
Threat Actor Characterization

Z-Pentest Alliance


ID: 4324563b5322b38d31833a74c88177ab
Hacktivist Group Hacktivism
Threat types: Hacktivism, OT/ICS Intrusion
Serbia AUS, BEL, BGR, CAN, CZE, FRA, DEU, ISR, ITA, LTU, NLD, NOR, POL, PRT, ROU, ESP, TWN, UKR, GBR, USA
Updated: 2026-04-12
Created: 2026-01-20
Progress: 92% Completeness: 88% Freshness: 100%
Operation zone: Australia, Belgium, Bulgaria, Canada, Czech Republic, France, Germany, Israel, Italy, Lithuania, Netherlands, Norway, Poland, Portugal, Romania, Spain, Taiwan, Ukraine, United Kingdom, United States
Aliases: Alianza Z-Pentest, The Western Front (2 of 5 aliases shown)
MITRE ATT&CK®

Z-Pentest Alliance is a pro-Russia-aligned hacktivist coalition brand widely cited in OSINT for targeting critical infrastructure, especially energy and water, and for publishing OT/ICS proof-of-access artifacts to amplify psychological impact. Government and partner reporting on pro-Russia hacktivism emphasizes opportunistic abuse of exposed remote access (including VNC) to reach OT devices. Evidence strongly supports intimidation/disruption posture; true operational impact of OT manipulation claims varies and should be validated with victim telemetry. Techniques involving OT manipulation are marked as INFERENCE where not corroborated.


Technique | Technique name | Tactics | Evidence

T1021.005 | VNC | TA0008
  • 2025-12-18 — Advisory on pro-Russia hacktivists highlights widespread availability of inadequately secured VNC connections used to access OT control devices; Z-Pentest is listed among actors in this trend.
  • 2025-12-09 — Partner press release notes pro-Russia hacktivists capitalizing on exposed VNC to infiltrate OT control devices; Z-Pentest is included in the actor set referenced.

T1210 | Exploitation of Remote Services | TA0008
  • 2025-12-18 — INFERENCE (confidence: medium): Abuse of remote services to access OT devices implies exploitation of remote service exposure and weak access controls.

T1585.001 | Social Media Accounts | TA0042
  • 2025-10-07 — Threat landscape reporting assesses publication of videos showing OT tampering as a psychological impact tactic (propaganda amplification).
  • 2024-01-01 — OSINT report describes Telegram-based coordination and influence amplification for Z-Pentest Alliance.

T1498 | Network Denial of Service | TA0040
  • 2025-12-10 — DOJ release notes CARR (also known as Z-Pentest) conducted DDoS attacks alongside OT intrusions; ecosystem indicates DDoS remains a recurring capability in this space.

T0889 | Modify Program | TA0110
  • 2024-01-01 — INFERENCE (confidence: medium; ICS ATT&CK context): OSINT report emphasizes access to and manipulation of SCADA/ICS interfaces; treat physical/operational impact as variable without telemetry.

Strategic Intelligence
Last updated: 2026-04-12T00:32:51+00:00

Z-Pentest Alliance — Pro-Russia-aligned Hacktivist Alliance (OT/ICS Intrusion & Disruption)

Classification: TLP: WHITE — Open Source Intelligence (OSINT)

Category: Cyber / Hybrid — Hacktivism with OT/ICS focus; intimidation and disruption

Assessed home base: Serbia-linked in self-presentation; operationally embedded in a broader pro-Russia-aligned ecosystem



Executive Summary

Z-Pentest Alliance is a pro-Russia-aligned hacktivist coalition brand frequently cited in OSINT as a high-tempo actor focused on critical infrastructure narratives and, notably, internet-exposed OT/ICS environments. Multiple OSINT sources describe a shift beyond traditional hacktivist DDoS and defacement toward unauthorized access to industrial control interfaces (HMI/SCADA) and the public release of videos to amplify psychological impact.

Government and international reporting on pro-Russia hacktivism highlights opportunistic exploitation of weak remote-access exposures (including VNC) to access OT devices and conduct disruptive operations. In this context, Z-Pentest is consistently positioned among the more prominent pro-Russia-aligned brands targeting critical infrastructure.

Confidence is high that the Z-Pentest Alliance brand is used within pro-Russia hacktivist ecosystems and is strongly associated with OT/ICS-themed intimidation and disruption narratives. Confidence is medium regarding the true operational impact of claimed OT “sabotage,” as several sources assess some claims as primarily psychological and not necessarily resulting in material operational disruption.

IOC Appendix
Last updated: 2026-02-23T03:57:32+00:00

IOC Appendix (TLP:WHITE) — Z-Pentest Alliance

Note: Open sources emphasize an exposure-driven OT access pattern and intimidation artifacts rather than stable malware infrastructure. This appendix prioritizes behavioral indicators and scoping cues over static IOCs.

OSINT Library
Last saved: 2026-02-23T03:57:43+00:00

OSINT Library — Z-Pentest Alliance


2024-01-01 — Orange Cyberdefense (Cyber Intelligence Bureau / Epidemiology Labs) — “Z-PENTEST ALLIANCE (PDF report)”

Reference Images/Associated Evidence

17 images. Captions visible in preview: Reference image, Propaganda, Flags / Propaganda, Alliance with Sandworm Team, Logo.