Pistachio Tempest (formerly DEV-0237) is a group associated with impactful ransomware distribution. Microsoft has observed Pistachio Tempest use varied ransomware payloads over time as the group experiments with new ransomware as a service (RaaS) offerings, from Ryuk and Conti to Hive, Nokoyawa, and, most recently, Agenda and Mindware. Pistachio Tempest’s tools, techniques, and procedures have also shifted over time, but are primarily marked by their use of access brokers to gain initial access via existing infections from malware such as Trickbot and BazarLoader. After gaining access, Pistachio Tempest uses other tools in their attacks to complement their use of Cobalt Strike, such as the SystemBC RAT and the Sliver framework. Common ransomware techniques (such as using PsExec to deploy ransomware widely in environments) are still a major part of the Pistachio Tempest playbook. The outcomes also remain the same: ransomware, exfiltration, and extortion.