Skip to main content
Mallory
Back to threat actors
2 malware familiesExploits CVEs in the wild

DEV-0365

Also known asDEV-0365

DEV-0365 is a Microsoft-tracked cybercriminal activity group and subgroup of DEV-0193 (Trickbot LLC). Microsoft describes it as providing infrastructure as a service for cybercriminals, most notably "Cobalt Strike Beacon as a service." MSTIC tracks DEV-0365 as a large cluster of cybercriminal activity involving Cobalt Strike infrastructure, with behavior and unique identifying characteristics suggesting the infrastructure was created or managed by a distinct set of operators. Microsoft reported that DEV-0365 infrastructure overlaps with multiple cybercriminal campaigns, including activity linked to BazaLoader, Trickbot, and human-operated ransomware operations such as Conti. Infrastructure associated with DEV-0365 was also linked by Microsoft to exploitation activity around CVE-2021-40444, where custom Cobalt Strike Beacon loaders communicated with overlapping infrastructure. Alias mentioned in the content: dev_0365.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0011
Command and Control
1 technique
T1071
Application Layer Protocol
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Cobalt StrikeThis industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks. Within this category ... attackers using off-the-shelf tools, such as Cobalt Strike...2May 26, 2026
SliverSliver is an open-source cross-platform C2 framework written in Golang and designed for organizations to perform security testing.2Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2021-40444Microsoft MSHTML Remote Code Execution VulnerabilityIn the wildEvidence1

In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

3 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.