Devman Decoded: From DragonForce Affiliate to Rust-Based RaaS

Table of Contents
- Executive Overview
- Evolution: The "Rust" Pivot (Devman 2.0)
- Technical Deep Dive: Evasion and Execution
- The Virtualization Kill Chain (ESXi)
- Victimology and Operations
- Detection and Hunting
- Conclusion
Executive Overview
In the volatile threat landscape of 2025, few threat actors have pivoted as aggressively as the Devman cartel. Originally identified as a "white-label" affiliate of the DragonForce and Qilin ecosystems, Devman has rapidly matured into a standalone Ransomware-as-a-Service (RaaS) operation with a distinct technical identity.
For defenders, Devman represents a convergence of three dangerous trends: the shift to memory-safe languages (Rust), the weaponization of enterprise zero-days (SAP NetWeaver), and the "living-off-the-land" destruction of virtualization layers (VMware ESXi). This combination makes Devman particularly challenging to detect and contain, as it leverages trusted system components and targets infrastructure that often lacks endpoint detection coverage.
This analysis breaks down the technical anatomy of Devman—from its C++ origins to its modern Rust architecture—and provides actionable intelligence for detection and response teams.
Evolution: The "Rust" Pivot (Devman 2.0)
Devman's lifecycle is distinctively split into two phases. Understanding this lineage is critical for attribution and forensic analysis, as artifacts from both generations may appear in compromised environments.
Phase 1: The DragonForce Legacy (C++)
Early 2025 variants were essentially rebranded DragonForce payloads, themselves derived from leaked Conti v3 source code. These binaries relied on standard mutex patterns like Global\Fxo16jmdgujs437 and utilized a hybrid HC-256 / ChaCha20 encryption stream.
Key Characteristics of v1.0:
- Language: C++ with heavy code reuse from Conti leak
- Encryption: Hybrid HC-256 / ChaCha20 stream cipher
- Mutex: Global\Fxo16jmdgujs437
- File Marker: xcrydtednotstill_amazingg_time!!
However, this phase was plagued by "builder bugs," including a notorious flaw where the malware encrypted its own ransom notes, rendering them unreadable. This operational embarrassment likely accelerated the decision to rebuild from scratch.
Phase 2: The Rust Rewrite (September 2025)
To resolve stability issues and target cross-platform environments, the operators launched Devman 2.0, rewritten entirely in Rust. This architectural decision provided several operational advantages:
Cross-Platform Targeting: A unified codebase targeting Windows, Linux, and ESXi eliminates the need for separate development teams and reduces builder complexity.
Memory Safety: Rust's ownership model eliminates entire classes of vulnerabilities (buffer overflows, use-after-free) that defenders might otherwise exploit to crash or analyze the malware.
Performance: The Rust variant utilizes AES-256-CTR for file encryption and RSA-4096 for key exchange, offering significant speed advantages via intermittent encryption—encrypting only 20% of large files while still rendering them unrecoverable.
Cryptographic Implementation (v2.0):
- Symmetric Encryption: AES-256-CTR (intermittent mode for files >1MB)
- Asymmetric Encryption: RSA-4096 for session key wrapping
- Intermittent Ratio: 20% of file content encrypted
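Intermittent encryption leaves a file with a mix of ciphertext-like and untouched regions, which is itself a detectable artifact. The following chunk-entropy triage check is an added defender-side illustration, not code from this report or from the Devman builder; it assumes the 20% figure above is realised as a contiguous leading block (the real chunk layout is not described here) and uses a 64 KiB sampling window and a 7.5 bits/byte threshold as tunable assumptions.

```python
import math
import os
from collections import Counter

CHUNK = 64 * 1024      # sampling window in bytes (assumed; tune per file population)
HIGH_ENTROPY = 7.5     # bits per byte; ciphertext sits near 8.0, documents well below

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of one chunk, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_ratio(data: bytes, chunk: int = CHUNK) -> float:
    """Fraction of fixed-size chunks whose entropy looks like ciphertext."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not chunks:
        return 0.0
    high = sum(1 for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY)
    return high / len(chunks)

def looks_intermittently_encrypted(data: bytes, lo: float = 0.05, hi: float = 0.6) -> bool:
    """Flag files that are only partly ciphertext-like.

    Clean documents fall below `lo`; fully high-entropy files (archives, media,
    or fully encrypted files) fall above `hi` and need other triage, because
    entropy alone cannot tell a zip from ciphertext."""
    return lo <= encrypted_ratio(data) <= hi

def make_sample(size: int = 2 * 1024 * 1024, ratio: float = 0.20) -> bytes:
    """Constructed test input: a low-entropy document whose first `ratio` of
    bytes is replaced by random data, mimicking a 20% intermittent scheme."""
    text = b"Quarterly report, section 4. Revenue unchanged. "
    plain = (text * (size // len(text) + 1))[:size]
    cut = int(size * ratio)
    return os.urandom(cut) + plain[cut:]

if __name__ == "__main__":
    sample = make_sample()
    print(f"ciphertext-like chunks: {encrypted_ratio(sample):.2f}")
    print("intermittently encrypted?", looks_intermittently_encrypted(sample))
```

Run against a directory of recently modified files, the ratio separates partially encrypted documents from both clean documents and legitimately compressed data, which a whole-file entropy score cannot do.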
Technical Deep Dive: Evasion and Execution
Devman employs high-friction tactics to blind defenses before encryption begins. These techniques represent a synthesis of leaked ransomware tradecraft and novel evasion methods.
BYOVD (Bring Your Own Vulnerable Driver)
Devman neutralizes EDR agents by abusing legitimate, signed kernel drivers—a technique known as BYOVD (Bring Your Own Vulnerable Driver). The group has been observed deploying truesight.sys and rentdrv2.sys, both of which are legitimately signed but contain exploitable vulnerabilities.
Attack Flow:
- The ransomware drops a vulnerable driver to disk
- The driver is loaded into the kernel via standard Windows APIs
- The malware exploits known vulnerabilities in the driver to gain kernel-level code execution
- Protected processes (e.g., MsMpEng.exe, SentinelAgent.exe) are terminated from kernel mode, bypassing user-mode protections
This technique is particularly effective because the drivers carry valid signatures and therefore load under Driver Signature Enforcement (DSE) without requiring a kernel exploit or test-signing mode.
Observed Vulnerable Drivers:
- truesight.sys (TrueSight kernel driver)
- rentdrv2.sys (RentDrv kernel driver)
Windows Restart Manager Abuse
Inheriting code from Conti, Devman interacts with the Windows Restart Manager API to maximize encryption coverage. The Restart Manager is a legitimate Windows component designed to minimize reboots during software installation by gracefully closing applications that hold file locks.
Technique Details:
- The malware queries for processes holding open handles on target files (databases, mail stores, documents)
- It uses the Restart Manager to request these applications close gracefully
- If graceful termination fails, processes are forcefully terminated
- Files are then encrypted without lock conflicts
Forensic Artifact:
Registry artifacts associated with this activity can be found at:
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
This registry key will contain information about the Restart Manager session, including the list of files and processes involved in the operation.
The SAP Zero-Day (CVE-2025-31324)
One of Devman's most distinct differentiators is its aggressive exploitation of CVE-2025-31324, a critical vulnerability in SAP NetWeaver Visual Composer. This represents a significant escalation in targeting, as SAP systems often contain the most sensitive enterprise data.
Vulnerability Details:
- Affected Component: SAP NetWeaver Visual Composer
- Vulnerable Endpoint: /developmentserver/metadatauploader
- Root Cause: Missing authentication on file upload functionality
- CVSS Score: 10.0 (Critical)
Exploitation Flow:
- Attackers identify exposed SAP NetWeaver instances via internet scanning
- A malicious JSP web shell (e.g., cache.jsp) is uploaded to the /developmentserver/metadatauploader endpoint without authentication
- The web shell executes OS commands as the sidadm user (SAP system administrator)
- Attackers gain immediate access to ERP data, supply chain information, and financial records
- The ransomware payload is deployed after data exfiltration
Impact: This grants immediate access to the "crown jewels" of enterprise data before the ransomware is even deployed, enabling double-extortion scenarios with maximum leverage.
The Virtualization Kill Chain (ESXi)
Like many modern ransomware groups, Devman targets the hypervisor layer to encrypt multiple virtual machines simultaneously. The Linux/ESXi variants (ELF binaries) use native ESXi command-line tools to prepare the environment—a classic "living-off-the-land" approach that minimizes detection opportunities.
Stage 1: Enumeration
The malware enumerates all virtual machines on the host:
vim-cmd vmsvc/getallvms
This returns a list of all registered VMs with their VMIDs, names, and configuration paths.
Stage 2: Termination
Running VMs are forcefully terminated to release file locks on virtual disk files:
esxcli vm process kill --type=force --world-id=<WORLD_ID>
The --type=force flag ensures immediate termination without graceful shutdown, preventing any in-guest defensive measures from executing.
Stage 3: Encryption
The malware targets virtual disk formats specifically:
- .vmdk (Virtual disk files)
- .vmx (VM configuration files)
- .vmsn (Snapshot state files)
- .nvram (BIOS/UEFI state files)
By targeting these specific extensions, Devman ensures VMs cannot be recovered or started without paying the ransom.
Stage 4: Defacement
The ESXi web interface is defaced by overwriting the default index.html with the ransom note, ensuring administrators see the demand immediately upon accessing the management console.
Victimology and Operations
Devman operates on a "Big Game Hunting" philosophy, deliberately targeting organizations with the resources to pay substantial ransoms.
Revenue Thresholds: The operators explicitly target organizations with annual revenue exceeding $100 million. Smaller organizations are typically ignored as not worth the operational risk.
Geographic Targeting: Western targets are prioritized, with a particular focus on North American and European enterprises. A notable case was the April 2025 attack on the French transport company Doumen, which caused significant logistics disruptions across multiple European supply chains.
Exclusion Rules: Consistent with many Eastern European ransomware operations, strict rules prohibit targeting:
- CIS (Commonwealth of Independent States) countries
- Healthcare institutions serving children
- Critical infrastructure that could cause loss of life
These exclusions likely serve both ideological and practical purposes, reducing the risk of aggressive law enforcement response from Russian authorities.
Detection and Hunting
For security teams, the following indicators and detection rules provide high-fidelity alerts for Devman activity.
YARA Rule
The following YARA rule detects both Rust and C++ variants based on unique string artifacts:
rule RANSOM_Devman_Indicators {
    meta:
        description = "Detects Devman Ransomware (Rust/C++ variants)"
        author = "Threat Intelligence Team"
        severity = "High"
        last_modified = "2026-01-21"
    strings:
        $ext1 = ".devman" wide ascii
        $ext2 = ".devmanv1" wide ascii      // note: $ext1 is a substring of $ext2, so one ".devmanv1" hit satisfies both
        $note = "README.devman" wide ascii
        $mutex = "Global\\Fxo16jmdgujs437" wide ascii
        $marker = "xcrydtednotstill_amazingg_time!!" ascii
        $cmd_shadow = "vssadmin delete shadows /all /quiet" ascii
    condition:
        // MZ header: this rule covers the Windows PE builds only; the Linux/ESXi
        // ELF builds of the Rust variant need a separate rule without this check
        uint16(0) == 0x5A4D and
        (
            $mutex or
            $marker or
            (2 of ($ext*, $note, $cmd_shadow))
        )
}
Key IOCs
File Extensions:
- .devman
- .devman1
- .devmanv1
Ransom Notes:
- README.devmanv1.txt
- README.devman.txt
Vulnerable Drivers (verify via hash):
- truesight.sys
- rentdrv2.sys
Network Indicators:
- Unexpected traffic to Tor nodes from server infrastructure
- HTTP requests to /developmentserver/metadatauploader on SAP servers
- Large outbound data transfers preceding encryption activity
Registry Artifacts:
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Process Indicators:
- Unexpected driver loading events for truesight.sys or rentdrv2.sys
- Mass process termination of security tools
- esxcli or vim-cmd execution on ESXi hosts
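The network and process indicators above, together with the SAP exploitation flow and the ESXi kill chain described earlier, translate directly into log-based hunting logic. The script below is an added example (not tooling from this report) that applies those indicators to constructed sample lines; it assumes an Apache-style access log on the SAP host, ESXi shell.log entries, and Windows command-line telemetry, and the rule names, severities and sample values are its own.

```python
import re
from dataclasses import dataclass

# Patterns built from the indicators listed above. Log formats are assumed
# (Apache-style access log, ESXi shell.log, Windows command-line telemetry).
RULES = [
    ("SAP_metadatauploader_request", "critical",
     re.compile(r'"[A-Z]+\s+/developmentserver/metadatauploader[^"]*"')),
    ("ESXi_vm_enumeration", "medium",
     re.compile(r'\bvim-cmd\s+vmsvc/getallvms\b')),
    ("ESXi_forced_vm_kill", "high",
     re.compile(r'\besxcli\s+vm\s+process\s+kill\b.*--type=force')),
    ("Shadow_copy_deletion", "high",
     re.compile(r'vssadmin\s+delete\s+shadows\s+/all\s+/quiet', re.I)),
]

@dataclass
class Alert:
    rule: str
    severity: str
    line: str

def scan(lines):
    """Return one Alert per (line, rule) match, in input order."""
    return [Alert(name, sev, line.strip())
            for line in lines
            for name, sev, rx in RULES if rx.search(line)]

def esxi_kill_chain(alerts):
    """Escalate when VM enumeration is followed by a forced kill: that ordering
    is the Stage 1 -> Stage 2 sequence of the ESXi kill chain described above."""
    names = [a.rule for a in alerts]
    if "ESXi_vm_enumeration" not in names:
        return False
    first_enum = names.index("ESXi_vm_enumeration")
    return "ESXi_forced_vm_kill" in names[first_enum:]

# Constructed sample lines; formats approximate real sources and are not from the report.
SAMPLE_LOGS = [
    '203.0.113.7 - - [21/Jan/2026:03:14:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Jan/2026:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 8812',
    '2026-01-21T03:20:11Z shell[2097]: [root]: vim-cmd vmsvc/getallvms',
    '2026-01-21T03:20:40Z shell[2097]: [root]: esxcli vm process kill --type=force --world-id=2101456',
    '2026-01-21T03:21:02Z shell[2097]: [root]: ls /vmfs/volumes',
    'CommandLine: vssadmin delete shadows /all /quiet',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f"[{a.severity}] {a.rule}: {a.line}")
    print("ESXi kill chain:", esxi_kill_chain(found))
```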
Conclusion
Devman is not just another ransomware "rebrand." The move to Rust and the integration of zero-day exploits like the SAP NetWeaver vulnerability signal a mature, well-resourced development team with access to premium exploit chains.
Key Defensive Priorities:
- Patch SAP NetWeaver: CVE-2025-31324 provides unauthenticated access to critical enterprise systems. Immediate patching or isolation of vulnerable instances is essential.
- Harden ESXi Management Interfaces: Restrict SSH and web management access to dedicated management networks. Monitor for suspicious esxcli and vim-cmd activity.
- Implement Driver Blocklists: Deploy Windows Defender Application Control (WDAC) or similar solutions to block known vulnerable drivers (truesight.sys, rentdrv2.sys).
- Monitor for BYOVD Activity: Alert on unexpected kernel driver loading, particularly for drivers not part of standard enterprise software deployments.
- Segment Critical Infrastructure: Ensure SAP systems, hypervisors, and backup infrastructure are not directly accessible from general corporate networks.
The convergence of memory-safe development, enterprise zero-days, and hypervisor targeting in a single operation represents the current state-of-the-art in ransomware. Defenders must prioritize these vectors to stay ahead of the threat.