Widely attributedUnknown
Vanilla Tempest
Financially motivated ransomware group formerly tracked as DEV-0832. Deploys INC ransomware primarily against the healthcare sector, receiving GootLoader hand-offs from Storm-0494 before lateral movement via RDP.
Attribution signal
?Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.≥ 10 High≥ 3 Moderate< 3 Low0.7
Low signal strength
Mentions2
Sources2
High conf.0
Last seenMay 2026
First observed
—
Last active
—
Origin
—
Aliases
2
Techniques
0
Campaigns
0
TargetsHealthcare
RegionsGlobal
Attribution signals
2 mentions · 2 sources#1moderate
Infrastructure
security-affairs
May 2026
#2unspecified
Malware
cyberscoop
May 2026