killnet

Killnet

killnet · russia_aligned_hacktivism · active since 2022

Killnet (Killmilk / Anonymous Russia / JokerDPR / BlackSkills / ArvinClub / Phoenix Killnet / Storm-1059 / Russian Patriotic Hacktivism Collective) is the central reference cluster for understanding contemporary Russia-aligned hacktivism as distinct from Russia-aligned state-intelligence cyber operations, a politically-motivated multi-subgroup hacktivism collective that emerged approximately concurrent with Russia's February 24, 2022 invasion of Ukraine and has conducted sustained politically- motivated cyber-disruption operations against NATO-country and Western targets since.

Western analytical consensus treats Killnet as freelance hacktivism with apparent Russian state tolerance rather than direct state-tasking (operational targeting consistently aligns with Russian state foreign-policy interests but no public evidence of direct intelligence-service tasking comparable to OFAC explicit allegations against Indrik Spider / Evil Corp)

self-proclaimed founder uses "Killmilk" alias (variously reported as Russian national Nikolai Serafimov in open-source investigative reporting, formal attribution at named- Russian-national tier not formally established by Western law- enforcement)

cluster operates a multi-subgroup organizational structure including Anonymous Russia (Feb 2023+, primary DDoS operational arm) + JokerDPR (doxxing and information-operations against Western journalists / politicians / Ukrainian government officials / Western military personnel deployed to Ukraine) + BlackSkills + ArvinClub + Phoenix Killnet.

three primary tradecraft patterns: (1) distributed-denial-of-service disruption operations (defining pattern, produces brief service-availability disruption with limited sustained operational consequence using MHDDoS framework + Bobik bot + Phoenix DDoS panel + selected Mirai-variant and Meris botnet usage), (2) doxxing operations via JokerDPR subgroup, (3) information-operations and public- narrative activity via Telegram channels and social-media.

most operationally consequential operations include Lithuanian government attacks June-July 2022 (retaliation for Lithuania's EU sanctions enforcement on Kaliningrad transit), Eurovision Song Contest attacks May 2022 during Ukraine's Kalush Orchestra win, US state government website attacks October 2022 (~14 states), US airport website attacks October 10 2022 (LAX + Chicago O'Hare + Atlanta Hartsfield-Jackson + ~10 additional), US hospitals attacks January-February 2023 (HHS HC3 January 30 2023 healthcare-sector alert)

operational sophistication substantially below state-aligned Russian APT operations (APT28 / Fancy Bear, APT29 / Cozy Bear, Sandworm, Gamaredon, Turla, Star Blizzard / Callisto, Cadet Blizzard, Dragonfly, Cloud Atlas), operations remain predominantly DDoS-and-doxxing rather than persistent-access-and-data-theft tradecraft characteristic of state-aligned APT clusters.

russia_aligned_hacktivism confidence: high 33 aliases

Sigma rules200 YARA rules0 Live IOCs0 CVEs exploited0

Killnet (also tracked as Killnet Collective, Killmilk, Anonymous Russia, JokerDPR, BlackSkills, ArvinClub, Phoenix Killnet, Storm-1059, and the broader Russian Patriotic Hacktivism Collective) is the central reference cluster for understanding contemporary Russia-aligned hacktivism as distinct from Russia- aligned state-intelligence cyber operations. The cluster emerged approximately concurrent with Russia's February 24, 2022 invasion of Ukraine and has conducted sustained politically- motivated cyber-disruption operations against NATO-country and Western targets since. Western analytical consensus treats Killnet as freelance hacktivism with apparent Russian state tolerance rather than direct state-tasking.

The cluster's operational targeting consistently aligns with Russian state foreign-policy interests (NATO country targeting, support for Russia's Ukraine invasion narrative, opposition to Western sanctions), but no public evidence of direct intelligence-service tasking comparable to the OFAC explicit allegations against Indrik Spider / Evil Corp has been disclosed. The cluster should be analytically distinguished from state-aligned Russian APT clusters covered in this corpus (APT28 / Fancy Bear, APT29 / Cozy Bear, Sandworm, Gamaredon, Turla, Star Blizzard / Callisto, Cadet Blizzard, Dragonfly, Cloud Atlas), Killnet operates without the sophisticated persistent-access-and-data-theft tradecraft characteristic of state-aligned APT operations.

The cluster operates a multi-subgroup organizational structure with affiliated and sub-cluster identities including

Anonymous Russia, emerged February 2023, primary DDoS operational arm.
JokerDPR, focused on doxxing and information-operations against Western journalists, politicians, Ukrainian government officials, and Western military personnel deployed to Ukraine.
BlackSkills.
ArvinClub.
Phoenix Killnet.
Selected additional subgroups under continued Killnet collective identity The self-proclaimed founder uses the alias "Killmilk", variously reported in open-source investigative reporting as Russian national Nikolai Serafimov, though formal attribution at the named-Russian-national tier has not been formally established by Western law-enforcement. Operationally the cluster centers on three primary tradecraft patterns: First, distributed-denial-of-service (DDoS) disruption operations, the cluster's defining operational pattern. DDoS operations have produced brief service-availability disruption against NATO-country government, healthcare, financial-services, aviation, transportation, and media targets but with limited sustained operational consequence (DDoS operations typically produce brief service-availability disruption rather than persistent harm). The cluster operates DDoS tooling including MHDDoS open-source DDoS framework, Bobik bot, Phoenix DDoS panel, Distress DDoS panel, Jameson panel, Blood panel, AKUR tool, Tesla bot, and Hammer ddos tool, alongside selective Mirai-variant and Meris botnet usage. Second, doxxing operations, JokerDPR subgroup operations have produced sustained doxxing campaigns against Western journalists, politicians, Ukrainian government officials, and Western military personnel deployed to Ukraine, publishing personal information including identities, addresses, family member details, and selected leaked communications. Third, information-operations and public-narrative activity , substantial cluster operational investment in public-facing Telegram channels, social-media operations, and Russian-patriotic- hacktivism branding. The cluster's information-operations activity has been operationally substantial relative to its DDoS operational consequence, suggesting public-facing narrative activity is a primary cluster operational objective alongside direct technical disruption.

The cluster's most operationally consequential operations include

Lithuanian government attacks (June-July 2022) in retaliation for Lithuania's EU sanctions enforcement on Kaliningrad transit.
Eurovision Song Contest attacks (May 2022) against Eurovision voting infrastructure and Italian broadcaster Rai during Ukraine's Kalush Orchestra eventual win.
US state government website attacks (October 2022) targeting approximately 14 US state government websites.
US airport website attacks (October 10, 2022) targeting LAX, Chicago O'Hare, Atlanta Hartsfield-Jackson, and ~10 additional US airports.
US hospitals attacks (January-February 2023) prompting HHS HC3 January 30, 2023 healthcare-sector alert.
Continued sustained 2023-2025 NATO-country targeting A handful of operational notes: First, the cluster represents the central reference for understanding contemporary Russia-aligned hacktivism as operationally distinct from Russia-aligned state-intelligence cyber operations. Defender threat-modeling should treat Killnet as politically-motivated disruption threat operating predominantly DDoS tradecraft, distinct from APT-tier persistent-access-and- data-theft threats from state-aligned Russian clusters. Second, operational impact has been disproportionately reputational and narrative rather than technical. DDoS operations produce brief service disruption with limited sustained harm; the cluster's primary operational impact has come from public-attention-generation and narrative-operations that contribute to broader information-warfare objectives. Defender threat-modeling should account for the information- operations dimension alongside technical-disruption tradecraft. Third, the cluster's freelance-hacktivism-with-state-tolerance analytical framing parallels broader Russia-speaking-cybercrime- and-state-security-services-intersection patterns visible across Wizard Spider / Conti (ContiLeaks contacts), Indrik Spider / Evil Corp (OFAC FSB tasking allegation), Black Basta (BlackBastaLeaks revelations), Play (selective Ukrainian targeting), and Cuba (RomCom RAT operational overlap). The collective Russia-aligned cyber-operations ecosystem represents a gray-zone analytical space where pure-financially-motivated cybercrime, pure-state-intelligence operations, and patriotic- hacktivism overlap and interact rather than operating as cleanly separated cluster categories. Fourth, the cluster's operational sophistication is substantially below state-aligned cluster operations covered in this corpus. Defender threat-modeling for Russia-aligned operations should maintain analytical separation between Killnet-tier hacktivism (DDoS-and-doxxing predominantly) and APT-tier state operations (persistent access, sophisticated implants, sustained intelligence- collection campaigns).

Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null

#{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1 #{curl_path} -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1 #{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1 #{curl_path} -s -A "*<|>*" -m3 #{domain} >nul 2>&1

curl -s -A "HttpBrowser/1.0" -m3 #{domain} curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} curl -s -A "*<|>*" -m3 #{domain}

$url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"

# Add user32.dll for keybd_event Add-Type @" using System; using System.Runtime.InteropServices; public class K { [DllImport("user32.dll")] public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, UIntPtr dwExtraInfo); } "@ # Virtual key codes $VK_LWIN, $VK_R, $KEYDOWN, $KEYUP = 0x5B, 0x52, 0x0000, 0x0002 # Open Run dialog (Win+R) [K]::keybd_event($VK_LWIN, 0, $KEYDOWN, [UIntPtr]::Zero) [K]::keybd_event($VK_R, 0, $KEYDOWN, [UIntPtr]::Zero) [K]::keybd_event($VK_R, 0, $KEYUP, [UIntPtr]::Zero) [K]::keybd_event($VK_LWIN, 0, $KEYUP, [UIntPtr]::Zero) # Short delay for Run dialog Start-Sleep -Milliseconds 500 Add-Type -AssemblyName System.Windows.Forms [System.Windows.Forms.SendKeys]::SendWait("cmd /c powershell -ec " + [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('#{execution_command}')) + "{ENTER}")

Profile

Aliases

Notable Campaigns

Attribution & Reporting

Operational

Techniques Used

Detection Blind Spots

Atomic Test Plan

Tools Used