3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Karabakh Hacking Team

Karabakh Hacking Team

ID: 25adbb7a464df3f92ecb04395b01569901952
Hacktivist Group Hacktivism
Threat types: Hacktivism, Intrusion
Azerbaijan
Updated: 2026-03-15
Created: 2026-03-15
Progress: 70% Completeness: 70% Freshness: 70%
Operation zone:
Aliases Limited alias preview
KHT
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Karabakh Hacking Team is an Azerbaijani nationalist, conflict-linked hacktivist brand most visibly associated with the 2020 Nagorno-Karabakh war. Public reporting links it to Armenian website defacements, propaganda-centered content replacement, and claims of access to Armenian government documents via MulberryGroupware.


Technique Technique name Tactics Evidence
T1595 Active Scanning TA0043
  • 2020-09-30 — INFERENCE (confidence: medium): The breadth of reported website compromises implies prior identification of exposed Armenian public-facing services and soft web targets. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2020-10-03 — Report.az stated that KHT and AntiArmenia.Org broke into the Armenian government's MulberryGroupware v1 and v2 electronic document management system. · ref
  • 2022-10-21 — A later Azerbaijani military publication repeated the claim that KHT compromised Armenia’s electronic document management system during the war. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2020-09-30 — INFERENCE (confidence: low-medium): Some public-facing website takeovers may have involved weak or compromised administrative credentials rather than only software exploitation. · ref
T1491.001 Internal Defacement TA0040
  • 2020-09-28 — ASPI documented a site shown with Azerbaijani flag imagery and text claiming it was hacked by Karabakh Hacking Team. · ref
  • 2020-09-28 — Axar.az reported Armenian websites were altered to display Azerbaijani slogans and imagery after KHT-linked compromise claims. · ref
T1565.001 Stored Data Manipulation TA0040
  • 2020-09-28 — Website content replacement with slogans, speeches, and national imagery is consistent with stored data manipulation during defacement operations. · ref
T1005 Data from Local System TA0009
  • 2020-10-03 — Public reporting described KHT-linked acquisition and publication of Armenian government documents, consistent with collection of locally accessible files from compromised systems. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-15T03:51:10+00:00

Karabakh Hacking Team — Azerbaijani nationalist / conflict-linked hacktivist brand

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Category: Cyber / Hacktivism / Conflict-linked nationalist collective - Origin: Azerbaijan (assessed)

Author: iQBlack CTI Team


Executive Summary

Karabakh Hacking Team (KHT) is best assessed as an Azerbaijani nationalist hacktivist brand active in the information and cyber layer of the Armenia–Azerbaijan conflict, with its clearest public visibility during the September–October 2020 Nagorno-Karabakh war. Open-source reporting consistently links the name to website defacements, public propaganda, selective leak claims, and at least one publicly claimed compromise of the Armenian government’s electronic document management environment. The actor appears less like a long-lived, technically transparent intrusion set and more like a wartime mobilization brand that combined cyber disruption, symbolic messaging, and psychological pressure.


Public reporting most strongly supports three activity types. First, KHT publicly claimed and was externally reported as responsible for mass compromise and defacement of Armenian websites, including media outlets and official sites, where hacked pages were altered to display Azerbaijani state messaging, national symbols, and references to President Ilham Aliyev. Second, KHT was publicly associated with claims of access to Armenian government documents through compromise of MulberryGroupware v1/v2. Third, the group used Telegram-centered propaganda distribution to turn website compromises into narrative events rather than purely technical intrusions.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Karabakh Hacking Team

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Karabakh Hacking Team


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-15T03:52:52+00:00

IOC Appendix — Karabakh Hacking Team (TLP:WHITE)


More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-15T03:53:06+00:00

OSINT Library — Karabakh Hacking Team


2020-09-28 — ASPI / International Cyber Policy Centre — “Snapshot of a shadow war: a preliminary analysis of Twitter activity linked to the Azerbaijan–Armenia conflict”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/1
Address Verification SOCMINT
t.me/kar****************** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
No images found for this threat.