The cybersecurity landscape has witnessed a dramatic escalation in pro-Russian hacktivist activities since the onset of 2025, with emerging alliances between established and newly formed groups launching increasingly sophisticated attacks against Western infrastructure.
These cyber operations, driven by geopolitical tensions surrounding the Russia-Ukraine conflict, have evolved from simple website defacements to coordinated campaigns targeting critical infrastructure across Europe and North America.
The hacktivist ecosystem has undergone significant transformation following the decline of KillNet, which previously dominated the pro-Russian cyber scene.
New groups have emerged to fill this vacuum, including IT Army of Russia, which surfaced in March 2025, and TwoNet, which began operations in January 2025.
These organizations have quickly established themselves as formidable threats, conducting distributed denial-of-service attacks, exploiting SQL injection vulnerabilities, and targeting industrial control systems with unprecedented coordination.
Intel 471 analysts identified a concerning trend in the formation of strategic alliances between these groups, particularly evident in the coordinated #OpLithuania campaign launched in May 2025.
This operation involved seven distinct hacktivist groups, including Dark Storm Team, ServerKillers, NoName057(16), and Z-PENTEST ALLIANCE, targeting Lithuanian financial institutions and government infrastructure following the country’s calls for increased sanctions against Russia.
The technical sophistication of these attacks has reached alarming levels, with groups deploying advanced tools and methodologies previously associated with state-sponsored actors.
The current leader in this space, NoName057(16), operates the DDoSia project, a sophisticated crowdsourced attack platform developed in the Go programming language.
This system utilizes a client identifier tracking mechanism to monitor volunteer contributions, incentivizing participation through cryptocurrency rewards for top performers.
Advanced Attack Infrastructure and Methodologies
The technical arsenal employed by these groups demonstrates a concerning evolution in hacktivist capabilities.
The DDoSia project exemplifies this advancement, functioning as a distributed attack platform where volunteers download and execute builds in their local environments.
The system’s architecture includes:

    // Simplified DDoSia client structure
    type DDoSClient struct {
        ClientID string // identifier used to track a volunteer's contributions
        Target   string
        Method   string
    }
Recent attacks have achieved unprecedented scale, with Cloudflare recording a 7.3 terabits per second DDoS attack in May 2025, consisting primarily of UDP packets.
These groups have also demonstrated capabilities in targeting operational technology environments, successfully manipulating water treatment facility control systems and forcing critical infrastructure to manual operation modes, highlighting the serious implications of their expanding technical proficiency.