
Threat Actor Characterization

SoubearArmy

ID: a51ebeeee9fccf528ada17b7db5c10fd
Hacktivist Group, DDoS Crew, Hacktivism
Threat types: DDoS Attacks, Hacktivism
Russia
Updated: 2026-02-17
Created: 2026-02-17
Progress: 64% | Completeness: 61% | Freshness: 70%
Operation zone:
Aliases
No aliases registered.
MITRE ATT&CK®

SoubearArmy is a hacktivist brand label reported as part of a pro-Russian DDoS alliance linked to the NoName057(16)/DDoSia ecosystem, with activity expressed primarily as disruptive DDoS campaigns against public-facing services (availability impact) rather than covert intrusion.


Technique | Technique name | Tactics | Evidence (bulleted under each row)
T1498 | Network Denial of Service | TA0040
  • 2024-03-01 — Ecosystem reporting describes daily DDoS operations against public-sector and other services; SoubearArmy is named as an allied label in the same context (coalition-level association).
  • 2025-05-01 — DDoS threat landscape reporting highlights the scale of the DDoSia project and references alliances including SoubearArmy (coalition-level).
T1071.001 | Web Protocols | TA0011
  • 2026-01-07 — INFERENCE (confidence: medium): DDoSia-style operations commonly use HTTP(S) at the application layer for flooding activity and/or retrieving configurations; this maps to web protocols usage in the operational chain (ecosystem-level).
T1105 | Ingress Tool Transfer | TA0011
  • 2024-03-01 — INFERENCE (confidence: medium): Ecosystem reporting describes distribution of DDoS tooling to participants (e.g., instructions and software delivery to volunteers), consistent with tool transfer behaviors (ecosystem-level).
T1595 | Active Scanning | TA0043
  • 2026-01-07 — INFERENCE (confidence: low–medium): Target selection for DDoS campaigns typically involves identifying exposed public endpoints and chokepoints; ecosystem-level descriptions imply active discovery and selection of targets.
Strategic Intelligence
Last updated: 2026-02-18T00:21:38+00:00

SoubearArmy — Pro-Russian-aligned hacktivist brand linked to DDoS “alliance” activity

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Category: Hacktivism / Crowd-enabled DDoS (cluster-level association)

Origin: Russia-aligned ecosystem (INFERENCE, confidence: medium)

Author: iQBlack CTI Team




Executive Summary

SoubearArmy appears in public reporting primarily as one of several hacktivist “ally” brands publicly aligned with the pro‑Russian DDoS ecosystem centered on NoName057(16) and its crowdsourced DDoS tooling (“DDoSia”). Public reporting describes an “alliance” including SoubearArmy and other groups, notably connected to attacks against Italian infrastructure, but provides limited independent, actor‑unique technical artifacts directly attributable to SoubearArmy.

Given the available OSINT, the most defensible analytic stance is to treat SoubearArmy as a label within a broader pro‑Russian hacktivist coalition rather than as a fully distinct intrusion set with unique tooling. Where activity is observed, it is most plausibly expressed through commodity DDoS operations (HTTP floods and related volumetric methods) and/or participation in shared “call‑to‑action” targeting cycles published via Telegram channels affiliated with the wider ecosystem.

Confidence in the coalition linkage is medium (reported “alliance” announcements in multiple sources). Confidence in any specific, independent SoubearArmy infrastructure or bespoke tooling is low due to a lack of uniquely attributable indicators in open reporting. Analysts should therefore model SoubearArmy as a campaign tag for coalition activity and track it as part of NoName057(16)/DDoSia‑style operations, with conservative attribution.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — SoubearArmy

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — SoubearArmy (Coalition-linked DDoS)


IOC Appendix
Last updated: 2026-02-18T00:24:59+00:00

IOC Appendix — SoubearArmy (Coalition-linked)

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-02-18T00:25:16+00:00

OSINT Library — SoubearArmy


2024-03-01 — Sekoia.io TDR — “NoName057(16)'s DDoSia project: 2024 updates and behavioural shifts”

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.