
DEV-1084 and MERCURY: Inside Iran’s DarkBit Ransomware Operations

Written by Picus Labs | Nov 12, 2025 12:00:01 PM

DEV-1084 is a destructive threat actor that emerged publicly in December 2022 [1], when it launched its first known attack and established a victim payment portal on the Tor network. Operating under the guise of the "DarkBit" persona, the group presents itself as a financially motivated ransomware operator. However, its operational behavior reveals a deeper strategic motive centered on disruption rather than profit. The group’s campaigns involve simultaneous on-premises encryption and the mass deletion of cloud-based resources, an irreversible act that effectively wipes out victim environments [2]. This dual approach demonstrates that the ransomware component primarily functions as a wiper and a means of misdirection, aligning DEV-1084’s activity with broader objectives of destruction and psychological impact rather than extortion.

DEV-1084’s "DarkBit" persona further complicates attribution by blending ideological narratives. In February 2023, the group modified its Tor portal to feature politically charged imagery, including the statement "Against any kind of racism, fascism, and apartheid." [1].

Evidence strongly indicates that DEV-1084 operates in close coordination with MERCURY, an Iranian state-linked group publicly attributed by U.S. Cyber Command to Iran’s Ministry of Intelligence and Security (MOIS). Microsoft’s analysis has established a technical and operational overlap between the two entities: DEV-1084’s operators have used infrastructure and tools historically associated with MERCURY, including the IP address 146.70.106[.]89, the MULLVAD VPN service, and remote access utilities such as Rport and a customized version of Ligolo. Moreover, the command-and-control domain vatacloud[.]com, leveraged in DEV-1084’s operations, has been attributed with high confidence to MERCURY operators.

In typical attack chains, MERCURY initially gains access to targets through the remote exploitation of unpatched internet-facing devices, subsequently transferring that access to DEV-1084 to conduct destructive follow-on operations [2]. This partnership reflects a division of labor commonly seen in state-aligned offensive cyber campaigns, where initial intrusion teams coordinate with specialized operators responsible for impact execution.

In this post, we will examine the activities of DEV-1084 and MERCURY, trace their coordinated attack campaigns, and analyze the tactics, techniques, and procedures (TTPs) that define their destructive operations in hybrid environments.


History & Major Activities of DEV-1084 and MERCURY Group

  • 2017 - MERCURY (MuddyWater) begins activity as an Iran-linked espionage APT targeting governments, telecoms, energy, and other sectors in the Middle East, Asia, Africa, Europe, and North America [3].

  • 24 Feb 2022 - U.S. CISA advisory documents ongoing operations by Iranian government-sponsored actors, including MERCURY (MuddyWater), noting their espionage and destructive capabilities [4].

  • December 2022 - DEV-1084 becomes active: the group sets up a victim payment portal on the Tor network and targets its first known victim [1].

  • 7 Apr 2023 - Microsoft publishes "MERCURY and DEV-1084: Destructive attack on hybrid environment", describing how the Iran-linked actor MERCURY collaborated with an actor Microsoft tracks as DEV-1084 to carry out pseudo-ransomware incidents under the DarkBit persona that were in fact destructive wiper operations, including the deletion of cloud (Azure) resources [2].

ATT&CK Mapping (TTPs) of DEV-1084 and MERCURY Group

Tactic: Initial Access

T1190: Exploit Public-Facing Application

MERCURY operators are assessed to have achieved initial access by exploiting known vulnerabilities in unpatched, internet-facing applications. Continued exploitation of the Log4j 2 vulnerability (CVE-2021-44228, also referred to as "Log4Shell") is specifically cited as a probable entry vector [1], even months after patches were made available.

Tactic: Execution

T1059.003: Command and Scripting Interpreter: Windows Command Shell

MERCURY leveraged the Windows Command Shell to run a series of discovery and account-manipulation commands [5]:

cmd.exe /C whoami
cmd.exe /C powershell -exec bypass -w 1 -enc UwB....
cmd.exe /C hostname
cmd.exe /C ipconfig /all
cmd.exe /C net user
cmd.exe /C net localgroup administrators
cmd.exe /C net user admin * /add
cmd.exe /C net localgroup Administrators admin /add
cmd.exe /C quser

Tactic: Persistence

T1219: Remote Access Tools

To maintain stable command-and-control channels, the actors installed several legitimate remote access tools, including Rport, Ligolo, and eHorus. Because these tools are commonly used by IT administrators for remote support, their network traffic is less likely to be flagged as suspicious, allowing the actors to blend in with normal network activity and maintain long-term, undetected access [2].

Tactic: Privilege Escalation

T1078: Valid Accounts

The compromise and use of valid accounts was a central and critical technique for the actors. After establishing an initial foothold, their efforts focused on stealing credentials for highly privileged accounts, including those for domain controllers and, most importantly, the Azure AD Connector account. By compromising these powerful accounts, the actors escalated their privileges from a limited beachhead to near-total control over both the on-premises Active Directory and the connected Azure cloud environment. The tool AADInternals was specifically identified as being used to steal the credentials for the Azure AD Connector account [2].

T1098.002: Account Manipulation: Additional Email Delegate Permissions

The threat actors used a compromised administrator account to grant the Azure AD Connector account "Send on Behalf" permissions over a senior employee's mailbox by running the Set-Mailbox PowerShell cmdlet. With this access, they crafted and sent emails to recipients inside and outside the organization. The following audit log records, reproduced from [2], show this activity:

{
  "CreationTime": "2023-02-12T03:23:42Z",
  "Operation": "Set-Mailbox",
  "OrganizationId": "REDACTED",
  "UserType": 2,
  "UserKey": "100300008EFC121F",
  "Workload": "Exchange",
  "Version": 1,
  "ResultStatus": "True",
  "AppId": "497effe9-df71-4043-a8bb-14cf78c4b63b",
  "ClientAppId": "",
  "ExternalAccess": false,
  "OrganizationName": "REDACTED",
  "OriginatingServer": "REDACTED",
  "Parameters": [
    {
      "Name": "GrantSendOnBehalfTo",
      "Value": "+REDACTED"
    },
    {
      "Name": "Identity",
      "Value": "REDACTED"
    }
  ],
  "SessionId": "689d48ff-dc6c-4dae-9410-b8252f4d87f8",
  "AssociatedAdminUnits": ["cda2ba74-3ba5-4b0a-aacf-c1223120d090"]
}

The Set-Mailbox record above shows the attackers granting themselves permission to send email on behalf of the target's mailbox [2].

{
  "MailboxOwnerUPN": "REDACTED",
  "OrganizationName": "REDACTED",
  "OriginatingServer": "REDACTED",
  "Item": {
    "Id": "RgAAAAACXFTHhprONSrhug5nIfBhqBwCg+1FL5q0TLAItwb6pe3PAAAAAAEQAACpT+1FL5q0TLAItwb6pe3PAAgfLZ8YAAAJ",
    "InternetMessageId": "REDACTED",
    "ParentFolder": {
      "Id": "LgAAAAACXFTHhprONSrhug5nIfBhqAQCpT+1FL5q0TLAItwb6pe3PAAAAAAEQAAAB",
      "Path": "\\Drafts"
    },
    "SizeInBytes": 8340,
    "Subject": "REDACTED"
  },
  "SessionId": "c9926a23-012b-4c7f-8cd6-4440fc93e0cf",
  "SendAsUserMailboxGuid": "REDACTED",
  "SendAsUserSmtp": "REDACTED"
}

The second record shows the attackers successfully sending an email from the target's mailbox using the delegated permission [2].
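As an added example (not code from Picus Labs or from the Microsoft report), the following Python script shows how a defender can correlate the two record types above. It reads unified audit log records one JSON object per line, raises a finding for every Set-Mailbox call that carries a GrantSendOnBehalfTo parameter (high severity when the delegate is a known sensitive principal such as a directory sync or connector account), and raises a second finding when a later SendOnBehalf or SendAs record shows that delegate actually sending from the mailbox it was granted. The sample records, the mailbox and account names, the UserId actor field and the "SendOnBehalf" operation name are constructed assumptions for this example; the "+" prefix on the GrantSendOnBehalfTo value is treated as "add to the multivalued list", as in the record above, and a "-" prefix as a removal.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not from the article), one JSON object per line in the
# style of the redacted excerpts quoted above. Names, times and the "SendOnBehalf"
# operation name are assumptions made for this example.
SAMPLE_LOG = """
{"CreationTime": "2023-02-12T03:23:42Z", "Operation": "Set-Mailbox", "UserId": "it-admin@corp.example", "Workload": "Exchange", "ResultStatus": "True", "Parameters": [{"Name": "GrantSendOnBehalfTo", "Value": "+aadsync-svc@corp.example"}, {"Name": "Identity", "Value": "cfo@corp.example"}]}
{"CreationTime": "2023-02-12T03:25:00Z", "Operation": "Set-Mailbox", "UserId": "it-admin@corp.example", "Workload": "Exchange", "ResultStatus": "True", "Parameters": [{"Name": "ProhibitSendQuota", "Value": "50 GB"}, {"Name": "Identity", "Value": "bob@corp.example"}]}
{"CreationTime": "2023-02-12T03:41:10Z", "Operation": "SendOnBehalf", "Workload": "Exchange", "MailboxOwnerUPN": "cfo@corp.example", "SendAsUserSmtp": "aadsync-svc@corp.example", "Item": {"Subject": "Urgent wire instructions"}}
{"CreationTime": "2023-02-12T08:02:33Z", "Operation": "SendAs", "Workload": "Exchange", "MailboxOwnerUPN": "bob@corp.example", "SendAsUserSmtp": "bob@corp.example", "Item": {"Subject": "Lunch"}}
"""


def load_records(text):
    """Parse one JSON audit record per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze(records, sensitive_delegates=frozenset(), window=timedelta(days=7)):
    """Return findings for send-on-behalf grants and for delegated sends that follow them."""
    findings = []
    grants = {}  # (mailbox, delegate) -> (grant time, granting account)
    for rec in sorted(records, key=_ts):
        op = rec.get("Operation")
        if op == "Set-Mailbox":
            params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
            if "GrantSendOnBehalfTo" not in params:
                continue  # some other mailbox setting; not a delegation change
            value = params["GrantSendOnBehalfTo"]
            mailbox = params.get("Identity", "").lower()
            if value.startswith("-"):  # assumption: '-' prefix removes from the list
                grants.pop((mailbox, value[1:].lower()), None)
                continue
            delegate = value.lstrip("+").lower()
            grants[(mailbox, delegate)] = (_ts(rec), rec.get("UserId"))
            findings.append({
                "type": "send_on_behalf_granted",
                "severity": "high" if delegate in sensitive_delegates else "medium",
                "mailbox": mailbox, "delegate": delegate,
                "granted_by": rec.get("UserId"), "ts": rec["CreationTime"],
            })
        elif op in ("SendOnBehalf", "SendAs"):
            owner = rec.get("MailboxOwnerUPN", "").lower()
            sender = (rec.get("SendAsUserSmtp") or rec.get("SendOnBehalfOfUserSmtp") or "").lower()
            if not sender or sender == owner:
                continue  # the owner sending from their own mailbox is normal
            grant = grants.get((owner, sender))
            if grant and timedelta(0) <= _ts(rec) - grant[0] <= window:
                findings.append({
                    "type": "delegated_send_after_grant",
                    "severity": "high",
                    "mailbox": owner, "delegate": sender,
                    "granted_by": grant[1], "ts": rec["CreationTime"],
                    "subject": rec.get("Item", {}).get("Subject"),
                })
    return findings


if __name__ == "__main__":
    for f in analyze(load_records(SAMPLE_LOG), sensitive_delegates={"aadsync-svc@corp.example"}):
        print(f)
```

The sensitive-delegate set is where the Azure AD Connector account from the incident would be listed: a delegation grant to a synchronization or service principal has no routine business reason and deserves a high-severity finding on its own, before any message is sent.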

Tactic: Defense Evasion

T1562.001: Impair Defenses: Disable or Modify Tools

The threat actors leveraged Group Policy Objects (GPOs) to interfere with security tools on targeted devices. With defenses impaired, the threat actors staged the ransomware payload within the NETLOGON shares across multiple domain controllers [2].

Tactic: Discovery

T1049: System Network Connections Discovery

After establishing persistence, the threat actors conducted extensive system discovery using native Windows utilities and commands; one of the utilities used was netstat [2]. The commands below show how netstat can be used to enumerate network connections, listening ports, and routes.

netstat -ant   // Displays all active TCP network connections and listening ports
netstat -tulpn // Lists all active TCP and UDP listening sockets
netstat -r     // Displays the contents of the IP routing table

Tactic: Collection

T1114: Email Collection

The actors granted an existing, legitimate OAuth application the full_access_as_app permission with administrator consent, enabling unrestricted mailbox access via Exchange Web Services. They then leveraged these elevated rights to run extensive GetItem operations across numerous mailboxes in the environment. The activity included thousands of search queries, suggesting efforts to exfiltrate entire mailboxes and/or locate sensitive information within them [2].
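As an added example (not code from Picus Labs or from the Microsoft report), the following Python script shows one way to surface the mailbox-sweep behaviour described above from mailbox audit records: it tracks, per application ID, how many distinct mailboxes the application reads items from inside a sliding time window, and raises one alert per application the first time that count crosses a threshold. The records are constructed for this example, the "MailItemsAccessed" operation name is an assumption standing in for however your log source records EWS GetItem reads, and the application IDs and mailbox names are made up; an allow list lets you exclude applications (backup, eDiscovery) that legitimately read many mailboxes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed operation name for mailbox item reads; adjust to what your log source
# records for EWS GetItem activity.
ACCESS_OPS = {"MailItemsAccessed"}


def build_sample_records():
    """Constructed sample records (not from the article). Field names follow the
    excerpts quoted in the post; AppId values and mailbox names are made up."""
    base = datetime(2023, 2, 12, 2, 0, 0)
    recs = []
    # Assumed app 1111...: reads 5 items from each of 12 mailboxes within 30 minutes.
    for i in range(12):
        for j in range(5):
            recs.append({
                "CreationTime": (base + timedelta(seconds=30 * (i * 5 + j))).strftime(FMT),
                "Operation": "MailItemsAccessed", "Workload": "Exchange",
                "AppId": "11111111-1111-1111-1111-111111111111",
                "MailboxOwnerUPN": f"user{i:02d}@corp.example",
            })
    # Assumed app 2222...: a mail client that only reads its owner's mailbox.
    for j in range(40):
        recs.append({
            "CreationTime": (base + timedelta(seconds=45 * j)).strftime(FMT),
            "Operation": "MailItemsAccessed", "Workload": "Exchange",
            "AppId": "22222222-2222-2222-2222-222222222222",
            "MailboxOwnerUPN": "alice@corp.example",
        })
    return recs


def mailbox_sweeps(records, window=timedelta(hours=1), mailbox_threshold=10,
                   allowlist=frozenset()):
    """Flag an AppId that reads items from at least mailbox_threshold distinct
    mailboxes inside a sliding window. One alert per app, raised when the
    threshold is first crossed."""
    alerts = []
    recent = defaultdict(list)  # AppId -> [(time, mailbox)] within the window
    flagged = set()
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        app = rec.get("AppId")
        if (rec.get("Operation") not in ACCESS_OPS or not app
                or app in allowlist or app in flagged):
            continue
        ts = datetime.strptime(rec["CreationTime"], FMT)
        hist = recent[app]
        hist.append((ts, rec.get("MailboxOwnerUPN", "").lower()))
        hist[:] = [(t, m) for t, m in hist if ts - t <= window]  # drop expired entries
        mailboxes = {m for _, m in hist}
        if len(mailboxes) >= mailbox_threshold:
            flagged.add(app)
            alerts.append({
                "app_id": app,
                "distinct_mailboxes": len(mailboxes),
                "operations_in_window": len(hist),
                "first_seen": hist[0][0].strftime(FMT),
                "last_seen": rec["CreationTime"],
            })
    return alerts


if __name__ == "__main__":
    for a in mailbox_sweeps(build_sample_records()):
        print(a)
```

The threshold and window are the tuning knobs: a real tenant will have a handful of applications with a business reason to touch many mailboxes, and those belong in the allow list rather than in a higher threshold, so that a newly consented application with full_access_as_app still fires on its first sweep.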

Tactic: Command and Control

T1090.002: Proxy: External Proxy

To obfuscate the origin of their activities, the actors used the MULLVAD VPN service [2]. By routing their malicious traffic through a commercial VPN provider, they make it significantly more difficult for incident responders and law enforcement to trace the connections back to their true source infrastructure.

T1572: Protocol Tunneling

Adversaries often conceal their network traffic by encapsulating communications within other protocols, a technique that helps evade detection, bypass filtering, and reach otherwise inaccessible systems. The threat actors operate multiple command-and-control servers and, at times, deploy tunneling tools such as Ligolo and OpenSSH to evade detection by security teams and security solutions [2].

Tactic: Impact

T1486: Data Encrypted for Impact

DEV-1084 employs DarkBit, a Golang-based ransomware that targets both Windows and VMware ESXi environments. The malware encrypts files using a combination of RSA and AES, appends the .darkbit extension to compromised data, and leaves a ransom note titled RECOVERY_DARKBIT.txt [6].

T1490: Inhibit System Recovery

The DarkBit ransomware, deployed by DEV-1084, systematically deletes volume shadow copies from victim machines to hinder recovery efforts [6]. The command used for this purpose is:

vssadmin.exe delete shadows /all /quiet
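The command-line activity quoted in this post (the discovery and account-manipulation sequence under Execution, and the shadow copy deletion above) is all visible in process-creation telemetry. As an added example (not code from Picus Labs or from the Microsoft reports), the following Python script runs a small set of detection rules over such events: a pattern match for the encoded, execution-policy-bypassing PowerShell launch, a pattern match for vssadmin shadow deletion, a stateful rule that fires when "net user ... /add" on a host is followed within a window by adding that same account to Administrators, and a burst rule that fires when one host/user pair issues several distinct discovery commands in a short window. The event field names (ts, host, user, cmd), the hosts, user names, timestamps and thresholds are constructed assumptions for this example; the command lines mirror the ones quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article): process-creation records in the
# style of Sysmon Event ID 1 / Windows 4688, reduced to the four fields the rules need.
SAMPLE_EVENTS = [
    {"ts": "2023-02-11T22:01:00Z", "host": "DC01", "user": "CORP\\svc-web", "cmd": "cmd.exe /C whoami"},
    {"ts": "2023-02-11T22:01:05Z", "host": "DC01", "user": "CORP\\svc-web", "cmd": "cmd.exe /C powershell -exec bypass -w 1 -enc UwB...."},
    {"ts": "2023-02-11T22:01:10Z", "host": "DC01", "user": "CORP\\svc-web", "cmd": "cmd.exe /C hostname"},
    {"ts": "2023-02-11T22:01:15Z", "host": "DC01", "user": "CORP\\svc-web", "cmd": "cmd.exe /C net localgroup administrators"},
    {"ts": "2023-02-11T22:01:20Z", "host": "DC01", "user": "CORP\\svc-web", "cmd": "cmd.exe /C net user admin * /add"},
    {"ts": "2023-02-11T22:01:25Z", "host": "DC01", "user": "CORP\\svc-web", "cmd": "cmd.exe /C net localgroup Administrators admin /add"},
    {"ts": "2023-02-12T04:10:00Z", "host": "FS02", "user": "NT AUTHORITY\\SYSTEM", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-02-12T09:00:00Z", "host": "WS17", "user": "CORP\\alice", "cmd": "cmd.exe /C ipconfig /all"},
]

# Substrings that identify the discovery commands quoted in the post (plus netstat).
DISCOVERY = ("whoami", "hostname", "ipconfig", "net user", "net localgroup", "quser", "netstat")
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s.*?/add\b", re.I)
LOCALGROUP_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?(?:-(?:ep|exec|executionpolicy)\s+bypass|-(?:e|ec|enc|encodedcommand)\s)", re.I)
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(minutes=10), burst_threshold=3):
    """Return alerts for the behaviours described in the post, in event order."""
    alerts = []
    pending_adds = {}           # (host, account) -> time of 'net user <account> ... /add'
    recent = defaultdict(list)  # (host, user) -> [(time, discovery command name)]
    burst_seen = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host, user, cmd = _ts(ev["ts"]), ev["host"], ev["user"], ev["cmd"]
        low = cmd.lower()

        if ENCODED_PS.search(cmd):
            alerts.append({"rule": "encoded_powershell_bypass", "host": host, "ts": ev["ts"]})
        if SHADOW_DELETE.search(cmd):
            alerts.append({"rule": "shadow_copy_deletion", "host": host, "ts": ev["ts"]})

        # Stateful rule: account creation followed by addition to Administrators.
        m = NET_USER_ADD.search(cmd)
        if m:
            pending_adds[(host, m.group(1).lower())] = ts
        m = LOCALGROUP_ADD.search(cmd)
        if m:
            created = pending_adds.get((host, m.group(1).lower()))
            if created is not None and ts - created <= window:
                alerts.append({"rule": "new_local_admin", "host": host, "ts": ev["ts"],
                               "account": m.group(1)})

        # Burst rule: several distinct discovery commands from one host/user in the window.
        name = next((d for d in DISCOVERY if d in low), None)
        if name and "/add" not in low:  # '/add' variants are account changes, not discovery
            hist = recent[(host, user)]
            hist.append((ts, name))
            hist[:] = [(t, n) for t, n in hist if ts - t <= window]
            distinct = {n for _, n in hist}
            if (host, user) not in burst_seen and len(distinct) >= burst_threshold:
                burst_seen.add((host, user))
                alerts.append({"rule": "discovery_burst", "host": host, "ts": ev["ts"],
                               "commands": sorted(distinct)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Any single discovery command is routine on an administrator's workstation, which is why the burst rule keys on variety within a window and the admin rule on the creation-then-elevation sequence rather than on either command alone; the shadow copy deletion, by contrast, is rare enough in most estates to alert on directly.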

How Does Picus Simulate DEV-1084 and MERCURY Attacks?

We also strongly suggest simulating DEV-1084 and MERCURY attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for DEV-1084 and MERCURY:

| Threat ID | Threat Name                                                         | Attack Module        |
|-----------|---------------------------------------------------------------------|----------------------|
| 78657     | DEV-1084 Threat Group Campaign Malware Download Threat              | Network Infiltration |
| 71991     | DEV-1084 Threat Group Campaign Malware Email Threat                 | Network Infiltration |
| 31054     | MuddyWater Threat Group Campaign Malware Dropper Email Threat       | Network Infiltration |
| 21216     | Earth Vetala Campaign Malware Download Threat                       | Network Infiltration |
| 63242     | Operation Quicksand Campaign Malware Email Threat                   | Network Infiltration |
| 26166     | Operation Quicksand Campaign Malware Download Threat                | Network Infiltration |
| 21092     | BlackWater Campaign Office Malware Email Threat                     | Network Infiltration |
| 34273     | BlackWater Campaign Office Malware Download Threat                  | Network Infiltration |
| 97530     | Earth Vetala Campaign Malware Email Threat                          | Network Infiltration |
| 82018     | MuddyWater Threat Group Campaign Malware Dropper Download Threat    | Network Infiltration |
| 97292     | MuddyWater Threat Group Campaign Malware Email Threat               | Network Infiltration |
| 98529     | MuddyWater Threat Group Campaign Backdoor Malware Download Threat   | Network Infiltration |
| 80189     | MuddyWater Threat Group Campaign Backdoor Malware Email Threat      | Network Infiltration |
| 76507     | MuddyWater Threat Group Campaign Malware Download Threat            | Network Infiltration |
| 68541     | MuddyWater Threat Group Campaign Downloader Download Threat         | Network Infiltration |
| 62904     | MuddyWater Threat Group Campaign Downloader Email Threat            | Network Infiltration |
| 68108     | MuddyWater Threat Group Campaign Malware Download Threat - 2        | Network Infiltration |
| 43614     | MuddyWater Threat Group Campaign RAT Email Threat                   | Network Infiltration |
| 68698     | MuddyWater Threat Group Campaign RAT Download Threat                | Network Infiltration |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Aliases of DEV-1084 and MERCURY Group

DEV-1084 is also known as: Storm-1084.

MERCURY is also known as: MuddyWater, Earth Vetala, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, Cobalt Ulster, ATK 51, T-APT-14, ITG17, Boggy Serpens, Yellow Nix, COBALT ULSTER, G0069, ATK51.

References

[1] "COBALT AZTEC," Secureworks. Accessed: Oct. 21, 2025. [Online]. Available: https://www.secureworks.com/research/threat-profiles/cobalt-aztec

[2] Microsoft Threat Intelligence, "MERCURY and DEV-1084: Destructive attack on hybrid environment," Microsoft Security Blog, Apr. 7, 2023. Accessed: Oct. 21, 2025. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/

[3] "MuddyWater," MITRE ATT&CK. Accessed: Oct. 21, 2025. [Online]. Available: https://attack.mitre.org/groups/G0069/

[4] "Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks," Cybersecurity and Infrastructure Security Agency (CISA). Accessed: Oct. 21, 2025. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a

[5] Microsoft Threat Intelligence, "MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations," Microsoft Security Blog, Aug. 25, 2022. Accessed: Oct. 21, 2025. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/

[6] Microsoft Corporation, "Ransom:Win64/DarkBit." Accessed: Oct. 21, 2025. [Online]. Available: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win64/DarkBit&threatId=-2147126552