3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
DDoS54

DDoS54

ID: 4aa2feb870de8c6bc67df3c7559c4a3539981
Cybercrime Cybercriminal DDoS-for-Hire Operator
Threat types: DDoS Attack, Hacktivism, Intrusion
Algeria DZA, MAR
Updated: 2026-02-19
Created: 2026-02-19
Progress: 72% Completeness: 73% Freshness: 70%
Operation zone: Algeria, Morocco
Aliases Limited alias preview
No aliases registered.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

DDoS54 is an Algerian-linked hacktivist collective associated in OSINT with disruption-focused DDoS campaigns and public claims via Telegram. Reporting also links DDoS54 to collaborations with other DDoS-centric actors (e.g., Keymous+) that amplify attack scale.


Technique Technique name Tactics Evidence
T1498 Network Denial of Service TA0040
  • 2025-04-13 — DDoS54 publicly claimed a large-scale DDoS campaign affecting multiple Moroccan government websites; claim referenced as posted to the group’s Telegram channel. · ref
  • 2025-10-01 — NETSCOUT describes partnership activity involving DDoS54 contributing to collaborative DDoS operations reaching ~44 Gbps and using reflection/amplification and direct flood vectors. · ref
T1499 Endpoint Denial of Service TA0040
  • 2025-10-01 — INFERENCE (confidence: medium): Collaborative operations described by NETSCOUT (multi-vector floods and amplification) are consistent with overwhelming victim-facing endpoints and services beyond pure network saturation. · ref
T1102 Web Service TA0011
  • 2025-04-13 — DDoS54 used a Telegram channel to communicate the DDoS campaign claim and messaging (public coordination/communications pattern). · ref
  • 2024-12-30 — SOCRadar describes Telegram as a common platform for DDoS-centric hacktivist coordination, recruitment, and tooling distribution (general ecosystem context). · ref
T1583 Acquire Infrastructure TA0042
  • 2025-10-01 — INFERENCE (confidence: medium): NETSCOUT’s description of large-scale amplification/reflection vectors implies access to, or use of, third-party infrastructure (reflectors/amplifiers) typical of acquired or abused internet infrastructure. · ref
  • 2025-10-01 — Orange Cyberdefense references DDoS54 collaboration and broader operational scaling dynamics consistent with using external infrastructure and services to increase attack power. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-02-20T02:36:00+00:00

DDOS54 (“DDoS54”) — North Africa hacktivist DDoS collective

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for Decision Makers — DDOS54 (DDoS54)

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — DDOS54 (DDoS54)


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-02-20T02:38:12+00:00

IOC Appendix (TLP:WHITE) — DDOS54 (DDoS54)

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-02-20T02:43:40+00:00

OSINT Library — DDoS54


2025-04-13 — Yabiladi (EN) — “Algerian hackers target Moroccan government sites in escalating cyberwar”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/0
No social links registered for this profile.
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
No images found for this threat.