Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory

CyberCaliphate

Also known ascybercaliphate

CyberCaliphate is a false hacktivist persona used in influence and disruptive cyber operations. The provided content links the persona to Russian activity: FireEye stated that leaks were conducted using false hacktivist personas including CyberCaliphate and that it identified overlaps between CyberCaliphate domain registration details and APT28 infrastructure. FireEye also identified APT28 (CORESHELL) traffic beaconing from TV5Monde’s network in February 2015, indicating APT28 had compromised TV5Monde before the April 2015 operation in which the alleged pro-ISIS CyberCaliphate defaced TV5Monde’s websites and social media profiles and forced 11 broadcast channels offline. The content further notes that French diplomacy later attributed the TV5Monde sabotage to Russian intelligence after it had been claimed by CyberCaliphate. In the broader reporting cited here, CyberCaliphate is described as one of several personas used to publicly leak or claim operations aligned with Russian objectives. Known related aliases/personas mentioned in the content include Guccifer 2.0, DC Leaks, Anonymous Poland, and Fancy Bears’ Hack Team; the associated intrusion set is APT28.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Media & Entertainment

Where they target

Geographies tied to known operations.

  • 🇫🇷 France
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics4 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1589
Gather Victim Identity Information
TA0042
Resource Development
1 technique
T1584
Compromise Infrastructure
T1584.006
Web Services
TA0005
Stealth
1 technique
T1036
Masquerading
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.