{
	"id": "5e19f33c-5848-41cc-9460-7565979be700",
	"created_at": "2026-04-06T00:08:19.26279Z",
	"updated_at": "2026-04-10T03:32:13.304013Z",
	"deleted_at": null,
	"sha1_hash": "1557ff8a5bd8142c8f99fd63b591efc20b5e1435",
	"title": "Dark Web Profile: Cyber Toufan Al-aqsa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64497,
	"plain_text": "Dark Web Profile: Cyber Toufan Al-aqsa\r\nPublished: 2023-12-20 · Archived: 2026-04-02 12:12:13 UTC\r\nOn November 16, 2023, a new group emerged in the intricate web of modern cyber warfare: Cyber Toufan. This group, shrouded in the digital shadows, has recently gained notoriety for a series of aggressive cyberattacks predominantly targeting Israeli organizations.\r\nThreat Actor card of Cyber Toufan Al-aqsa\r\nCyber Toufan’s rapid escalation in the cyber realm mirrors the intensifying geopolitical tensions in the region, particularly between Israel and Hamas.\r\nCyber Toufan’s first post on their Telegram channel on November 18, 2023.\r\nCyber Toufan’s emergence aligns with an era where cyber warfare is becoming an increasingly prominent aspect of international conflicts.\r\nBackground and Emergence of Cyber Toufan\r\nCyber Toufan’s inception is a significant event, particularly in the context of the longstanding Israel-Hamas conflict. This group, initially unknown, has quickly made its presence felt by launching cyberattacks against a range of Israeli organizations. The timing of their emergence is noteworthy, coinciding with heightened tensions and hostilities in the region.\r\nThe tactics and scale of Cyber Toufan’s operations bear the hallmarks of a sophisticated entity, potentially state-sponsored. Their rapid rise and effective execution of complex cyberattacks suggest a level of support and resources not typically available to independent hacker collectives. Cybersecurity experts and intelligence analyses have pointed towards potential Iranian backing, given the group’s style, targets, and the geopolitical narrative underpinning their attacks.\r\nTheir first leak consisted of private keys from Israeli government bodies.\r\nCyber Toufan’s initial activities have been marked by a deliberate and focused approach, targeting high-profile Israeli entities and causing significant data breaches. Their attacks have not only led to substantial data leaks but have also served as a form of digital retaliation, aligning with broader strategic objectives in the region.\r\nhttps://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/\r\nPage 1 of 4\r\nThis background sets the stage for understanding Cyber Toufan’s operational tactics and the wider implications of their cyber campaigns.\r\nModus Operandi of Cyber Toufan\r\nCyber Toufan has exhibited a distinct and effective modus operandi in their cyberattacks. Their primary strategy involves extensive data breaches and the extraction of sensitive information, impacting both organizations and individuals. Notable tactics include:\r\nData Extraction and Release: They have been adept at extracting large volumes of data, including personal details like emails, phone numbers, and business interactions. This not only disrupts the operations of targeted entities but also poses significant privacy and security risks to individuals whose data is compromised.\r\nTargeted Organizations: Their choice of targets has been strategic, focusing on Israeli companies and organizations that hold significant value or sensitive information. This includes security firms, government agencies, and commercial entities, indicating a well-thought-out approach to maximize impact.\r\nPropaganda and Psychological Warfare: Beyond technical breaches, Cyber Toufan also engages in psychological warfare, using their cyberattacks to make political statements and spread propaganda. This dual use of technical skill and psychological manipulation underscores their broader strategic objectives.\r\nAlleged Collaboration and Coordination: Reports suggest that Cyber Toufan is possibly coordinating with other hacker groups and participating in larger collective operations, indicating a level of organization and collaboration unusual for independent hacking groups: they are tagged in many hashtags and in other hacker groups’ posts, and other hacker groups seem to follow their lead in some sense.\r\nNotable Attacks and Breaches by Cyber Toufan\r\nCyber Toufan’s cyberattacks have been widespread and significant, impacting a variety of organizations in Israel and allied countries. In just one month, their total leaks reached more than 100. Ransomware.live also tagged them as a ransomware group and listed the group’s victims in its list, with 106 victims listed. Although no ransomware attack by the group is yet known, their TTPs resemble those of ransomware groups, and they appear to have the capacity to deploy a ransomware variant if they obtain one.\r\nSome of the notable breaches include:\r\nStrauss: Many companies were listed before their data was leaked; for example, Strauss’ name appeared in one of the group’s first posts, but the leak was published on December 19.\r\nMAX Security: A Tel Aviv-based security and risk management company that confirmed a breach leading to the exposure of user email addresses.\r\nBermad: A prominent Israeli water system provider that was purportedly targeted, aligning with heightened regional tensions and resource access issues.\r\nOther Israeli Entities: The group claimed successful breaches of several other organizations, including OSEM (a food company), H\u0026O (a fashion brand), Hagarin (an e-commerce brand), and various government entities.\r\nIn their first press release, they mentioned many governmental organizations.\r\nThe attacks spanned various industries, from food and fashion to critical infrastructure, demonstrating Cyber Toufan’s wide-reaching capabilities. The scale and variety of these attacks underscore Cyber Toufan’s significant capabilities and their potential impact on national security and personal privacy.\r\nAlleged State Sponsorship\r\nThe operations of Cyber Toufan, particularly their sophisticated cyberattacks, have raised suspicions of state sponsorship, with many signs pointing towards Iran. This speculation is bolstered by analyses from cybersecurity experts, such as those at Check Point Software, who have noted similarities in tactics between Cyber Toufan and other Iran-linked groups.\r\nThe International Institute for Counter-Terrorism (ICT) also provides insights into this alleged connection, underscoring the potential involvement of a nation-state in Cyber Toufan’s activities. The link to state sponsorship, if substantiated, reveals a deeper layer of geopolitical maneuvering, positioning Cyber Toufan within a broader context of regional power dynamics and state-level cyber warfare strategies.\r\nLeft: Cyber Toufan post on Radware leaks; Right: List of hacking groups operating together against Israel as part of Anonymous Op-Israel (ICT).\r\nICT also mentioned the joint work of hacktivist/hacker groups and drew attention to this point. The various groups in the figure targeting Israel have diverse motives and behaviors. Some groups display immature, “troll-like” actions. When state-sponsored actors collaborate with these groups, it could be a strategy to disguise their involvement and make their actions seem less serious or organized. This approach can help obscure the true nature of state sponsorship in cyber activities; alternatively, the groups may simply not be sponsored, or not fully sponsored.\r\nImpact and Consequences\r\nThe cyberattacks executed by Cyber Toufan have far-reaching consequences, both in terms of cybersecurity and geopolitical ramifications.\r\nData Privacy and Security: The breaches have led to significant exposure of personal and sensitive data, affecting countless individuals and organizations. This raises serious concerns about data privacy and the security of personal information.\r\nEconomic and Operational Impact: Targeted attacks on key industries and infrastructure have potential economic repercussions and can disrupt critical operations, affecting national security and the economy.\r\nGeopolitical Implications: The alleged state sponsorship of Cyber Toufan adds a layer of complexity to international relations, especially in the Middle East. It signifies the growing use of cyber warfare as a tool in broader geopolitical strategies.\r\nPsychological Impact and Propaganda: The use of cyberattacks for propaganda purposes by Cyber Toufan has a psychological impact, spreading fear and uncertainty, which is an integral part of modern warfare tactics.\r\nThe cumulative impact of these activities underscores the evolving nature of cyber threats and the need for robust cybersecurity measures globally.\r\nConclusion\r\nThe emergence and activities of Cyber Toufan in the cyber warfare landscape underscore the critical need for advanced cybersecurity measures. Their sophisticated attacks on Israeli organizations highlight a new frontier in digital conflict, intertwining state-sponsored operations with geopolitical agendas. To combat such threats effectively, SOCRadar’s Dark Web Monitoring is essential.\r\nSOCRadar Dark Web Monitoring\r\nThis solution comprehensively monitors dark and deep web activities, providing early warnings and actionable intelligence to prevent or mitigate cyber threats from groups like Cyber Toufan. Organizations can better protect themselves in this evolving cyber battleground by staying vigilant and employing advanced security solutions.\r\nMITRE ATT\u0026CK TTPs of Cyber Toufan\r\nMITRE ATT\u0026CK Tactic | MITRE ATT\u0026CK Technique | Description\r\nTA0040: Impact | T1485: Data Destruction | Cyber Toufan’s attacks often involve data extraction and leaks, possibly leading to data destruction or manipulation.\r\nTA0043: Reconnaissance | T1595: Active Scanning | Cyber Toufan likely conducts active scanning to identify vulnerabilities in targeted organizations.\r\nTA0042: Resource Development | T1583: Acquire Infrastructure | Given their operational scale, they may acquire infrastructure such as servers to support their activities.\r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | Cyber Toufan might use obfuscation techniques to evade detection.\r\nSource: https://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/"
	],
	"report_names": [
		"dark-web-profile-cyber-toufan-al-aqsa"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d52f649-28b3-4ae9-9ef9-49d1bc85cf7a",
			"created_at": "2024-01-09T02:00:04.211752Z",
			"updated_at": "2026-04-10T02:00:03.514428Z",
			"deleted_at": null,
			"main_name": "Cyber Toufan",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Toufan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775791933,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1557ff8a5bd8142c8f99fd63b591efc20b5e1435.pdf",
		"text": "https://archive.orkl.eu/1557ff8a5bd8142c8f99fd63b591efc20b5e1435.txt",
		"img": "https://archive.orkl.eu/1557ff8a5bd8142c8f99fd63b591efc20b5e1435.jpg"
	}
}