{
	"id": "12849f9e-bb31-4cd6-bcd1-4bdcef1925ca",
	"created_at": "2026-04-06T00:18:54.778596Z",
	"updated_at": "2026-04-10T03:34:24.378522Z",
	"deleted_at": null,
	"sha1_hash": "c75fc62f54534f215b5add299c5484bf35e3b28d",
	"title": "Evolution of KILLNET from Hacktivism to Private Hackers Company and the Role of Sub-groups - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1031814,
	"plain_text": "Evolution of KILLNET from Hacktivism to Private Hackers\r\nCompany and the Role of Sub-groups - CYFIRMA\r\nArchived: 2026-04-05 18:15:34 UTC\r\nPublished On : 2023-05-12\r\nINTRODUCTION\r\nKILLNET is a prominent pro-Russian ‘hacktivist’ group that has been operating actively since the start of the\r\nRussia-Ukraine conflict. The group began its operations in February 2022, and has since been involved in\r\nprimarily conducting Distributed Denial of Service (DDoS) attacks. Additionally, the group has established a\r\nsemi-formal organizational structure with a significant presence on the messaging app; Telegram. KILLNET’s\r\nwell-developed organizational structure demonstrates a strong command and control mechanism, with different\r\nlevels of superiority, command lines, and tasking. The group comprises several subgroups, which are allegedly\r\ninvolved in attacks against multiple NATO and anti-Russian countries. Despite uncertainties surrounding their\r\ntechnical skills and sophistication, they are still considered a threat, due to the continuous addition of new sub-groups, specialists, and most importantly, recent changes in the shift in motivation, from hacktivism towards\r\nbuilding a financially motivated hacker company.\r\nhttps://www.cyfirma.com/?post_type=out-of-band\u0026p=17397\r\nPage 1 of 18\n\nExecutive Summary\r\nRecently KILLNET creator; ‘KillMilk’, announced that they were building a global team of operators from the\r\ndarknet and special services members, with financially motivated destructive capabilities. Their operation went\r\nfull circle from offering services to hackers and competing businessmen, to taking orders from private and state\r\npersons, along with defending the interests of the Russian Federation. 
This report focuses on analyzing KILLNET,\r\nits subgroups, capabilities, and the recent development in the group’s motive.\r\nKey Points\r\nThe KILLNET operation has come full circle, evolving from a service provider for hackers and competing\r\nbusinesses, to a private military hacker’s company that now takes orders from both private individuals and\r\nstate entities, along with defending the Russian Federation’s interests.\r\nRansom Distributed Denial of Service (RDDoS) attacks are possibly the next move of KILLNET and their\r\nassociates, considering their capability and the recent shift in motivation.\r\nIn the initial days, KILLNET and associates used tools from GitHub repositories, along with custom-built tools,\r\nto conduct DDoS attacks. Now they have specialists who can build a botnet for the group.\r\nSelf-destruction attacks are not possible on KILLNET, as the owners of the largest botnets are Russians,\r\nand they have a block at the level of settings for attacks in Russia or the CIS.\r\nAlong with the DDoS campaign, KILLNET and its associate groups are also engaged in social engineering\r\ncampaigns for credential harvesting.\r\nKILLNET now has access to Titan Stealer and a new botnet, ‘TESLA’, built by RADIS, a commander of\r\none of the KILLNET sub-groups. As a result, the group’s attack capability is expected to be greatly\r\nimproved.\r\nKILLNET adopted a tactic of operating through multiple groups, which creates a sense of disarray and\r\nunpredictability, and makes it harder for the targets to prepare for or defend against attacks. KILLNET has\r\nmastered the art of division of groups to conduct effective campaigns.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW\r\nImpact Assessment\r\nEven though KILLNET attacks are short-lived, there is always a question about their destructive capabilities. 
Their\r\nimpact can be significant, with potential consequences including disruption of services, financial losses, data\r\nleaks, and damage to reputation.\r\nVictimology\r\nKILLNET and its affiliates have a primary focus on targeting NATO and countries that are politically and\r\nideologically opposed to the Russian administration. Their objective is to disrupt the overall ‘ecosystem’ by\r\ntargeting critical infrastructure, such as airports, banks, hospitals, intelligence services, transport systems, public\r\nservices, and private organizations. The group’s strength lies not in their technical capabilities or sophistication,\r\nbut rather in their ability to launch coordinated large-scale attacks on their targets. RDDoS attacks are possibly the\r\nnext move of KILLNET and associates, considering their capability and the recent shift in their motivation.\r\nKILLNET was involved in selling the cyber tool (DDoS/Stressor) in underground forums, before turning itself\r\ninto a hacktivist group. Their objective was to attack critical infrastructure and government websites of those who oppose\r\nthe Russian invasion of Ukraine. The group is primarily targeting Ukraine and NATO nations through DDoS\r\nattacks. The initial KILLNET Telegram channel was banned by the app administration in June 2022, but the group\r\nwas able to re-establish its presence under another name (killnet_reservs). The group is supported by many pro-Russian Telegram channels, which helped them to regain the entirety of their audience on the new channel, just\r\nfour days after the ban. Thereafter, they created backup channels and aggressively helped like-minded thought\r\nleaders to create their own groups under the KILLNET umbrella.\r\nKILLNET adopted a tactic of operating through multiple groups. 
First, breaking people into groups, each with\r\nits own leader, makes them much easier to manage when participants are in large numbers. Secondly, it is more\r\neffective in terms of conducting information war. Psychologically, the division of groups has a significant impact\r\non the target, as it becomes difficult for them to understand when and from whom to expect an attack. The use of\r\nmultiple groups creates a sense of disarray and unpredictability, making it harder for the targets to prepare for or\r\ndefend against attacks, and KILLNET mastered the art of division of groups to conduct effective campaigns.\r\nKILLNET has operated through many groups, some of which are now inactive, decommissioned, disappeared,\r\nrebranded, or merged with other groups. Presently, KILLNET operates through the following groups: ZARYA,\r\nPhoenix, Infinity Hackers BY, Legion, Anonymous Russia, Anonymous Sudan, and UserSec. We will discuss the\r\nsub-groups in the following sections.\r\nZARYA\r\nZarya is a notorious hacking group that specializes in breaking into state and strategic facilities. The group is best\r\nknown for its successful attacks on the SBU, the Security Service of Ukraine. The founder and commander of Zarya is\r\nHash or Heshi (https[:]//t[.]me/H45H13), who was originally a member of the KILLNET hacktivist movement.\r\nHash established the Zarya hacker group under the KILLNET umbrella to pursue his vision for the\r\nmovement. The group’s primary objective is to steal internal documents from their targets, including plans,\r\nprojects, mail, correspondence, and employee lists.\r\nAccording to Hash, compromised data is not shared with the Kremlin directly, but they have reasons to believe that Kremlin\r\nrepresentatives are part of their official Telegram channel. 
Zarya conducts attacks on critical infrastructure with\r\ntwo main objectives:\r\nTo establish control, not necessarily to shut something down but to have that capability, in case they need it.\r\nTo gain access to the information network of the targeted enterprise and extract information for as long as\r\npossible.\r\nZarya collaborates with other hacking groups, including Beregini, XakNet, Cyber Army, Anonymous Russia,\r\nRaHDit, Joker DPR, NoName057, and Zsecnet, along with KILLNET. While still part of KILLNET, Zarya was\r\nthe only unit that focused exclusively on hacking targets and did not participate in DDoS campaigns or had limited\r\nexposure to such attacks.\r\nPhoenix\r\nInitially, Phoenix was located in Ukraine and specialized in hacking smartphones and legalizing stolen iPhones by\r\nunlocking them. In November 2021, the Security Service of Ukraine (SBU) announced the capture of five members\r\nof the group, led by Chapaevv (https[:]//t[.]me/chapaev_901). After that, Chapaevv re-established Phoenix to take\r\nrevenge on the SBU for the arrest of five of his people, by supporting the Russian Federation. They anonymously\r\nparticipated in attacks organized by KILLNET on Western organizations in the summer of 2022.\r\nIn February 2023, Phoenix officially became part of KILLNET.\r\nChapaevv claimed that they are constantly developing new DDoS attack methods, and that even Cloudflare and\r\nGoogle services cannot protect their targets. According to Chapaevv, Phoenix includes dozens of botnets, hundreds of\r\nhacker commanders, and thousands of fighters, attacking assigned targets. The method they use is a simple and\r\naffordable HTTP GET request. As part of this method, a file, image, script, or any other information is requested\r\nfrom the site server to display in the browser. 
The group makes millions of such requests per second, which\r\nparalyzes the operation of the web resource infrastructure.\r\nPhoenix uses its own botnets in its operations. They claim that their pool of devices is approaching the level of\r\nMirai (one of the most famous and largest botnets in the world, which, according to some reports, includes 900\r\nthousand devices), which can generate 50 GBPS to 500 GBPS of traffic.\r\nRecently, we observed Phoenix establishing alliances with other like-minded groups, following the path of\r\nKILLNET to grow its group’s strength. They are also looking for opportunities to monetize their capability\r\nthrough PHOENIX DEFENSE and other sub-groups, by providing DDoS-as-a-service and sharing compromised\r\ndata.\r\nAnonymous Russia\r\nThe group known as Anonymous Russia operates in a decentralized manner, with anyone being able to claim\r\naffiliation with them. While typically anti-political, Anonymous Russia supports the Russian invasion of Ukraine,\r\nand targets those who support Ukraine. Their campaign began in July 2022, and is associated with numerous\r\nattacks coordinated by KILLNET, including those against Lockheed Martin, the European Parliament, US\r\nairports, US government websites, and the #RIPGermany campaign.\r\nFollowing the arrest of Arseniy Eliseev, the administrator of the Anonymous Russia Telegram channel in Belarus,\r\nRADIS took on the responsibility of leading the group and its operations. RADIS has immense respect for\r\nKillMilk for his work and support during RADIS’s difficult times. 
After the disastrous arrest of an earlier\r\nadministrator, getting the aggressive and trustworthy RADIS to lead the Anonymous Russia group suggests that most\r\nof the KILLNET sub-groups have tremendous respect for KillMilk, with him reciprocating this support in turn.\r\nRADIS is also the creator of TESLA-BOT, which provides DDoS-as-a-Service; this may be one of the reasons\r\nRADIS was brought on board to lead Anonymous Russia.\r\nInfinity Hackers BY\r\nInfinity Hackers BY is a new group that debuted publicly in collaboration with KILLNET. The team was\r\ncreated by people who came from the little-known hacker forum Infinity. They claim to be from Belarus. Recently, the\r\ngroup claimed to have conducted a successful cyberattack against the IRS. The group also manages the Infinity\r\nforum created by KILLNET.\r\nAnonymous Sudan\r\nOn January 18th, 2023, Anonymous Sudan began its operations with the objective of launching cyber-attacks\r\nagainst any country opposing Sudan. The group is motivated to defend Islam and to show the world that Sudan\r\nshould not be underestimated, as there are individuals who will protect it through their cyber capabilities. It\r\nappears that the group is influenced and inspired by the operations of KILLNET.\r\nFrom the second week after its establishment, the group started supporting KILLNET operations. On 19th\r\nFebruary 2023, KILLNET made its association with Anonymous Sudan official.\r\nThe group claims that the Sudanese pirates support Russian pirates in return for their earlier support of Sudan. 
Anonymous\r\nSudan carried out a series of Distributed Denial of Service (DDoS) attacks against Swedish, Dutch, Australian,\r\nFrench, and German organizations, purportedly in retaliation for anti-Muslim activity that had taken place in those\r\ncountries.\r\nIt looks like it uses paid DDoS services to conduct its operations, along with taking assistance from like-minded\r\ngroups like KILLNET. The use of paid services indicates that the group is well financed to conduct its operations,\r\npossibly by pro-Islamic groups. The group is also engaged in hacking, data exfiltration, and data leaks, along\r\nwith DDoS attacks.\r\nGitHub Repositories used by KILLNET and Associates\r\nDuring the initial days, KILLNET and associates used open-source tools to conduct their operations, before\r\nsourcing the right talent and developing their own tools and botnets.\r\nObserved GitHub repositories:\r\nhttps[:]//github[.]com/Leeon123/CC-attack.git\r\nhttps[:]//github[.]com/HyukIsBack/KARMA-DDoS\r\nhttps[:]//github[.]com/firstapostle/Aura-DDoS\r\nhttps[:]//github[.]com/Bionec/mhddos_p.git\r\nBotnet and Stealer Association\r\nAs mentioned earlier, KILLNET and associates developed botnets and stressors using open-source GitHub\r\nrepositories. They also collaborate with DDoS-as-a-Service providers and stressor developers to achieve their\r\ngoals.\r\nSome of the key players are Mirai Botnet (https[:]//t[.]me/botnet_banda), Passion Botnet\r\n(https[:]//t[.]me/PassionBotnet), Tesla-Botnet (https[:]//t[.]me/teslaBotnet) built by RADIS, MistNet\r\n(https[:]//t[.]me/MistNet), SkyNet Botnet (https[:]//t[.]me/xSkynet) and Godzilla-BotNet\r\n(https[:]//t[.]me/xGodzillAxNewSxPoweRxProofs). Most of them are DDoS-as-a-Service providers. 
Some of them\r\nare built and managed by KILLNET associates, like Tesla-Botnet. Passion Botnet and MistNet are directly\r\nassociated with KILLNET and engaged in DDoS campaigns.\r\nEven though these DDoS service providers do not trigger novel or exceedingly large attacks, their strength lies\r\nin collective and coordinated attacks that generate massive traffic, capable of disrupting the operations of the target.\r\nThe Passion DDoS platform is one of the DDoS-as-a-service providers closely associated with\r\nKILLNET. Recently, they launched an updated version of their platform with enhanced L4 and L7 attack\r\ncapabilities, which are highly effective against DDoS mitigation providers, such as Cloudflare and Google Shield.\r\nDuring a demonstration, Passion DDoS showcased its power, with attack traffic peaking at 27.2 GB per second\r\nand 3.11 million packets. The platform also claims to have much more powerful attack capabilities through other\r\nmethods.\r\nHacktivists usually avoid using public services because they can be expensive, and their capabilities may not be\r\nsufficient. However, some groups possess personal botnets that enable them to launch customized attacks. For\r\ninstance, KILLNET offers such services, and Phoenix and Anonymous Russia are also expanding in this direction.\r\nRecently, Titan Stealer also became associated with KILLNET. 
These collaborations only add more destructive\r\nknowledge and power to the KILLNET arsenal, assisting in building destructive forces like PMC KILLNET –\r\nPRIVATE MILITARY HACKER COMPANY.\r\nRecent Development in KILLNET\r\nEven after KILLNET announced that it would stop being a hacktivist group and become a private Russian hacker company,\r\nKILLNET associates like ANONYMOUS RUSSIA and UserSec continued their hacktivist campaigns. In parallel,\r\nKILLNET also announced that they were building a global team of operators from the darknet and special-services members by rebranding to ‘PMC KILLNET’, which aims to provide various services including\r\ndestruction, production of UAVs, means of tracking and suppressing drones, development of robotic\r\nsystems, and software development (the ‘destruction’ services include actions such as misinformation, impact on\r\nnetwork infrastructure, and reputation killing). PMC KILLNET additionally planned to update the list of its\r\nservices, as it acquires specialists and expands partnerships in the CIS and abroad. This shift in motivation from\r\nhacktivism to becoming a destructive cybercrime organization will be an interesting development to watch out for,\r\nto understand emerging threats from the evolving threat landscape.\r\nConclusion\r\nIt is evident that KILLNET is becoming increasingly powerful and effective by forming alliances with like-minded partners and skilled individuals. The implications of this new development are intriguing, and it remains\r\nto be seen how this transformation will impact NATO and anti-Russian forces. It is also uncertain whether\r\nKILLNET’s associates will continue with hacktivism or regroup or rebrand themselves. 
However, it is apparent\r\nthat pro-Russian hacktivism, spearheaded by KILLNET, is growing in volume and strength with the emergence of\r\nmultiple sub-groups.\r\nCurrently, the group might not be of much interest from a cyber security standpoint, but changes in group\r\nmotivation and their association with like-minded groups might make them dangerous in the coming days.\r\nSource: https://www.cyfirma.com/?post_type=out-of-band\u0026p=17397",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/?post_type=out-of-band\u0026p=17397"
	],
	"report_names": [
		"?post_type=out-of-band\u0026p=17397"
	],
	"threat_actors": [
		{
			"id": "e53fc09e-24cc-40d4-b38d-7e2d6dbe81d8",
			"created_at": "2023-03-17T02:01:50.851615Z",
			"updated_at": "2026-04-10T02:00:03.362605Z",
			"deleted_at": null,
			"main_name": "Anonymous Sudan",
			"aliases": [],
			"source_name": "MISPGALAXY:Anonymous Sudan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0bce7575-ba34-4742-afb7-a4d3ade12dbe",
			"created_at": "2023-11-14T02:00:07.091122Z",
			"updated_at": "2026-04-10T02:00:03.448867Z",
			"deleted_at": null,
			"main_name": "XakNet",
			"aliases": [
				"UAC-0100",
				"UAC-0106"
			],
			"source_name": "MISPGALAXY:XakNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "76d871c3-96cd-41d3-8889-f0396e480e91",
			"created_at": "2023-11-14T02:00:07.093421Z",
			"updated_at": "2026-04-10T02:00:03.449641Z",
			"deleted_at": null,
			"main_name": "Zarya",
			"aliases": [
				"UAC-0109"
			],
			"source_name": "MISPGALAXY:Zarya",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a3917c91-ec7d-485f-8784-bfb1b1a78359",
			"created_at": "2023-11-08T02:00:07.13872Z",
			"updated_at": "2026-04-10T02:00:03.424164Z",
			"deleted_at": null,
			"main_name": "UserSec",
			"aliases": [],
			"source_name": "MISPGALAXY:UserSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9a11c31f-ebed-4b8d-9a5a-b3c842bfe293",
			"created_at": "2024-09-20T02:00:04.58523Z",
			"updated_at": "2026-04-10T02:00:03.700883Z",
			"deleted_at": null,
			"main_name": "RaHDit",
			"aliases": [
				"Russian Angry Hackers Did It"
			],
			"source_name": "MISPGALAXY:RaHDit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c75fc62f54534f215b5add299c5484bf35e3b28d.pdf",
		"text": "https://archive.orkl.eu/c75fc62f54534f215b5add299c5484bf35e3b28d.txt",
		"img": "https://archive.orkl.eu/c75fc62f54534f215b5add299c5484bf35e3b28d.jpg"
	}
}