Threat Group Profile
nitrogen
Dormant / historical
Victim claims
2
First seen
May 2026
Last activity
03 Jun 2026
Tracked since
β
Group overview
Nitrogen began as a malware loader in 2023 used to deliver BlackCat/ALPHV ransomware, then evolved into a fully independent ransomware operator by mid-2024, operating its own strain derived from leaked Conti 2 builder code and conducting double-extortion attacks primarily linked to Eastern European infrastructure.
Preferred targets
Manufacturing Β· 1
Most targeted countries
US Β· 1
TW Β· 1
Tactics & techniques (MITRE ATT&CK)
Initial Access
Drive-by Compromise
Execution
Command and Scripting Interpreter
Command and Scripting Interpreter: PowerShell
User Execution: Malicious File
Persistence
Scheduled Task/Job
Scheduled Task/Job: Scheduled Task
Privilege Escalation
Exploitation for Privilege Escalation
Defense Evasion
Obfuscated Files or Information
System Binary Proxy Execution
Credential Access
OS Credential Dumping: LSASS Memory
Discovery
System Service Discovery
Process Discovery
Lateral Movement
Remote Services: Remote Desktop Protocol
Remote Services: SMB/Windows Admin Shares