DEV-0270

Last Updated Apr 28, 2026

Also known as: Nemesis Kitten, Storm-0270, DEV-0270

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.

🌍 Country Iran

📝 Last Updated Apr 28, 2026

Introduction

Activities and Tactics

Country of Origin: 🇮🇷 Iran

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Ransomware Vulnerability Matrix observations

Category	Vendor	Product	CVEs
Network Edge	Fortinet	FortiOS	CVE-2019-5591

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Country of Origin: Iran Additional attribution information pending cataloguing.

References

References pending cataloguing.

Source Attribution

Structured source: MISP Galaxy

Data sourced from MISP Galaxy threat-actor cluster (CC0 licensed)

View upstream source record

License: CC BY-NC-SA 3.0

Additional source provenance

malpedia Source record Dataset
misp galaxy Dataset
BushidoUK Ransomware Vulnerability Matrix Vulnerability observations were reviewed from the BushidoUK Ransomware Vulnerability Matrix (https://github.com/BushidoUK/Ransomware-Vulnerability-Matrix). The matrix is used here as a secondary ransomware exploitation reference, not as sole attribution evidence. Repository Dataset

Source and license policy

🔍 Quick Filters

Top Countries

Risk Distribution

High

161

Critical

Low

Medium