November 7

Nitrogen ransomware: From staged loader to full-scale extortion


What’s in a name?

Group names and logos aren’t always significant, but sometimes the branding will offer clues to the group’s intentions, locations and member identities. Nitrogen doesn’t give us much to work with here.

It’s hard to say why the group chose the name Nitrogen. There doesn’t seem to be anything fun or interesting behind this name. It may be meant to project an image of being invisible and everywhere, or cold and methodical, or something else. Maybe it doesn’t mean anything.

The minimalist logo looks like a stock image with some design elements, and we can speculate on what this means. Other groups we’ve profiled have crazy brand designs with bugs and mythical creatures and cool retro fun. Lockbit paid people to tattoo its logo onto themselves (gross). Nitrogen doesn’t seem to care about things like that, which could mean the group doesn’t prioritize long-term brand recognition. Maybe the group has a planned exit strategy, or it recognizes that ransomware brands do not last long. Rebranding and changing domains is easier with a simple logo image because you don’t have a bunch of style elements to clean up and/or put on a new server.

A simple design could also be an intentional statement that the group isn’t into marketing. It wants to operate quietly and not be bothered with showing off its brand. If the group is operating as a RaaS, why aren’t they trying to get attention? 

As a reminder, this is all speculation.

Location and identities

There’s no public, authoritative attribution of Nitrogen to a specific country or region. Open-source reporting links Nitrogen activity to the broader Eastern-European area, but researchers could not confirm a location. Most Nitrogen ransomware command-and-control servers are in Bulgaria and the Netherlands, but the group could be decentralized and attacking from different locations.

There is also no direct evidence linking Nitrogen to specific individuals, though researchers suspect the current group may include former Blackcat operators.

Origin story

Malware developer and loader operator

Nitrogen malware activity was first detected by researchers in the summer of 2023. The malware was designed to access a system and establish persistence so that a threat actor could carry out a stealthy attack. The Nitrogen group developed and sold the malware, and sometimes helped manage the malvertising campaigns for buyers.

The Nitrogen loader is a small piece of code that was bundled with application installers for utilities such as Advanced IP Scanner, Slack, WinSCP, AnyDesk, Cisco AnyConnect, PuTTY, and other applications. These applications were chosen because IT teams and other technical users are more likely to download them.
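A defender's check for the delivery pattern described above, added here as an example and not taken from the original post: it scans constructed proxy-log lines for installer downloads of the tools named in this section that come from a host outside the vendor's own domain. The vendor domain sets and the sample log are assumptions made for the example, not an authoritative allowlist.

```python
import re
from urllib.parse import urlparse
# Tools named in the write-up, with a filename pattern and the vendor domains that
# publish the installer. The domain sets are an assumption for this example.
TOOL_PATTERNS = {
    "Advanced IP Scanner": (re.compile(r"advanced[_-]?ip[_-]?scanner", re.I), {"advanced-ip-scanner.com"}),
    "Slack": (re.compile(r"slack", re.I), {"slack.com", "slack-edge.com"}),
    "WinSCP": (re.compile(r"winscp", re.I), {"winscp.net"}),
    "AnyDesk": (re.compile(r"anydesk", re.I), {"anydesk.com"}),
    "Cisco AnyConnect": (re.compile(r"anyconnect", re.I), {"cisco.com"}),
    "PuTTY": (re.compile(r"putty", re.I), {"chiark.greenend.org.uk"}),
}
INSTALLER_EXT = re.compile(r"\.(exe|msi|zip|iso)$", re.I)

def host_matches(host, domains):
    # Exact vendor domain or a subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_download(url):
    """Return (tool, host) for an installer of a listed tool served from a non-vendor host, else None."""
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    if not INSTALLER_EXT.search(filename):
        return None
    host = (parsed.hostname or "").lower()
    for tool, (pattern, domains) in TOOL_PATTERNS.items():
        if pattern.search(filename) and not host_matches(host, domains):
            return tool, host
    return None

def flag_proxy_log(lines):
    """Scan '<time> <client> <method> <url> <status>' lines; return (client, tool, host) per suspicious download."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "GET":
            continue
        verdict = classify_download(fields[3])
        if verdict:
            hits.append((fields[1], *verdict))
    return hits

# Constructed sample log (placeholder .example hosts): one vendor download, one
# unrelated asset, and two installers fetched from look-alike hosts.
SAMPLE_LOG = [
    "2023-07-12T09:14:03Z 10.0.0.21 GET https://www.advanced-ip-scanner.com/download/Advanced_IP_Scanner_2.5.exe 200",
    "2023-07-12T09:16:41Z 10.0.0.33 GET https://ipscanner-download.example.net/Advanced_IP_Scanner_2.5.exe 200",
    "2023-07-12T09:20:05Z 10.0.0.33 GET https://cdn.example.org/assets/logo.png 200",
    "2023-07-12T09:25:52Z 10.0.0.45 GET https://putty-installer.example.com/putty-64bit-0.79-installer.msi 200",
]
```

Running `flag_proxy_log(SAMPLE_LOG)` flags only the two look-alike hosts; a hit is a lead to confirm against the downloaded file's signature and hash, not a verdict on its own.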

