
Threat Actor Characterization

Coup Team

ID: e082c12d2ca61794b37aee719e982311
Cybercrime Cybercriminal DDoS-for-Hire Operator
Threat types: DDoS
Russia ISR, NLD
Updated: 2026-04-07
Created: 2026-02-09
Progress: 87% Completeness: 85% Freshness: 90%
Operation zone: Israel, Netherlands
Aliases: CoupTeam
MITRE ATT&CK®

Coup Team is a hacktivist disruption brand repeatedly listed in public reporting as participating in coordinated or loosely coordinated DDoS campaigns, typically aligned to pro-Russian narratives. The most consistent behavior is short-lived service disruption (DDoS) amplified via public claims and Telegram coordination.


Technique Technique name Tactics Evidence
T1498 Network Denial of Service TA0040
  • 2024-06-14 — Public reporting on EU-election hacktivist activity enumerates Coup Team among groups claiming DDoS activity; this maps to network-level denial of service as an impact technique. · ref
  • 2025-06-18 — Conflict reporting lists Coup Team among groups observed claiming DDoS targeting Israel, consistent with Network Denial of Service as the primary impact mechanism. · ref
T1499 Endpoint Denial of Service TA0040
  • 2024-06-14 — INFERENCE (confidence: medium): DDoS waves against public web services commonly manifest as application-layer exhaustion at the endpoint/service level (HTTP(S) floods), which aligns with Endpoint Denial of Service where the bottleneck is service resources rather than pure link saturation. · ref
T1595 Active Scanning TA0043
  • 2024-10-01 — INFERENCE (confidence: medium): DDoS tasking typically requires target enumeration of exposed web endpoints (domains, paths, ports) prior to flooding; actor is referenced in campaign contexts where such preparation is implicit. · ref
T1583 Acquire Infrastructure TA0042
  • 2024-12-01 — INFERENCE (confidence: medium): Participation in a broader hacktivist ecosystem implies access to acquired infrastructure (VPS, booter-like services, or shared botnet capacity) used to generate attack traffic. · ref
T1102.002 Bidirectional Communication TA0011
  • 2026-02-17 — INFERENCE (confidence: low): Public coordination and claims via Telegram can be modeled as use of an external web service for operational communication. This is included for analyst tracking; it is not a definitive C2 indicator. · ref
T1491.002 External Defacement TA0040
  • 2024-12-01 — INFERENCE (confidence: low): Pro-Russian hacktivist ecosystems frequently mix DDoS with opportunistic external defacement. Actor-specific defacement evidence is limited in high-quality OSINT; include as a low-confidence hypothesis for defensive completeness. · ref
Strategic Intelligence
Last updated: 2026-02-17T20:15:42+00:00

Coup Team — Pro‑Russian hacktivist brand associated with the “Killnet” ecosystem (DDoS / disruption claims)

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

Category: Cyber / Hacktivism (disruption / DDoS) - Origin: Russia-aligned (INFERENCE, confidence: medium)

Author: iQBlack CTI Team



Executive Summary

Coup Team is an online hacktivist label repeatedly listed in public reporting as participating in coordinated or loosely coordinated DDoS and disruption campaigns in support of geopolitical narratives. Multiple open sources place Coup Team alongside well-known pro‑Russian hacktivist brands and “collectives” (e.g., NoName057(16), HackNeT/HakNet, CyberDragon, UserSec, and other “Killnet‑adjacent” clusters). The most consistent, evidence-backed activity profile is service disruption (DDoS) and public “claim” messaging, rather than technically sophisticated intrusion tradecraft.

A visible activity window in public reporting occurred around June 2024 in the context of EU election‑related hacktivist DDoS claims, where Coup Team is enumerated among claiming groups. Additional reporting and compilations during 2024–2025 continue to list Coup Team among hacktivist actors observed claiming DDoS during conflict‑driven campaigns. Open sources also indicate an associated Telegram presence used for posting targets, claims, and rhetoric.

Confidence is medium that Coup Team should be modeled as a hacktivist “brand” operating within a broader pro‑Russian disruption ecosystem (not necessarily a single stable team). Confidence is low‑to‑medium on granular technical specifics (tooling, botnet composition, infrastructure ownership) because public sources often summarize claims and group lists without exposing underlying telemetry.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — Coup Team

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — Coup Team


IOC Appendix
Last updated: 2026-02-17T20:26:06+00:00


This appendix captures a minimal, defensible set of open-source indicators linked to Coup Team.

OSINT Library
Last saved: 2026-02-17T20:20:14+00:00

OSINT Library — Coup Team


2024-06-14 — Radware Security Blog — “Uncovering the Hacktivist Cyberattacks Targeting the EU Election”

Social Media & Communication
SOCMINT integrated: 0/8

Address Verification SOCMINT
t.me/Cou***** Restricted Not integrated
t.me/Cou********* Restricted Not integrated
t.me/Ano************ Restricted Not integrated
t.me/Wor********** Restricted Not integrated
t.me/Cha***** Restricted Not integrated
t.me/Glo************** Restricted Not integrated
t.me/Cou***** Restricted Not integrated
t.me/Bot********** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.