
Z-Pentest and the hacktivist offensive against exposed SCADA, CCTV, and automation systems

Z-Pentest represents a form of pro-Russia-aligned hacktivism centered on exposed SCADA/OT/ICS systems, CCTV/NVR infrastructure, and automation tied to sensitive processes. Its activity reflects a mix of ideology, public intimidation, and the propagandistic use of surfaces with operational value.


Since the beginning of the war between Ukraine and Russia, pro-Russia hacktivism has gradually stopped looking like a noisy outer layer of the conflict and started to reveal a far more uncomfortable face, one that makes clear it is no longer just about DDoS attacks or flashy defacements. Among groups such as NoName057(16), OverFlame, PalachPro, PerunSwarog, Server Killers, inteid, Morningstar, and many others, activity increasingly recurs around exposed systems connected to water, energy, climate control, surveillance, or industrial automation.

Within that landscape, Z-Pentest stands out for the persistence with which it returns to exposed SCADA/OT/ICS systems, CCTV/NVR infrastructure, and automation tied to sensitive processes. That is where much of its distinctiveness lies: not only in the type of surface it exploits, but in the way it turns those accesses into a narrative of war, geopolitical hostility, and public intimidation. It is not a complete anomaly inside the pro-Russia ecosystem, because since the start of the war between Ukraine and Russia that scene has already shown actors increasingly comfortable operating on less conventional layers of digital conflict. It is, however, a fairly clear expression of that evolution.

While part of hacktivism still revolves around attention-grabbing DDoS campaigns or defacements with more aesthetics than substance, Z-Pentest keeps returning to water systems, sanitation, pumping stations, climate control, surveillance, building automation, and light industrial equipment.

The numbers help ground that impression. Across a broad set of publications attributed to the group, the most visible pattern does not sit in the public web layer, but in systems with some degree of operational relevance. Water, sanitation, and pumping account for 127 observed incidents. Far behind come Website/DDoS/Propaganda with 65, Building/Facility Automation with 56, CCTV/NVR/Surveillance with another 56, and HVAC/Refrigeration/Climate with 47. When viewed by sector, the picture becomes even clearer: Water & Wastewater accounts for 119 events, Construction & Industry 56, Hospitality & Leisure 54, Energy & Utilities 44, Agriculture & Food 18, and Healthcare 12. Put differently, the group does not operate exclusively in critical infrastructure, but neither does it remain confined to trivial or purely decorative targets. It alternates between sensitive environments and others that are extremely useful for spectacle, humiliation, or propaganda.

The distribution by system layer confirms that Z-Pentest is not limited to DDoS or defacement: a central part of its visible activity keeps returning to environments with greater operational value.

 

The sectoral distribution shows a combination of sensitive targets and others with high propagandistic value, more useful for public display than for sustained damage.

 

Z-Pentest seems to move comfortably within a logic that has become increasingly profitable inside pro-Russia hacktivism. It does not take catastrophic sabotage to produce a useful political effect. Sometimes it is enough to show access to a treatment plant, a pumping station, a hospital HVAC system, a camera network, or a domestic or commercial control panel. Once published in the right tone, that access can be used to intimidate, humiliate, project capability, and build internal prestige.

Within that logic, the countries do not seem to have been chosen at random either. Italy, Spain, Poland, the United States, France, and Israel appear among the hardest hit in the observed universe, alongside activity in Romania, Lithuania, Portugal, Belgium, Bulgaria, the Czech Republic, Taiwan, and other lower-density environments. Italy accounts for 50 incidents, Spain 48, Poland 41, the United States 28, Romania 26, France 22, and Israel 21. There is a visible geography to the targeting, and it makes sense to read it politically, not only operationally. Part of the group’s value lies in how it turns those accesses into a map of hostility.

The countries most affected in the observed universe reinforce that Z-Pentest’s targeting does not respond only to technical opportunity, but also to a visible geography of political hostility.

 

Z-Pentest is not a generic pro-Russia group. It is a more charged mix of Serbian nationalism, antagonism toward Ukraine, NATO, and Israel, and a rhetoric that is aggressive, revanchist, and in several cases openly antisemitic. That helps explain why it selects certain countries and why it seeks to give its actions a broader political meaning rooted in wartime memory, anti-Western resentment, religious and cultural affinities, and a narrative of historical grievance that still carries weight in sectors of Serbian nationalism.

This becomes even more interesting when viewed against the broader evolution of pro-Russia hacktivism. Russia carries a long-standing reputation in the development and distribution of malicious code, botnets, exploit kits, and complex criminal ecosystems. Since the war with Ukraine, it has also been showing a hacktivist environment that is increasingly aggressive, more coordinated, and more willing to operate on surfaces that used to be less valued. Z-Pentest is not alone in that transformation. Other actors such as OverFlame, PalachPro, PerunSwarog, Server Killers, or inteid help show that the phenomenon is becoming broader, more complex, and more hostile as it seeks to exploit access to exposed systems with operational value and strong propagandistic potential.

Within that broader web, another element appears that deserves caution, but should not be ignored: the public and strategic alignment that Z-Pentest projected with Sandworm. The group framed that relationship in terms of operational integration, although for now there is not enough basis to treat that claim as a confirmed organic link. Even so, the reference does not seem entirely random. Sandworm has for years been strongly associated with critical infrastructure, OT/ICS environments, energy, water, and operations with potential for physical disruption, and it is precisely on that kind of surface that Z-Pentest has built its profile.

There is another element worth keeping in view. The recurring use of labels such as “students,” “new student,” or “apprentice” can be read as propagandistic excess, but their repetition also leaves open a much more serious possibility: that the group may function not only as an offensive actor, but also as a space for learning, training, or the circulation of techniques. If that were even partially true, the issue would no longer be only what Z-Pentest does today, but what it may be able to teach, normalize, or recycle inside a broader ecosystem. From an intelligence perspective, that point matters.

The relational layer also adds density, although it should not be overstated. There is visible proximity to NoName057(16), as well as a zone of convergence that brushes against other fronts already explored editorially by iQBlack, including those where the pro-Russia ecosystem begins to intersect with anti-Israeli or pro-Palestinian spaces. There is no need to retell that entire story here. It is enough to say that Z-Pentest does not operate in isolation and that its activity becomes easier to understand when placed within a setting where tactical and narrative compatibilities increasingly carry their own weight.

Even so, some clear-eyed caution is still necessary, because it remains unclear to what extent each of the group’s publications reflects sustained material impact, or how much of its activity corresponds to theatricalization. Even after discounting potential noise, Z-Pentest represents a form of pro-Russia hacktivism that repeatedly relies on access to exposed SCADA/OT/ICS systems, CCTV/NVR infrastructure, and automation connected to sensitive processes, and turns that layer into part of a narrative of war, intimidation, and internal legitimacy.

Part of hacktivism no longer seems satisfied with taking down web resources or signaling political hostility through a striking defacement. It is also trying to show that it can reach into exposed systems with operational value and turn those accesses into propaganda, reputational pressure, and public demonstrations of capability. The more detailed descriptive component on Z-Pentest has already been absorbed into the strategic and preliminary work developed within 3C-INT. What matters here is something else: what this group reveals about the evolution of an ecosystem that has stopped being as simple as many still prefer to describe it.

 

Methodological note: This article was produced using internal profiling inputs developed in 3C-INT on Z-Pentest Alliance, along with analysis of the actor’s public channels.


iQBlack | Threat Intelligence & Threat Research. © Copyright 2026. All Rights Reserved.