{
	"id": "e4fb6495-b5e4-4257-b21f-33ce179a4ea9",
	"created_at": "2026-04-06T00:15:21.690399Z",
	"updated_at": "2026-04-10T03:34:24.387683Z",
	"deleted_at": null,
	"sha1_hash": "da5fc0f85ac954c58d4b1a636fa34695e23eaa6a",
	"title": "Dark Web Profile: Killnet - Russian Hacktivist Group - SOCRadar® Cyber Intelligence Inc.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92914,
	"plain_text": "Dark Web Profile: Killnet - Russian Hacktivist Group -\r\nSOCRadar® Cyber Intelligence Inc.\r\nPublished: 2022-12-16 · Archived: 2026-04-05 15:55:30 UTC\r\nBy SOCRadar Research\r\nThe ongoing conflict between Ukraine and Russia has attracted the attention of various cybercriminal groups and\r\npushed them to get involved in this cyber warfare. According to CyberKnow’s research, over 190 threat actor\r\ngroups actively play a role during Ukraine-Russia cyber warfare.\r\nSome groups have aligned with one side of the conflict and are using their skills to support their chosen faction.\r\nKillNet is one of the groups that has played a significant role and is known for its DDoS activities in the interests\r\nof Russia.\r\nWho is Killnet?\r\nKillnet threat actor card\r\nKillnet is a pro-Russian hacktivist group known for its DDoS campaigns against countries supporting Ukraine,\r\nespecially NATO countries since the Russia-Ukraine war broke out last year. DDoS is the primary type of cyber-attack that can cause thousands of connection requests and packets to be sent to the target server or website per\r\nminute, slowing down or even stopping vulnerable systems.\r\nWhile Killnet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several\r\nhours or even days. It is known that KillMilk, its founder, left the group in July 2022, and its new leader is a\r\nhacker using the name Blackside. However, KillMilk is still related to the group and shares Killnet’s\r\nannouncements on his telegram channel, as seen below.\r\n‘OFFICIAL KILLNET CHANNEL’ shared by Killnet in their Telegram group:\r\nKillnet Telegram Post\r\nHow Did Killnet DDoS Service Become a Hacktivist Group?\r\nUntil the Russia-Ukraine war, Killnet was known as the name of a DDoS attack tool that only subscribers could\r\nrent and use. 
With the crisis in Russia and Ukraine, Killnet emerged as a hacker group and continued its attacks\r\nunder the name “Killnet.”\r\nAfterward, the Killnet hacker group carried out many attacks to support Russia and fight for Russia’s interests.\r\nThey targeted countries that supported Ukraine in the war between Russia and Ukraine. For months, the Killnet\r\ngroup has attacked countries that support Ukraine and whose political interests run against the Russian\r\ngovernment.\r\nhttps://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/\r\nPage 1 of 7\n\nThey do not seem interested in financial gain; they aim to harm web services by disrupting them, mainly with\r\nDDoS attacks.\r\nFigure 2: KillMilk Telegram Link\r\nKillnet Grows\r\nThe group has continued its operations for over a year and has become a serious cyber threat. With the\r\nencouragement from Killnet service users, which reached tens of thousands of subscribers, they formed subgroups\r\nunder the name “Cyber Special Forces of the Russian Federation.”\r\nThe group also started another hacker group called LEGION in April 2022 and continued its DDoS attacks from\r\nthere. Other groups were observed under the LEGION group, each carrying out different attacks. In July 2022, the\r\ngroup announced that LEGION had been disbanded and would be relaunched as LEGION 2.0. 
Together with all these related groups, the group is estimated to have more\r\nthan a thousand members.\r\nKillnet mentioned in a post on their Telegram channel that their birth date is November 13, 2021.\r\nHowever, they announced that they became a hacktivist group on February 23, 2022.\r\nKillnet’s Relationship with Other Hacker Groups\r\nA group formerly known as XakNet announced that it had merged with Killnet, targeting critical infrastructures.\r\nAnother group, later known as F**kNet, also expressed its intention to work with Killnet, targeting the public and\r\nprivate sectors in countries that support Ukraine.\r\nA former member of Killnet, now the leader of the Zarya group, also mentioned in an interview that other hacker groups act\r\nin parallel with them and defend Russia’s interests. He named groups like XakNet, Beregini,\r\nCyberArmy, Anonymous Russia, RaHDit, DPR Joker, NoName057, and Zsecnet.\r\nThe hacker also said that Anonymous Russia and the Zarya group were founded by hackers who left the Killnet\r\ngroup. Other hackers also joined Zarya from Killnet.\r\nIn the same interview, Zarya’s leader also explained the reasoning behind the creation of small groups by dividing\r\nKillnet. Smaller groups are easier to manage, and it is more difficult for the enemy to understand from whom to\r\nattack. He also revealed that Zarya was previously a part of the Killnet team but is now an independent entity.\r\nSOCRadar Threat Actors Module provides detailed information on threat actors, IoCs, and exploited\r\nCVEs.\r\nKillnet’s Targets and Operations\r\nKillnet has attacked many European and Western countries, including Ukraine, since February 2022. The US,\r\nthe UK, Germany, Italy, Romania, Lithuania, Estonia, and Poland are among these. Attacks on US airports,\r\nthe Eurovision contest website, and more than a thousand websites in Lithuania are worth mentioning. 
There\r\nwere also attacks on railways and government portals in the Czech Republic.\r\nCountries affected by Killnet (Source: SOCRadar)\r\nIn April 2022, Killnet focused entirely on supporting Russian geopolitical interests worldwide. They claimed to\r\nhave carried out more than 550 attacks between late February and September. Only 45 of these attacks were\r\ndirected against Ukraine, less than 10% of the total attacks.\r\nYou can find previous attacks of Killnet in SOCRadar’s research article published on July 28, 2022.\r\nKillnet’s Recent Cyber Attacks\r\nMay 2022:\r\nKillnet attacked Romanian government websites.\r\nThey attacked Italy and managed to block a few websites, while the attack on the CSIRT site was unsuccessful.\r\nKillnet hacked Istituto Superiore di Sanità and the Automobile Club of Italy websites in the same attack. The\r\nItalian Senate website was also hacked and closed for an hour. The attack was not as devastating as predicted.\r\nJune 2022:\r\nThe group targeted Norwegian organizations through various DDoS attacks. 
Also, the group took responsibility\r\nfor the DDoS attack on Lithuanian government and private institutions.\r\nAugust 2022:\r\nThe group and its founder, called “KillMilk,” claimed responsibility for a cyber-attack on the American defense\r\ncontractor Lockheed Martin as retaliation for the HIMARS systems supplied by the US to Ukraine.\r\nSeptember 2022:\r\nKillnet announced that it had attacked 23 websites of 4 ministries and agencies in Japan, including e-Gov, a\r\nportal site for administrative information administered by the Digital Agency, and eLTAX, a local tax website\r\nadministered by the Ministry of Internal Affairs and Communications.\r\nOctober 2022:\r\nSeveral US airport websites were attacked.\r\nKillnet posted a list of several government websites they would target in the coming days beneath an image of a\r\nnuclear explosion behind the Statue of Liberty.\r\nAlleged targets are listed below:\r\nAlabama\r\nAlaska\r\nConnecticut\r\nColorado\r\nDelaware\r\nFlorida\r\nHawaii\r\nIdaho\r\nIndiana\r\nKansas\r\nKentucky\r\nMississippi\r\nNovember 2022:\r\nOn the Killnet Telegram channel, the group shared a post that said, “We have gained strength and now we are able\r\nto reduce the traffic of drug addicts to sellers’ websites to zero! Not without your help, of course, comrades!”\r\nKillnet threat actors hacked Russia’s largest dark web drug site. They published dealers’ and drug addicts’ data,\r\nstorage locations, etc.\r\nIn a mail from a Latvian State Revenue Service employee, they announced they have VPN access to corporate\r\ngovernment networks and downloaded 200 gigabytes of documents.\r\nThe Killnet hacker group declared that they attacked Western governments’ and companies’ websites. 
They have\r\nposted a gateway to a government portal for authentication and access to various web resources in their\r\nTelegram group.\r\nThe White House announced that it has temporarily closed its official website and Starlink API. Experts stated it\r\nis a critical target because the Ukrainian army uses Starlink.\r\nKillnet posted an announcement on its Telegram channel, asking all hackers for help attacking and targeting\r\nPoland. They said several of the targets would be inoperable for four days. Following this announcement, Warsaw\r\nAirport, Gdansk Airport, and Rzeszow Airport became victims of cyberattacks.\r\nDecember 2022:\r\nIn a post, the Killnet group mentioned a new project called Infinity. The project, which is getting a lot of attention\r\nat this stage, is planned to launch sometime this winter-spring.\r\nThey have also published a post on the Killnet Telegram channel asking President Putin for nuclear strikes on the\r\ncapitals of Ukraine’s allies:\r\nAnother critical piece of intelligence about the Killnet group is that some members said they attacked the Bankers\r\nAutomated Clearing Service (BACS), the London Stock Exchange, and the Prince of Wales official website.\r\nKillnet stated that the “royal official site” was not working. 
“Perhaps this is due to the supply of high-precision\r\nmissiles to Ukraine,” the group said.\r\nKillMilk, a senior member of the Killnet group, has threatened the US Congress with the sale of the health and\r\npersonal data of the American people because of the Ukraine policy of the US Congress.\r\nJanuary 2023:\r\nIn late January 2023, KillNet shared that it was targeting Germany via the Passion Botnet with the hashtag\r\n#ГерманияRIP.\r\nA day after the announcement, the group posted screenshots showing that they had denied access to several\r\nGerman websites, including the Cabinet of Germany (Bundesregierung) and the Federal Ministry of the Interior\r\n(Bundesministerium des Innern und für Heimat).\r\nKillnet shared a list of other German websites they targeted on the same day, categorized by industry:\r\nThe NetSide and SARD Telegram groups also shared that they had hacked the admin panels of hundreds of\r\nwebsites to support Killnet and posted the credentials on Killnet’s page:\r\nIt is noteworthy that NetSide and SARD make such posts at regular intervals.\r\nAt the end of the month, Killnet shared that they carried out a massive Layer 7 DDoS attack on several\r\nhealthcare organizations all over the US. In addition, according to the Daily Mail, hospitals in the Netherlands\r\nreportedly experienced a DDoS attack from Russian hacking groups.\r\nFebruary 2023:\r\nFebruary started with a stunning announcement and a call to action; Killnet posted an announcement message\r\nurging anyone interested in attacking the United States to contact the administrator of the Infinity hacker group:\r\nSecurityScorecard has shared a list of public IP addresses known to belong to Killnet so that cybersecurity\r\npersonnel can block them:\r\nAnonymous posted a news article from gazeta.ru on its Telegram channel about an interview with KillMilk, the\r\nleader of KillNet. 
According to KillMilk’s interview, the Ukrainian hacking group Phoenix teamed up with the\r\nRussian group KillNet to take revenge for the arrest of their accomplices by the SBU (Security Service of\r\nUkraine):\r\nKillnet in 2023\r\nSince the end of January, Killnet has been actively targeting healthcare organizations. In their Telegram post, they\r\nshared that the corporate entrances and websites of various hospitals were down and that this attack was a joint\r\noperation.\r\nSome of those mentioned in KillNet’s Telegram post are hacker groups, and some are known as DDoS-as-a-Service providers.\r\nKillnet was recently observed operating with the Passion Botnet, a group that offers DDoS-as-a-Service. The\r\norigin of Passion is unknown, but they have become more active lately, especially at the beginning of 2023. They\r\nhave a history of targeting individuals and organizations that oppose Russia’s invasion of Ukraine, using techniques\r\nlike defacement and denial of service.\r\nOther groups affiliated with Killnet, such as AKL Client, Infinity Stresser, and MistNet, also offer a\r\nDDoS-as-a-Service model.\r\nKillnet’s cooperation with multiple DDoS-as-a-Service providers may indicate that it will be more active in future\r\nevents.\r\nProminent Characteristics \u0026 TTPs\r\nObserving Killnet’s attacks and behavior to date allows some inferences about the characteristics it applies\r\nrepeatedly or consistently.\r\nDue to its motivation and determination to defend Russia, the group chose its targets among NATO-linked\r\ncountries. It is also a potential threat to countries whose political interests contradict Russia’s.\r\nThey prefer DDoS attacks against their targets. The attacks usually last 1-3 days, but with appropriate\r\nmeasures victims can recover their systems in a matter of hours.\r\nThey target governments’ or public institutions’ websites. 
This way, they believe they signal to the\r\nvictims that they chose the “wrong side.”\r\nThey announce their attacks and targets on Telegram channels.\r\nKillnet is also associated with other hacker groups that have common goals with them or act in Russian\r\ninterests. They have been collaborating with XakNet and F**kNet, and the other threat actors\r\nmentioned above.\r\nMITRE Map\r\nReconnaissance: T1595 Active Scanning; T1589 Gather Victim Identity Information\r\nResource Development: T1583 Acquire Infrastructure; T1584 Compromise Infrastructure\r\nCredential Access: T1110 Brute Force\r\nImpact: T1498 Network Denial of Service; T1489 Service Stop\r\nPrimary Killnet Tactics\r\nBrute-force dictionary attacks against:\r\nSSH (port 22), primarily targeting the root account\r\nMinecraft and TeamSpeak servers\r\nDDoS attacks at these OSI model layers:\r\nlayer 4 (SYN flood attacks)\r\nlayer 7 (high volume POST/GET requests) to cause resource exhaustion and system failure.\r\nIn various Telegram groups, they collaborate with the members who are instructed to use IP stresser-for-hire tools\r\nsuch as Crypto Stresser, DDG Stresser, Instant-Stresser, and Stresser.ai. Moreover, several scripts are used during\r\ntheir attacks. Some of them are CC-attack, MDDoS, Low Orbit Ion Cannon (LOIC), KARMA, and Dummy.\r\nHow to Prevent a Killnet Attack\r\nFirstly, we need to pay attention to two main defense tactics. 
The first is enforcing strong password policies that can\r\nwithstand basic brute-force credential attacks, and the second is having a proper strategy for fighting off DDoS\r\nattacks.\r\nThe other defensive tactics are listed below:\r\nPurchase DDoS mitigation services from an Internet Service Provider (ISP), Content Delivery Network\r\n(CDN), or Web-Application Firewall (WAF) provider.\r\nDeploy a multi-factor authentication (MFA) mechanism for all remote access.\r\nBlocklist known Killnet-related IoCs, such as IP addresses used in Killnet attacks.\r\nEnable a DMZ (Demilitarized Zone) for internet-facing entities.\r\nEmploy DDoS protection via web bot detection techniques.\r\nReduce attack surfaces, a task made easier with ASM (Attack Surface Management) platforms.\r\nGet CTI (cyber threat intelligence) feeds that monitor dark web information to identify and predict\r\npotential threats and provide actionable intelligence data for your organization.\r\nConfigure web servers and APIs with security modules to optimize performance during a web traffic spike.\r\nPerform stress tests on all critical services for their ability to handle resource exhaustion attacks.\r\nCreate and practice an IRP (Incident Response Plan) for the worst case, which results in temporary\r\ndowntime.\r\nLearn What Hackers Talk About Your Company With SOCRadar\r\nThe fact that Telegram is a legit messaging app used by millions gave hackers a chance to conceal themselves and\r\nfollow their malicious agenda. More and more threat actors use Telegram for communication and announcements,\r\nand it has become the main hub for threat actors.\r\nSource: https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/"
	],
	"report_names": [
		"dark-web-profile-killnet-russian-hacktivist-group"
	],
	"threat_actors": [
		{
			"id": "0bce7575-ba34-4742-afb7-a4d3ade12dbe",
			"created_at": "2023-11-14T02:00:07.091122Z",
			"updated_at": "2026-04-10T02:00:03.448867Z",
			"deleted_at": null,
			"main_name": "XakNet",
			"aliases": [
				"UAC-0100",
				"UAC-0106"
			],
			"source_name": "MISPGALAXY:XakNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "76d871c3-96cd-41d3-8889-f0396e480e91",
			"created_at": "2023-11-14T02:00:07.093421Z",
			"updated_at": "2026-04-10T02:00:03.449641Z",
			"deleted_at": null,
			"main_name": "Zarya",
			"aliases": [
				"UAC-0109"
			],
			"source_name": "MISPGALAXY:Zarya",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9a11c31f-ebed-4b8d-9a5a-b3c842bfe293",
			"created_at": "2024-09-20T02:00:04.58523Z",
			"updated_at": "2026-04-10T02:00:03.700883Z",
			"deleted_at": null,
			"main_name": "RaHDit",
			"aliases": [
				"Russian Angry Hackers Did It"
			],
			"source_name": "MISPGALAXY:RaHDit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da5fc0f85ac954c58d4b1a636fa34695e23eaa6a.pdf",
		"text": "https://archive.orkl.eu/da5fc0f85ac954c58d4b1a636fa34695e23eaa6a.txt",
		"img": "https://archive.orkl.eu/da5fc0f85ac954c58d4b1a636fa34695e23eaa6a.jpg"
	}
}