3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
HARM Alliance

HARM Alliance

ID: 5c6b35ea1356a1168397df22c30e7b2072268
Hacktivist Group Hacktivism
Threat types: Hactivism, Intrusion, Defacement, Propaganda, SCADA, Political
Russia DEU, ISR, ITA, UKR, GBR
Updated: 2026-04-12
Created: 2026-04-06
Progress: 92% Completeness: 88% Freshness: 100%
Operation zone: Germany, Israel, Italy, Ukraine, United Kingdom
Aliases Limited alias preview
HARM HARM Team HA********** HA*****
HA******
Showing 2 of 5 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

HARM Alliance is an emerging pro-Russian hacktivist alliance operating mainly through Telegram-based propaganda, alliance announcements, and opportunistic intrusion or data-theft claims. Current public reporting most strongly supports monitoring it as a coalition-oriented symbolic disruption actor targeting Western- and Israel-linked environments.


Technique Technique name Tactics Evidence
T1583 Acquire Infrastructure TA0042
  • 2026-04-06 — Public channel branding, contact bot, and admin handle show deliberate acquisition and maintenance of actor-controlled online infrastructure for propaganda and coordination. · ref
T1584 Compromise Infrastructure TA0042
  • 2026-04-06 — INFERENCE (confidence: medium): HARM Alliance likely relies on compromised public-facing services or allied access to support data-theft and screenshot-based claims. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2026-04-06 — INFERENCE (confidence: medium): visible claims involving a Spanish agrotech company and an Israel-linked SCADA panel are most plausibly explained by exploitation or abuse of public-facing systems. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2026-04-06 — INFERENCE (confidence: low): some shallow-access or configuration-theft claims could involve valid accounts or weak/default credentials rather than direct software exploitation. · ref
T1005 Data from Local System TA0009
  • 2026-04-06 — Public claim text references extraction of customers, contracts, logins/passwords, and system settings from a Spanish agrotech company. · ref
T1020 Automated Exfiltration TA0010
  • 2026-04-06 — INFERENCE (confidence: low): if the Spanish agrotech claim is genuine, exfiltration of structured data likely occurred before publication. · ref
T1589 Gather Victim Identity Information TA0043
  • 2026-04-06 — INFERENCE (confidence: low): victim profiling and symbolic target selection suggest collection or assessment of organizational information before claims are published. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-04-06T18:15:43+00:00
HARM Alliance — Emerging pro-Russian hacktivist alliance / leak-and-disruption cluster

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Hacktivism / politically motivated cyber activity - Origin: Russia-aligned ecosystem

Author: iQBlack CTI Team


Executive Summary

HARM Alliance is an emerging Telegram-centric hacktivist group operating inside the broader pro-Russian cyber-propaganda environment. Publicly observable material indicates that the group presents itself as a “Hacker Alliance - Righteous Mission,” uses Telegram for branding and coordination, and publishes claims involving data theft, politically framed targeting, and at least one SCADA-themed intrusion claim. Confidence is medium that HARM Alliance is a real and active group identity rather than a purely cosmetic label.

Available evidence does not support treating HARM Alliance as a mature intrusion set with deeply documented tradecraft. Instead, the group is best modeled as a low-to-medium maturity alliance-style cluster whose operational value lies in propaganda, symbolic targeting, opportunistic exfiltration claims, and ecosystem-level alliance signaling. Its channel description, visible admin/support handles, and alliance announcements indicate deliberate brand construction rather than a one-off campaign artifact.


Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — HARM Alliance

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — HARM Alliance


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-04-06T18:19:42+00:00

IOC Appendix — HARM Alliance

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-04-06T18:19:59+00:00

OSINT Library — HARM Alliance


2026-04-06 — Telemetr.io — “HARM Alliance”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/5
Address Verification SOCMINT
t.me/har************* Restricted Not integrated
t.me/CEO******** Restricted Not integrated
t.me/har***** Restricted Not integrated
t.me/+FZ************** Restricted Not integrated
t.me/har******** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–6 of 6 images
Hacked website Free Preview
Hacked website
Alliance with Holy League Free Preview
Alliance with Holy League
Alliance with Inteid Free Preview
Alliance with Inteid
Alliance with QuietSec Free Preview
Alliance with QuietSec
Alliance with Russian Partisan Free Preview
Alliance with Russian Partisan
Logo / Avatar Free Preview
Logo / Avatar
Showing 4 of 6 images in preview mode. Additional evidence is restricted for Analyst and Premium plans.