RuntimeTerror is an assessed persona within the pro-Ukraine hacktivist ecosystem, tentatively associated with the RMRF Group cluster. Public OSINT directly evidences RMRF-linked intrusions and large-scale data leaks against Russian fuel and oil-refining companies, with stolen data (>100 GB) packaged and published via cloud storage. No malware family or toolset is clearly branded to RuntimeTerror personally; accordingly, this ATT&CK mapping is primarily at the RMRF cluster level, with several techniques marked as INFERENCE where procedures are not explicitly documented.
| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1560.001 | Archive via Utility | TA0009 | 2024-05-03 — Archive Collected Data: Archive via Utility — OsintFlow announces a new cooperation line with hackers from RMRF Group and presents a leak of more than 100 GB of documents from the Russian fuel-trading company Flotsnab; the data is explicitly offered as a downloadable archive, implying that the operators compressed and packaged stolen files prior to publication, consistent with T1560.001 use of archiving utilities before exfiltration. |
| T1567.002 | Exfiltration to Cloud Storage | TA0010 | 2024-05-03 — Exfiltration Over Web Service: Exfiltration to Cloud Storage — The same OsintFlow article on cooperation with RMRF Group provides a Mega.nz link to the >100 GB Flotsnab document dump (archive password set to "RMRF"); this demonstrates that exfiltrated corporate data is staged to public cloud storage and then distributed, matching T1567.002 (cloud storage-based exfiltration and leak publication). |
| T1595.002 | Vulnerability Scanning | TA0043 | 2026-01-19 — INFERENCE (medium confidence) — Active Scanning: Vulnerability Scanning. OsintFlow describes that organizations of Russia’s oil-refining complex are under close scrutiny by Ukrainian ‘birds’ in partnership with RMRF Group, and presents a successful deep compromise of Flotsnab with large internal data theft. Given the nature of the victim (fuel/oil-trading infrastructure) and typical RU–UA hacktivist tradecraft, it is likely that RMRF-linked operators, including the RuntimeTerror persona, employ automated vulnerability and exposure scanning of Russian internet-facing assets to identify targets prior to intrusion, even though specific scanners or commands are not detailed in public reports. |
| T1190 | Exploit Public-Facing Application | TA0001 | 2026-01-19 — INFERENCE (low–medium confidence) — Exploit Public-Facing Application. The documented breach of the Russian company Flotsnab, resulting in theft of >100 GB of internal corporate documents and a subsequent leak via RMRF–OsintFlow cooperation, implies successful compromise of internal business systems. In the absence of detailed kill-chain reporting, exploitation of public-facing web applications, VPNs or remote management portals is assessed as a plausible initial access path, and T1190 is used here as a generic placeholder for this likely but unconfirmed vector. |
| T1585.001 | Social Media Accounts | TA0042 | 2024-10-10 — Establish Accounts: Social Media Accounts — RMRF Group maintains an official, branded Telegram public channel (@rmrfgroup, “RMRF Official Channel 🇺🇦”) used to disseminate news, statements and references to leaks (including links back to rmrf.info and cooperative investigations). This fits ATT&CK T1585.001, in which threat actors establish and operate social media accounts as part of their public presence, influence activity and operations messaging. |
| T1585.003 | Cloud Accounts | TA0042 | 2026-01-19 — INFERENCE (medium confidence) — Establish Accounts: Email Accounts. RMRF Group’s public profiles reference an email contact ([email protected]) alongside chat and channel handles, indicating that the cluster maintains dedicated communication endpoints for coordination, submissions and outreach. While there is no direct evidence of these accounts being abused for phishing or direct intrusion, their existence as operational contact channels is consistent with ATT&CK T1585.003 (threat-run email accounts to support campaigns and liaison). |
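The two directly evidenced techniques above form a detectable chain: an archiving utility runs on a host, and the same host then reaches a cloud-storage service such as Mega.nz. The Python below is an added example (not part of this profile or any RMRF reporting) that correlates those two signals in a constructed, pipe-delimited event log; the log format, hostnames, tool list and the six-hour window are assumptions.

```python
"""Detection sketch for the T1560.001 -> T1567.002 chain in the evidence:
archiver launch, then a cloud-storage DNS lookup from the same host.
Log format and sample events are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Archivers commonly abused for T1560.001 (extend for your estate).
ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar", "zip"}
# mega.nz is the service named in the RMRF evidence; the alias is an assumption.
CLOUD_DOMAINS = {"mega.nz", "mega.co.nz"}
WINDOW = timedelta(hours=6)  # max gap between archiving and the lookup


def parse_line(line):
    """Parse 'ts|host|kind|detail'; return None for malformed lines."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, kind, detail = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return {"ts": when, "host": host, "kind": kind, "detail": detail}


def correlate(lines):
    """Return (host, archive_ts, dns_ts, domain) for every cloud-storage
    lookup that follows an archiver launch on the same host within WINDOW."""
    archives = defaultdict(list)
    hits = []
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    for e in events:
        if e["kind"] == "process":
            image = e["detail"].split()[0].rsplit("\\", 1)[-1].lower()
            if image in ARCHIVE_TOOLS:
                archives[e["host"]].append(e["ts"])
        elif e["kind"] == "dns":
            domain = e["detail"].lower()
            if any(domain == d or domain.endswith("." + d) for d in CLOUD_DOMAINS):
                for started in archives[e["host"]]:
                    if timedelta(0) <= e["ts"] - started <= WINDOW:
                        hits.append((e["host"], started, e["ts"], domain))
                        break
    return hits


SAMPLE = [  # constructed events: only fs01 shows the full chain
    "2024-05-01T02:10:00|fs01|process|C:\\Tools\\7z.exe a out.7z D:\\docs",
    "2024-05-01T03:40:12|fs01|dns|mega.nz",
    "2024-05-01T09:05:00|ws07|dns|mega.nz",
    "2024-04-28T11:00:00|fs02|process|C:\\Tools\\rar.exe a bk.rar E:\\share",
    "2024-05-01T12:00:00|fs02|dns|mega.nz",
]
```

A lookup with no preceding archiver (ws07) and an archiver run days before the lookup (fs02) are both left out, so only the fs01 sequence is reported.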