New Threat Actor DevMan Allegedly Targets Multiple Entities in Alliance with Qilin & Apos Ransomware Groups

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
This advisory outlines recent developments concerning a new threat actor (TA) operating under the alias DevMan and their affiliation with the Qilin and Apos ransomware groups. The TA was first identified on the Qilin Data Leak Site (DLS), where they claimed joint responsibility for a ransomware attack on a Taiwanese company. The same post included a link to an onion-based leak site allegedly operated by DevMan, which listed additional victims and showcased the use of the Qilin and Apos ransomware strains to encrypt the victims’ networks. Cyble Research & Intelligence Labs (CRIL) has since analyzed the Tactics, Techniques, and Procedures (TTPs) employed by the TA, based on the Indicators of Attack (IoA) revealed by the TA.

Observation and Analysis
DevMan’s onion-based data leak site lists additional victims and announces the launch of a Ransomware-as-a-Service (RaaS) platform, scheduled for June 20, 2025. For three of the listed victims, the group claims they were encrypted using the Qilin ransomware variant, reinforcing the likelihood that DevMan operates as an affiliate leveraging Qilin for their own campaigns. For another victim, Tawasol, the group provided Indicators of Attack (IoA) and claimed to have used Apos ransomware binaries to encrypt the victim’s network.

An interesting aspect of DevMan’s recent activity is their claim of a compromise involving a France-based victim—the same organization previously claimed by the Lynx ransomware group in March 2025. While it is currently not possible to confirm whether the data overlaps, Lynx had posted multiple data samples, whereas Qilin and DevMan only provided a single unrelated screenshot and a list of file names that could not be cross-validated. Notably, the time difference between the two claims is less than 10 days, suggesting that DevMan may have initially collaborated with Lynx to extort the victim, but later collaborated with Qilin and maintained persistent access to the victim organization’s environment in order to re-encrypt it with the Qilin variant.
Another point of interest is that the UAE-based victim is not listed on the Apos ransomware leak site, which may indicate that DevMan is still negotiating with the victim—consistent with the "Pending" status displayed on their onion leak portal.
Recently, on April 7, the impacted Taiwanese organization, Optimax Technology Corp, confirmed a cyber incident in a disclosure to the Taiwan Stock Exchange, stating that there was no evidence of personal data or internal document leaks, and that the event had no significant impact on the company’s operations. However, the threat actor claims to have exfiltrated 21,400 files but has revealed no samples; hence, it remains to be seen whether this data will be publicly leaked.

DevMan’s Revelation about Indicators of Attack
The Indicators of Attack (IoA) revealed by DevMan with respect to their compromise of the UAE-based IT & ITES company Tawasol indicate that the intrusion began on April 6, 2025, with the compromise of the Domain Controller and other critical parts of the network. DevMan leveraged a combination of compromised administrative credentials and known Microsoft vulnerabilities—notably MS17-010 (EternalBlue)—to escalate privileges and gain extensive access across the infrastructure. Their ultimate objectives were data exfiltration and widespread file encryption.
Initial Access
The attacker claims to have used valid administrative credentials that they had created themselves, suggesting that prior access had already been established, potentially through an earlier compromise or via an Initial Access Broker (IAB). However, the method used to gain that initial foothold is not disclosed. With the newly created account, the threat actor used the CrackMapExec (CME) tool over SMB to successfully authenticate to and gain access to the Domain Controller (DC01).
Network Reconnaissance
Following the compromise of DC01, the attacker conducted internal reconnaissance using the CME tool and scanned mapped IP ranges within the environment. This enabled the identification and compromise of five additional machines, including a mix of end-user systems, servers, and backup infrastructure—as inferred from the host naming conventions. The compromised systems provided the actor with lateral movement capabilities and broader control over the network.
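The two behaviours described under Initial Access and Network Reconnaissance (a freshly created account being added to a privileged group, then one source authenticating over SMB to many hosts in a short window, which is the footprint CME-style enumeration leaves in Windows Security logs) can both be surfaced from event logs. The script below is an added detection example written for this advisory; it is not code from the advisory, CRIL, or any vendor. The event records are constructed, the host names other than DC01 are invented, and the flat field names (event_id, time, host, account, source_ip, logon_type, target_group, subject) are an assumed export shape, not a real product schema.

```python
"""Flag new privileged accounts and one-to-many SMB logons (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership changes matter for this hunt (assumed list; extend per environment).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

# Constructed sample events; field names are assumptions, not a real SIEM schema.
SAMPLE_EVENTS = [
    # 4720: account created on the DC; 4728: added to a global security group.
    {"event_id": 4720, "time": "2025-04-06T01:02:00", "host": "DC01",
     "account": "svc_backup2", "subject": "helpdesk01", "source_ip": "10.0.5.23"},
    {"event_id": 4728, "time": "2025-04-06T01:02:30", "host": "DC01",
     "account": "svc_backup2", "target_group": "Domain Admins", "source_ip": "10.0.5.23"},
    # 4624 logon_type 3 (network) from one source to six hosts in about three minutes.
    {"event_id": 4624, "logon_type": 3, "time": "2025-04-06T01:10:00", "host": "DC01",
     "account": "svc_backup2", "source_ip": "10.0.5.23"},
    {"event_id": 4624, "logon_type": 3, "time": "2025-04-06T01:11:00", "host": "FS01",
     "account": "svc_backup2", "source_ip": "10.0.5.23"},
    {"event_id": 4624, "logon_type": 3, "time": "2025-04-06T01:11:30", "host": "BKP01",
     "account": "svc_backup2", "source_ip": "10.0.5.23"},
    {"event_id": 4624, "logon_type": 3, "time": "2025-04-06T01:12:00", "host": "WS-ACC01",
     "account": "svc_backup2", "source_ip": "10.0.5.23"},
    {"event_id": 4624, "logon_type": 3, "time": "2025-04-06T01:12:45", "host": "WS-HR02",
     "account": "svc_backup2", "source_ip": "10.0.5.23"},
    {"event_id": 4624, "logon_type": 3, "time": "2025-04-06T01:13:10", "host": "SQL01",
     "account": "svc_backup2", "source_ip": "10.0.5.23"},
    # Benign noise: a user reaching the same file server twice must not be flagged.
    {"event_id": 4624, "logon_type": 3, "time": "2025-04-06T01:15:00", "host": "FS01",
     "account": "jdoe", "source_ip": "10.0.9.8"},
    {"event_id": 4624, "logon_type": 3, "time": "2025-04-06T01:40:00", "host": "FS01",
     "account": "jdoe", "source_ip": "10.0.9.8"},
]


def find_new_privileged_accounts(events):
    """Accounts created (4720) and later added to a privileged group (4728/4732)."""
    created = {}
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        if e["event_id"] == 4720:
            created[e["account"]] = e
        elif e["event_id"] in (4728, 4732) and e.get("target_group") in PRIVILEGED_GROUPS:
            origin = created.get(e["account"])
            if origin is not None:
                hits.append({"account": e["account"], "group": e["target_group"],
                             "created_on": origin["host"], "created_by": origin["subject"]})
    return hits


def find_lateral_auth(events, min_hosts=5, window=timedelta(minutes=10)):
    """(source_ip, account) pairs with network logons to >= min_hosts distinct
    hosts inside any window-length span. Thresholds are assumptions to tune."""
    logons = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            logons[(e["source_ip"], e["account"])].append(
                (datetime.fromisoformat(e["time"]), e["host"]))
    hits = []
    for (ip, acct), entries in logons.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):  # sliding window over sorted logons
            hosts = {h for t, h in entries[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits.append({"source_ip": ip, "account": acct, "hosts": sorted(hosts)})
                break
    return hits


if __name__ == "__main__":
    for hit in find_new_privileged_accounts(SAMPLE_EVENTS):
        print("new privileged account:", hit)
    for hit in find_lateral_auth(SAMPLE_EVENTS):
        print("one-to-many SMB logons:", hit)
```

On real data the interesting join is between the two results: the account that was just elevated is the same one fanning out over SMB minutes later, which is exactly the sequence the IoA describes.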

Privilege Escalation, Defense Evasion and Exfiltration
The threat actor allegedly exploited the EternalBlue vulnerability (MS17-010) to escalate privileges to SYSTEM level on the Domain Controller (DC01), granting them full administrative control over the network. To evade detection, the attacker utilized Metasploit to run the tasklist command and verify the absence of any antivirus or endpoint protection software, ensuring a clear path for continued operations. Following privilege escalation and defense evasion, DevMan used PowerShell to systematically locate and exfiltrate sensitive files, including .txt, .docx, .pdf, and .xlsx formats. In total, the attacker reportedly exfiltrated over 7TB of data, highlighting the scale and precision of the operation before deploying ransomware to encrypt systems and disrupt operations.

Impact
The attacker allegedly deployed a ransomware payload named iamdidy.exe, which encrypted files across the network using the .apos extension and dropped ransom notes on all affected systems. As a result, 52 machines were rendered inoperable, critical documents were corrupted, and the organization’s entire infrastructure was effectively paralyzed, causing significant operational disruption.
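The later stages described above (tasklist run through a C2 framework to check for endpoint protection, PowerShell walking the tree for .txt/.docx/.pdf/.xlsx files ahead of exfiltration, and mass creation of .apos files by the payload) each leave a process-creation or file-creation trail. The following triage routine is an added example for this advisory and is not code from the advisory or from CRIL; it runs over constructed Sysmon-style records (event 1 process create, event 11 file create). Field names mirror Sysmon's, but the records, the payload path under C:\Users\Public, the host names, the parent-process allowlist and the file-count threshold are all assumptions to be tuned for a real environment.

```python
"""Triage constructed Sysmon-style events for AV discovery, document
enumeration and .apos file creation (added example, not the advisory's code)."""
import re
from collections import Counter

DOC_EXTS = (".txt", ".docx", ".pdf", ".xlsx")   # document types named in the IoA
RANSOM_EXT = ".apos"                             # extension reported in the IoA
# Parents from which an operator typing tasklist interactively is expected (assumption).
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
ENCRYPT_THRESHOLD = 3   # .apos creations per host before flagging; low for the sample

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = r"C:\Users\Public\iamdidy.exe"        # name from the IoA; path constructed

SAMPLE_EVENTS = [
    # Event 1: tasklist launched from a non-shell parent, as an implant would do it.
    {"event_id": 1, "host": "DC01", "image": r"C:\Windows\System32\tasklist.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe", "command_line": "tasklist /v"},
    # Event 1: an admin running tasklist from cmd.exe; benign, must not be flagged.
    {"event_id": 1, "host": "WS-IT01", "image": r"C:\Windows\System32\tasklist.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "tasklist"},
    # Event 1: PowerShell recursively collecting three document types into a staging dir.
    {"event_id": 1, "host": "FS01", "image": PS,
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'powershell -nop -c "Get-ChildItem C:\Shares -Recurse '
                     r'-Include *.docx,*.pdf,*.xlsx | Copy-Item -Destination C:\staging"'},
    # Event 11: .apos files written by the payload on FS01 (three) and WS-HR02 (one).
    {"event_id": 11, "host": "FS01", "image": PAYLOAD, "target_filename": r"C:\Shares\Finance\Q1.xlsx.apos"},
    {"event_id": 11, "host": "FS01", "image": PAYLOAD, "target_filename": r"C:\Shares\Finance\Q2.xlsx.apos"},
    {"event_id": 11, "host": "FS01", "image": PAYLOAD, "target_filename": r"C:\Shares\HR\roster.docx.apos"},
    {"event_id": 11, "host": "WS-HR02", "image": PAYLOAD, "target_filename": r"C:\Users\a\notes.txt.apos"},
    # Event 11: ordinary document save; not counted.
    {"event_id": 11, "host": "FS01", "image": r"C:\Windows\explorer.exe", "target_filename": r"C:\Shares\HR\new.docx"},
]

_RECURSIVE_LIST = re.compile(r"(get-childitem|\bgci\b).*-recurse", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_tasklist(e):
    """tasklist.exe whose parent is not an interactive shell."""
    return (e["event_id"] == 1 and _basename(e["image"]) == "tasklist.exe"
            and _basename(e["parent_image"]) not in INTERACTIVE_PARENTS)


def is_doc_enumeration(e):
    """PowerShell recursing the filesystem for at least two of the document types."""
    if e["event_id"] != 1 or _basename(e["image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    cl = e["command_line"].lower()
    return bool(_RECURSIVE_LIST.search(cl)) and sum(ext in cl for ext in DOC_EXTS) >= 2


def triage(events):
    """Return hosts showing AV discovery, document enumeration, and mass .apos writes."""
    findings = {"av_discovery": [], "doc_enumeration": [], "encryption": {}}
    apos_per_host = Counter()
    for e in events:
        if is_suspicious_tasklist(e):
            findings["av_discovery"].append(e["host"])
        elif is_doc_enumeration(e):
            findings["doc_enumeration"].append(e["host"])
        elif e["event_id"] == 11 and e["target_filename"].lower().endswith(RANSOM_EXT):
            apos_per_host[e["host"]] += 1
    findings["encryption"] = {h: n for h, n in apos_per_host.items() if n >= ENCRYPT_THRESHOLD}
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The single .apos file on WS-HR02 stays below the threshold on purpose: a per-host count (or, in production, a rate over a short window) keeps one stray file from paging an analyst, while the three-document enumeration on FS01 is flagged regardless of volume because that command line has little benign use on a file server.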

Assessment of the Actor & Information
Considering DevMan’s claims and Qilin’s acceptance of the collaboration, it is confirmed that an association between the two exists. However, the same cannot be confirmed for Apos and Lynx, and at present it remains an assumption. The Indicators of Attack (IoA) revealed by DevMan are also one-sided claims with no confirmation from the victim organizations. Further, even though the Taiwanese victim organization did confirm a cyber incident, the incident could not be attributed to DevMan or Qilin in the absence of valid proof. Preliminarily, we assess the reliability of DevMan as F - Reliability cannot be judged. This will be updated in case further evidence emerges.
Based on our overall analysis of the claims and the Taiwanese entity’s acknowledgement of a cybersecurity incident impacting its infrastructure, we assess the credibility of the threat actor’s claims as 2 – Probably true.
"Assessment of the source/threat actor & information" - NATO's Admiralty Code
This section includes our researchers’/analysts’ assessment based on NATO’s Admiralty Code rating system. This rating system provides our researchers with a standard method to assess the reliability of the source or threat actor/group covered in a cybercrime advisory, and the credibility of the actor’s claims or of information derived from our sources.
The following table is referenced by researchers while assigning the ratings:
Reliability of Source/Threat Actor | Credibility of Information/Threat Actor's claims |
A - Completely reliable | 1 - Confirmed by other sources |
B - Usually reliable | 2 - Probably true |
C - Fairly reliable | 3 - Possibly true |
D - Not usually reliable | 4 - Doubtful |
E - Unreliable | 5 - Improbable |
F - Reliability cannot be judged | 6 - Truth cannot be judged |
The above assessment ratings will be assigned based on the parameters described by NATO's admiralty code rating system as follows:
"Reliability of Source/Threat Actor"
A - Completely reliable: No doubt of authenticity, trustworthiness, or competency; has a history of complete reliability
B - Usually reliable: Minor doubt about authenticity, trustworthiness, or competency; has a history of valid information/claim most of the time
C - Fairly reliable: Doubt of authenticity, trustworthiness, or competency but has provided valid information/claim in the past
D - Not usually reliable: Significant doubt about authenticity, trustworthiness, or competency but has provided valid information/claim in the past
E - Unreliable: Lacking in authenticity, trustworthiness, and competency; history of invalid information/claim
F - Reliability cannot be judged: No basis exists for evaluating the reliability of the source/actor
"Credibility of information/Threat Actor's claims"
1 - Confirmed by other sources: Confirmed by other independent sources; logical in itself; Consistent with other information/claim on the subject
2 - Probably True: Not confirmed; logical in itself; consistent with other information/claim on the subject
3 - Possibly True: Not confirmed; reasonably logical in itself; agrees with some other information/claim on the subject
4 - Doubtful: Not confirmed; possible but not logical; no other information/claim on the subject
5 - Improbable: Not confirmed; not logical in itself; contradicted by other information/claim on the subject
6 - Truth cannot be judged: No basis exists for evaluating the validity of the information/claim
Conclusion
As of now, the DevMan onion leak site is offline, and it remains unclear whether the group will continue to collaborate with or publish victim data under the Qilin branding. Notably, DevMan appears to have ties to at least three ransomware groups—Lynx, Qilin, and Apos—highlighting the ongoing trend of affiliate operators moving across multiple Ransomware-as-a-Service (RaaS) ecosystems, a pattern observed by researchers in previous years.
While DevMan's IoA provide valuable insight into the attack paths and tooling used, no artifacts were shared to validate their claims. Hence, the MITRE techniques listed in this advisory should not be considered exhaustive, and continued monitoring is warranted to track the threat actor's evolution and potential resurfacing under other affiliations.