CyberCaliphate
CyberCaliphate is a false hacktivist persona used in influence and disruptive cyber operations. The provided content links the persona to Russian activity: FireEye stated that leaks were conducted using false hacktivist personas including CyberCaliphate and that it identified overlaps between CyberCaliphate domain registration details and APT28 infrastructure. FireEye also identified APT28 (CORESHELL) traffic beaconing from TV5Monde’s network in February 2015, indicating APT28 had compromised TV5Monde before the April 2015 operation in which the alleged pro-ISIS CyberCaliphate defaced TV5Monde’s websites and social media profiles and forced 11 broadcast channels offline. The content further notes that French diplomacy later attributed the TV5Monde sabotage to Russian intelligence after it had been claimed by CyberCaliphate. In the broader reporting cited here, CyberCaliphate is described as one of several personas used to publicly leak or claim operations aligned with Russian objectives. Known related aliases/personas mentioned in the content include Guccifer 2.0, DC Leaks, Anonymous Poland, and Fancy Bears’ Hack Team; the associated intrusion set is APT28.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Media & Entertainment
Where they target
Geographies tied to known operations.
- 🇫🇷 France
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Mentioned as the group that claimed responsibility for the earlier TV5 Monde sabotage, as background comparison to the current case.
Hacktivist-branded persona/group used in connection with TV5Monde disruption/defacement; FireEye notes infrastructure overlaps with APT28.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.