Financially Motivated Threat Actor Periwinkle Tempest

Periwinkle Tempest (formerly DEV-0193) is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, Periwinkle Tempest managed the Ryuk ransomware-as-a-service program before the latter’s shutdown in June 2021, and Ryuk’s successor, Conti, as well as Diavol. Microsoft has been tracking the activities of Periwinkle Tempest since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. As other malware operations have shut down for various reasons, including legal actions, Periwinkle Tempest has hired developers from Emotet, Qakbot, and IcedID.

DETAILS

Also known as:

Industries targeted:

Microsoft Threat Intelligence: Recent Periwinkle Tempest Articles

Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself

HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks

Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability