On 2026-06-05
Cybersecurity

The 120-Hour Threat: the timeline of a Devman 2.0 intrusion from VPN to Domain Admin

Summary

Key points

  • Initial Access via Vulnerable Perimeter: The intrusion began with a compromised VPN appliance. While logging deficiencies obscured the exact entry mechanism, strong evidence suggests the Devman 2.0 operators leveraged a Remote Code Execution (RCE) exploit to hijack a valid account. 
  • Living Off the Land & Open-Source Tooling: The attackers maintained a low profile by abusing a pre-existing RMM tool (AnyDesk) to stage their payloads. They heavily relied on a suite of open-source tools for network discovery, credential access, and exfiltration. 
  • Aggressive Credential Scavenging: The threat actors didn’t stop at dumping LSASS memory with Mimikatz. They actively hunted for plaintext credentials by manually looting browser histories, accessing Google Password Manager pages, searches in mailbox, and scouring local files and intranet sites. 
  • Clever Masquerading for Persistence: Lateral movement was conducted primarily via RDP. To maintain access, the attackers created a new highly privileged domain account deceptively named fortibackup to blend in with normal administrative activity. 
  • Significant OpSec Failures: The attackers’ impatience led to critical operational security mistakes. They left behind an rclone configuration file containing the plaintext credentials to their Mega drop-zone, and deployed C2 implants (Sliver and Meterpreter) that were either misconfigured or remained completely dormant;
  • Impact & Swift Containment: While the group successfully exfiltrated a large amount of sensitive data to the Mega cloud platform, their ultimate goal of deploying ransomware was thwarted. Swift isolation triggered by the EDR solution successfully neutralized the threat before the encryption phase could begin.

Introduction and Threat Landscape

During July 2025 the Airbus Protect Incident Response team responded to a significant data breach, which we attributed with a high level of confidence to ransomware group Devman 2.0. This incident occurred within legacy IT systems where EDR coverage was only partially deployed. 

 

Even if the scenario is a classical ransomware attack, the threat actor showed interesting behavior, and some tricks or mistakes that are less common.

Devman 2.0 intrusion from VPN to Domain Admin

If you are suffering from a cyber attack:

Devman 2.0 is a threat actor that has rapidly gained attention in the cybersecurity landscape. Initially emerging as an affiliate of other established Ransomware-as-a-Service (RaaS) operations, the group has since evolved, developing and deploying its own custom ransomware. The ‘2.0’ designation signifies the launch of Devman’s own RaaS programme, which they actively market to other cybercriminals. Devman’s initial approach is known to utilise the ransomware variants of other prominent groups such as Qilin, APOS, and DragonForce.

Since Devman’s emergence they have shown themselves to be a more active Threat Actor, highlighted in May 2025 when the number of alleged Victims reached 13 placing the group just behind the leading ransomware groups. By July 2025 they had claimed responsibility for 54 alleged victims. Targeted industries are diverse with seemingly no link between one another, they include fashion, IT, pest control, transport and media.

Devman 2.0 intrusion from VPN to Domain Admin

However, their rules of engagement (ROE) for interested affiliates using their Ransomware as a Service (RaaS) provides some indication for who they would, and would not target. In their ROE they specifically mention that “ANY target outside of the CIS (Commonwealth of Independent States) region” are viable targets and they specifically highlight “Critical Infrastructure is allowed and even encouraged”. Their ROE provides clues as to who the group would target; this currently aligns with the victims seen. Geographically Devman have not limited themselves other than avoiding targets within CIS; victims can be identified in Spain, South Africa, Singapore, Thailand and France to name a few.

Devman 2.0 intrusion from VPN to Domain Admin

Devman’s cyberattack on Thailand Ministry of Labour where the group claim to have stolen 300GB of data and to have encrypted 2000 laptops and dozens of servers for a ransom of $15 million showcases their general approach when targeting victims.

Devman’s motivation for their attacks appears to be solely focussed on monetary gain. The use of double extortion techniques ensure they are financially rewarded for their efforts by encrypting victim data and stealing it for leverage. 

During the month of February 2026, only two victims were reported on their “Wall of Shame”. Since then, no more activity has been detected, and the website is down. From 6 July 2025 to 4 February 2026, 129 distinct victims were reported.

 

Anatomy of the Intrusion 

The intrusion began with a seemingly legitimate connection using a valid account through the organization’s VPN. While logging limitations prevented us from definitively proving how the credentials were stolen, all breadcrumbs pointed to the VPN appliance itself—a device that had unfortunately remained unpatched against a recent wave of critical vulnerabilities.

Once inside, the threat actor wasted no time. They initiated discovery activities and leveraged RDP to move laterally across the network. Within minutes, we identified traces of Mimikatz execution as the attacker aggressively dumped credentials. Armed with these new privileges, they abused the local browser and a pre-existing AnyDesk installation to pull down a comprehensive offensive toolkit. This included the Sliver C2 framework, a targeted exploit for Veeam Backup & Replication (CVE-2023-27532), and a suite of discovery and exfiltration tools like Metasploit, NetScan, Nmap, Advanced IP Scanner, and RClone.

Shortly after staging these tools, the attacker pivoted to the Domain Controller. Here, they deployed RClone—a tool they also pushed to other network devices—and successfully exfiltrated a massive trove of sensitive data to the Mega cloud platform.

Even after the primary exfiltration, the adversary wasn’t finished. They continued to map the internal network using NetScan and Nmap, and executed SharpHound to map out Active Directory attack paths. To cement their foothold, they created deceptive local accounts and injected them directly into the “Domain Admins” group. They also deployed Meterpreter in an attempt to establish a resilient command-and-control channel.

However, their final push—a secondary attempt to run RClone on the initial ‘patient zero’ host—was the misstep that triggered the EDR solution, leading to swift containment and their ultimate eviction from the network.

Devman 2.0 intrusion from VPN to Domain Admin

If you are suffering from a cyber attack:

Day 1: The 12-Hour Sprint from VPN to Total Compromise 

The intrusion began on July 12 at 10:56 UTC, when the threat actor successfully authenticated to an application server using a valid account originating from the VPN IP range. The threat actor used valid administrator credentials obtained from the VPN configuration to access patent zero. While logging limitations prevented us from pinpointing the exact theft mechanism, the unpatched state of the edge appliance strongly points to vulnerability exploitation.

Once inside, the attacker within seconds of logging in, dropped NetScan and began aggressively mapping the network and the Active Directory.

Devman 2.0 intrusion from VPN to Domain Admin

This reconnaissance phase triggered rapid lateral movement using standard Remote Desktop Protocol (RDP), the attacker pivoted from the application server to the organization’s file server. 

Devman 2.0 intrusion from VPN to Domain Admin

One hour after the intrusion, the threat actor used Mimikatz and successfully dumped LSASS memory, compromising highly privileged accounts including the Administrator credentials.

Already holding Domain Admin privileges, the operator utilized a pre-existing AnyDesk installation on the file server to pull down part of their toolkit. This included a Sliver C2 payload named taskresolv.exe, a PowerShell script named veeam.ps1 (whose supposed purpose was to scan for Veeam servers), and an executable designed to exploit a Veeam Backup vulnerability (CVE-2023-27532). The attacker’s momentum abruptly halted here. Because the organization had already patched their Veeam infrastructure against this specific vulnerability, the exploit payload failed upon execution 

Three hours after intrusion, the threat actor made their move on the Domain Controller. The attacker stumbled upon an internally generated Active Directory audit report. They paired this with manual credential scavenging, looting an Excel file in a shared folder containing plaintext passwords.

With the network mapped, domain dominance achieved, and sensitive files located, the attacker initiated the final phase of their Day 1 sprint data exfiltration. At 18:08 UTC, they dropped Rclone on the Domain Controller with configuration files to a Mega cloud storage drop-zone. After testing the connection, they moved the Rclone operation to the file server. At 21:08 UTC—just over ten hours after their initial VPN login—the attacker successfully exfiltrated gigabytes of the organization’s data.

Days 2 & 3: Mapping the Maze and Blending In 

After successfully exfiltrating data on the first day, the attackers did not simply wait for the exfiltration to be over and moved to the next stage of their attack.

The threat actor continued their network scan activity and information gathering on every machine visited.

During the early hours of Day 2, the threat actor resumed their network discovery by launching a new wave of Netscan across multiple servers. To broaden their knowledge of the IT system they deployed Advanced IP Scanner.

The threat actor continued to search for credentials by actively searching the file server for documents containing passwords, looted browser histories, and directly accessed the victim’s Google Password Manager pages and local intranet sites. Attackers also searched actively in mailboxes using the pattern “password”. Later that night, they executed SharpHound on the file server. Showing a brief flash of operational security, they quickly deleted the tool and its generated output ZIP file to cover their tracks. 

By Day 3, the attackers focused on persistence. Operating directly on the Domain Controller, they created a new local user account. The threat actor deceptively named the account fortibackup, giving a potential hint that this VPN/Firewall device was part of the compromise chain. Later in the day, they completed their persistence strategy by adding the fortibackup account into the highly privileged “Domain Admins” group.

Devman 2.0 intrusion from VPN to Domain Admin

Day 4: A Noisy Escalation and Opsec failures

The next day the threat actor came back and was far less cautious. Beginning in the morning, the attacker launched a massive wave of logon attempts (logged as Event ID 4648) targeting over 50 different hosts across the environment. The attacker moved to a workstation where they redeployed NetScan and continued mapping the network.

While connected to the workstation the operator downloaded and installed the metasploit framework, by browsing directly from the official website of metasploit (https://www.metasploit.com). Same thing for Nmap, which was also downloaded from the official website.

Other payloads were downloaded from limewire. It seems that the attacker wanted to create a C2 channel using a meterpreter. However due to poor operational execution or misconfiguration the threat actor failed to execute their payload.

Later in the day the attacker moved to the application server to exfiltrate data using the same methodology as before with rclone. They only managed to exfiltrate some data before getting detected. Following this detection, the incident response team intervened, initiating a swift deployment of the EDR solution across unmanaged endpoints and isolation of machines with strange behavior allowed us to keep the situation under control.

While the attacker made blind attempts to maintain access on Day 5, the isolation of critical systems rendered them powerless, and they were fully evicted from the network. With the threat neutralized, our team began dissecting their toolkit.”

 

Deep dive on some interesting topics

While the initial access vector and ultimate ransomware objectives followed standard operational patterns, the threat actor exhibited several highly unusual behaviors. In the following sections, we will dissect their most notable OpSec failures, as well as the ‘quick wins’ that allowed them to rapidly escalate their privileges. 

Deep Dive 1: Aggressive Manual Scavenging

In modern ransomware intrusions, threat actors typically rely heavily on automated scripts and tools to extract credentials from memory. While this operator did utilize Mimikatz to dump LSASS memory, what stood out was their willingness to get their hands dirty. They didn’t just run scripts; they engaged in extensive, manual credential scavenging across the compromised machines. 

Once they established a foothold via RDP, the attacker actively exploited saved browser sessions to bypass authentication prompts. Forensic analysis of the Chrome execution logs revealed the attacker manually looting the victims’ Google ecosystems. They systematically accessed Gmail, Google Drive, Google Docs, and specifically targeted Google Password Manager pages to harvest stored credentials. 

Our telemetry captured the exact URLs the attacker used to hunt for secrets within the compromised email accounts:

Devman 2.0 intrusion from VPN to Domain Admin

Beyond cloud ecosystems, the operator scoured local intranet sites and shared network drives for files containing plaintext passwords. Because they had already compromised high-level administrative accounts, they had unrestricted access to sensitive departmental shares. 

This hands-on approach demonstrates a critical lesson for defenders: securing the perimeter and patching against credential-dumping tools is not enough. If users are storing plaintext passwords in shared Excel files or leaving sensitive browser sessions perpetually logged in, an attacker who slips past the initial defenses can easily find the keys to the rest of the kingdom just by opening a web browser. Administrators and users security hygiene is a must in a company and should be promoted as much as possible.

Deep Dive 2 : A Cumulation of mistakes and OpSec Failures 

Advanced Persistent Threats (APTs) are often characterized by their stealth and precision. However, cybercriminal operators—especially those rushing to monetize an intrusion—are human, prone to fatigue, impatience, and operational security (OpSec) failures. Throughout this 120-hour intrusion, the Devman 2.0 operator left a trail of sloppy mistakes that allowed our incident response team to reconstruct some of their movements. 

Our incident response team uncovered strange behavioral patterns regarding the attacker’s Command and Control (C2) infrastructure—very little of it actually worked as expected. Early in the intrusion, they downloaded a Sliver C2 binary, disguised it as taskresolver.exe, and dropped it directly into the C:WindowsSystem32 directory. We recovered its configuration, which pointed to an attacker-controlled IP (88.218.0[.]89), but the binary was never actually executed.

Later, the attacker’s attempt to deploy a Meterpreter payload revealed a notable inconsistency in their operations. Deviating from their previous staging techniques, they opted for a novel delivery method: downloading the binary directly from Limewire. (hxxps://limewire[.]com/d/Yr3IN#XBcIZ7X71p). The operator went through the effort of installing it as a new service (update.exe) to communicate outbound. However, due to severe misconfigurations, every single attempt to execute the Meterpreter payload failed.

These attempts, not necessary from our point of view, led to detection and to discover new IOCs related to this threat actor, uncovering C2 servers IP that were also used for other activities.

 

One other interesting “OpSec” failure from the attackers occurred during the exfiltration phase. The threat actor utilized Rclone to sync the victim’s sensitive data to the Mega cloud platform. However, in their rush, they forgot to remove the rclone configuration file rclone.conf. The username used for accessing the Mega account and the password were sitting here in plaintext.

It was not possible to identify if the mistake is the result of the detection and containment phase that made them forget about these files.
On the same approach the threat actor also utilized mimikatz to dump credentials on several machines. They also left the output log of their credential dumping allowing the incident response team to know exactly what access they managed to gather. 

Devman 2.0 intrusion from VPN to Domain Admin

On other servers the attacker attempted to cover their tracks but their cleanup methodology was severely lacking. Instead of using secure deletion tools, they sent their SharpHound output zip, Rclone executables and other components of their toolkits directly to the Windows Recycle Bin, allowing us to recover them.

Ultimately, the threat actor’s biggest downfall was their own greed. Despite compromising the entire domain and exfiltrating large quantities of data within the first 12 hours, they lingered in the network for three additional days. This unnecessary dwell time, spent scavenging for extra information out of pure curiosity, generated the noise that led to their detection before they could execute the final ransomware payload. 

 

Deep Dive 3: But still a successful attack with some interesting ideas

Even though the threat actor made critical OpSec mistakes, we cannot underestimate their effectiveness. They executed several highly successful, calculated maneuvers that demonstrate a strong understanding of how enterprise environments operate.

 

First is the fortibackup deception. The threat actor used a persistence mechanism that relied entirely on exploiting human assumptions—hiding in plain sight. On Day 3 of the intrusion, having already achieved broad access across the network, they needed a way to guarantee they could return if their primary entry point was terminated. Operating directly on the Domain Controller, they created a new user account.

Rather than choosing a random string or a standard generic name, the attacker named the account fortibackup. This was a calculated move to mimic a legitimate service account tied to a Fortigate firewall backup process. Later that afternoon, the attacker escalated their persistence by adding the fortibackup account directly to the “Domain Admins” group.

Another major success was their “Living Off the Land” approach. Instead of immediately dropping noisy, custom malware that might trigger antivirus alerts, the attacker leveraged what was already there. After pivoting to the file server, they discovered a pre-existing installation of AnyDesk. They hijacked this legitimate Remote Monitoring and Management (RMM) tool to securely download their offensive toolkit—including the Sliver C2 payload and Veeam exploits.

Devman 2.0 intrusion from VPN to Domain Admin

If you are suffering from a cyber attack:

Finally, the attacker’s greediness and aggressive manual scavenging paid off in a massive way. While exploring the Domain Controller on Day 1, the attacker stumbled upon an internally generated Active Directory audit report 

By simply opening this file, the threat actor was handed a comprehensive map of the network’s security posture, misconfigurations, and privilege escalation paths. They didn’t need to run loud AD enumeration tools themselves right away; the defenders had already done the hard work for them.

While the huge effort made by the threat actor on exfiltration of data clearly pointed to an extortion attempt, the attacker’s toolkit revealed their ultimate, destructive goal. Threat actors know that to successfully force a ransom payment, they must destroy an organization’s ability to recover.

To this end, the attacker dropped a PowerShell script named Veeam.ps1 onto the file server. While we were unable to recover the script itself for deep analysis, we have high confidence it was utilized to actively scan the environment and identify servers running Veeam backup software. Shortly after this reconnaissance script was executed, the attacker downloaded an exploit payload for CVE-2023-27532—a critical vulnerability in the Veeam Backup & Replication component that allows an attacker to extract encrypted credentials directly from the configuration database.

However, this is where routine IT maintenance saved the day. The threat actor attempted to fire the exploit, but the organization’s Veeam infrastructure had already been updated to a patched version. The exploit failed completely, resulting only in an application crash logged by the system. This serves as a textbook example of why timely patch management is a critical layer of defense: it directly breaks the ransomware kill chain before the encryption phase can even begin.

Conclusion

This 120-hour intrusion serves as a stark reminder of the realities of the modern threat landscape. The entire incident traces back to a single, critical vulnerability: an unpatched edge device. Today, vulnerable VPN appliances and firewalls remain the undisputed primary entry points for ransomware operators, emphasizing that perimeter hygiene is no longer optional. 

Furthermore, this case highlights the double-edged sword of partial security deployments. Because Endpoint Detection and Response (EDR) agents were not deployed across all the environment, the attacker found the blind spots necessary to map the network and successfully exfiltrate sensitive data. However, the existing EDR coverage saved the organization from a complete exfiltration and encryption. The threat actor was too confident and dropped malware on system onboarded on the EDR solution allowing detection and response.

Finally, this investigation paints a clear picture of this specific Devman 2.0 operator’s profile: a low-to-medium technical proficiency heavily propped up by a reliance on classic, open-source toolkits. While they successfully weaponized standard utilities like NetScan, Mimikatz, and Rclone, their execution crumbled when attempting more complex operations. The severe misconfiguration of their not needed C2 implants (Sliver and Meterpreter), combined with glaring OpSec failures like leaving plaintext configuration on the disk, proves that even inexperienced and sloppy attackers can cause massive damage if given the opportunity.

In the end, it was a combination of the attacker’s impatience and the defender’s swift EDR response that prevented a catastrophic ransomware deployment.

 

Lesson learned for IR team

During the critical early hours of the incident, the organization’s system administrators were unavailable, forcing our incident response team to operate almost entirely through the existing EDR solution. While EDR platforms are invaluable for immediate containment, they inherently lack the deep forensic visibility required to pull certain granular artifacts.

To bridge this visibility gap, our team attempted to dynamically push and execute Velociraptor to gather comprehensive triage data. However, this introduced a significant operational bottleneck, the EDR solution was capped on the amount of data we can download. Forcing us to split the velociraptor archive in multiple parts. This resulted in a highly manual and time-consuming process, causing significant friction during a live Incident Response engagement. .

Incident response teams must pre-engineer offline collection tools (like Velociraptor) that are explicitly configured to upload directly to a controlled, external storage bucket. The incident response team can also build a specific configuration of their collection tool to collect only the most important artefacts not covered by EDR and generate an archive as small as possible. Crucially, defenders must thoroughly test these capabilities in advance to ensure forensic data can be successfully exfiltrated even while a host remains in strict network isolation by the EDR.

 

Timeline

DayTimePhaseActivity Description
Day 100:00 – 10:55Initial AccessThreat actor gains access via VPN using valid account.
10:55 – 11:16DiscoveryExecution of Netscan, host reconnaissance, and file browsing.
11:37Lateral MovementRDP used to pivot to other hosts and the Domain Controller (DC).
12:27Credential AccessMimikatz deployed; attempted exploit of Veeam backup software.
12:58Command & ControlInstallation of the Sliver C2 framework.
18:08 – 21:08Exfiltrationrclone used to exfiltrate data from the DC and File Server.
Day 209:58DiscoveryContinued host reconnaissance and file browsing.
15:22Lateral MovementRDP activity continues; Sharphound (BloodHound) executed.
Day 314:48PersistenceNew user accounts created and added to Domain Admins.
Day 410:03DiscoverySecondary Netscan execution.
10:49Command & ControlDownload and attempted execution of Metasploit (Meterpreter).
19:06Exfiltrationrclone used to exfiltrate data from the SQL Server.
Day 508:00Lateral MovementContinued RDP activity across the network.
08:13DiscoveryContinued host reconnaissance and file browsing.

Indicators of Compromise (IOCs)

Files

FilenameDescriptionSHA256
netscan.exeNetscan tool18F0898D595EC054D13B02915FB7D3636F65B8E53C0C66B3C7EE3B6FC37D3566
sharphound.exeSharphound tool73CCEA435E12299ACF2F835B63215802EDB5896306BFAD5BEEF8F0E1EE1EF8A0
taskresolv.exeSliver C2d83feaba6db727fb56c1112ae67f8c99e6702883f09d5b9d3b195bcf909d7b5e
svcbios.exeMeterpreter655fe0cbba1aa53f91529f44eaf406ed5f26ddd1f767e5ba0432d3bf4a8b6438
update.exeMeterpreter85A8A1D042FA22CCA0476BB9FE02144205585C0F91DACCF247D9265C8D98FEB1
rclone.exerclone tool used for data exfiltration25e803d081afeb15bdba2e3cab634707dea7a999434ea751931a51e165a6c9b8

Network

IPDomainDetails
88.218.0[.]89N/ASliver C2 AS 9009(M247 Europe SRL)
hxxps://limewire[.]com/d/Yr3IN#XBclZ7X71pMetasploit’s Meterpreter Module

MITRE ATT&CK

TacticTechnique
Initial AccessT1133 - External Remote Services
ExecutionT1059.001 - PowerShellT1059.003 - Windows Command ShellT1203 - Exploitation for Client ExecutionT1569 - System Services
PersistenceT1078.002 - Domain AccountsT1136.002 - Domain Accounts
Privilege EscalationT1078.002 - Domain Accounts
Defense EvasionT1036 - Rename Legitimate UtilitiesT1070.001 - Clear Windows Event Logs
Credential AccessT1212 - Exploitation for Credential AccessT1003.001 - LSASS Memory
DiscoveryT1018 - Remote System DiscoveryT1069.002 - Domain GroupsT1087.001 - Local Account
Lateral MovementT1021.001 - Remote Desktop Protocol
Collection
Command and ControlT1219 - Remote Access Tools
ExfiltrationT1567.002 - Exfiltration to Cloud Storage

MITRE ATT&CK Tactics and Techniques

The following Techniques are from open source collections of attributed Devman activity.

120-hour threat
  • Share