Threat Actor Characterization

313 Team

ID: 08ee9086c28b81c9f13ac2295bec8475
Cybercrime Defacement Operator Hacktivist
Threat types: Hacktivism, Defacement, DDoS Attack, Pro-Iran
Iran ISR, SAU, ZAF, ESP, TUR, USA
Updated: 2026-04-09
Created: 2025-10-23
Progress: 82% Completeness: 79% Freshness: 90%
Operation zone: Israel, Saudi Arabia, South Africa, Spain, Turkey, United States
Aliases: 313 AL MUJAHIDEEN FORCE
MITRE ATT&CK®

313 Team is a pro-Iran, Shia-aligned hacktivist collective that brands itself as an Islamic cyber resistance group based in Iraq. Public reporting links 313 Team to disruptive DDoS operations against politically symbolic targets such as Truth Social following U.S. strikes on Iranian nuclear facilities, and joint cyberattacks against Saudi government platforms like Qiwa and Absher alongside Yemen Cyber Army and Cyber Islamic Resistance-Axis. The group also promotes its own open-source destructive malware, 313 AlmuntaqimVirus, written in C#, which corrupts the Master Boot Record (MBR), deletes registry keys, and produces visual and audio disturbances for psychological impact. Overall, 313 Team sits in the mid-tier hacktivist band: technically capable of impactful disruption and defacement, tightly coupled to regional ideological narratives, and increasingly integrated into a broader Axis-of-Resistance cyber coalition.


Technique Technique name Tactics Evidence
T1498.001 Direct Network Flood TA0040
  • 2025-06-21 — 313 Team publicly claimed responsibility for a distributed-denial-of-service attack against Donald Trump’s Truth Social platform shortly after U.S. airstrikes on Iranian nuclear facilities. Media and analysts reported that the platform experienced a brief outage with network failure messages, and the Center for Internet Security (CIS) and other watchdogs corroborated a DDoS campaign saturating the service with artificial traffic.
  • 2025-06-22 — Follow-on analysis in regional and security media described a sustained DDoS flood attributed to 313 Team, causing Truth Social to slow to a crawl and return error messages for roughly 60–90 minutes, in line with Network Denial of Service using direct traffic floods.
T1498.001 Direct Network Flood TA0040
  • 2025-09-07 — The Cyber Shafarat reported that 313 Team, together with Yemen Cyber Army and Cyber Islamic Resistance-Axis, conducted a cyberattack against Saudi Arabia’s Qiwa platform (Ministry of Human Resources and Social Development). The report notes approximately five hours of service disruption, consistent with DDoS-based Network Denial of Service targeting a public-facing government web service.
T1498.001 Direct Network Flood TA0040
  • 2025-09-XX — Regional media and Telegram reposts describe 313 Team as part of a coalition (with Yemen Cyber Army, Holy League, Cyber Islamic Resistance-Axis) claiming responsibility for cyber attacks that temporarily disrupted Saudi government services such as Absher and telecom providers, reflecting repeated use of DDoS or similar network-flood tactics against high-profile state platforms.
T1491.001 Internal Defacement TA0040
  • 2025 — A defaced site at heritageflowers.biz displayed a banner 'Seized By 313 Team' with religious slogans and references to Iraqi cyber resistance. This is a classic example of a website defacement used for propaganda and signalling by the group.
T1561.002 Disk Structure Wipe TA0040
  • 2025-07-25 — 313 Team announced an open-source malware tool in C# named 313 AlmuntaqimVirus, describing a function `AlmuntaqimVirus313TeamMBR` that writes random data to the Master Boot Record and explicitly notes that this can make the system unbootable. This behaviour aligns with Disk Structure Wipe targeting the MBR.
  • 2025-07-30 — A detailed write-up on 313 AlmuntaqimVirus explains that the malware corrupts the MBR by randomising its contents, classifying this as a destructive feature that can render systems unbootable and require full recovery.
T1485 Data Destruction TA0040
  • 2025-07-25 — In addition to MBR corruption, 313 AlmuntaqimVirus is advertised by 313 Team as deleting system registry keys via a dedicated routine, and as a tool intended to 'wreak havoc' on victim systems, which collectively represent deliberate data and system structure destruction for impact.
T1112 Modify Registry TA0003 TA0005
  • 2025-07-25 — The malware’s `reg_delete` function is described as issuing commands through cmd.exe to delete system registry keys, directly modifying the Windows Registry as part of its destructive behaviour.
T1059.003 Windows Command Shell TA0002
  • 2025-07-25 — 313 AlmuntaqimVirus uses cmd.exe to execute registry deletion commands, demonstrating use of the Windows Command Shell as a scriptable interface to perform destructive changes on the system.
T1565.003 Runtime Data Manipulation TA0040
  • 2025-07-25 — The tool’s documented functions `PerformBitBltEffects` and a routine that randomly places icons on the screen manipulate what is rendered to the display at runtime, producing heavy visual distortions and chaos for psychological effect rather than data theft.
  • 2025-07-30 — Public analysis of 313 AlmuntaqimVirus notes its use of GDI BitBlt operations and runtime icon overlays to create screen distortions and a chaotic visual environment, aligning with Runtime Data Manipulation to affect the user’s perception of the system state.
T1583.006 Web Services TA0042
  • 2025-07-30 — The Cyber Shafarat article on 313 AlmuntaqimVirus links to a public GitHub repository that hosts the malware’s source code under the 313Team namespace, illustrating the group’s use of third-party web services to host tooling and distribute code.
  • 2025-12-12 — 313 Team operates an official Telegram channel where it publishes communiqués, forwards joint statements from other Axis-of-Resistance cyber entities, and occasionally shares operational content, representing use of web-based messaging platforms as part of their operational infrastructure.
T1585.001 Social Media Accounts TA0042
  • 2025-12-12 — The 313 Team Telegram presence explicitly brands itself as 'Islamic cyber resistance in Iraq' and acts as an official account for recruitment, propaganda, and threat claims, illustrating the establishment of social-media-style accounts to support operations and narrative distribution.
T1591 Gather Victim Org Information TA0043
  • 2025-06-21 — INFERENCE (confidence: medium): The timing and selection of Truth Social as a DDoS target, immediately following U.S. strikes on Iranian nuclear facilities and a celebratory post by Donald Trump, suggests that 313 Team monitors victim organisations and their public communications to select high-symbolism targets and moments.
  • 2025-09-07 — INFERENCE (confidence: medium): 313 Team’s participation in coordinated attacks on Saudi government platforms such as Qiwa and Absher, which are key HR and e-government services, implies prior understanding of the victim organisations’ roles and public-facing services as impactful targets within Saudi digital infrastructure.
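
Added example (not part of the original profile and not the group's code): a hunt for the T1112 / T1059.003 behaviour described above, where cmd.exe is used to delete machine-wide registry keys in quick succession. The event field names follow Sysmon Event ID 1 (process creation); the window and burst thresholds, sample paths, GUIDs and key names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "reg delete <key>" inside a command line; key may be quoted, reg may carry .exe or a path.
REG_DELETE = re.compile(r'\breg(?:\.exe)?"?\s+delete\s+(?:"([^"]+)"|(\S+))', re.I)
MACHINE_HIVES = {"hklm", "hkey_local_machine", "hkcr", "hkey_classes_root", "hku", "hkey_users"}

def hunt(events, window_s=60, burst=3):
    """Return (hits, launcher GUIDs that deleted >= burst distinct keys within window_s)."""
    hits, by_launcher = [], defaultdict(list)
    for ev in events:
        # Only the cmd.exe event is used; the reg.exe child would double-count the deletion.
        if not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = REG_DELETE.search(ev["CommandLine"])
        if not m:
            continue
        key = (m.group(1) or m.group(2)).rstrip("\\")
        if key.split("\\")[0].lower() not in MACHINE_HIVES:
            continue  # per-user hives are out of scope for this hunt
        ts = datetime.fromisoformat(ev["UtcTime"])
        forced = re.search(r"\s/f\b", ev["CommandLine"], re.I) is not None  # /f = no prompt
        hits.append({"time": ts, "key": key, "forced": forced,
                     "launcher": ev["ParentImage"]})
        by_launcher[ev["ParentProcessGuid"]].append((ts, key.lower()))
    bursts = []
    for guid, rows in by_launcher.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            keys = {k for t, k in rows[i:] if t - start <= timedelta(seconds=window_s)}
            if len(keys) >= burst:
                bursts.append(guid)
                break
    return hits, bursts

def _ev(t, guid, parent, cmdline):
    return {"UtcTime": t, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": cmdline,
            "ParentImage": parent, "ParentProcessGuid": guid}

# Constructed sample events (placeholder paths, GUIDs and key names).
SAMPLE = [
    _ev("2025-01-01 10:00:00.100", "{A}", r"C:\Users\Public\sample.exe", r"cmd.exe /c reg delete HKLM\SOFTWARE\ExampleA /f"),
    _ev("2025-01-01 10:00:02.000", "{A}", r"C:\Users\Public\sample.exe", r'cmd.exe /c reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Example B" /f'),
    _ev("2025-01-01 10:00:05.500", "{A}", r"C:\Users\Public\sample.exe", r"cmd.exe /c reg delete HKCR\ExampleC /f"),
    _ev("2025-01-01 10:03:00.000", "{B}", r"C:\Windows\explorer.exe", r"cmd.exe /c reg delete HKLM\SOFTWARE\ExampleD"),
    _ev("2025-01-01 10:04:00.000", "{B}", r"C:\Windows\explorer.exe", r"cmd.exe /c reg delete HKCU\Software\ExampleE /f"),
    _ev("2025-01-01 10:05:00.000", "{B}", r"C:\Windows\explorer.exe", r"cmd.exe /c reg query HKLM\SOFTWARE\ExampleA"),
]
```

`hunt(SAMPLE)` returns four single-event hits and flags launcher `{A}` as a burst; single deletions such as the one from `{B}` are common in administration and installers, so the burst list is the higher-confidence signal.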
Strategic Intelligence
Last updated: 2026-01-27T03:27:05+00:00

313 Team (a.k.a. Team 313) — Pro-Iranian / “Islamic cyber resistance” hacktivist collective

Classification: TLP:WHITE

Author: iQBlack Team



Executive Summary

313 Team (often branded as “Team 313”) is a pro-Iranian, religiously framed hacktivist collective that positions itself as “Islamic cyber resistance in Iraq, soldiers of Imam Mahdi” on Telegram and related channels. Publicly observed activity is dominated by disruptive operations (primarily DDoS) and propaganda-oriented claims against geopolitical adversaries of Iran, especially the United States, Israel, and Gulf states aligned with them.

In June 2025, 313 Team publicly claimed responsibility for a Distributed Denial-of-Service (DDoS) attack that briefly disrupted Donald Trump’s Truth Social platform shortly after the U.S. announced strikes on Iranian nuclear facilities; this claim was echoed in mainstream media, DHS-linked commentary, and private-sector threat reporting that describe the group as Iran-aligned hacktivists. In September 2025, The Cyber Shafarat reported that 313 Team, together with Yemen Cyber Army and Cyber Islamic Resistance-Axis, conducted a coordinated cyberattack against the Saudi government’s “Qiwa” HR platform, reportedly impacting services for several hours.

