
Threat Actor Characterization

OverFlame


ID: ee7c9196a35cc624774e641bf7962efc
Hacktivist Group Hacktivism
Threat types: Hacktivism, Intrusion, DDoS Attack, OT/CI, Defacement
Russia AUS, POL, UKR
Updated: 2026-04-07
Created: 2026-01-27
Progress: 83% Completeness: 80% Freshness: 90%
Operation zone: Australia, Poland, Ukraine
Aliases
No aliases registered.
MITRE ATT&CK®

OverFlame is a pro-Russia-aligned hacktivist brand frequently referenced in OSINT as an active participant in coalition-style DDoS campaigns (including co-activity with NoName057(16)) and as a member of coalition constructs such as the 'Holy League'. Multiple sources also associate OverFlame with alliances in the pro-Russian OT/critical-infrastructure hacktivist ecosystem (e.g., Sector16/Z-Pentest adjacency and infrastructure sharing narratives). Evidence strongly supports DDoS disruption and propaganda/cross-promotion; OT/ICS intrusion capability is treated as variable and marked INFERENCE where not independently validated.


Technique | Technique name | Tactics | Evidence

T1498 | Network Denial of Service | TA0040
  • 2024-09-20 — Threat report describes OverFlame and NoName057(16) launching a DDoS campaign against Austrian targets.
  • 2024-09-24 — News reporting describes pro-Russia hackers OverFlame and NoName057(16) claiming and conducting DDoS attacks against Austrian websites.

T1585.001 | Social Media Accounts | TA0042
  • 2024-12-12 — OSINT notes OverFlame reshared attack details on Telegram, supporting propaganda/cross-promotion behavior.
  • 2024-07-23 — Coalition membership lists and public posts are used to frame and amplify operations (Holy League context).

T1583.006 | Web Services | TA0042
  • 2024-06-01 — INFERENCE (confidence: medium): OSINT PDF describes OverFlame sharing DDoS-as-a-service infrastructure with another group (DieNET), indicating technical collaboration and shared capacity.

T1595 | Active Scanning | TA0043
  • 2024-09-20 — INFERENCE (confidence: medium): DDoS targeting implies identification and validation of exposed public endpoints prior to attack waves.

Strategic Intelligence
Last updated: 2026-02-23T01:14:12+00:00

OverFlame — Pro-Russia-Aligned Hacktivist Brand (DDoS Coalition Member; OT/CI Narrative Adjacency)

Classification: TLP: WHITE — Open Source Intelligence (OSINT)

Category: Cyber / Hacktivism — DDoS disruption + coalition-driven propaganda; occasional critical-infrastructure narrative adjacency

Assessed home base: Unclear / transnational; consistently described as pro-Russia-aligned in OSINT


Executive Summary

OverFlame is a pro-Russia-aligned hacktivist brand repeatedly referenced in OSINT as an active participant in DDoS campaigns and coalition structures. In 2024, the actor is described as part of hacktivist “coalitions” and as operating alongside NoName057(16) in prominent DDoS waves (e.g., Austria-focused targeting ahead of elections). OSINT also places OverFlame within a broader ecosystem of pro-Russian hacktivist alliances that cross-promote and share operational capacity.

From 2025 onward, reporting increasingly links OverFlame to OT/critical-infrastructure narratives through collaboration/adjacency with Sector16 and Z-Pentest ecosystems, including claims of unauthorized access to industrial control interfaces. These OT-related claims are often framed as intimidation (“proof-of-access” screenshots/videos) and should be treated as variable-impact without victim-side validation.

Confidence is high that OverFlame is a real, active hacktivist brand participating in pro-Russia-aligned DDoS campaigns and coalition messaging. Confidence is medium regarding the actor’s direct OT/ICS intrusion capability, because much of the linkage appears via alliances, shared infrastructure narratives, and claim-driven reporting rather than consistent, independently validated technical artifacts.

IOC Appendix
Last updated: 2026-02-22T02:59:33+00:00

IOC Appendix (TLP:WHITE) — OverFlame


OSINT Library
Last saved: 2026-02-22T02:59:50+00:00

OSINT Library — OverFlame


2024-07-23 — NETSCOUT ASERT — “DDoS Attacks in Spain (Holy League coalition list includes OverFlame)”

Social Media & Communication
SOCMINT integrated: 0/3

Address Verification SOCMINT
t.me/pri********** Restricted Not integrated
t.me/ove********** Restricted Not integrated
t.me/+HZ************** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

[Image: Alliance with Bogatyrskaya Zastava]
[Image: Hacked website]
[Image: Logo]