
Threat Actor Characterization

IT Army of Russia

ID: 60d5067039f6032b8b4659b5ed60b8c776669
Hacktivist Group Hacktivism
Threat types: Hacktivism, Intrusion
Russia UKR
Updated: 2026-04-15
Created: 2026-02-22
Progress: 94% Completeness: 92% Freshness: 100%
Operation zone: Ukraine
Aliases: itarmy_ru, ITRUSSIA
MITRE ATT&CK®

IT Army of Russia is a pro‑Russia-aligned hacktivist campaign brand reported in mid‑2025 OSINT as targeting Ukraine and supporters via Telegram-coordinated operations. Public reporting emphasizes disruption (DDoS) and claim amplification, with some mention of insider recruitment and information collection. Government and partner advisories in late 2025 highlight opportunistic pro‑Russia hacktivist disruption patterns that inform defensive priorities. ATT&CK mapping is conservative: DDoS and social-platform coordination are supported; insider solicitation and related preparatory behaviors are included as INFERENCE where not directly evidenced for this specific brand.


Technique | Technique name | Tactics (evidence listed under each entry)

T1498 | Network Denial of Service | TA0040
  • 2025-07-02 — OSINT reporting describes IT Army of Russia conducting DDoS attacks against Ukraine.
  • 2025-12-18 — Government advisory describes opportunistic pro‑Russia hacktivist disruptive attacks as a broader trend (ecosystem baseline).

T1585.001 | Social Media Accounts | TA0042
  • 2025-07-03 — Reporting describes Telegram being used to coordinate operations and recruit insiders by IT Army of Russia and similar groups.

T1595 | Active Scanning | TA0043
  • 2025-07-03 — INFERENCE (confidence: medium): DDoS campaigns typically require target endpoint discovery and validation prior to wave execution; reporting describes operations targeting Ukraine-aligned services.

T1589 | Gather Victim Identity Information | TA0043
  • 2025-07-03 — INFERENCE (confidence: low–medium): insider recruitment and information collection imply gathering of victim identity/organizational information to facilitate targeting; details are limited in open reporting.

Strategic Intelligence
Last updated: 2026-02-23T02:17:16+00:00

IT Army of Russia — Pro‑Russia‑Aligned Hacktivist Brand (Telegram‑Coordinated Disruption + Insider Recruitment Claims)

Classification: TLP: WHITE — Open Source Intelligence (OSINT)

Category: Cyber / Hybrid — Hacktivism (DDoS + claims), potential data‑theft/insider solicitation (claim-driven)

Assessed home base: Unclear; pro‑Russia alignment reported; Telegram‑centric ecosystem



Executive Summary

IT Army of Russia is a pro‑Russia-aligned hacktivist label reported in OSINT as a newer entrant (mid‑2025 reporting) in the pro‑Russia hacktivist ecosystem targeting Ukraine and its supporters. Open reporting describes Telegram as the primary coordination surface, with campaign-style operations emphasizing disruption (DDoS) and information collection. Some reporting describes insider recruitment attempts and data‑theft operations, though detailed technical corroboration is often limited in publicly available material.

This actor should be treated as a campaign brand in a broader pro‑Russia hacktivist landscape characterized by coalition dynamics, brand churn, and opportunistic targeting. Government and partner advisories in late 2025 emphasize that pro‑Russia hacktivist ecosystems conduct opportunistic disruptive attacks (often DDoS) and—within critical infrastructure contexts—may abuse exposed remote access to OT devices; those advisories provide the best baseline for defensive control priorities, even when not naming every emerging brand.

Confidence is medium that IT Army of Russia is a real and operational hacktivist brand used in Telegram-coordinated campaigns. Confidence is low–medium regarding deeper intrusion capability and insider recruitment effectiveness due to claim-driven reporting and limited victim-side telemetry in the open record reviewed for this deliverable.

IOC Appendix
Last updated: 2026-02-23T02:18:09+00:00

IOC Appendix (TLP:WHITE) — IT Army of Russia

Note: Reviewed OSINT provides limited stable infrastructure IOCs specifically attributable to IT Army of Russia. This appendix focuses on behavioral indicators and correlation cues typical of Telegram-coordinated hacktivist disruption and insider solicitation.

OSINT Library
Last saved: 2026-02-23T02:18:22+00:00

OSINT Library — IT Army of Russia


2025-07-02 — Intel 471 — “Pro-Russian hacktivism: shifting alliances, new groups and risks (mentions IT Army of Russia)”
