Threat Actor Azote Group Expands Nitrogen Ransomware Campaign Targeting IT and Finance

Threat Group: Azote Group / UNC4696
Threat Type: Ransomware (Double Extortion), Initial Access Broker
Exploited Vulnerabilities: Malvertising, DLL Sideloading, Vulnerable Drivers, Social Engineering
Malware Used: NitrogenLoader, NitrogenInstaller, NitrogenStager, Sliver, Cobalt Strike, BlackCat/ALPHV, KeeLoader
Threat Score: 🔥 Critical (9.1/10) – Due to its modular, evasive attack chain and confirmed links to multiple ransomware deployments, including ALPHV/BlackCat.
Last Threat Observation: May 21, 2025


Overview

Nitrogen ransomware, attributed to UNC4696 (also known as the Azote Group), is a persistent and evolving threat. First observed in late 2023 and significantly active since September 2024, the campaign specializes in initial access via sophisticated malvertising campaigns. Victims are tricked into downloading trojanized software installers, typically IT and networking tools, hosted on cloned websites delivered via search engine ads.

The Nitrogen infection chain is modular and includes NitrogenLoader, NitrogenInstaller, and NitrogenStager components. These establish persistence and command-and-control channels and deploy payloads such as Sliver and Cobalt Strike. Eventually, access is sold to affiliates or ransomware is deployed directly. ALPHV/BlackCat ransomware is the most frequently observed final stage, although a standalone Nitrogen ransomware variant with a .NBA extension and readme.txt note has also been reported.

UNC4696 is also linked to the KeeLoader malware campaign (a trojanized KeePass installer), suggesting a broader arsenal targeting privileged IT users.


Key Details

Delivery Method: Malvertising for tools like WinSCP, Advanced IP Scanner, KeePass, PuTTY, and AnyDesk; payloads delivered as ZIPs or ISOs using DLL sideloading.

Target: IT, finance, manufacturing, construction, and nonprofit sectors in the US, UK, Canada, Europe, and Africa.

Functions:

  • Trojanized software bundles distribute NitrogenLoader (e.g., python312.dll).
  • NitrogenInstaller establishes persistence using Registry Run keys and Scheduled Tasks.
  • NitrogenStager initiates second-stage payloads (Cobalt Strike, Meterpreter, Sliver).
  • KeeLoader exfiltrates KeePass databases.
  • Ransomware payloads use .NBA extension and drop readme.txt ransom notes.

Obfuscation:

  • Packed DLLs with custom exports.
  • Stack strings, anti-debugging, VM-aware behaviors.
  • Exploits vulnerable drivers (e.g., truesight.sys) to disable AV/EDR.
  • Clears logs, manipulates BCD to inhibit recovery.

Attack Vectors

  1. Initial Access: Victims click poisoned ads (e.g., on Bing/Google) and download ISO/ZIP bundles containing renamed executables and malicious DLLs (e.g., setup.exe sideloading python312.dll).
  2. Persistence: NitrogenInstaller creates Run keys like HKCU\...\Run\Python and Scheduled Tasks (e.g., "OneDrive Security") to launch pythonw.exe from uncommon paths.
  3. Staging: NitrogenStager (e.g., python.311.dll) connects to C2 and downloads Cobalt Strike or Sliver payloads.
  4. Post-Exploitation: Payloads inject into legitimate processes (e.g., gpupdate.exe) and use XOR-encrypted configs (e.g., 0x2e key). Common watermark ID: 678358251.
  5. Final Payload: BlackCat/ALPHV is deployed, or Nitrogen ransomware encrypts files with .NBA extension.

Known Indicators of Compromise (IoCs)

File Hashes (SHA256)

File Hashes (SHA1)

  • 363068731e87bcee19ad5cb802e14f9248465d31

File Hashes (MD5)

  • f53fa44c7b591a2be105344790543369

Domains

IP Addresses

Mutex

  • nvxkjcv7yxctvgsdfjhv6esdvsx

Registry Keys

  • HKEY_USERS\{User_SID}\Software\Microsoft\Windows\CurrentVersion\Run\Python

Scheduled Tasks

  • OneDrive Security

File Names

  • python312.dll
  • msi.dll
  • python.311.dll
  • python311.dll
  • pythonw.exe
  • Intel64.exe
  • tcpp.exe
  • IntelGup.exe

File Paths

  • C:\StorageReport\tcpp.exe

Ransom Notes

  • readme.txt

File Extensions

  • .NBA

Cobalt Strike XOR Keys

  • 0x2e

Cobalt Strike Watermarks

  • 678358251 (S+sMUHERQLpRZukekGExAw==)

Mitigation and Prevention

User Awareness:

  • Avoid downloading from search engine ads.
  • Recognize spoofed domains and lures.

Email Filtering & Antivirus:

  • Enable sandboxing for attachments.
  • Detect DLL sideloading patterns.

Endpoint Protections:

  • Detect pythonw.exe launched from suspicious paths.
  • Block vulnerable driver loads (e.g., truesight.sys).

Two-Factor Authentication (2FA):

  • Mandatory for all remote and privileged access.

SIEM Monitoring:

  • Watch for registry Run keys and new scheduled tasks.
  • Alert on bcdedit.exe execution, event log clearing.

Regular Updates & App Whitelisting:

  • Patch OS and apps.
  • Whitelist approved apps and block unsigned Python runtimes.
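As an added example that is not part of this advisory or its sources, the Python prototype below turns the persistence, evasion and sideloading behaviours from the Attack Vectors and SIEM Monitoring sections into detection rules and runs them over constructed, Sysmon-style event records. The event field names and the trusted Python install directories are assumptions; the Run key, task name, driver name and DLL names come from the advisory.

```python
# Constructed sample events in a simplified, Sysmon-like shape (assumption: your SIEM
# normalises Windows telemetry into fields like these); none of this is real telemetry.
SAMPLE_EVENTS = [
    {"type": "registry", "data": r"C:\Users\alice\AppData\Roaming\Python\pythonw.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Python"},
    {"type": "task", "name": "OneDrive Security", "command": r"C:\StorageReport\pythonw.exe"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "process", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"type": "driver", "image": r"C:\Users\alice\AppData\Local\Temp\truesight.sys"},
    {"type": "imageload", "image": r"C:\Users\alice\Downloads\WinSCP\setup.exe",
     "loaded": r"C:\Users\alice\Downloads\WinSCP\python312.dll"},
    {"type": "process", "image": r"C:\Program Files\Python312\pythonw.exe", "cmdline": "pythonw.exe app.py"},
]
# Where a pythonw.exe is expected to live (assumption: adjust to your estate's installs).
TRUSTED_PYTHON_DIRS = (r"c:\program files\python", r"c:\program files (x86)\python")
# Sideloaded DLL names taken from the advisory's file-name IoCs.
SIDELOAD_DLLS = {"python312.dll", "python311.dll", "python.311.dll", "msi.dll"}

def uncommon_pythonw(path):  # pythonw.exe launched from outside the trusted install dirs
    p = path.lower()
    return p.endswith("pythonw.exe") and not p.startswith(TRUSTED_PYTHON_DIRS)

def detect(ev):
    """Return the names of the advisory-derived rules this event matches."""
    hits, t = [], ev["type"]
    if t == "registry" and ev["key"].lower().endswith(r"\currentversion\run\python"):
        hits.append("run_key_python")            # NitrogenInstaller Run key
    if t == "task" and ev["name"] == "OneDrive Security":
        hits.append("task_onedrive_security")    # NitrogenInstaller scheduled task
    launched = ev.get("data") or ev.get("command") or ev.get("image", "")
    if t in ("registry", "task", "process") and uncommon_pythonw(launched):
        hits.append("pythonw_uncommon_path")
    if t == "process":
        img, cmd = ev["image"].lower(), ev["cmdline"].lower()
        if img.endswith("bcdedit.exe"):
            hits.append("bcdedit_exec")          # BCD tampering to inhibit recovery
        if img.endswith("wevtutil.exe") and "cl" in cmd.split():
            hits.append("eventlog_clear")        # event log clearing
    if t == "driver" and ev["image"].lower().endswith("truesight.sys"):
        hits.append("vulnerable_driver_load")    # driver abused to disable AV/EDR
    if t == "imageload":
        dll = ev["loaded"].lower().rsplit("\\", 1)[-1]
        if dll in SIDELOAD_DLLS and not ev["loaded"].lower().startswith(TRUSTED_PYTHON_DIRS):
            hits.append("dll_sideload")          # python312.dll loaded from a download dir
    return hits

def scan(events):  # event index -> matched rules, skipping events with no match
    return {i: h for i, e in enumerate(events) if (h := detect(e))}
```

The last sample event, a pythonw.exe from the expected install directory, produces no hit, which is the false-positive check to keep when tuning the trusted-directory list.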

Risk Assessment

Nitrogen represents a hybrid threat acting both as an Initial Access Broker and standalone ransomware operator. Its stealth, modularity, and links to multiple payloads make it a significant threat to all sectors. Its evasion of traditional defenses through DLL sideloading and driver exploitation demands advanced behavioral defenses.


Conclusion

Nitrogen ransomware, under the control of UNC4696, exemplifies a modern adversary’s operational versatility. It abuses trust in common software, executes stealthy and modular infections, and integrates with prominent RaaS ecosystems like ALPHV. Organizations must combine education, endpoint controls, and layered telemetry analysis to effectively defend against this threat.

