3C-INT | [Cyber]Crime Characterization for Intelligence

Narodnaya CyberArmiya

ID: 6c787c3b8f5c8385213bd014e9367e3355667

Hacktivist Group DDoS Crew Hacktivism

Threat types: Defacement, Intrusion, DDoS, Propaganda

Russia UKR, USA

Updated: 2026-04-12

Created: 2025-10-20

Progress: 92% Completeness: 88% Freshness: 100%

Operation zone: Ukraine, United States

Aliases Limited alias preview

C.A.R.R.	CARR	Ci*******************	Cy******************
Cy*************************	Cy**********************	Cy*****************	Cy**********************
Na******************	N**	Pe*****************	th*********************
Th*******************************	На*****************	На*************************	—

Showing 2 of 15 aliases in free preview.

Associated Threat Relationships

Limited preview

Related profiles 11
Related files 0

Related profiles

ID	Threat	Origin	Type	Categories
4c05b1e5e29d9d8b9d060a33399e271c	CyberDragon	Unknown	ally-of	Hacktivist Group
bc0dc0b7ded7bd81aef1307a1d7350af78029	Degtyarenko	Russia	member-of	Cybercrime
6467d88491553c77b3bd09c424627e5368291	error_404_smoke	Russia	member-of	Cybercrime
2351a5d9cf5d5b7183400840e36e37b282707	KillMilk	Russia	related	Cybercrime
78dd1c3c3dfc6fcbbda95d743ab0e2f732121	NoName057(16)	Russia	ally-of	Hacktivist Group
ee7c9196a35cc624774e641bf7962efc	OverFlame	Russia	ally-of	Hacktivist Group
958a59d20a43b9f22f914bc556fb14f439035	Pankratova	Russia	member-of	Cybercrime
fe9a74adcf33cbcff8ce1ce59ccc597a29517	Sector16	Russia	ally-of	Hacktivist Group
ba0e9ae91ba1b9b5b915d1d4b147736311264	SKILLNET	Russia	ally-of	Hacktivist Group
131885bdee7830a7b8da4526fc33b96895956	UserSec	Russia	affiliated	Hacktivist Group
6510ee192f0b33ba10a9895a3aa93ba437033	Z-INQUISITOR	Russia	ally-of	Hacktivist Group

Related files

No related files found.

Actor Network Graph

Open Network Graph

Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.

MITRE ATT&CK®

confidence: high

Actor Techniques page ATT&CK® Diagram

Narodnaya CyberArmiya (People’s Cyber Army / CARR) — pro-Russia hacktivist label specializing in Telegram-coordinated DDoS against Ukraine and pro-Ukraine states. Public records show target call-outs followed by website outages; U.S. Treasury (July 19, 2024) sanctioned two leaders, describing the group as government-aligned. Capability: low–moderate technically, high in tempo and publicity.

Technique	Technique name	Tactics	Evidence
T1498	Network Denial of Service	TA0040	2022-11-28 — Detector Media reports DDoS after a post on the Narodnaya Cyber Armiya Telegram channel naming it a new target. · ref
T1585	Establish Accounts	TA0042	2022–2025 — Group operations organized and publicized via Telegram channels; media and monitors reference specific call-outs. · ref
T1102	Web Service	TA0011	2024-08-13 — SOCRadar profile outlines People's Cyber Army/CARR as a Telegram-centric hacktivist operation (web service as broadcast). · ref
T1589	Gather Victim Identity Information	TA0043	2024-12-01 — National CSIRT report documents politically motivated DDoS tied to Narodnaya CyberArmiya’s Telegram narrative. · ref

Strategic Intelligence

Limited preview

Last updated: 2026-04-13T00:48:39+00:00

Preliminary Strategic Intelligence

Narodnaya CyberArmiya (People’s Cyber Army / CARR) — Pro-Russia Hacktivist DDoS Coalition

CLASSIFICATION: Unclassified / Open Source

Executive Summary

Narodnaya CyberArmiya (Народная CyberАрмия) — often branded in English as the People’s Cyber Army or Cyber Army of Russia Reborn (CARR) — is a prominent pro-Russia hacktivist label active since early 2022, specializing in high-tempo DDoS and propaganda operations against Ukraine and pro-Ukraine states. Public reporting and advisories describe the group’s Telegram-centric tasking model, political targeting, and repeated call-outs that precede attacks on media and public portals. In July 2024, the U.S. Treasury sanctioned two named leaders, framing the entity as government-aligned; analysts and regulators continue to debate the boundary between state enablement and “hacktivism.” Overall capability: low–moderate technically (L7/L4 floods, botnets, open proxies), high in tempo and publicity, with demonstrated cross-campaign influence effects. Confidence: high

Brand & naming. The label appears as Narodnaya CyberArmiya / People’s Cyber Army, and widely as Cyber Army of Russia Reborn (CARR) in sanctions and vendor profiles. Telegram posts frame political motives (retaliation for pro-Ukraine stances) and call for crowd participation
Positioning. Multiple sources profile CARR as a prominent hacktivist outfit conducting disruptive campaigns; narratives oscillate between “grassroots” and state-aligned depending on the source.

Objectives. Availability disruption for narrative/psychological effect, timed to news cycles (sanctions, elections, battlefield events). Telegram broadcasts name the target, then the attack follows (media outlets note the causality).
Influence model. Public claims, scoreboard-style proofs (uptime checks), and coalition amplification with other pro-Russia banners. INFERENCE (medium) from ecosystem reporting.

Full strategic intelligence is available in Analyst and Premium plans.

Executive Analyst Brief for CISO

Saved Limited preview

Executive Analyst Brief for Decision Makers — Cyber Army Russia Reborn (CARR)

Classification: Unclassified / OSINT — TLP:CLEAR

Upgrade to access the full executive brief.

Tip: Hover the section title to learn what’s included in Analyst / Premium plans.

Saved successfully.

Hunting Playbook

Saved Limited preview

Hunting Playbook — Cyber Army Russia Reborn (CARR)

Classification: Unclassified / OSINT — TLP:CLEAR

Upgrade to access the full hunting playbook.

Tip: Hover the section title to learn what’s included in Analyst / Premium plans.

Saved successfully.

IOC Appendix

Saved Limited preview

Last updated: 2026-04-13T00:49:19+00:00

IOC Appendix (TLP:WHITE) — Cyber Army Russia Reborn (CARR)

Important: CARR activity is frequently opportunistic and may not reuse stable infrastructure. Many “indicators” are behavioral (exposure patterns) rather than durable hashes/domains.

More IOC context for Research. Full appendix for Analyst and Premium plans.

Saved successfully.

OSINT Library

Saved Limited preview

Last saved: 2026-02-18T00:02:46+00:00

OSINT Library — Cyber Army Russia Reborn

2025-12-09 — FBI / CISA (Joint CSA) — "Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure (AA25-343A)"

Full OSINT references available for Research / Analyst.

Saved successfully.

Social Medial & Communication

SOCMINT integrated: 0/10

Telegram 10 0

Address	Verification	SOCMINT
`t.me/Cyb*********************`	Restricted	Not integrated
`t.me/Cyb**********************`	Restricted	Not integrated
`t.me/Cyb**************`	Restricted	Not integrated
`t.me/+0I**************`	Restricted	Not integrated
`t.me/+f1**************`	Restricted	Not integrated
`t.me/Cyb****************`	Restricted	Not integrated
`t.me/Cyb***********************`	Restricted	Not integrated
`t.me/SRK***************`	Restricted	Not integrated
`t.me/+27**************`	Restricted	Not integrated
`t.me/rus***************`	Restricted	Not integrated

Notes: preview mode hides sensitive social/contact details.

Reference Images/Associated Evidence Limited

Free Preview

Propaganda

Threat Actor Characterization

Narodnaya CyberArmiya

Associated Threat Relationships

Related profiles

Related files

Actor Network Graph

MITRE ATT&CK®

Strategic Intelligence

Executive Summary

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — Cyber Army Russia Reborn (CARR)

Hunting Playbook

Hunting Playbook — Cyber Army Russia Reborn (CARR)

IOC Appendix

IOC Appendix (TLP:WHITE) — Cyber Army Russia Reborn (CARR)

OSINT Library

OSINT Library — Cyber Army Russia Reborn

Social Medial & Communication

Reference Images/Associated Evidence Limited