GhostSec
GhostSec is a hacktivist collective, described in source reporting as Anonymous-affiliated and, in some reporting, Iran-affiliated. It has targeted Islamic extremist content online, Israeli organizations, industrial control and water-related systems, satellite/GNSS infrastructure, and social media accounts. GhostSec is the only name recorded for the group in the reporting; related groups mentioned include CtrlSec, which was founded by the GhostSec-linked operator “Mikro” and shared personnel and resources with GhostSec.
GhostSec’s self-declared mission was to target Islamic extremist content on websites, blogs, videos, and social media accounts using both “official channels” and “digital weapons.” It reportedly conducted DDoS attacks against ISIS-linked websites and claimed to have disrupted or taken down more than 130 such sites. Mikro is identified as GhostSec’s “operations officer,” and GhostSec and CtrlSec are described as originating from Anonymous.
In later reporting, GhostSec is associated with disruptive and opportunistic hacktivist activity tied to the Israel-Hamas and Israel-Iran conflicts. The group is cited as targeting Unitronics PLCs and Aegis devices used to control water pumps, and as compromising Israeli water, industrial control, and satellite systems. One report says GhostSec claimed on October 13, 2023 to have hacked multiple Unitronics devices and 27 Aegis devices. Other reporting states that GhostSec targeted PLCs linked to Israeli media and water systems, and claimed access to water/ICS and satellite systems during 2025 conflict-related operations.
GhostSec also targeted satellite-related infrastructure. In 2023 it reportedly attacked numerous GNSS receivers in countries including Russia and Israel, and in some cases claimed to have wiped data from compromised receivers. Additional reporting describes GhostSec as part of hacktivist activity involving DDoS, web defacement, and claimed intrusions into VSAT terminals and satellite operators.
The reporting also links GhostSec to ransomware operations. It references GhostLocker ransomware and GhostStealer, and describes GhostSec as collecting local and system information, encrypting victim data for impact, inhibiting recovery, and using bootkit elements, obfuscation, process injection, masquerading, and timestamp modification for defense evasion. In May 2024, GhostSec reportedly announced it was ending its ransomware operations and returning to hacktivism, with GhostLocker RaaS operations to be handed off to Stormous.
Across the sources, GhostSec is characterized as a hacktivist actor whose observed tactics include DDoS, web defacement, claimed intrusions into ICS/OT and satellite systems, data wiping claims, ransomware-based encryption for impact, system and local information collection, recovery inhibition, bootkit use, obfuscation, process injection, masquerading, and timestamp modification.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
- 🇮🇱 Israel
Tradecraft
8 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Hacktivist operations targeting Israeli satellite operators/VSAT terminals with disruption and credential theft claims during regional conflict dynamics.
GhostSec is an Iran-affiliated group targeting programmable logic controllers (PLCs) in Israeli media and water systems, as part of coordinated campaigns against critical infrastructure.
Highly organized hacktivist/cybercrime-adjacent actor conducting DDoS, ICS/OT targeting and sabotage, data theft/extortion, doxxing, and ransomware activity; claims compromises of Modbus/PLC and VSAT environments.
GhostSec is a hacktivist group participating in cyber operations against Israel, employing tactics such as DDoS and data leaks.