
Threat Actor Characterization

RootSec

ID: 15df8c520255aa33f1e054bf9db3d21c67947
Hacktivist Group Data Leak Channel Hacktivism
Threat types: Hacktivism, DDoS Attack, Data Leak
Unknown ISR, MAR
Updated: 2026-03-04
Created: 2026-02-17
Progress: 81% Completeness: 86% Freshness: 70%
Operation zone: Israel, Morocco
Aliases: RootSec MA
MITRE ATT&CK®

RootSec is referenced in OSINT as a hacktivist-facing label associated primarily with DDoS/service disruption, external defacement, and periodic credential/data exposure claims.


Technique | Technique name | Tactics | Evidence

T1498 | Network Denial of Service | TA0040
  • 2025-01-01 — Public security reporting references DDoS assaults associated with 'RootSec MA' campaigns. This supports modeling RootSec-linked activity as disruption-oriented (DDoS).
  • 2025-07-01 — Ecosystem reporting describes hacktivist activity as dominated by DDoS during conflict-driven spikes. INFERENCE (confidence: medium): RootSec co-occurs in the same ecosystem and is likely to leverage similar disruption methods.

T1491.002 | External Defacement | TA0040
  • 2025-01-01 — Public reporting references defacements in Morocco attributed at campaign level to 'RootSec MA'.

T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2025-06-18 — Public reporting references 'account hijacking' behavior. INFERENCE (confidence: medium): account hijacking implies use of compromised credentials/valid sessions.

T1110.003 | Password Spraying | TA0006
  • 2025-07-01 — INFERENCE (confidence: low): where leaked email/password sets are referenced, follow-on account compromise commonly uses credential stuffing/password spraying patterns.

Strategic Intelligence
Last updated: 2026-02-18T19:35:12+00:00

RootSec — Hacktivist brand associated with DDoS/defacement and data-leak claims

Classification: TLP: WHITE - Open Source Intelligence (OSINT)

IOC Appendix
Last updated: 2026-02-18T19:36:30+00:00

IOC Appendix — RootSec

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-02-18T19:36:44+00:00

OSINT Library — RootSec


2025-06-18 — CloudSEK — “Part 1: The Iran–Israel Cyber Standoff — The Hacktivist Front”

Social Media & Communication
SOCMINT integrated: 0/4

Address | Verification | SOCMINT
t.me/Roo****** | Restricted | Not integrated
t.me/roo****** | Restricted | Not integrated
t.me/rea********* | Restricted | Not integrated
github.com/R00***************** | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.