{
	"id": "1026c39d-6e5c-49a8-a8c8-d0982bf7c810",
	"created_at": "2026-04-06T00:14:49.354213Z",
	"updated_at": "2026-04-10T13:13:01.302952Z",
	"deleted_at": null,
	"sha1_hash": "218a5471042efe8f6ab48f8c57b1bc63e53e849d",
	"title": "Pro-Kremlin Hacktivist Groups Seeking Impact By Courting Notoriety",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54164,
	"plain_text": "Pro-Kremlin Hacktivist Groups Seeking Impact By Courting\r\nNotoriety\r\nBy Flashpoint Intel Team\r\nPublished: 2022-10-26 · Archived: 2026-04-05 15:59:49 UTC\r\nRussia’s February invasion of Ukraine has led to the emergence of a wide range of pro-Kremlin hacktivist groups.\r\nThe loudest and most active of these groups has been “Killnet,” a former DDoS-as-a-service group, which has\r\nconducted mostly distributed denial of service attacks against Ukrainian and Western targets. \r\nWhile some groups (including one called “XakNet”) have consistently denied that they are working together with\r\nthe Russian government, even in the face of evidence, other cyber threat groups have been openly seeking\r\nopportunities for cooperation. A group called “RahDIt,” for instance, claimed to have shared data on alleged\r\n“Ukrainian agents” with Russian security services. At the very least, we can confidently say that the groups are\r\nenthusiastically supporting the Russian government’s objectives in Ukraine, and they seem to be receiving support\r\nfrom government-linked actors in return.\r\nhttps://www.youtube.com/watch?v=FMFUi091JeY\r\nSeptember interview with hacktivist group Killnet.\r\nThese newfound relationships go beyond helping Russia with their own propaganda operations, also alluding to\r\nbehind-the-scenes coordination between the government and these hacktivist groups that may aid their own\r\nrecruitment for followers and members. It is critical that organizations understand both sides of this alliance in\r\norder to ensure they are getting the most out of their intelligence to properly protect their assets and personnel.\r\nThe hacktivist family tree\r\nMost other hacktivist groups are associated with Killnet to varying degrees, although some have distinct identities,\r\nsuch as the “XakNet” group, a group of self-confessed “patriotic hackers” active since the 2008 Russia-Georgia\r\nwar, who were linked to Russia’s military intelligence by Mandiant, or “RahDIt,” a hack-and-leak group whose\r\nmain project is a website sharing personal information on alleged Ukrainian agents and enemies of Russia. \r\nRecommended Reading: An Exclusive Interview with XakNet by Cyber Shafarat\r\nInstead of choosing and working on their victims strategically, as would often happen with disruptive cyber\r\nattacks, these groups have in common the tendency to instead pay close attention to the news cycle and focus on\r\nless sophisticated attacks or data leaks. In the approximately eight months since the outbreak of the Russia-Ukraine war there have been several prominent examples of this. \r\nKillnet targeted the Eurovision Song Contest in Italy in May when it became clear that Ukraine was a clear\r\nfavorite to win the contest. Several groups took part in an attack against Lithuanian networks at the time when the\r\nBaltic country was accused of “blockading” the Russian exclave of Kaliningrad in June. RaHDIt released\r\nhttps://flashpoint.io/blog/pro-kremlin-hacktivist-groups/\r\nPage 1 of 3\n\ninformation allegedly stolen from the Ukrainian military, to support Russian claims that Russia’s military setback\r\nin Ukraine was partly due to a more active US involvement in the war. Killnet gave credence to claims made by\r\npro-Kremlin commentators and Russia’s Security Council, that the Security Service of Ukraine is aiding drug\r\ntrade inside Russia. \r\nSoftball Interviews\r\nThe role of these groups seems to be partly to help a “shock and awe” form of information warfare, suggesting to\r\nWestern audiences that their home networks are vulnerable and will be attacked if their countries continue\r\nsupporting Ukraine. However, the hacktivist groups also play an important role in Russia’s domestic propaganda,\r\nas evidenced by the frequent appearances of some of them in Kremlin-connected media. \r\nKillnet and its founder, the threat actor using the alias “Killmilk”, have been interviewed by the state-controlled\r\nRT media outlet three times since March. Killmilk also gave an interview to the Kremlin-friendly “Lenta” and\r\n“Gazeta” news sites in April and August respectively and the minor “Dontimes” portal in September. In the\r\ninterviews, Killnet representatives talk about the group’s origins, goals and recent attacks, and are in general\r\nportrayed as patriotic activists. \r\nRaHDIt, similarly, gave several interviews to Russian media outlets. Like Killnet, the group was interviewed by\r\nDontimes – in August – and has also become somewhat of a regular interlocutor of the state-owned RIA news\r\nagency, which quoted the group at least five times in June and July alone. Similarly to Killnet’s appearances,\r\nRaHDIt’s claims were handled uncritically in these reports, allowing the collective to appear as righteous cyber\r\nwarriors. In one of the RIA interviews, RaHDit even offered advice on cyber hygiene, explaining that household\r\nappliances can be used to spy on people. \r\nXakNet has been less forthcoming in mainstream media. However, the group has been interviewed by electronic\r\nplatforms such as “Russian OSINT”, which focuses on Russian-speaking cyber underground, and “Cyber\r\nShafarat”, another blog focused on illicit communities, where they mostly talked about their origins and recent\r\nattacks. \r\nMore PR Than APT\r\nApart from the propaganda value, these appearances can also hint at a closer alignment with state structures, due\r\nto the tight control, by the government, of some of the media outlets that published these interviews, which carry a\r\nsignificant PR-value for the groups (and thus opportunities to recruit followers and members). \r\nApart from pro-Kremlin media, the activity of hacktivist groups was also repeatedly extolled in chat channels\r\nlinked to the Wagner Group, a private military company operating in Ukraine. RaHDIt, for instance, was praised\r\nby mercenaries claiming that their list of alleged Ukrainian agents helped them to do “filtration” work in the\r\nterritory controlled by Russia in Ukraine. \r\nPro-Kremlin hacktivist groups have so far been louder than they have been disruptive. Nonetheless, their value is\r\npartly in shaping the conversation, domestically and internationally. They have been vessels of pro-Kremlin\r\npropaganda, relying on their own tens of thousands of followers on social media, as much as they have been\r\nhelping to influence the conversation domestically by talking about cunning attacks on targets in a hostile West, or\r\nhttps://flashpoint.io/blog/pro-kremlin-hacktivist-groups/\r\nPage 2 of 3\n\nby “exposing” material that underpins the Kremlin’s domestic talking points. They have also helped in the\r\n“branding” of the war for domestic audiences, by creating symbols and memes that have been shared by Russian\r\ninternet users.\r\nProactively address risk with Flashpoint\r\nAny organization’s security capabilities are only as good as its threat intelligence. Flashpoint’s suite of tools offer\r\nyou a comprehensive overview of your threat landscape and the ability to proactively address risks and protect\r\nyour critical data assets. To unlock the power of great threat intelligence, get started with a free trial.\r\nSource: https://flashpoint.io/blog/pro-kremlin-hacktivist-groups/\r\nhttps://flashpoint.io/blog/pro-kremlin-hacktivist-groups/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://flashpoint.io/blog/pro-kremlin-hacktivist-groups/"
	],
	"report_names": [
		"pro-kremlin-hacktivist-groups"
	],
	"threat_actors": [
		{
			"id": "0bce7575-ba34-4742-afb7-a4d3ade12dbe",
			"created_at": "2023-11-14T02:00:07.091122Z",
			"updated_at": "2026-04-10T02:00:03.448867Z",
			"deleted_at": null,
			"main_name": "XakNet",
			"aliases": [
				"UAC-0100",
				"UAC-0106"
			],
			"source_name": "MISPGALAXY:XakNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9a11c31f-ebed-4b8d-9a5a-b3c842bfe293",
			"created_at": "2024-09-20T02:00:04.58523Z",
			"updated_at": "2026-04-10T02:00:03.700883Z",
			"deleted_at": null,
			"main_name": "RaHDit",
			"aliases": [
				"Russian Angry Hackers Did It"
			],
			"source_name": "MISPGALAXY:RaHDit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/218a5471042efe8f6ab48f8c57b1bc63e53e849d.pdf",
		"text": "https://archive.orkl.eu/218a5471042efe8f6ab48f8c57b1bc63e53e849d.txt",
		"img": "https://archive.orkl.eu/218a5471042efe8f6ab48f8c57b1bc63e53e849d.jpg"
	}
}