TwoNet

TwoNet is a pro-Russian / Russian-aligned hacktivist group that surfaced in January 2025. Reporting cited in the content describes it as recently formed, with roughly 40 members involved in hacking, software development, and open-source intelligence gathering. TwoNet was initially associated primarily with distributed denial-of-service (DDoS) activity, including attacks promoted on Telegram against government and infrastructure targets in Ukraine, Spain, and the U.K., and data-dump activity against Israeli defense and technology companies. Intel 471 identified TwoNet as one of two new pro-Kremlin hacktivist groups, and the content also notes claimed ties or partnerships with other pro-Russian actors, including CyberTroops and OverFlame. Across multiple reports in the content, TwoNet is described as evolving from DDoS activity into targeting operational technology and industrial control system environments. In September 2025, Forescout reported that TwoNet targeted an ICS/OT honeypot designed to mimic a water treatment facility, then falsely portrayed the incident on Telegram as a real critical-infrastructure compromise. According to the cited reporting, TwoNet gained access to the HMI using default credentials (admin/admin), ran SQL queries to enumerate the database schema, created a new account named "BARLATI," and exploited CVE-2021-26829 in OpenPLC ScadaBR to deface the HMI login page with a "Hacked by Barlati" message. Forescout also reported that the group attempted disruptive actions including defacement, process disruption, manipulation, disabling logs and alarms, removing PLCs from the HMI data source list, changing PLC setpoints, and disabling real-time updates. The content states Forescout assessed the actor focused on the HMI web application layer and did not attempt privilege escalation or exploitation of the underlying host. The content further states that Russian-aligned groups including TwoNet have evolved from DDoS activity into OT and IoT reconnaissance and disruptive industrial targeting, and that such actors exploit internet-facing VNC connections and HMI devices with default or weak credentials to access OT control systems. Several reports characterize TwoNet as financially motivated in addition to hacktivist branding. The group is described as advertising ransomware-as-a-service, hack-for-hire, initial access brokerage, and purported access to SCADA systems in Poland; one report notes an offer for a ransomware affiliate slot. Some cited reporting assessed parts of these offerings, including a purported crypto-locker, as likely scams. The content indicates TwoNet maintained a Telegram presence, used it to boast about attacks, and engaged in signal-boosting of other hacktivist groups. Handles most associated with the group include "BARLATI" and "DarkWarios." Multiple reports describe the group as short-lived: its Telegram activity ceased or went dark around late September 2025, though the content notes that hacktivist operators may persist through rebranding or shifting alliances.