3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Cyber Flood

Cyber Flood

ID: 9322a25c5e800328c6cd5de77d0c89ae
Cybercrime Defacement Operator Hacktivist
Threat types: Defacement, Hacktivism, Intrusion, Pro-Hamas, Anti-Israel
Iran ISR
Updated: 2026-03-14
Created: 2025-10-25
Progress: 88% Completeness: 96% Freshness: 70%
Operation zone: Israel
Aliases Limited alias preview
Cyb3r Fl00d Cyb3rFl00d Cy********
Showing 2 of 3 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium-high
Actor Techniques page ATT&CK® Diagram

Cyber Flood (stylized as Cyb3r Fl00d) is a publicly-facing cover persona linked in reporting to Iran-aligned cyber-enabled influence operations (Emennet Pasargad / ASA / Cotton Sandstorm), including bulk messaging campaigns and propaganda-amplified disruption such as defacement used for psychological impact.


Technique Technique name Tactics Evidence
T1566 Phishing TA0001
  • 2024-02-26 — Bulk emails used to amplify claimed attacks or distribute warnings as part of the 'Cyber Flood' operation (influence delivery via messaging). · ref
  • 2024-10-30 — INFERENCE (confidence: medium): Persona operations commonly rely on phishing/impersonation-style delivery to seed links and narratives. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2024-02-26 — Reporting notes use of a compromised account to enhance authenticity of campaign emails (valid account abuse). · ref
T1491.002 External Defacement TA0040
  • 2024-02-26 — Influence ecosystem described embedding messaging into disruptive incidents; includes defacement-style content distribution (digital displays). · ref
T1583.001 Domains TA0042
  • 2024-02-14 — Public indicator set lists a Cyber Flood-branded domain used in campaign presence (domain as infrastructure). · ref
T1585.001 Social Media Accounts TA0042
  • 2024-02-14 — Public indicator set lists Cyber Flood Telegram channels and a Cyber Flood Twitter/X presence (online persona accounts). · ref
Strategic Intelligence
Limited preview
Last updated: 2026-02-20T00:11:56+00:00

CYB3R FL00D / Cyber Flood — Iran-linked cover-hacktivist persona used for cyber-enabled influence operations

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for Decision Makers — CYB3R FL00D / Cyber Flood

Classification: TLP:WHITE — OSINT

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — CYB3R FL00D / Cyber Flood

Classification: TLP:WHITE — OSINT-informed hunting guidance

Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-02-20T00:14:04+00:00

IOC Appendix (TLP:WHITE) — CYB3R FL00D / Cyber Flood

Notes: Indicators are OSINT-sourced and may expire quickly. Treat as pivots for hunting and enrichment; blocking decisions should be risk-based and validated in your environment.

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-02-20T00:14:31+00:00

OSINT Library — CYB3R FL00D

All references are open sources. Links open in a new tab.


Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/6
Address Verification SOCMINT
twitter.com/Cyb******** Restricted Not integrated
Address Verification SOCMINT
t.me/Cyb******** Restricted Not integrated
t.me/Lea************* Restricted Not integrated
t.me/cyb*************** Restricted Not integrated
Address Verification SOCMINT
cyberflood.io Restricted Not integrated
cyberflood.me Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–3 of 3 images
Propaganda Free Preview
Propaganda
Hacked website Free Preview
Hacked website
Logo Free Preview
Logo