3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Cardinal

Cardinal

ID: 6d16b8d48f82d9158ce26311d462cbba21819
Hacktivist Group Hacktivism
Threat types: Hacktivism, Intrusion, DDoS Attack
Russia DNK
Updated: 2026-04-12
Created: 2026-02-20
Progress: 94% Completeness: 92% Freshness: 100%
Operation zone: Denmark
Aliases Limited alias preview
Cardinal Hackers CardinalHackers MO*****
Showing 2 of 3 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Cardinal is assessed as a Russia-aligned hacktivist brand associated with coalition-style DDoS disruption and coercive messaging, most visibly linked in public reporting to the 'Russian Legion' alliance and Denmark-focused threats in early 2026.


Technique Technique name Tactics Evidence
T1498 Network Denial of Service TA0040
  • 2026-01-30 — Public reporting links the Russian Legion alliance (led by Cardinal) to DDoS-focused threats and claimed disruption under 'OpDenmark'. · ref
  • 2026-02-03 — Industrial reporting summarizes Truesec observations, including the Telegram-posted coercive threat and DDoS framing. · ref
T1589.003 Employee Names TA0043
  • 2026-01-30 — INFERENCE (confidence: medium): Availability-centric targeting implies identification of public-facing organisational internet properties as part of target selection. · ref
T1595 Active Scanning TA0043
  • 2025-12-18 — INFERENCE (confidence: medium): Government advisory on pro-Russian hacktivism describes opportunistic activity that commonly involves identifying exposed/available services; scanning/probing is a typical precursor in DDoS targeting workflows. · ref
T1583.006 Web Services TA0042
  • 2025-12-18 — INFERENCE (confidence: low–medium): Pro-Russia hacktivist DDoS activity commonly leverages distributed bot capacity or volunteer tooling rather than bespoke infrastructure. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-02-21T19:20:56+00:00

Cardinal — Pro-Russian Hacktivist Brand (DDoS-centric)

Classification: TLP: WHITE — Open Source Intelligence (OSINT)

Category: Cyber / Hacktivism (Disruption) — Origin: Russia-aligned (assessed)

Author: Jorge Mieres [Principal Analyst]



Executive Summary

Cardinal is assessed as a Russia-aligned hacktivist brand primarily associated with denial-of-service (DDoS) disruption and public influence signaling. Recent public reporting describes Cardinal as a leading component of a newly announced hacktivist alliance branded “Russian Legion,” alongside The White Pulse, Russian Partizan, and Inteid, which issued threats and claimed disruptive activity tied to “OpDenmark” against Denmark in late January–February 2026.

Open reporting indicates the “Russian Legion” alliance was publicly announced on 2026-01-27 and issued a coercive political message on 2026-01-28 via Telegram, threatening escalation beyond DDoS if Denmark did not change policy within 48 hours. This behavior aligns with broader pro-Russian hacktivist patterns documented by government advisories: opportunistic, politically motivated disruption operations aimed at high-visibility public services and trust-critical websites.

Confidence for concrete organizational assertions is medium because public reporting is currently the primary basis and the “Cardinal” label is also used in unrelated contexts (e.g., historical malware naming). However, confidence is high that the cluster’s operational intent is disruption and signaling, based on repeated public threats and DDoS-centric framing in multiple independent reports.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for Decision Makers — Cardinal


Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Cardinal (Hacktivist DDoS & Influence Signaling)


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-02-21T19:22:03+00:00

IOC Appendix (TLP:WHITE) — Cardinal


More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-02-21T19:22:21+00:00

OSINT Library — Cardinal


2026-02-06 — Truesec — “Russian Hacktivist Group "Russian Legion" Initiate OpDenmark”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/11
Address Verification SOCMINT
x.com/reg********** Restricted Not integrated
x.com/car************ Restricted Not integrated
Address Verification SOCMINT
t.me/+mN************** Restricted Not integrated
t.me/+G4************** Restricted Not integrated
t.me/+XM************** Restricted Not integrated
t.me/+OW************** Restricted Not integrated
t.me/+Zo************** Restricted Not integrated
t.me/+zN************** Restricted Not integrated
t.me/+y1************** Restricted Not integrated
t.me/+y-************** Restricted Not integrated
t.me/+nt************** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–4 of 4 images
Alliance with BLACKNET Free Preview
Alliance with BLACKNET
Propaganda Free Preview
Propaganda
Logo / Avatar Free Preview
Logo / Avatar
Propaganda Free Preview
Propaganda