Skip to main content
Mallory
Back to threat actors
5 malware families

DEV-0230

Also known asDEV-0230

DEV-0230 is a Microsoft-tracked cybercriminal ransomware affiliate described as one of the most prolific and successful Conti affiliates. Microsoft states that DEV-0230 was responsible for developing the leaked "Conti Manual" published in August 2021. The actor also developed and deployed the FiveHands and HelloKitty ransomware payloads, and later shifted to deploying QuantumLocker. Microsoft reports that DEV-0230 often gained initial access via BazaLoader. Based on the provided content, DEV-0230 operated within the broader ransomware-as-a-service ecosystem around Conti and related payloads.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BazarDEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS.1May 26, 2026
ContiBased on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload.1May 26, 2026
FIVEHANDSOne of the most prolific and successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021—is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads...1May 26, 2026
HELLOKITTYThis activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.1May 26, 2026
QuantumLockerSimilarly, DEV-0230 shifted to deploying QuantumLocker around April 23, 2022.1May 26, 2026
ACTIVITY FEED

Recent activity

2 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

2 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.