Threat Actor Characterization

Cyber.Anarchy.Squad

ID: 7c89c4599ea886e33424cc7581978ebd
Hacktivist Group Hacktivism
Threat types: Defacement
Ukraine BLR, RUS
Updated: 2026-04-16
Created: 2025-10-25
Progress: 95% Completeness: 100% Freshness: 100%
Operation zone: Belarus, Russia
Aliases: C.A.S, C.A.S Group
Showing 2 of 8 aliases in free preview.
MITRE ATT&CK®

Technique | Technique name | Tactics | Evidence
T1190 | Exploit Public-Facing Application | TA0001 | 2024-12-18 — C.A.S gains initial access by exploiting public-facing Jira/Confluence/MS-SQL services; phishing not used per actor messages.
T1105 | Ingress Tool Transfer | TA0011 | 2024-12-18 — Ingress Tool Transfer of Revenge RAT, Spark RAT, and Meterpreter during post-exploitation.
T1003 | OS Credential Dumping | TA0006 | 2024-12-18 — Use of credential theft tools including Mimikatz documented in C.A.S investigations.
T1059 | Command and Scripting Interpreter | TA0002 | 2024-12-18 — Command/scripted execution in staging and deployment of RATs and utilities.
T1485 | Data Destruction | TA0040 | 2024-07-29 — Destruction of data reported at Avanpost: >60 TB destroyed; 405 VMs encrypted or wiped.
T1486 | Data Encrypted for Impact | TA0040 | 2024-07-31 — Data encrypted for impact: hundreds of VMs encrypted during Avanpost incident per reporting.
T1071 | Application Layer Protocol | TA0011 | 2024-12-18 — RAT C2 over common application-layer protocols (HTTP/S) as documented for Spark/Revenge RAT.
Strategic Intelligence
Last updated: 2026-02-17T13:14:31+00:00
Cyber.Anarchy.Squad (C.A.S) — pro-Ukraine hacktivist collective targeting Russian/Belarusian organizations

Classification: Unclassified / Open Source Intelligence (OSINT)

Category: Cybercrime / Hacktivism — Origin: Ukraine-aligned (pro-Ukraine ecosystem)

Author: iQBlack CTI Team


Executive Summary

Cyber.Anarchy.Squad (C.A.S) is a pro-Ukraine hacktivist collective active since 2022, conducting destructive and data-leak operations primarily against Russia and Belarus. Public technical reporting (Kaspersky Securelist, 2024-12-18) documents C.A.S campaigns exploiting vulnerabilities in public-facing applications (e.g., Jira, Confluence, MS-SQL) and deploying uncommon RATs (Revenge RAT, Spark RAT) and Meterpreter for post-exploitation. Victimology spans government, telecom, tech, and industrial firms in Russia/Belarus. C.A.S activity includes high-impact disruptions and data destruction, such as the Avanpost (Avanpost/Avapost) breach (2024-07) and the Infotel JSC service disruption (2023-06), both publicly acknowledged by victims/media. C.A.S communicates on Telegram, posts claims/evidence, and has links to other pro-Ukraine groups (Ukrainian Cyber Alliance—UCA, RUH8, RM-RF), with cross-group operational collaboration noted. Overall, C.A.S’s capability to rapidly weaponize Internet-exposed services, combine commodity and rare tools, and coordinate claims places it among the more operationally consequential hacktivist actors in the RU/UA conflict space. Confidence: high for targeting, tooling, and campaign facts; medium for internal membership structure.


  • Industries / Sectors: Government ministries and agencies; telecommunications; financial/banking infrastructure enablers; technology/entertainment; industrial enterprises.
  • Geography (Region): Primarily Russia and Belarus; opportunistic RU-linked providers.
  • Timeframe: 2022–present; notable peaks in 2023–2025.
Executive Analyst Brief for CISO

Why care now: C.A.S has executed confirmed high-impact operations (Avanpost 2024-07; Infotel 2023-06), proving capacity for destruction and encryption beyond DDoS.

IOC Appendix
Last updated: 2025-11-25T20:46:00+00:00

IOC Appendix (TLP:WHITE)


OSINT Library
Last saved: 2025-11-25T20:46:02+00:00

OSINT Library — Cyber.Anarchy.Squad (C.A.S)

2025-08-21 — SecurityWeek (brief via The Record) — “Pro-Ukraine hackers compromise Investment Projects in Russia”

https://www.scworld.com/brief/pro-ukraine-hackers-compromise-investment-projects

Social Media & Communication
SOCMINT integrated: 0/8

Address | Verification | SOCMINT
twitter.com/the******** | Restricted | Not integrated
t.me/cyb**************** | Restricted | Not integrated
t.me/t_y*** | Restricted | Not integrated
t.me/The*************** | Restricted | Not integrated
t.me/cyb************** | Restricted | Not integrated
t.me/Cyb*************** | Restricted | Not integrated
discord.gg/AV8******* | Restricted | Not integrated
dumpforums.to | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence
[Images not reproduced. Captions: Propaganda (merchandising) (2 images); Logo variant (@t_yama); Logo variant; Propaganda (2 images); Affiliation between actors.]