ShellCodeX
Tools β€’ Events β€’ News β€’ Insights
Threat Group Profile

nitrogen

Dormant / historical
Victim claims 2
First seen May 2026
Last activity 03 Jun 2026
Tracked since β€”

Group overview

Nitrogen began as a malware loader in 2023 used to deliver BlackCat/ALPHV ransomware, then evolved into a fully independent ransomware operator by mid-2024, operating its own strain derived from leaked Conti 2 builder code and conducting double-extortion attacks primarily linked to Eastern European infrastructure.

Preferred targets

Manufacturing Β· 1

Most targeted countries

US Β· 1 TW Β· 1

Tactics & techniques (MITRE ATT&CK)

Initial Access

Drive-by Compromise

Execution

Command and Scripting Interpreter Command and Scripting Interpreter: PowerShell User Execution: Malicious File

Persistence

Scheduled Task/Job Scheduled Task/Job: Scheduled Task

Privilege Escalation

Exploitation for Privilege Escalation

Defense Evasion

Obfuscated Files or Information System Binary Proxy Execution

Credential Access

OS Credential Dumping: LSASS Memory

Discovery

System Service Discovery Process Discovery

Lateral Movement

Remote Services: Remote Desktop Protocol Remote Services: SMB/Windows Admin Shares

Victim Claims Timeline

Back to radar
Pyramid
πŸ‡ΊπŸ‡Έ US www.pyramidmg.com
FOXCONN
πŸ‡ΉπŸ‡Ό TW Manufacturing www.foxconn.com