3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
RMRF Group

RMRF Group

ID: aec70f53e5c42b4234c59d6e9c90ed6f92527
Hacktivist Group Hacktivism
Threat types: Intrusion
Ukraine RUS
Updated: 2026-02-23
Created: 2025-10-25
Progress: 85% Completeness: 91% Freshness: 70%
Operation zone: Russia
Aliases Limited alias preview
ReMove -RussianFederation ReMove RussianFederation Re********************** R****
RM********* R*** RM******* su********
Showing 2 of 8 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: high
Actor Techniques page ATT&CK® Diagram

RMRF Group (a.k.a. sudo rm -RF, “ReMove-RussianFederation”) is a pro-Ukraine hacktivist collective linked by public claims to high-impact disruptions and alleged data/backups destruction against Russian entities, including the 2024-10 attack on state broadcaster VGTRK and a 2023-08 breach claim against MosgorBTI.


Technique Technique name Tactics Evidence
T1485 Data Destruction TA0040
  • 2024-10-07 — Reports of data and backup deletion during the VGTRK intrusion attributed to ‘sudo rm -RF’. · ref
  • 2024-10-08 — Follow-up confirms allegations of erased backups at VGTRK per sources. · ref
T1491.002 External Defacement TA0040
  • 2024-10-07 — Broadcast disruption across multiple VGTRK channels, used for narrative impact. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2024-10-07 — INFERENCE: probable use of public-facing application abuse for rapid initial access at media infrastructure; exact vector not disclosed. · ref
T1565.001 Stored Data Manipulation TA0040
  • 2024-10-08 — INFERENCE: stored data manipulation/wipe aligns with reports of non-recoverable backups at VGTRK. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-02-09T03:37:11+00:00
RMRF Group (a.k.a. sudo rm -RF, “ReMove-RussianFederation”) — pro-Ukraine hacktivist collective

CLASSIFICATION: Unclassified / Open Source Intelligence (OSINT)

Category: Cyber / Hacktivism — Origin: Ukraine-aligned (public claims since 2023)


Executive Summary

RMRF Group —frequently stylized as sudo rm -RF— is a pro-Ukraine hacktivist collective that conducts high-impact operations against Russian entities, prioritizing disruption and data destruction and publicly showcasing results. On 2023-08-07, the group claimed to have compromised MosgorBTI (the Moscow real-estate registry) and transferred information on officials and security forces to Ukrainian authorities.

On 2024-10-07, multiple outlets reported an “unprecedented” intrusion against the state corporation VGTRK (Russian television and radio) coinciding with Putin’s birthday; sources attributed the operation to sudo rm -RF, with allegations of backup deletion and outages on dozens of channels.

The operational pattern emphasizes large-scale attacks and rapid disclosure via Telegram/media to maximize reputational effects. Assessed capability: moderate-to-high for disruption and wiping; low public evidence of custom malware. Analytic confidence: high for publicly reported incidents/attribution to sudo rm -RF; medium for internal tactical details.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — sudo rm -RF / RMRF Group


Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook (Splunk/Elastic/Sentinel)

Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Empty Limited preview
Last updated: 2026-01-19T23:13:48+00:00


More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-01-19T23:14:40+00:00

OSINT Library — RMRF Group (“ReMove RussianFederation”)


2025-09-10 — dev.ua — “Interview: ‘Killnet is just a marquee on the road.’ A great interview with Ukrainian hacker Herm1t”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/8
Address Verification SOCMINT
t.me/RMR****** Restricted Not integrated
t.me/+Gc************** Restricted Not integrated
t.me/RMR***** Restricted Not integrated
t.me/RMR***** Restricted Not integrated
t.me/RMR***** Restricted Not integrated
t.me/rmr***** Restricted Not integrated
Address Verification SOCMINT
rm**********@tuta.io Restricted Not integrated
Address Verification SOCMINT
rmrf.info Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–4 of 4 images
Logo variant Free Preview
Logo variant
Actor website Free Preview
Actor website
Propaganda Free Preview
Propaganda
Logo variant Free Preview
Logo variant