Threat Actor Characterization
PalachPro
ID: 8e42712d8e2d0d7d6090bd2c3b4c94b794908 | palach | PalachTech | Th************ | — |
MITRE ATT&CK®
PalachPro is a pro‑Russia Telegram hacktivist/cyber-operator brand associated in OSINT with hack‑and‑leak claims (including alleged exfiltration and intent to sell data), co-claims with other brands (e.g., Eye Of Sauron in the Sonata messenger narrative), and OT/ICS-themed access claims discussed in technical analysis with validation caveats. ATT&CK mapping is conservative and emphasizes social-platform coordination/propaganda, data exfiltration intent/claims, and opportunistic abuse of exposed services/weak credentials as plausible enabling paths (labeled INFERENCE where not directly evidenced).
| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1585.001 | Social Media Accounts | TA0042 | |
| T1567 | Exfiltration Over Web Service | TA0010 | |
| T1583.006 | Web Services | TA0042 | |
| T1133 | External Remote Services | TA0001, TA0003 | |
| T1498 | Network Denial of Service | TA0040 | |
PalachPro — Pro‑Russia Hacktivist / “Cyber Operator” Brand (Hack‑and‑Leak Claims + OT/ICS Access Narratives)
Classification: TLP: WHITE — Open Source Intelligence (OSINT)
Category: Cyber / Hybrid — Disruption + hack‑and‑leak claims; OT/ICS access narratives; Telegram‑amplified propaganda
Assessed home base: INFERENCE: Russia-identified / Russia-linked in self-presentation (confidence: medium-high); exact geography remains unconfirmed.
Executive Summary
PalachPro is a pro‑Russia‑aligned hacktivist/cyber‑operator brand visible primarily through Telegram presence, claim-driven incident narratives, and third‑party analytical reporting. The group is associated with (a) hack‑and‑leak style claims targeting Ukraine-aligned entities and European organizations, (b) co-claiming with other brands (notably Eye Of Sauron in the “Sonata Messenger” narrative), and (c) OT/ICS-themed access claims (CCTV/HVAC and industrial targets) discussed in technical analysis.
The most analytically valuable, higher-quality OSINT reference in the reviewed set is Google Cloud Threat Intelligence, which states that PalachPro claimed to have targeted multiple Italian defense companies in November 2025 and alleged data exfiltration, including a claim to sell the data. A separate technical write-up from Forescout analyzes Russian-aligned hacktivist activity and includes a persona (“DarkWarios”) described as being from PalachPro and TwoNet, with claims of access to CCTV systems and even HVAC in government contexts; the same analysis notes validation limitations and victim denials in at least one case, underscoring the need for telemetry-based confirmation.
IOC Appendix (TLP:WHITE) — PalachPro
Note: Reviewed OSINT provides limited stable malware/C2 indicators uniquely attributable to PalachPro. This appendix prioritizes behavioral indicators and correlation cues aligned to hack‑and‑leak and opportunistic access operations.
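As an added defensive illustration (not part of the source profile and not any vendor's detection content), the following Python sketch turns the two behavioral cues named above into correlation logic over constructed log lines: repeated authentication failures that end in a success on an externally exposed service (T1133, the "weak credentials on exposed services" enabling path), followed within a few hours by a large outbound transfer from the same host to a non-allowlisted web service (T1567). The log formats, thresholds, hostnames, domains and IP addresses are all constructed assumptions for the example, not indicators attributable to PalachPro.

```python
"""Behavioral correlation for two ATT&CK cues mapped to PalachPro-style operations:
T1133 (password guessing that succeeds against an exposed remote service) followed
by T1567 (large outbound transfer to a web service). Everything below, including the
log formats and sample events, is constructed for this example and is not telemetry
or an indicator from PalachPro reporting."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log formats (assumed, not a real product's schema):
#   auth: "<ts> <host> <src_ip> <user> FAIL|OK"
#   flow: "<ts> <host> -> <dst_domain> bytes_out=<n>"
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) (?P<user>\S+) (?P<result>FAIL|OK)$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) -> (?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")

# Constructed sample events. file-srv01 is an assumed host with an exposed RDP/VPN
# service; 203.0.113.7 and 198.51.100.20 are documentation-range addresses.
AUTH_EVENTS = [
    "2025-11-03T08:00:01Z file-srv01 203.0.113.7 svc_backup FAIL",
    "2025-11-03T08:00:04Z file-srv01 203.0.113.7 svc_backup FAIL",
    "2025-11-03T08:00:09Z file-srv01 203.0.113.7 svc_backup FAIL",
    "2025-11-03T08:00:15Z file-srv01 203.0.113.7 svc_backup FAIL",
    "2025-11-03T08:00:22Z file-srv01 203.0.113.7 svc_backup FAIL",
    "2025-11-03T08:00:31Z file-srv01 203.0.113.7 svc_backup OK",
    "2025-11-03T08:05:00Z file-srv01 198.51.100.20 j.doe FAIL",   # one typo, then success: benign
    "2025-11-03T08:05:10Z file-srv01 198.51.100.20 j.doe OK",
]
FLOW_EVENTS = [
    "2025-11-03T08:20:00Z file-srv01 -> files.example-share.test bytes_out=734003200",
    "2025-11-03T09:00:00Z ws-17 -> updates.example-vendor.test bytes_out=52428800",
]

# Assumed thresholds; tune to the environment's baseline.
FAIL_THRESHOLD = 5                    # failures before a success that count as guessing
FAIL_WINDOW = timedelta(minutes=10)   # failures older than this are forgotten
EXFIL_BYTES = 500 * 1024 * 1024       # outbound volume worth a second look
EXFIL_WINDOW = timedelta(hours=6)     # how long after the login a transfer still correlates
ALLOWLIST = {"updates.example-vendor.test"}  # known-good web services (assumed)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_weak_credential_access(auth_lines):
    """One alert per (src, user) whose success is preceded by >= FAIL_THRESHOLD
    failures inside FAIL_WINDOW. Maps to T1133 in the table above."""
    failures = defaultdict(list)
    alerts = []
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, key = parse_ts(m["ts"]), (m["src"], m["user"])
        recent = [t for t in failures[key] if ts - t <= FAIL_WINDOW]
        if m["result"] == "FAIL":
            failures[key] = recent + [ts]
            continue
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({"technique": "T1133", "host": m["host"], "src": m["src"],
                           "user": m["user"], "time": ts, "failures": len(recent)})
        failures[key].clear()  # a success resets the counter for this pair
    return alerts


def correlate_exfiltration(alerts, flow_lines):
    """Attach a T1567 cue to any alert whose host later sends a large volume to a
    non-allowlisted web service within EXFIL_WINDOW."""
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, nbytes = parse_ts(m["ts"]), int(m["bytes"])
        if m["dst"] in ALLOWLIST or nbytes < EXFIL_BYTES:
            continue
        for alert in alerts:
            if alert["host"] == m["host"] and timedelta(0) <= ts - alert["time"] <= EXFIL_WINDOW:
                alert.setdefault("followed_by", []).append(
                    {"technique": "T1567", "dst": m["dst"], "bytes_out": nbytes})
    return alerts


def run(auth_lines=AUTH_EVENTS, flow_lines=FLOW_EVENTS):
    return correlate_exfiltration(detect_weak_credential_access(auth_lines), flow_lines)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample this yields a single alert for 203.0.113.7 against svc_backup (five failures, then success) carrying one T1567 follow-up to files.example-share.test; the j.doe login, with a single failure, stays quiet. A T1133 hit on its own is a hunting lead, not proof of compromise; it is the pairing with an unexpected outbound volume, plus host-level telemetry, that turns a hack-and-leak claim into something that can be confirmed or refuted.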