Manatee Tempest (formerly DEV-0243) is a threat actor that is a part of the ransomware as a service (RaaS) economy, partnering with other threat actors to provide custom Cobalt Strike loaders. In Manatee Tempest’s initial partnerships with another threat actor, Mustard Tempest, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional Manatee Tempest ransomware payloads developed in-house, such as PhoenixLocker and Macaw. Around November 2021, Manatee Tempest started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload is likely an attempt to avoid attribution to their group, which could discourage payment due to their sanctioned status.
The 2025 Microsoft Digital Defense Report is now available! Read the report
Financially Motivated Threat Actor Manatee Tempest
Follow Microsoft Security