
Threat Actor Characterization

Pro‑Palestine Hackers Movement


ID: 29a0765877c8ff945846d15b13866e4784732
Hacktivist Group DDoS Crew Hacktivism
Threat types: Hacktivism, Defacement, Intrusion, DDoS Attack, Data Leak
Palestine
Updated: 2026-04-09
Created: 2026-02-19
Progress: 89% Completeness: 88% Freshness: 90%
Operation zone:
Aliases
PPHM PPHM Hacker Pr*****************************
MITRE ATT&CK®

Technique | Technique name | Tactics | Evidence
T1498 | Network Denial of Service | TA0040
  • 2025-01-12 — Reporting attributes DDoS impacts in Italy to PPHM as part of the broader ecosystem; mentions DDoSia tooling.
  • 2024-12-03 — Radware reporting describes PPHM operations including DDoS in pro‑Palestinian hacktivist activity.
  • 2025-01-22 — Orange Cyberdefense dossier characterizes PPHM with DDoS as a primary operation type.
T1491 | Defacement | TA0040
  • 2024-12-03 — Radware reporting lists defacement among PPHM operation types.
  • 2025-01-22 — Orange Cyberdefense dossier describes defacement activity and propaganda‑driven impact.
T1566 | Phishing | TA0001
  • 2025-01-22 — Orange Cyberdefense dossier describes social engineering/phishing narratives (e.g., posing as journalists) to deliver malicious apps or solicit information.
T1190 | Exploit Public-Facing Application | TA0001
  • 2025-01-22 — Orange Cyberdefense dossier references vulnerability exploitation and mentions Metasploit in the group’s ecosystem/tool references.
T1036 | Masquerading | TA0005
  • 2025-01-22 — Reporting describes impersonation/social engineering and fake apps presented as legitimate; mapped as masquerading behavior.
T1204 | User Execution | TA0002
  • 2025-01-22 — Distribution of malicious apps implies victim installation/execution; mapped as user execution where lures drive execution.
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2025-01-22 — Orange Cyberdefense dossier mentions data exfiltration and alleged monetization via leaks; no public technical artefacts for channels.
T1071 | Application Layer Protocol | TA0011
  • 2025-01-22 — Spyware/malware claims imply C2 likely over common web protocols; mapped at a high level due to lack of infrastructure IOCs.
T1583 | Acquire Infrastructure | TA0042
  • 2025-01-12 — Use of DDoS platforms (e.g., DDoSia) implies infrastructure acquisition/coordination; limited direct attribution of infrastructure.
  • 2024-07-23 — NETSCOUT documents coalition-driven DDoS campaigns and membership lists including PPHM; suggests coordinated DDoS infrastructure/volunteer tooling.
T1590 | Gather Victim Network Information | TA0043
  • 2025-01-22 — Campaign-based targeting of high-profile services implies basic victim service discovery; no explicit recon TTPs published.
Strategic Intelligence
Last updated: 2026-02-20T04:08:37+00:00
Pro‑Palestine Hackers Movement (PPHM)

Classification: TLP:WHITE / OSINT / Analytical Product

Author: iQBlack CTI Team



Executive Summary

Pro‑Palestine Hackers Movement (PPHM) appears in OSINT as a decentralized, geopolitically‑motivated hacktivist collective active since October 2023, aligned with pro‑Palestinian narratives and broader anti‑Western hacktivist ecosystems. Its publicly described activity centers on disruptive operations (notably DDoS and website defacement), with occasional claims and reporting that extend into data leaks and opportunistic exploitation of exposed systems. The most detailed public characterization links the collective to a wider coalition referred to as the “Holy League” and to collaboration with multiple hacktivist brands operating on Telegram and adjacent ecosystems.

Operationally, the group’s value proposition is visibility: high‑tempo disruption paired with propaganda amplification across social channels. Where OSINT alleges deeper capabilities (mobile spyware, OT/ICS exploitation, bespoke toolchains), those elements should be treated as higher‑risk but unevenly evidenced and are best handled as capability hypotheses until corroborated by technical artefacts (samples/IOCs) or victim‑side telemetry.

  • Type: Hacktivist collective / movement‑style branding (decentralized).
  • Stated motivation: Support for the Palestinian cause; opposition to Israel and perceived allied states/organizations.
  • Operational model: Coalition‑aligned, campaign‑driven, with coordination and amplification via Telegram and X (Twitter) per OSINT reporting.
  • Assessed home base: Unclear / transnational (OSINT describes geographically dispersed members and affiliated groups).
Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — Pro‑Palestine Hackers Movement (PPHM)

Situation Overview

Pro‑Palestine Hackers Movement (PPHM) is assessed as a movement‑branded pro‑Palestinian hacktivist collective active since October 2023, operating primarily through disruptive campaigns (DDoS, defacement) amplified via Telegram and X. Open sources also associate the brand with a broader coalition (“Holy League”) and multiple collaborating hacktivist groups. The most credible near‑term

Hunting Playbook

Hunting Playbook — Pro‑Palestine Hackers Movement (PPHM) (TLP:WHITE)

Scope: This playbook focuses on high‑probability PPHM‑aligned activity patterns: (1) DDoS against public‑facing services, (2) defacement attempts against web stacks/CMS, and (3) opportunistic phishing/social‑engineering during geopolitical campaigns. It is optimized for SOC/DFIR teams operating standard enterprise telemetry (WAF/CDN logs, web server logs, IAM/SSO logs, EDR, email security).

Operational Assumptions: PPHM

IOC Appendix
Last updated: 2026-02-20T04:07:08+00:00


Status: No high‑confidence, uniquely attributable domains/IPs/hashes were identified in the reviewed open sources for this deliverable.

OSINT Library
Last saved: 2026-02-20T04:08:04+00:00

Curated open sources used to build this profile. Each entry includes publication/observed date, publisher, title, and URL.

Tags: #hacktivism #DDoS #defacement #HolyLeague #PPHM

Social Media & Communication
SOCMINT integrated: 0/7

Address | Verification | SOCMINT
x.com/PPH*** | Restricted | Not integrated
t.me/fre*************** | Restricted | Not integrated
t.me/fre********************** | Restricted | Not integrated
t.me/pph******** | Restricted | Not integrated
t.me/pph******* | Restricted | Not integrated
www.instagram.com/pph****** | Restricted | Not integrated
pphmnews.com | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.