suggests regional expertise that distinguishes the group from typically North America-focused operations.

What is the Evolution of DevMan Ransomware?
1. Formation

Emerging in April 2025 and self-identifying as a Qilin affiliate, which established a dual operational identity, early operations used the DragonForce builder and infrastructure inherited from the Conti and DragonForce lineage. The formation phase showed immediate capability through government agency and critical infrastructure targeting, including a national social security fund compromise with 2.5TB exfiltrated via compromised RDP accounts.

Initial ransom demands ranged from $60,000 to $2.5M, scaled to the victim profile. The operation set up a dedicated TOR leak site with victim countdown timers and data auctions.

2. Evolution

The months following emergence showed rapid victim acquisition, with a May 2025 surge to 12+ claimed victims placing the operation among the top-tier groups that month. The expansion phase revealed capabilities against Microsoft Exchange, VMware ESXi, and edge-facing services. PowerShell and cmd deployment, combined with security tool disablement and PsExec and RDP lateral movement, covered a broad span of MITRE ATT&CK techniques.

June 2025 brought significant disruption when GangExposed publicly doxed operator identities, causing immediate affiliate abandonment; the group recovered in July 2025 with version 2.0, a Rust implementation with separate TOR infrastructure. Operations since July 2025 show sustained capability, with demands escalating from $60K-$2.5M (version 1.0) to $1M-$91M (version 2.0).

3. Lineage/Connections

Technical ancestry traces to Conti ransomware via the February 2022 source code leak, which enabled DragonForce development in 2023-2024 and, from April 2025, the current operation. Multiple sources confirm shared characteristics: DragonForce builder usage, identical ransom note templates, the same Windows Restart Manager abuse pattern, and the three-mode encryption architecture drawn directly from the DragonForce and Conti lineage.

Qilin RaaS integration through self-identified affiliation establishes the primary partnership, with 80% affiliate retention for ransoms under $3M and 85% for ransoms over $3M. Connections to the broader DragonForce ecosystem, whose parent operation claimed to have taken over RansomHub in March 2025, point to complex inter-group relationships.

Which Unique Techniques Does DevMan Use?

Attack methodology emphasizes an offline architecture that avoids C2 beaconing while reconnaissance, lateral movement and encryption are carried out inside the compromised network. Victim selection combines revenue-threshold targeting with opportunistic exploitation.

Infection Vectors: Phishing campaigns with malicious attachments; RDP brute force, password spraying and credential stuffing; exploitation of edge-facing services including VPN gateways and remote management interfaces.

Target Selection: Revenue-threshold methodology requiring $100M+ annual revenue for critical infrastructure and $50M+ for healthcare; primary Asia-Pacific concentration (over 60% of victims) in Taiwan, Thailand, China, Japan and Singapore, with secondary African operations and an expanding European and North American presence.

Operational Complexity: Rapid C++ to Rust migration within three months; Group Policy Object deployment (version 2.0) for enterprise-wide distribution; offline architecture with minimal C2 communication; three-mode encryption with Windows Restart Manager abuse to release file locks.

Key Features & Technical Details

Technical architecture emphasizes offline operation, avoiding C2 infrastructure and carrying out attacks within the compromised network. The DragonForce-derived encryptor uses hybrid cryptography: symmetric AES-256 for bulk file encryption speed, with RSA-2048 protecting the symmetric keys so they cannot be recovered from the host.

Encryption Method: Hybrid scheme, AES-256 in CBC mode for file content with RSA-2048 protecting the symmetric keys; three modes: full encryption, header-only encryption for speed, and a custom configurable mode; DragonForce encryptor inherited from the technical lineage.

File Extension: Version 1.0: .DEVMAN or .devmanv1; Version 2.0: .devman1.

Ransom Note: README.devmanv1.txt (version 1.0), README.txt, README.yAGRTb.txt. A builder flaw makes the encryptor encrypt its own dropped ransom note, which is deterministically renamed to e47qfsnz2trbkhnt.devman, leaving a consistent artifact across victims.

Double Extortion: Hybrid, data-extortion-first model with encryption in the majority of attacks; typical exfiltration of 50GB to 300GB, with a maximum of 2.5TB documented; data uploaded to Mega.nz; dedicated TOR leak sites with countdown timers.

Communication Channels: Offline architecture with minimal external communication; TOX encrypted peer-to-peer messaging; email devman@cyberfear.com; TOR sites at qljmlmp4psnn3wqskkf3alqquatymo6hntficb4rhq5n76kuogcv7zyd.onion (version 1.0) and wugurgyscp5rxpihef5vl6b6m5ont3b6sezhl7boboso2enib2k3q6qd.onion (version 2.0).

Deployment Speed: Rapid automated encryption of local and networked drives; Windows Restart Manager API abused to release file locks; PowerShell and cmd script deployment; Group Policy Object push (version 2.0) for domain-wide distribution.

Payment Method: Bitcoin as the primary cryptocurrency, routed through affiliate wallets with the operator share then transferred to the RaaS operators per the Qilin structure (80-85% affiliate retention).

Operational Model: Closed group conducting direct attacks without external affiliate recruitment while acting as a multi-RaaS affiliate of Qilin, DragonForce, Apos and RansomHub; $100M+ (critical infrastructure) and $50M+ (healthcare) minimum revenue targeting.
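The Encryption Method row above lists a header-only mode alongside full encryption. For incident triage that distinction decides how much of a file body survives, which drives restore priorities when backups are incomplete. The following is an added example, not DevMan's code and not the vendor's tooling, that classifies a suspect file by per-window Shannon entropy and reports which byte ranges look encrypted. The 4 KiB window, the 7.2 bits/byte cutoff and the constructed sample files are assumptions for the demo.

```python
import math
import os
from collections import Counter

WINDOW = 4096             # assumption: scan granularity in bytes
ENTROPY_CUTOFF = 7.2      # assumption: bits/byte above which a window is treated as ciphertext


def shannon_entropy(buf):
    """Bits of entropy per byte of buf (0.0 for an empty buffer, 8.0 for uniform bytes)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def encrypted_ranges(data, window=WINDOW, cutoff=ENTROPY_CUTOFF):
    """Merged (start, end) byte ranges whose windows look like ciphertext."""
    ranges = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) >= cutoff:
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], off + len(chunk))   # extend the current run
            else:
                ranges.append((off, off + len(chunk)))
    return ranges


def classify(data, window=WINDOW):
    """Return (verdict, encrypted_fraction); verdict is one of
    'empty', 'plaintext', 'header_only', 'partial', 'full'."""
    if not data:
        return "empty", 0.0
    ranges = encrypted_ranges(data, window)
    frac = sum(end - start for start, end in ranges) / len(data)
    if frac >= 0.95:
        return "full", frac
    if len(ranges) == 1 and ranges[0][0] == 0 and frac < 0.5:
        return "header_only", frac          # one encrypted run, anchored at offset 0
    if ranges:
        return "partial", frac
    return "plaintext", frac


def sample_files():
    """Constructed inputs: a low-entropy 'spreadsheet export', a fully encrypted copy,
    and a header-only copy (first 8 KiB replaced). os.urandom stands in for
    ciphertext, which is statistically indistinguishable from it for this purpose."""
    lines = (f"2025-Q2;cost-centre-{i % 40:02d};{(i * 37) % 1000:>6}.00\n" for i in range(2400))
    plaintext = "".join(lines).encode()[:65536].ljust(65536, b"\n")
    full = os.urandom(len(plaintext))
    header_only = os.urandom(8192) + plaintext[8192:]
    return plaintext, full, header_only


if __name__ == "__main__":
    for label, blob in zip(("plaintext", "full", "header_only"), sample_files()):
        verdict, frac = classify(blob)
        print(f"{label:12} -> {verdict:12} encrypted={frac:.0%} ranges={encrypted_ranges(blob)}")
```

Two caveats when using this on real evidence. Formats that are already compressed (zip, docx, jpeg, mp4) read as high entropy natively and will come back as "full" regardless of what the encryptor did, so compare against file magic or a known-good copy before trusting the verdict. A "header_only" result means the body survived but the format header did not, so recovery still needs format-specific repair or carving; treat the output as a restore-priority hint, not proof of recoverability.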

Activities

Since emerging in April 2025, operations have kept a low-to-moderate but steadily increasing attack tempo, reaching 40 to 50 confirmed victims as of the second quarter of 2025, while alternative tracking sources document 70 to 86 total victims through the third quarter of 2025. Peak activity occurred in May 2025, placing the group among the top-tier operations that month. Following the June 2025 GangExposed doxing, the group showed resilience through the July 2025 version 2.0 release and sustained victim acquisition through October 2025.

Geographic distribution reveals heavy Asia-Pacific concentration with significant activity across Taiwan, Thailand, China, Japan, and Singapore. Secondary operations target African markets including South Africa, Egypt, Kenya, with expanding European and North American presence evidenced through September 2025 government and energy sector attacks.

Which Industries Are Most Vulnerable to DevMan?

Primary targeting concentrates on manufacturing (highest sector concentration), business services and professional services, information technology and telecommunications, retail, construction, healthcare, with strategic government and critical infrastructure operations commanding multi-million dollar demands.

Modus Operandi

Attack chains emphasize offline execution and span most MITRE ATT&CK tactics, mapped phase by phase below.

Initial Access

Phishing campaigns with malicious attachments (Phishing, T1566). RDP brute force, password spraying and credential stuffing (Brute Force, T1110), with the resulting accounts then used for access (Valid Accounts, T1078). Edge-facing service exploitation including VPN gateways and remote management interfaces (Exploit Public-Facing Application, T1190).

National social security fund compromise achieved via compromised RDP account enabling domain administrator access.

Discovery

BloodHound deployment for Active Directory attack path visualization through Domain Trust Discovery (T1482). SoftPerfect Network Scanner for network reconnaissance through Remote System Discovery (T1018). SMB scanning targeting administrative shares across network ranges through Network Share Discovery (T1135).

Execution

No traditional RAT deployment; operations use PowerShell (Command and Scripting Interpreter: PowerShell, T1059.001) and cmd scripts (Windows Command Shell, T1059.003) for payload deployment. PsExec-driven propagation via remote service creation and RDP for interactive access serve as the primary remote access functions.

Defense Evasion

Systematic security product termination including antivirus engines, EDR tools and backup software (Impair Defenses: Disable or Modify Tools, T1562.001). Registry entries deleted within milliseconds of creation (Indicator Removal, T1070). The Rust implementation hinders signature-based detection tuned to the earlier C++ builds. The offline architecture produces no C2 beaconing to detect.

Credential Access

Mimikatz deployment for LSASS memory dumping extracting plaintext passwords, NTLM hashes, and Kerberos tickets through OS Credential Dumping (T1003). Custom info-stealer components harvest browser-stored credentials from Chrome, Firefox, Edge through Credentials from Password Stores (T1555).

Command and Control

Offline operation model with minimal external communication through Application Layer Protocol (T1071) when required. No traditional C2 beaconing observed. Post-compromise communication via TOX protocol and TOR hidden services.

Lateral Movement and Distribution

PsExec driven propagation across administrative shares using network APIs through Remote Services: SMB and Windows Admin Shares (T1021.002). RDP lateral movement with stolen credentials through Remote Services: Remote Desktop Protocol (T1021.001).

Group Policy Object deployment (version 2.0) for domain-wide distribution through Domain Policy Modification (T1484.001).

Exfiltration

Pre-encryption data exfiltration to attacker-controlled storage; uploads to mega.nz map to Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) rather than to an interactive C2 channel, consistent with the offline model. Typical volumes are 50GB to 300GB, with a maximum of 2.5TB documented.

Persistence

Registry modification at run keys for automated execution through Boot or Logon Autostart Execution (T1547.001). Windows service creation through Create or Modify System Process (T1543.003). Scheduled task creation through Scheduled Task and Job (T1053.005).

Impact

Core ransomware functionality applying file extensions through Data Encrypted for Impact (T1486). Desktop wallpaper modification on Windows 10 through Defacement (T1491) though fails on Windows 11. Forced system restart through System Shutdown and Reboot (T1529). Government ministry compromise encrypted 2,000 systems.

Encryption

Rapid automated encryption targets local and networked drives, applying the group's file extensions (Data Encrypted for Impact, T1486). Three operational modes: full encryption, header-only for speed, and a custom configurable strategy. The Windows Restart Manager API is abused to release file locks: opening a session creates a temporary key under HKCU\Software\Microsoft\RestartManager\, the locked file is registered as a resource, Restart Manager shuts down the processes holding it, and the session is ended, deleting the key within milliseconds.

Extortion

Hybrid data-extortion-first with encryption in majority of attacks; dedicated TOR leak sites with countdown timers. Notes threaten data disclosure and tool destruction. Version 1.0 ransom range $60,000 to $2,500,000 with median $450,000 to $800,000; version 2.0 escalation to $1,000,000 to $91,000,000 range with median $1M to $7M.

Recovery Inhibition and Anti-Forensics

Volume Shadow Copy deletion via command-line tools through Inhibit System Recovery (T1490). Registry entry deletion within milliseconds. Log file tampering through Indicator Removal on Host (T1070).

Indicators of Compromise (IOCs)

Detection opportunities exist through behavioral analysis of Windows Restart Manager abuse, rapid registry patterns, deterministic filename artifacts, and abnormal SMB administrative share enumeration.

File Hashes:
SHA256: df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403 (Version 1.0 primary)
SHA256: 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8 (Version 1.0 secondary)
MD5: e84270afa3030b48dc9e0c53a35c65aa (Version 1.0 primary)

Domains/URLs:
qljmlmp4psnn3wqskkf3alqquatymo6hntficb4rhq5n76kuogcv7zyd.onion (TOR leak site, version 1.0)
wugurgyscp5rxpihef5vl6b6m5ont3b6sezhl7boboso2enib2k3q6qd.onion (TOR leak site, version 2.0)
devman@cyberfear.com (victim contact)
TOX ID: 9D97F166730F865F793E2EA07B173C742A6302879DE1B0BBB03817A5A04B572FBD82F984981D

Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 (temporary Windows Restart Manager session key; the four-digit suffix varies per session, so match on the RestartManager\Session prefix and on create-then-delete timing rather than the exact name)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (registry persistence)

File Extensions:
.DEVMAN (Version 1.0)
.devmanv1 (Version 1.0 variant)
.devman1 (Version 2.0)
.yAGRTb (variant)
e47qfsnz2trbkhnt.devman (the encryptor's own ransom note, encrypted and deterministically renamed by the builder flaw)

Process and Network Indicators:
Hardcoded mutex hsfjuukjzloqu28oajh727190 (high-confidence detection indicator)
README.devmanv1.txt, README.txt, README.yAGRTb.txt (ransom notes; README.txt alone is too common to alert on without corroboration)
Abnormal SMB traffic targeting administrative shares
Large-volume exfiltration to mega.nz
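Most of the indicators above are static (hashes, onion addresses, the mutex), and the version 2.0 Rust rebuild shows how quickly those age. The behavioural ones are more durable: Restart Manager session keys created and deleted within milliseconds by a process that is not an installer, bursts of files taking the .devman* extensions, ransom-note drops, and Run-key persistence. The following is an added example, not the vendor's detection content, that scores Sysmon-shaped registry and file events for those patterns. The event field layout, the benign-installer allow-list, the thresholds, and every sample path, pid and timestamp are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the profile above.
RM_SESSION_KEY = re.compile(r"\\RestartManager\\Session\d{4}$", re.I)
DEVMAN_EXT = re.compile(r"\.(devman|devmanv1|devman1|yAGRTb)$", re.I)
DISTINCT_NOTES = {"readme.devmanv1.txt", "readme.yagrtb.txt"}
GENERIC_NOTE = "readme.txt"                    # far too common to alert on by itself
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# Assumptions, not from the profile: images that legitimately churn Restart Manager
# sessions (installers/updaters), and the detection thresholds.
BENIGN_RM_IMAGES = {"msiexec.exe", "setup.exe", "tiworker.exe"}
RM_WINDOW_S = 1.0        # session key created and deleted faster than this, by a non-installer
EXT_BURST_N = 20         # this many .devman* files ...
EXT_BURST_S = 10.0       # ... within this many seconds, from one process


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return (rule, pid, detail) alerts for Sysmon-shaped event dicts with keys
    ts, event_id (12 registry key, 13 registry value, 11 file create), event_type,
    image, pid, target, and details (event_id 13 only)."""
    alerts = []
    pending_rm = {}                     # (pid, key) -> time the session key was created
    ext_hits = defaultdict(list)        # pid -> recent timestamps of .devman* file creates
    notes_seen = defaultdict(set)       # pid -> lowercase ransom-note names dropped
    for e in sorted(events, key=_ts):
        t, pid = _ts(e), e["pid"]
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if e["event_id"] == 12 and RM_SESSION_KEY.search(e["target"]):
            if e["event_type"] == "CreateKey":
                pending_rm[(pid, e["target"])] = t
            elif e["event_type"] == "DeleteKey":
                created = pending_rm.pop((pid, e["target"]), None)
                if (created is not None and image not in BENIGN_RM_IMAGES
                        and (t - created).total_seconds() < RM_WINDOW_S):
                    alerts.append(("restart_manager_session_churn", pid, e["target"]))
        elif e["event_id"] == 11:
            name = e["target"].rsplit("\\", 1)[-1]
            if DEVMAN_EXT.search(name):
                hits = [x for x in ext_hits[pid] if (t - x).total_seconds() <= EXT_BURST_S]
                hits.append(t)
                ext_hits[pid] = hits
                if len(hits) == EXT_BURST_N:          # fire once, when the threshold is crossed
                    alerts.append(("devman_extension_burst", pid,
                                   f"{EXT_BURST_N} renamed files within {EXT_BURST_S:.0f}s"))
            elif name.lower() in DISTINCT_NOTES or name.lower() == GENERIC_NOTE:
                notes_seen[pid].add(name.lower())
        elif e["event_id"] == 13 and RUN_KEY.search(e["target"]):
            # Run-key persistence whose value points into a user-writable directory.
            if re.search(r"\\(Users|Temp|ProgramData)\\", e.get("details", ""), re.I):
                alerts.append(("run_key_user_writable_path", pid, e["details"]))
    # Distinctive note names alert alone; README.txt only when the same process
    # also produced an extension burst.
    burst_pids = {pid for rule, pid, _ in alerts if rule == "devman_extension_burst"}
    for pid, names in notes_seen.items():
        if names & DISTINCT_NOTES or (GENERIC_NOTE in names and pid in burst_pids):
            alerts.append(("ransom_note_dropped", pid, ", ".join(sorted(names))))
    return alerts


def sample_events():
    """Constructed telemetry for the demo; paths, pids and timings are made up."""
    base = datetime(2025, 7, 1, 3, 0, 0)
    evil = r"C:\Users\Public\update.exe"            # hypothetical dropper location
    msi = r"C:\Windows\System32\msiexec.exe"
    key = r"HKCU\Software\Microsoft\RestartManager\Session0000"
    events = []

    def add(ms, **fields):
        fields["ts"] = (base + timedelta(milliseconds=ms)).isoformat()
        events.append(fields)

    add(0, event_id=12, event_type="CreateKey", image=evil, pid=4242, target=key)
    add(15, event_id=12, event_type="DeleteKey", image=evil, pid=4242, target=key)
    add(100, event_id=12, event_type="CreateKey", image=msi, pid=900, target=key)   # benign installer
    add(3100, event_id=12, event_type="DeleteKey", image=msi, pid=900, target=key)  # ... 3 s later
    for i in range(25):
        add(500 + 50 * i, event_id=11, event_type="CreateFile", image=evil, pid=4242,
            target=rf"D:\finance\q2-{i}.xlsx.devman1")
    add(2000, event_id=11, event_type="CreateFile", image=evil, pid=4242, target=r"D:\finance\README.txt")
    add(2100, event_id=13, event_type="SetValue", image=evil, pid=4242,
        target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update", details=evil)
    add(5000, event_id=11, event_type="CreateFile", image=r"C:\Program Files\Git\cmd\git.exe",
        pid=77, target=r"C:\repo\README.txt")                                       # unrelated README
    return events


if __name__ == "__main__":
    for rule, pid, detail in detect(sample_events()):
        print(f"{rule:32} pid={pid} {detail}")
```

On the sample, the installer's three-second Restart Manager session and the developer tool's README.txt produce no alerts, while the dropper trips all four rules. In production the allow-list and thresholds need tuning per estate, and the Restart Manager rule should be joined with the file-create stream by pid rather than run alone: installers are not the only legitimate callers of that API.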

Exploits and Vulnerabilities

CVE: N/A
CVSS: N/A
Description: N/A

Operations currently rely on phishing campaigns, RDP brute force, credential stuffing, and user execution rather than exploitation of any specific, publicly identified vulnerability. No CVE associations have been identified in the NIST NVD or the CISA KEV catalog.

Additional Attack Vectors: Exploitation of unpatched edge-facing services including VPN gateways, remote management interfaces, and Microsoft Exchange servers is reported, but without specific CVEs documented. The Windows Restart Manager API use for releasing file locks is abuse of a legitimate, documented API rather than a vulnerability, so there is nothing to patch; detection has to be behavioural.