{
	"id": "abbca2e1-a683-4278-96cb-6616db5a776c",
	"created_at": "2026-04-06T00:11:37.238989Z",
	"updated_at": "2026-04-10T13:13:09.149566Z",
	"deleted_at": null,
	"sha1_hash": "3307b6faa9118e66d311ddb5f22a4dc56b2b4d38",
	"title": "Keymous+ Threat Actor Profile | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1100428,
	"plain_text": "Keymous+ Threat Actor Profile | NETSCOUT\r\nArchived: 2026-04-05 17:51:29 UTC\r\nArbor Networks - DDoS Experts\r\nDDoS campaign with evolving partnerships\r\nExecutive Summary\r\nBetween February and September 2025, NETSCOUT’s ATLAS telemetry confirmed 249 distributed denial-of-service (DDoS) attacks attributed to the threat actor Keymous+ targeting organizations across 15 countries and 21\r\nindustry sectors. Although the group’s individual attacks peaked at 11.8Gbps, collaborative efforts with partners\r\nreached 44Gbps, demonstrating significantly enhanced disruptive capability.\r\nGovernment agencies, hospitality and tourism, transportation and logistics, financial services, and\r\ntelecommunications face the highest risk. Morocco, Saudi Arabia, Sudan, India, and France have experienced the\r\nmost frequent attacks.\r\nKeymous+ uses widely available DDoS-for-hire services and compromised devices, making its tactics accessible\r\nand repeatable. In April 2025, the group announced a partnership with threat actor DDoS54, with observed joint\r\noperations demonstrating a nearly 4x increase in attack bandwidth from 11.8Gbps to 44Gbps.\r\nNETSCOUT continues monitoring this evolving threat and will provide updates as the situation develops.\r\nKey Findings\r\nhttps://www.netscout.com/blog/asert/keymous-threat-actor-profile\r\nPage 1 of 5\n\nObserved activity: February through September 2025\r\nConfirmed attacks: 249 events, over 39 distinct active days\r\nTarget scope: 60 organizations across 21 industries in 15 countries\r\nAttack types:\r\nReflection/amplification: chargen, CLDAP, DNS, memcached, NTP, NetBIOS, rpcbind, SNMP,\r\nL2TP, WS-DD\r\nDirect floods: DNS query, UDP, TCP\r\nInfrastructure:\r\n42,000+ average unique source IPs per attack (ranging from tens of thousands to hundreds of\r\nthousands); distributed across Tor, public cloud, VPNs, access networks, and proxies\r\nPeak observed bandwidth: 11.8Gbps (individual); 44Gbps (collaborative)\r\nPartnership noted: Public collaboration with DDoS54 announced April 12, 2025\r\nObserved DDoS Campaigns\r\nTargeting Analysis\r\nTop targeted industries:\r\nGovernment (administration and public sector)\r\nHospitality and tourism\r\nTransportation and logistics\r\nFinancial services (including banking and mortgage)\r\nNetwork and telecommunications\r\nMost-targeted countries:\r\nMorocco\r\nSaudi Arabia\r\nSudan\r\nIndia\r\nFrance\r\nThe campaign’s broad targeting across multiple sectors and geographies suggests opportunistic attacks rather than\r\nfocused operations, potentially indicating DDoS-for-hire activity. However, the concentration on Middle Eastern\r\nand North African countries (Morocco, Saudi Arabia, Sudan) may also suggest regional geopolitical motivations.\r\nOperational Timing Patterns\r\nAnalysis of Keymous+ attack timing reveals human-directed operations with strategic precision. The group\r\nconcentrated more than 30 percent of attacks during a single hour (06:00 UTC), corresponding to 07:00-09:00\r\na.m. across Morocco, Saudi Arabia, and Sudan. This timing maximizes disruption when government agencies\r\nopen, financial markets begin trading, transportation systems enter peak scheduling, and hotel systems process\r\nmorning bookings. Security operations center (SOC) teams are still mobilizing while legitimate traffic surges,\r\nmaking attack isolation significantly more difficult.\r\nThe attack distribution shows clear operational discipline: sustained baseline activity (5 to 10 attacks) punctuated\r\nby coordinated surges (as many as 79 attacks). The complete absence of activity during specific hours could\r\nindicate various operational constraints, from resource limitations to infrastructure availability windows.\r\nKey temporal indicators:\r\nPrimary strike window: 06:00 UTC (79 attacks) targeting morning operational surge across critical\r\nsectors\r\nSecondary peaks: 01:00, 10:00, 12:00 UTC (22–32 attacks) maintaining pressure during business hours\r\nOperational gaps: Hours 4, 8, 9, 22, and 23 UTC show zero activity\r\nSector optimization: Peak times align with maximum telecommunications strain as all targeted\r\ninfrastructure simultaneously experiences demand spikes\r\nAttack Infrastructure and Distribution\r\nKeymous+ attacks utilized diverse infrastructure spanning Tor exit nodes, public cloud instances,\r\ncompromised Internet of Things (IoT) devices, commercial VPN/proxy services, and directly infected\r\nhosts. The scale and variety of sources, ranging from tens of thousands to hundreds of thousands of unique\r\nIPs per attack, indicate the group leveraged multiple botnet infrastructures and DDoS-for-hire platforms\r\nduring the campaign.\r\nMost source IPs appear to be spoofed, leveraging modern DDoS-for-hire platforms that offer simple\r\ndropdown menus to spoof Autonomous System Numbers (ASNs) and IP addresses from major service\r\nproviders and cloud platforms. Whether Keymous+ directly managed these resources or obtained them\r\nthrough third-party services remains unconfirmed.\r\nObserved source categories:\r\nTor exit nodes\r\nPublic cloud instances\r\nCompromised consumer and IoT devices\r\nCommercial VPN and proxy services\r\nDirect-path traffic from infected hosts\r\nTactics, Techniques, and Procedures\r\nKeymous+ demonstrates operational flexibility via varied attack methods and durations.\r\nPrimary techniques observed:\r\nReflection/amplification attacks exploiting chargen, CLDAP, DNS, memcached, NTP, NetBIOS,\r\nrpcbind, SNMP, L2TP, and WS-DD protocols\r\nDirect flooding via DNS queries, UDP, and TCP\r\nIP spoofing across major service providers and cloud platforms\r\nCoordinated multivector attacks combining different methods\r\nAttack durations and packet rates vary significantly between incidents, suggesting the group adapts tactics\r\nbased on target defenses and desired impact. The combination of readily available DDoS-for-hire tools\r\nwith custom attack patterns indicates both opportunistic and targeted operations.\r\nPartnership with DDoS54\r\nOn April 12, 2025, Keymous+ publicly announced a partnership with threat actor DDoS54. NETSCOUT\r\nobserved elevated traffic volumes and increased vector complexity beginning immediately thereafter.\r\nNotable Collaborative Operation (April 13–14)\r\nPeak bandwidth: 44Gbps\r\nPacket rate: 4.23mpps\r\nPacket size: ~1,312 bytes\r\nAttack vectors: CLDAP amplification, DNS amplification, UDP flooding (notably UDP/443)\r\nDuration: ~11 minutes\r\nDistribution: Wide deployment using reflectors and amplification infrastructure (CLDAP, DNS,\r\nSNMP, L2TP)\r\nAssociated Threat Actors\r\nBeyond the confirmed DDoS54 partnership, open-source intelligence suggests potential connections\r\nbetween Keymous+ and the following threat actors:\r\nNoName057(16)\r\nDark Storm Team\r\nAnonymous Gaza\r\nThese associations remain unverified by NETSCOUT telemetry. Only the DDoS54 collaboration has been\r\nconfirmed via both public announcement and observed joint operations.\r\nConclusion\r\nFrom February to September 2025, Keymous+ executed 249 DDoS attacks across 15 countries, targeting\r\n21 industries with conventional yet effective methods. Its operational model, leveraging widely available\r\nDDoS tools, diverse infrastructure, and a partnership with DDoS54 that amplified attack bandwidth to\r\n44Gbps, underscores a growing threat.\r\nThe group’s broad, opportunistic targeting suggests expanding operations, requiring organizations to\r\nprepare for sustained attacks at increasing scale. To stay ahead, explore NETSCOUT’s Arbor solutions for\r\ngaining visibility, blocking malicious traffic, and mitigating these evolving DDoS campaigns.\r\nMitigation Strategy: Arbor Solutions from NETSCOUT\r\nTo help organizations defend against campaigns such as those operated by Keymous+ and its collaborators,\r\nNETSCOUT offers the following layered solutions:\r\n1. Arbor Sightline: Real-time visibility and anomaly detection using flow telemetry across service\r\nproviders and enterprises\r\n2. Arbor Edge Defense (AED): Inline, always-on protection that blocks both inbound DDoS and\r\noutbound threat communications\r\n3. Arbor Threat Mitigation System (TMS): High-throughput scrubbing that removes malicious\r\ntraffic before it hits business-critical services\r\n4. Arbor ATLAS Intelligence Feed (AIF): Live global threat intelligence tailored to Arbor solutions,\r\nupdating blocklists and detection logic in near real time\r\nExplore NETSCOUT’s Arbor solutions for gaining visibility, blocking malicious traffic, and\r\nmitigating evolving DDoS campaigns.\r\nSource: https://www.netscout.com/blog/asert/keymous-threat-actor-profile",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netscout.com/blog/asert/keymous-threat-actor-profile"
	],
	"report_names": [
		"keymous-threat-actor-profile"
	],
	"threat_actors": [
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fe6924d-bce6-4b56-9717-fe611932baec",
			"created_at": "2026-03-24T02:00:04.642588Z",
			"updated_at": "2026-04-10T02:00:03.993986Z",
			"deleted_at": null,
			"main_name": "Keymous+",
			"aliases": [
				"keymous",
				"Keymous Plus"
			],
			"source_name": "MISPGALAXY:Keymous+",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3307b6faa9118e66d311ddb5f22a4dc56b2b4d38.pdf",
		"text": "https://archive.orkl.eu/3307b6faa9118e66d311ddb5f22a4dc56b2b4d38.txt",
		"img": "https://archive.orkl.eu/3307b6faa9118e66d311ddb5f22a4dc56b2b4d38.jpg"
	}
}