DarkBit
DarkBit is an Iran-linked threat actor and hacktivist front tracked by Microsoft as DEV-1084. Public reporting links DarkBit to Iranian state-aligned activity and specifically associates it with the MOIS-linked MuddyWater espionage group (also tracked as MERCURY and now Mango Sandstorm). That reporting states that DEV-1084 partnered with MERCURY/MuddyWater in destructive attacks against the Technion Israel Institute of Technology in February 2023, and that the activity targeted both on-premises and cloud environments. The group emerged in 2023 and has been described either as a subgroup of MuddyWater or as a newly observed intrusion set conducting post-intrusion and destructive operations; the exact relationship remains unclear. DarkBit is also cited as an example of an Iranian fake hacktivist persona used for plausible deniability and psychological impact, and Iranian groups increasingly use such hacktivist fronts to claim responsibility for destructive operations. DarkBit has been associated with ransomware and destructive activity, and Profero developed a decryptor for DarkBit ransomware. Known aliases are DEV-1084 and DarkBit.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- IR
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Iran-aligned ‘hacktivist’ persona used for plausible deniability and psychological impact; associated in this brief with disruptive/destructive activity branding rather than a clearly delineated APT unit.
Ransomware operations, possibly linked to Iranian espionage activities.
Iran-linked threat actor cluster listed in Microsoft's naming taxonomy mapping.
DEV-1084, in partnership with Iranian APTs, conducted destructive attacks disguised as ransomware, targeting Israeli organizations and aiming for destruction and disruption.