{
	"id": "75705158-2429-4797-a249-1eb4b2304aab",
	"created_at": "2026-04-06T00:22:31.663188Z",
	"updated_at": "2026-04-10T03:37:09.340366Z",
	"deleted_at": null,
	"sha1_hash": "d7e789df3f936f75f0ca3754eb88ad435f71c2b2",
	"title": "Hacktivists Collaborate with GRU-sponsored Threat Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3507180,
	"plain_text": "Hacktivists Collaborate with GRU-sponsored Threat Actors\r\nBy Mandiant\r\nPublished: 2022-09-23 · Archived: 2026-04-02 11:29:00 UTC\r\nWritten by: Mandiant Intelligence\r\nUPDATE (April 2024): The Telegram front personas detailed in this blog post were previously attributed to\r\nAPT28 based on a case of cohabitation, where APT28 and APT44 were both operating in the same network. Re-analysis of the relevant incident data allowed us to parse the two sets of overlapping activity, and link the intrusion\r\nactivity claimed by these Telegram accounts to APT44 (aka Sandworm Team) with high confidence. The blog post\r\nhas been amended to reflect this updated attribution. \r\nFor an updated assessment of the relationship between APT44 and its Telegram personas, including new\r\nfindings, please see the following report: “APT44: Sandworm Unearthed”.\r\nExecutive Summary\r\nMandiant is tracking multiple self-proclaimed hacktivist groups working in support of Russian interests.\r\nThese groups have primarily conducted distributed denial-of-service (DDoS) attacks and leaked stolen data\r\nfrom victim organizations. Although some of these actors are almost certainly operating independently of\r\nthe Russian state, we have identified multiple so-called hacktivist groups whose moderators we suspect are\r\neither a front for, or operating in coordination with, the Russian state.\r\nWe assess with moderate confidence that moderators of the purported hacktivist Telegram channels\r\n“XakNet Team,” “Infoccentr,” and “CyberArmyofRussia_Reborn” are coordinating their operations with\r\nRussian Main Intelligence Directorate (GRU)-sponsored cyber threat actors. 
Our assessment is based in\r\npart on the deployment of GRU-sponsored APT44 tools on the networks of Ukrainian victims, whose data\r\nwas subsequently leaked on Telegram within 24 hours of wiping activity by APT44, as well as other\r\nindicators of inauthentic activity by the moderators and similarities to previous GRU information\r\noperations.\r\nThe war in Ukraine has also presented novel opportunities to understand the totality, coordination, and\r\neffectiveness of Russia cyber programs, including the use of social media platforms by threat actors.\r\nAdditionally, platforms such as Telegram were being used pre-invasion to influence perception of the\r\nimpending Russian military movements and have been employed heavily by both Ukraine and Russia to\r\ninfluence both international and domestic audiences.\r\nThreat Detail\r\nMandiant is tracking multiple groups claiming to be hacktivists that have targeted Ukraine since the start of the\r\nRussian invasion in early 2022. In particular, Mandiant has focused on analyzing a set of self-proclaimed\r\nhacktivist groups: XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn. Through our analysis, Mandiant\r\nhttps://www.mandiant.com/resources/blog/gru-rise-telegram-minions\r\nPage 1 of 9\n\nhas identified new evidence connecting the moderators of these groups to the Russian state, including timeline\r\nanalysis of intrusions and leaks from Ukrainian organizations. In addition to data from Mandiant’s collection, we\r\nwant to thank our partners Security Service of Ukraine (Cyber Department) and Trellix, for their contributions in\r\nsupport of this analysis.\r\nMandiant has also identified limited links between XakNet Team and the pro-Russia so-called “hacktivist” group\r\nKillNet, and we assess with moderate confidence that XakNet and KillNet have directly coordinated some of their\r\nactivity. 
However, we note that the two appear to conduct aligned but separate missions, based on the observed\r\nactivity claimed by each of the \"hacktivist\" groups. While we continue to separately investigate KillNet, this\r\nreport's scope is limited to the three groups we have currently identified as linked to the GRU.\r\nFigure 1: Suspected false hacktivist fronts leaked data likely stolen from APT44 wiper victims\r\nAPT44 Wiped Ukrainian Victims Shortly Before Data Leaked on Social Media\r\nWe assess with moderate confidence that threat actors operating the Telegram channels XakNet Team, Infoccentr,\r\nand CyberArmyofRussia_Reborn are coordinating their operations with GRU-sponsored APT44. This assessment\r\nis based primarily on Mandiant’s direct observations of the deployment of wipers used by APT44 on the networks\r\nof multiple Ukrainian organizations and the subsequent leaks of data by threat actors claiming to be hacktivists\r\nlikely originating from those entities on Telegram within 24 hours. We identified at least 16 data leaks from these\r\ngroups, four of which coincided with wiping attacks by APT44.\r\nMandiant has only observed the use of CADDYWIPER and ARGUEPATCH by APT44.\r\nIn two incidents, Mandiant observed APT44 conduct wiper attacks, which were followed, within 24 hours,\r\nby data from the victims being leaked on Telegram. In both instances APT44 deployed ARGUEPATCH,\r\nwhich dropped CADDYWIPER.\r\nTwo additional waves of CADDYWIPER attacks against multiple Ukrainian organizations were followed,\r\nwithin 24 hours, by leaks of data from Ukrainian entities onto Telegram. 
In these cases, Mandiant cannot\r\nconfirm that the organizations whose data was leaked were victims of the waves of coordinated wiper\r\nactivity; however, the timing supports an assessment that they were coordinated.\r\nIn one XakNet data leak, Mandiant discovered a unique technical artifact from an APT44 intrusion. This indicates\r\nAPT44 had access to the same parts of the network the leak was sourced from.\r\nXakNet Activity Consistent with Historical APT44 Information Operations\r\nThe three channels we identify in this report have claimed activity leveraging traditional hacktivist tactics, such as\r\nusing distributed denial-of-service (DDoS) attacks, website defacements, and hack-and-leak activity to target their\r\nvictims. Furthermore, XakNet’s active solicitation of media coverage, in tandem with its self-promoted narrative\r\nof being a group comprised of Russian patriotic volunteers, suggests two possible influence objectives: the groups\r\npromote Russian interests abroad through their threat activity, and they promote the idea of average Russians\r\nsupporting the government to domestic audiences through their claims to be patriotic volunteers amplified by the\r\nRussian media and elsewhere online.\r\nThe Russian intelligence services have an extensive history of using false hacktivist personas to support\r\ninformation operations and disruptive and destructive cyber activity. For example, this is a particularly well-established tactic of APT44 in activity targeting Ukraine and elsewhere, prominently including its use in the 2014\r\ncompromise, defacement, data leak, and destruction of the Ukrainian Central Election Commission’s network and\r\nwebsite, which was claimed by the pro-Russia “hacktivist” group CyberBerkut. However, its most famous\r\ninstance may be the Guccifer 2.0 false persona leveraged to interfere in the 2016 U.S. presidential election. U.S.\r\nDepartment of Justice indictments related to Russia’s targeting of the 2016 U.S. 
presidential election have\r\nindicated that multiple GRU units were involved in that activity, including the unit to which APT44 is attributed\r\nby multiple governments (Unit 74455). We note this in recognition that it is possible multiple units within the\r\nGRU have likewise been involved in the activity outlined in this report.\r\nAlthough we assess with moderate confidence that moderators respectively behind XakNet Team, Infoccentr, and\r\nCyberArmyofRussia_Reborn are at least coordinating with the GRU, we currently reserve judgement as to the\r\ncomposition of these groups and their exact degree of affiliation with the GRU. However, at a minimum, this\r\ncoordination is consistent with frequent GRU tactics. While the exact nature of the relationship is unclear, it likely\r\nfalls into one of two general possibilities:\r\nGRU officers may directly control the infrastructure associated with these actors and their activities may be\r\na front for GRU operations, similar to the relationship between the GRU and the false persona Guccifer\r\n2.0.\r\nThe moderators respectively running these Telegram channels may directly coordinate with the GRU;\r\nhowever, the moderators may be Russian citizens who are not Russian intelligence officers. There are\r\nmultiple possible configurations through which this dynamic could manifest, including but not limited to\r\ninitial GRU support for third parties to establish the channels or subsequent links established after initial\r\nchannel creation.\r\nA review of these channels’ activity shows on-platform engagement by hundreds of users. In either of the above\r\noutlined scenarios, it seems likely that some or all the users engaged with these channels are Russian-speaking\r\ncivilians who are not intelligence officers. 
It is possible that the hundreds of users engaged with these channels are\r\ninauthentic, though we judge that to be unlikely.\r\nFigure 2: XakNet Telegram post in which the group disputed previous public statements from Mandiant\r\nhighlighting possible links between XakNet and the Russian Government. The third paragraph reads: “But in\r\nreality, everything is very simple. IB [information security] does not exist. Everything can be hacked. You can\r\ncontinue to conduct your super-cool investigations without any proof.”\r\nXakNet Team Moderators Likely Operate at Behest of the Kremlin\r\n“XakNet Team” is a Russian-language Telegram channel of a self-proclaimed hacktivist group that has conducted\r\nthreat activity against Ukraine, including DDoS attacks, compromises and data leaks, and website defacements.\r\nThe group claims to be comprised of Russian patriotic volunteers who formed the group in response to the\r\nAnonymous collective’s declaration of war against Russia. The XakNet Team moderators advertise multiple\r\ndomains and social media channels that we have determined are all controlled by the same group of threat actors.\r\nThe XakNet Team moderators also claimed involvement in one of the more notable information operations\r\nobserved so far in the conflict, when, in early March, a Ukrainian news organization’s news ticker was defaced\r\nduring a live TV broadcast with a fake message of Ukraine’s capitulation to Russia attributed to President\r\nZelenskyy.\r\nWe assess with moderate confidence that the moderators of the XakNet Team channel are directly supported by\r\nAPT44, based on XakNet’s leak of a technical artifact APT44 employed during the compromise of a Ukrainian\r\nnetwork. 
Given the unique nature of this technical artifact, we assess with moderate confidence that the\r\nmoderators of XakNet Team either are GRU intelligence officers or work directly with the GRU APT44 operators\r\nconducting on-net operations.\r\nCyberArmyofRussia_Reborn\r\nCyberArmyofRussia_Reborn is a Telegram channel Mandiant has tracked since mid-April 2022. Mandiant\r\nassesses with moderate confidence that the moderators of CyberArmyofRussia_Reborn are at least coordinating\r\nwith APT44 due to the timing of the leaks and the group’s connection to XakNet, although the exact nature of the\r\nrelationship is currently unclear. The channel’s apparent goals include defamation, obtaining press, and\r\ninfluencing policy. CyberArmyofRussia_Reborn moderators have leaked data from victims in at least the\r\nfollowing industries: data services, local governments, and national governments, and the actors have claimed to\r\ndegrade or deny services within a victim organization through DDoS or denial-of-service (DoS) attacks.\r\nIn at least one-third of the data leaks Mandiant identified from CyberArmyofRussia_Reborn, we directly or\r\nindirectly observed APT44 intrusion operations on the same Ukrainian victim's networks within 24 hours\r\npreceding the leaks.\r\nIn several instances, we observed the moderators on this channel leak data in bulk including all files within\r\na given extension or directory, and/or all files within a given date range. 
We identified the moderators\r\nleaking the following types of information from victims:\r\nFiles/Personally Identifiable Information (PII)\r\nGeneral military documents\r\nDomestic policies and documents\r\nFigure 3: Screenshot of example instructions for running DDOS scripts on Windows provided to their members\r\nFigure 4: New logo for the CyberArmyofRussia_Reborn, the text of which reads “People’s Cyber Army” with a\r\nquote notably used by Russia’s President Putin “If a fight is inevitable, you must strike first”\r\nInfoccentr\r\nOn March 4, a Telegram channel for “Infoccentr” was created, which appears to be dedicated to pro-Russia\r\ninformation operations and to fight against anti-Russian or pro-Ukrainian social media and other information\r\nchannels. Mandiant assesses with moderate confidence that the moderators of the Infoccentr channel are at least\r\ncoordinating with APT44 due to the timing of the leaks and the group’s connection to XakNet, although we have\r\nnot yet determined the exact composition of the group. In at least one instance, data that was initially leaked on\r\nthe Infoccentr Telegram page was reposted by XakNet within a few minutes. It is possible this was a coincidence,\r\nbut the close timing of the repost could indicate a closer relationship.\r\nFigure 5: Infoccentr Telegram page in which the group introduces itself as an “Information and Coordination\r\nCenter” and announces its operations against Ukraine and Western supporters\r\nOutlook\r\nMandiant is continuing to explore the relationship between the respective moderators of XakNet Team, Infoccentr,\r\nand CyberArmyofRussia_Reborn. 
Identifying the connections between so-called hacktivists and Russian\r\nespionage or attack groups can help victims assess risk when compromised, allow customers to prepare for the\r\npotential leak of their data, and potentially mitigate some effects. While we assess with moderate confidence that\r\nAPT44 at least coordinates with the moderators of at least the three channels we identified in this report,\r\npotentially sharing or driving operations, it is also possible that the GRU or other Russian Intelligence Services\r\nare also coordinating with other self-professed hacktivist groups to target entities both within and surrounding\r\nUkraine. As we continue to expand our knowledge of the actors behind recently emerged and longstanding\r\nchannels such as KillNet, FromRussiaWithLove (FRWL), DeadNet, Beregini, JokerDNR (alternate spelling:\r\nJokerDPR), and RedHackersAlliance, Mandiant will continue to update our assessment on associations and\r\ndrivers behind the actions and activities of these groups.\r\nRussia’s February 2022 invasion of Ukraine created unprecedented circumstances for cyber threat activity. This\r\nlikely is the first instance in which a major cyber power potentially has conducted disruptive attacks, espionage,\r\nand information operations concurrently with widespread, kinetic military operations in a conventional war. We\r\nhave never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort\r\nwithin the same several months. 
We assess with high confidence that Russian cyber espionage and attack\r\noperations, while already a serious threat to Ukrainian organizations, pose an elevated risk to Ukraine as long as\r\nRussia continues its invasion.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/gru-rise-telegram-minions",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/gru-rise-telegram-minions"
	],
	"report_names": [
		"gru-rise-telegram-minions"
	],
	"threat_actors": [
		{
			"id": "0bce7575-ba34-4742-afb7-a4d3ade12dbe",
			"created_at": "2023-11-14T02:00:07.091122Z",
			"updated_at": "2026-04-10T02:00:03.448867Z",
			"deleted_at": null,
			"main_name": "XakNet",
			"aliases": [
				"UAC-0100",
				"UAC-0106"
			],
			"source_name": "MISPGALAXY:XakNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "132e1e0f-8725-42cb-8c2d-d2f3ebb1f005",
			"created_at": "2023-12-08T02:00:05.758552Z",
			"updated_at": "2026-04-10T02:00:03.495698Z",
			"deleted_at": null,
			"main_name": "UAC-0118",
			"aliases": [
				"FRwL",
				"FromRussiaWithLove"
			],
			"source_name": "MISPGALAXY:UAC-0118",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434951,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7e789df3f936f75f0ca3754eb88ad435f71c2b2.pdf",
		"text": "https://archive.orkl.eu/d7e789df3f936f75f0ca3754eb88ad435f71c2b2.txt",
		"img": "https://archive.orkl.eu/d7e789df3f936f75f0ca3754eb88ad435f71c2b2.jpg"
	}
}