Nitrogen

Nitrogen is a malware family/name associated with both an initial access malware/loader and a later ransomware operation. Reporting states that Nitrogen first surfaced in 2023 as an initial access malware used in malvertising-driven intrusions, including campaigns abusing Google and Bing search ads and fake software download sites impersonating products such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. In those campaigns, victims downloaded trojanized ISO installers containing install.exe and a sideloaded malicious DLL (msi.dll, referred to as NitrogenInstaller). The chain installed the expected legitimate application to reduce suspicion, deployed a malicious Python package, created a registry Run key named Python for persistence, executed a malicious pythonw.exe every five minutes, and launched NitrogenStager via python.311.dll. NitrogenStager then contacted command-and-control infrastructure and deployed Meterpreter and Cobalt Strike Beacons. Sophos assessed this activity as staging for ransomware deployment, and Trend Micro previously linked a similar ad-driven intrusion chain to BlackCat/ALPHV ransomware. The campaign primarily targeted technology and non-profit organizations in North America, and other reporting also places Nitrogen among payloads used in malvertising against business users.

Multiple sources state that the threat actors behind Nitrogen later evolved into an independent ransomware operator by mid-2024. The ransomware strain is described as derived from leaked Conti 2 builder code and associated with double-extortion attacks. The group has been linked primarily to Eastern European infrastructure and has listed victims across sectors including manufacturing, business services, technology, hospitality, education, utilities, finance, and media. Reported victim geography includes a strong concentration in the United States, with additional victims in Canada, Portugal, Taiwan, and France. Public reporting cites organizations such as Foxconn, ENENSYS Technologies, PCCA, Coweta County School System, SRP Federal Credit Union, and Red Barrels as victims or claimed victims. Foxconn confirmed that several North American factories were affected by a cyberattack after Nitrogen listed the company on its leak site; Nitrogen claimed to have stolen about 8 TB of data and more than 11 million files, including confidential documents, project materials, and drawings tied to major customers.

Nitrogen ransomware includes a VMware ESXi-targeting variant. High-confidence reporting from Coveware and Veeam states that this ESXi encryptor contains a critical cryptographic implementation flaw that corrupts the public key used during encryption, including reports that part of the public key is overwritten with zeros or otherwise overwritten on the stack. As a result, encrypted ESXi files can become permanently unrecoverable, and decryption is impossible even for the operators with the private key. Several reports explicitly warn that paying the ransom will not restore affected ESXi data. The ransomware has also been described as sharing code lineage with Babuk-related codebases in some detections. Reported ransom note filenames include READ_ME_.TXT and readme.txt. ATT&CK-style behaviors attributed to the ransomware operation include PowerShell use, scheduled tasks, LSASS memory credential dumping, RDP, SMB/Windows Admin Shares, automated collection, automated exfiltration, and exfiltration over command-and-control channels.

Reported indicators associated with Nitrogen include the YARA rule nitrogen.yar and MD5 hashes 1b637a43abca552acaee11c01913db18, 3139c8e0d0dd9683ebfecdb2e4f1b6bb, 3dbd3c04b1acab0b70546e48d39247b7, 7e043d880dcf7889c6767ab97764769c, 834d94cf35d9417aa93a5cb350a756e9, and a9297a8acbee74ba0169333ee38be2ef. In the initial access/malvertising context, Nitrogen has been associated with fake software sites, compromised WordPress-hosted landing pages, geographic filtering, trojanized ISO installers, malicious DLL sideloading, Python-based persistence, Meterpreter, and Cobalt Strike.