Menu
Browse

Cyber Threat Actor: Nemty

Aliases: 10 aliases
Actor Type Location Known Incidents
 Icon
Criminal
2 incidents
Profile

The threat actor operates under multiple aliases including @n0w1337, n0w1337, Sharpboys, c0mrade, Nemty, Prince, Pr0digy, pr0jekkt, and pr0j3kt. Public reporting associates these aliases with distinct but overlapping operations: the "Anonymous Sudan" collective conducts DDoS attacks primarily against Western entities, while "Play" and "Royal" ransomware groups execute data theft and encryption campaigns. Anonymous Sudan targets government, media, and critical infrastructure sectors in Israel, the US, and Europe, explicitly citing political motives such as protesting US foreign policy in Sudan or Quran desecration incidents in Sweden. Play ransomware focuses on municipal governments (Oakland, Lowell), financial institutions (Globalcaja Bank), and maritime logistics (Royal Dirkzwager), employing double extortion tactics by leaking stolen employee passports, contracts, and financial documents. Royal ransomware similarly targets US local governments (Dallas), healthcare networks (Morris Hospital), and educational institutions (Lake Dallas Independent School District, Montana State University), exfiltrating sensitive data like Social Security numbers and medical records.

Technical patterns include Anonymous Sudan's use of volumetric DDoS attacks to disrupt services like Microsoft Outlook, Israeli news portals, and Scandinavian Airlines' systems, while Play and Royal leverage ransomware payloads with data exfiltration capabilities. Play exploits vulnerabilities such as ProxyNotShell in Microsoft Exchange and uses Cobalt Strike for post-compromise activity, as observed in attacks on CH Media and Coldiretti. Royal employs callback phishing schemes impersonating software vendors to gain initial access, as seen in the Dallas intrusion. Microsoft attributes email breaches at US State and Commerce Departments to Chinese state-linked Storm-0558 actors using forged authentication tokens, though this group's connection to the aliases isn't explicitly stated. Some analysts suggest Play's operational overlap with Hive and Nokoyawa ransomware groups, while US officials confirm Storm-0558's affiliation with China. Anonymous Sudan's potential Russian nexus is debated, with researchers noting discrepancies between its stated Sudanese alignment and technical indicators.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
84 sources