{
	"id": "7502a10c-f292-4650-94d9-fec8dbee63ee",
	"created_at": "2026-04-07T14:43:35.650478Z",
	"updated_at": "2026-04-10T13:12:51.080895Z",
	"deleted_at": null,
	"sha1_hash": "db984749eb39ff3f9385672f82c9b10303317f2d",
	"title": "Six-day, 14.7 Million RPS Web DDoS Attack Campaign Attributed to SN_BLACKMETA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 921879,
	"plain_text": "Six-day, 14.7 Million RPS Web DDoS Attack Campaign Attributed\r\nto SN_BLACKMETA\r\nBy Radware\r\nArchived: 2026-04-07 14:20:12 UTC\r\nRecord-breaking six-day attack campaign consisting of multiple four to 20-hour Web DDoS waves.\r\nDownload\r\nKey Attack Insights:\r\nhttps://www.radware.com/security/threat-advisories-and-attack-reports/six-day-web-ddos-attack-campaign/\r\nPage 1 of 10\n\nWeb DDoS attack campaign lasted six days and peaked at 14.7 Million RPS\r\nFeatured multiple attack waves amounting to a total of 100 hours of attack time\r\nSustained an average of 4.5 million RPS\r\nTargeted a financial institution in the Middle East\r\nAveraged a 0.12% ratio of legitimate to malicious web requests\r\nAttributed by Radware to SN_BLACKMETA, a pro-Palestinian hacktivist with potential ties to Sudan that\r\nmay operate from within Russia\r\nPossibly leveraged the InfraShutdown premium DDoS-for-hire service\r\nThis year has been marked by a record-breaking six-day attack campaign consisting of multiple four to 20-hour\r\nWeb DDoS waves, amounting to a total of 100 hours of attack time and sustaining an average of 4.5 million RPS\r\nwith a peak of 14.7 million RPS.\r\nFigure 1: Ten waves of the Web DDoS attack campaign (source: Radware)\r\nDuring the six days, a financial institution located in the Middle East was under attack 70% of the time. 
While\r\nunder attack, the ratio of legitimate to malicious web requests was as low as 0.002% and averaged 0.12%.\r\nRadware’s Web DDoS Protection Services stopped more than 1.25 trillion malicious web requests while leaving\r\n1.5 billion legitimate web requests untouched.\r\nFigure 2: Statistics of the ten-wave, six-day Web DDoS attack campaign (source: Radware)\r\nThroughout the attack campaign, the attacker tried several times to overrun the customer's web applications but\r\nfailed to impact the services. Ultimately, after six days and 100 hours of generating malicious web requests, the\r\nattacker moved on.\r\nAttribution\r\nA few days before the attack, an actor by the name of SN_BLACKMETA announced an attack campaign on its\r\nTelegram channel mentioning the financial institution. Based on the motivation, common traits with earlier threat\r\ngroups and threats announced by the group, Radware’s Cyber Threat Intelligence (CTI) attributes the attack\r\ncampaign to the hacktivist threat group SN_BLACKMETA. CTI assumes that the infrastructure leveraged during\r\nthe attack might be part of the InfraShutdown DDoS-for-hire service, a premium service with subscription fees\r\nthat range from $500 for a week up to $2,500 for a month.\r\nThe Rise and Unfolding of SN_BLACKMETA\r\nThe digital age has brought about complex shifts in how conflicts surface and manifest. One such emerging player\r\nin the cyber warfare landscape is the Telegram channel “𝐒𝐍_𝐁𝐋𝐀𝐂𝐊𝐌𝐄𝐓𝐀,” established on November 14,\r\n2023. 
The initial content on this channel set the tone for its future endeavors, featuring updates on cyberattacks\r\ntargeting Israeli and Palestinian infrastructure, primarily through distributed denial of service (DDoS) attacks.\r\nThese early posts laid a strong foundation for the group’s operations and clearly indicated their ideological stance.\r\nJust days after its inception on November 18, 2023, SN_BLACKMETA announced a significant escalation in its\r\ncyber offensive. This proclamation was not just empty rhetoric, as it was immediately followed by a series of\r\nattacks on November 22 and 24, targeting websites in Israel, Canada and Saudi Arabia. The group’s audacity and\r\nrange of targets grew, leading to notable assaults on infrastructure such as the International Airport of Azrael and\r\nthe Saudi Ministry of Defense on January 23 and 24, 2024.\r\nThe surge in activities continued into March 2024. During this period, SN_BLACKMETA executed multiple\r\nattacks including those on French infrastructure, Israel’s Smart Shooter company, Israeli telecom companies and\r\nthe Tel Aviv Stock Exchange. April saw no decline in their fervor; instead, they focused on UAE’s digital\r\ninfrastructure, Israeli scientific and technological websites, and a range of Western entities. By May and June\r\n2024, the group had broadened its target range extensively, launching cyber campaigns against tech giants and\r\nhighly visible organizations like Microsoft, Yahoo, Orange and the Internet Archive in addition to further UAE\r\ninfrastructure.\r\nAmidst this flurry of cyber activity, a pivotal figure emerged. In March 2024, the X user @Sn_darkmeta was\r\ncreated, proclaiming himself as the leader of SN_BLACKMETA. The self-styled “Great Leader DarkMeta”\r\nroutinely began his posts with big declarations. 
They reposted images and summaries of the actions and attacks\r\nreported on the Telegram channel, crafting a persona that bolstered the group’s visibility and ideological\r\nmessaging.\r\nFigure 3: Sn_darkmeta user profile on X (source: x.com)\r\nThe primary motivation driving SN_BLACKMETA’s activities is a strong pro-Palestinian ideology. The group\r\npositions its attacks as retribution for perceived injustices against Palestinians and Muslims. Their targets typically\r\ninclude critical infrastructure such as banking systems, telecommunication services, government websites and\r\nmajor tech companies, all reflecting a strategy to disrupt entities viewed as complicit in or supportive of their\r\nadversaries.\r\nFigure 4: Darkmeta announcing attacks targeting highly visible organizations on its SN_BLACKMETA channel (source:\r\nTelegram, Telegram)\r\nSN_BLACKMETA is not shy about publicizing its successes. It regularly updates its audience, often providing\r\nscreenshots and links to validate its claims. This transparency not only legitimizes its actions but also rallies\r\nsupport and garners attention from wider media channels. It openly encourages the publicizing of its activities to\r\namplify its cause, leveraging user complaints and third-party validations to substantiate the impact of its\r\noperations.\r\nInterestingly, based on observed timestamps and activity patterns, it is plausible that the actors behind these\r\nattacks may be operating in a time zone close to Moscow Standard Time (MSK, UTC+3) or other Middle Eastern\r\nor Eastern European time zones (UTC+2 to UTC+4). 
Their operational hours, stretching from early morning to\r\nlate evening, align well with typical active hours in these regions. Another compelling possibility, besides being\r\nlocated in the Moscow time zone, is that the group could be pro-Sudanese.\r\nIn the context of SN_BLACKMETA, the abbreviation “SN” could plausibly stand for “Sudan.” This interpretation\r\naligns not only with the group’s activity patterns and time zones but also with the content and focus of their\r\noperations.\r\nA deeper look at SN_BLACKMETA reveals striking similarities with Anonymous Sudan in terms of ideological\r\nmotivations, attack methodologies, target selections and attack patterns. Both groups are driven primarily by pro-Palestinian sentiments, anti-Western stances and reactions to geopolitical developments involving Muslim\r\ncountries. By disrupting high-impact infrastructures, they aim to create visibility for their causes and leverage\r\ntheir cyber capabilities effectively.\r\nFigure 5: Number of attacks over time and targeted countries for Anonymous Sudan and SN_BLACKMETA\r\nConsidering the number of attacks claimed per month by Anonymous Sudan and SN_BLACKMETA (see Figure\r\n5), it becomes apparent that the slowing number of claimed attacks by Anonymous Sudan coincides with an uptick\r\nin attack claims by SN_BLACKMETA, the ending of the former separated by a single month with the initial start\r\nof the latter. When comparing the most targeted countries by both hacktivists, the top targeted countries by\r\nSN_BLACKMETA were also top targets for Anonymous Sudan. Moreover, all of the attacks claimed by\r\nSN_BLACKMETA were in countries that were also previously targeted by Anonymous Sudan. 
When comparing the\r\ncountries targeted by Anonymous Sudan, almost 70% of the countries Anonymous Sudan attacked were also\r\ntargeted by SN_BLACKMETA.\r\nBased on an analysis of the language, style, attack methods and shared ideological motivations, it is reasonably\r\nlikely that messages on both the SN_BLACKMETA and Anonymous Sudan channels could have been posted by\r\nthe same individuals or closely collaborating individuals. The shared characteristics in style and content strongly\r\nsuggest a coordinated effort or at least a significant overlap in the operational and strategic direction of both\r\ngroups.\r\nThe Telegram channel Anonymous Sudan, according to TGStat.ru, was created from within Russia and its initial\r\nlanguage was set to Russian. While most posts by Anonymous Sudan were in Arabic and English, initial posts also\r\ncontained Russian. The SN_BLACKMETA Telegram channel has no geography or language listed, however the X\r\naccount profile in Figure 6 shows it was created in Staraya Russa, a town in Novgorod Oblast, Russia. Although\r\nSN_BLACKMETA posts some announcements to its Telegram channel in three languages (English, Arabic and\r\nRussian), other posts are just in English and Arabic (see Figure 4).\r\nFigure 6: Properties of the Anonymous Sudan Telegram channel (source: TGStat)\r\nThe motivations for a hacktivist group like SN_BLACKMETA to target organizations in the UAE can be drawn\r\nfrom a combination of political and ideological alignment with the Palestinian cause, opposition to UAE’s\r\nnormalization with Israel, and broader regional political dynamics. 
High-profile attacks on prominent UAE\r\norganizations provide significant opportunities for these groups to increase their reputational influence and\r\nvisibility.\r\nMoreover, SN_BLACKMETA mentions collaborations with other hacktivist groups, such as Killnet, Ghosts of\r\nPalestine and subsets of the broader Anonymous collective. These alliances enhance their capabilities and extend\r\nthe reach of their operations. By marketing tools and services like DDoS-for-hire, malware, and cyberattack\r\ntraining, they have adopted a structured approach to expanding their influence and operational capacity.\r\nTo understand the roots of SN_BLACKMETA’s potential Sudanese ties, one needs to dive into the current conflict\r\nin Sudan. The war is fundamentally a struggle over power involving former President Omar al-Bashir, who in his\r\nlater years sought to coup-proof his regime by empowering the Janjaweed as the Rapid Support Forces (RSF), a\r\nparamilitary force. This conflict erupted between the Sudanese Armed Forces (SAF) and the RSF on April 15,\r\n2023, in Khartoum, the capital of Sudan. The ongoing conflict has severely exacerbated the economic crisis in\r\nSudan, leading to widespread unemployment, devaluation of the Sudanese pound, and looting and damage to\r\ninfrastructure. It has left the population with dwindling access to goods, services and cash. A UN report alleged\r\nthat the UAE is supporting the RSF in their war against the Sudanese Armed Forces. 
This allegation was denied\r\nby the UAE but would explain the alternate motivations behind SN_BLACKMETA’s attacks against UAE\r\norganizations.\r\nInfraShutdown, the Premium DDoS-for-Hire Service\r\nOn February 24, 2024, Crush, the leader of Anonymous Sudan, announced a new DDoS service named\r\n“InfraShutdown.” Crush labeled it as “the pinnacle of bullet-proof cyber dominance,” offering DDoS attack\r\ncampaigns tailored to the needs of its global clientele with military-grade privacy. This supposedly new DDoS-for-hire service was described as “specialized in nation-state level disruptions, targeting critical infrastructures,\r\nfinancial system and telecommunication networks” in an announcement forwarded by the InfraShutdown\r\nTelegram channel that was created on February 24, 2024, coinciding with the date of the announcement. Radware\r\nCyber Threat Intelligence (CTI) published a detailed advisory about the InfraShutdown service on February 28,\r\n2024.\r\nOn its Telegram channel, Anonymous Sudan promoted this new service through advertisements and by claiming\r\ndenial of service attacks against highly visible and public targets.\r\nFigure 7: Anonymous Sudan advertises the services of InfraShutdown on its Telegram channel (source: Telegram)\r\nIn the days before and following the announcement of InfraShutdown, Anonymous Sudan claimed attacks on\r\nseveral highly visible targets in multiple countries, which were followed by proofs of impact based on messages in\r\nsocial media and industry-accepted sources that monitor network reachability and availability.\r\nIn February, Radware CTI assessed that “this announcement should not be ignored, and InfraShutdown could\r\nbecome a serious threat to the infrastructure of nations and organizations. 
It is still unclear whether the new\r\nservice is an evolution of the SKYNET/GODZILLA service or a breakup from the former, introducing the\r\nunderground to a new potent DDoS-for-hire service that provides improved attack vectors and an increased\r\ncapacity. As such, we might be looking at claimed multi-terabit-per-second volumetric attacks, Layer 4 attacks and\r\nhigh-scale RPS Web DDoS attacks. The new service differentiates itself by a high level of exclusivity for joining.”\r\nIf the actors behind SN_BLACKMETA are in any way related to or support Anonymous Sudan, the premium\r\nInfraShutdown service is highly likely to be the origin of the 14.7 million RPS, 100-hour attack campaign\r\nmentioned at the beginning of this document.\r\nReasons for Concern\r\nSN_BLACKMETA is a rising cyber threat, potentially located in Russia, fueled by a strong ideological stance and\r\na strategic approach to cyber warfare. Their operations reveal a methodical expansion of targets, sophisticated\r\npublic relations tactics, probable collaborations with other cyber groups, and a very likely connection to Sudan. As\r\nthey continue to evolve, understanding their motivations, operational patterns and affiliations is crucial for\r\ncybersecurity efforts worldwide.\r\nRecommendations\r\nMitigating attack campaigns that last several days—and sustain an average of 4.5 million RPS across 100 hours\r\nwith a peak of 14.7 million RPS—requires a capable Web DDoS mitigation infrastructure with adequate capacity.\r\nRate limiting is not a solution for the sophistication and intensity of such attacks, considering the ratio of\r\nlegitimate to malicious web requests averaged 0.12% for 70% of the time over six days. 
To keep the business\r\ngoing during the assaults, the mitigation solution had to be able to sustain the attack and differentiate 1.5 billion\r\nlegitimate web requests from 1.25 trillion malicious web requests.\r\nAn inability to meet both requirements while protecting against the new, intense and sophisticated Web DDoS\r\nfrom hacktivists could have severe consequences for businesses across the globe.\r\nStaying Protected\r\nEFFECTIVE DDOS PROTECTION ESSENTIALS\r\nIntelligence on Active Threat Actors – High fidelity, correlated and analyzed data for preemptive protection\r\nagainst currently active known attackers\r\nBehavioral-Based Detection - Quickly and accurately identify and block anomalies while allowing legitimate\r\ntraffic through\r\nReal-Time Signature Creation - Promptly protect against unknown threats and zero-day attacks\r\nCybersecurity Emergency Response Plan - A dedicated emergency team of experts who have experience with\r\nInternet of Things security and handling IoT outbreaks\r\nHybrid DDoS Protection – Use on-premise and cloud DDoS protection for real-time DDoS attack prevention\r\nthat also addresses high-volume attacks and protects from pipe saturation\r\nFor further network and application protection measures, Radware urges companies to inspect and patch their\r\nnetwork to defend against risks and threats.\r\nEFFECTIVE WEB APPLICATION SECURITY ESSENTIALS\r\nLow false positive rate - using negative and positive security models for maximum accuracy\r\nAuto-policy generation - capabilities for the widest coverage with the lowest operational effort\r\nBot protection and device fingerprinting - capabilities to overcome dynamic IP attacks and achieve improved\r\nbot detection and blocking\r\nFull OWASP Top-10 – coverage against defacements, injections, etc.\r\nFlexible deployment options – on-premises, out-of-path, virtual 
or cloud-based\r\nSecuring APIs - by filtering paths, understanding XML and JSON schemas for enforcement, and using activity\r\ntracking mechanisms to trace bots and guard internal resources\r\nLEARN MORE AT RADWARE’S SECURITY RESEARCH CENTER\r\nTo know more about today’s attack vector landscape, understand the business impact of cyberattacks, or learn\r\nmore about emerging attack types and tools, visit Radware’s Security Research Center. Additionally, visit\r\nRadware’s Quarterly DDoS \u0026 Application Threat Analysis Center for quarter-over-quarter analysis of DDoS and\r\napplication attack activity based on data from Radware’s cloud security services and threat intelligence.\r\nSource: https://www.radware.com/security/threat-advisories-and-attack-reports/six-day-web-ddos-attack-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.radware.com/security/threat-advisories-and-attack-reports/six-day-web-ddos-attack-campaign/"
	],
	"report_names": [
		"six-day-web-ddos-attack-campaign"
	],
	"threat_actors": [
		{
			"id": "d93f6788-b81a-4307-9ad1-b7944ea75250",
			"created_at": "2024-11-03T02:00:03.651869Z",
			"updated_at": "2026-04-10T02:00:03.743143Z",
			"deleted_at": null,
			"main_name": "Blackmeta",
			"aliases": [
				"SN Blackmeta"
			],
			"source_name": "MISPGALAXY:Blackmeta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e53fc09e-24cc-40d4-b38d-7e2d6dbe81d8",
			"created_at": "2023-03-17T02:01:50.851615Z",
			"updated_at": "2026-04-10T02:00:03.362605Z",
			"deleted_at": null,
			"main_name": "Anonymous Sudan",
			"aliases": [],
			"source_name": "MISPGALAXY:Anonymous Sudan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775573015,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db984749eb39ff3f9385672f82c9b10303317f2d.pdf",
		"text": "https://archive.orkl.eu/db984749eb39ff3f9385672f82c9b10303317f2d.txt",
		"img": "https://archive.orkl.eu/db984749eb39ff3f9385672f82c9b10303317f2d.jpg"
	}
}