Skip to content
Ransomware group

Nitrogen

Nitrogen is a malware family and associated threat operation that first appeared in 2023 as an initial access malware/loader used to deliver BlackCat/ALPHV ransomware, and later evolved into an independent ransomware operator by mid-2024.

Profile source: Mallory opens in a new tab

Nitrogen

Family profile

Nitrogen is a malware family and associated threat operation that first appeared in 2023 as an initial access malware/loader used to deliver BlackCat/ALPHV ransomware, and later evolved into an independent ransomware operator by mid-2024. Reporting describes Nitrogen as providing initial access to victim environments and, in later activity, operating its own ransomware strain derived from leaked Conti 2 builder code. The group has conducted double-extortion attacks and has been linked primarily to Eastern European infrastructure.

As an initial access malware, Nitrogen has been distributed through malvertising and search-engine ad campaigns on Google and Bing that impersonate legitimate software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Victims are redirected to fake software download sites, often via compromised WordPress pages and geographic filtering, and download trojanized ISO installers. The installer sideloads a malicious DLL (msi.dll), installs the expected legitimate application to reduce suspicion, deploys a malicious Python package, creates a registry Run key named "Python" for persistence, and launches a malicious pythonw.exe periodically. Subsequent components, including NitrogenStager, establish command-and-control communications and deploy Meterpreter and Cobalt Strike Beacons. Sophos assessed this activity as staging for ransomware deployment, and Trend Micro previously linked a similar ad-driven intrusion chain to BlackCat/ALPHV ransomware. S2W also reported AdverCRow using malvertising to gain initial access through Nitrogen.

As ransomware, Nitrogen has targeted VMware ESXi environments and broader enterprise victims. Multiple reports state that its ESXi variant contains a critical cryptographic implementation flaw: part of the encryption public key is overwritten with zeros or otherwise corrupted during encryption, causing files to be encrypted with an invalid public key that has no corresponding private key. As a result, decryption is impossible even for the operators, making ransom payment ineffective for affected ESXi victims. This flaw has been described by Coveware and Veeam, with analysis tying the ransomware to leaked Conti 2 builder code. Nitrogen has also been associated with codebase overlap noted in ClamAV detections alongside Babuk-related families.

Victim and targeting reporting indicates activity against organizations in manufacturing, business services, technology, hospitality, education, utilities, finance, and media, with the United States most represented in observed victim listings. Specific reporting says the campaign has targeted technology and non-profit organizations in North America, as well as North American financial institutions, mechanical and industrial firms. Foxconn publicly confirmed a cyberattack affecting several North American factories after Nitrogen claimed responsibility on its leak site, alleging theft of about 8 TB of data and more than 11 million files, including confidential technical records, project materials, and drawings tied to major customers such as Apple, Intel, Google, Nvidia, Dell, and AMD. Reported Nitrogen victims also include ENENSYS Technologies, PCCA, Coweta County School System, SRP Federal Credit Union, and Red Barrels.

Known ransomware artifacts and indicators mentioned in the content include ransom note filenames READ_ME_.TXT and readme.txt, a YARA rule reference nitrogen.yar, and MD5 hashes 1b637a43abca552acaee11c01913db18, 3139c8e0d0dd9683ebfecdb2e4f1b6bb, 3dbd3c04b1acab0b70546e48d39247b7, 7e043d880dcf7889c6767ab97764769c, 834d94cf35d9417aa93a5cb350a756e9, and a9297a8acbee74ba0169333ee38be2ef. ATT&CK-style behaviors referenced for Nitrogen include PowerShell use, scheduled tasks, LSASS memory credential dumping, RDP, SMB/Windows Admin Shares, automated collection, automated exfiltration, and exfiltration over command-and-control channels.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

6 total
  • 3dbd3c04b1acab0b70546e48d39247b7
  • 1b637a43abca552acaee11c01913db18
  • 834d94cf35d9417aa93a5cb350a756e9
  • 7e043d880dcf7889c6767ab97764769c
  • 3139c8e0d0dd9683ebfecdb2e4f1b6bb
  • a9297a8acbee74ba0169333ee38be2ef

Tox

4 total
  • 088B7708F2C1557B6023B1102FFC5C36C023FF4883CB073F26A33B73832C9268993ED58B817E
  • C1DD64D0994AEAA297225CD94D1A6842819C74319A85350913AB9A82678C001EB09B71214D66
  • 46CA5EEC55A16767B7F8293DB18F753D1BF60C536747EFD115035DDA40948427E1DDFD107F03
  • 620C7A54EC212FB482A684BA74381C3623CCE4D0E27FAE348688F65E0F0F6B6A149790D1AE7D

Reported operators

Threat actors

1 named in public reporting
AdverCRow

AdverCRow is a group named by S2W that has been active since at least June 2023, and attempts to gain initial access through malvertising and then gains initial access through the Nitrogen malware.

MITRE ATT&CK

Nitrogen in ATT&CK

26 distinct techniques

Reporting

Research mentioning Nitrogen

Jul 2
Scworld

‘Interpol’ emails spread custom ransomware with decryption key left inside | news | SC Media

Additionally, Coveware reported in February that Nitrogen’s VMware ESXi ransomware variant overwrote its public key, making decryption impossible.

Jun 16
Cysecurity News

Ransomware Gang Apologizes After Mistakenly Attacking CIS Company and Revealing Criminal Errors - CySecurity News - Latest Information Security and Hacking Incidents

In another case, Nitrogen’s tool failed due to a nearly identical error, leaving its decryption method useless.

Jun 2
Register Security

'Dumbass' criminal breaks the 'first rule of ransomware club'

Similarly, a programming mistake in Nitrogen ransomware prevents the gang's decryptor from recovering victims' files, again making paying up futile.

May 25
Cysecurity News

Foxconn Cyberattack Exposes Alleged Intel, Apple, Nvidia and Google Project Data - CySecurity News - Latest Information Security and Hacking Incidents

A wave of digital intrusion lately hit Foxconn, causing interruptions across certain segments of its North American facilities when the Nitrogen ransomware collective admitted involvement - disclosing they had infiltrated systems and extracted vast troves of confidential information.

May 14
Scworld

Foxconn factories resume operations after ransomware attack | brief | SC Media

The incident was disclosed after the Nitrogen ransomware operation claimed to have stolen 8 TB of data from the company... The Nitrogen group, which emerged in 2023, has previously used a malware loader and developed its own ransomware strain...

May 14
Security Affairs

Nitrogen Ransomware claims massive data theft from Foxconn

Foxconn confirmed that several of its North American factories were affected by a cyberattack after the Nitrogen ransomware group listed it on its Tor data leak site on March 12. The Nitrogen ransomware group claims responsibility, saying it stole around 8TB of data.

May 13
Bleeping Computer

Foxconn confirms cyberattack claimed by Nitrogen ransomware gang

The threat actors behind the Nitrogen ransomware operation first surfaced in 2023 with a malware loader using the same name that deployed BlackCat/ALPHV ransomware payloads. The cybercrime group later developed its own ransomware strain using leaked Conti 2 builder code.

May 12
The Record Media

Foxconn confirms cyberattack impacting North American factories | The Record from Recorded Future News

On Monday, the Nitrogen ransomware gang took credit for the attack, claiming to have stolen 8 terabytes of data and millions of files... Cybersecurity experts believe the Nitrogen ransomware strain was created using a builder based on the now-defunct Conti ransomware.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.