Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
🇷🇺 RU

it_army_of_russia

Also known asit_army_of_russia

IT Army of Russia is a pro-Russian, pro-Kremlin hacktivist group that emerged in late March 2025. It communicates via the Duty-Free cybercrime forum and a Telegram channel with more than 800 subscribers. Reported activity in the provided content is focused primarily on Ukraine and includes attacks against Ukrainian organizations, especially Ukrainian websites and small Ukrainian businesses, as well as recruitment of insiders within Ukraine’s critical infrastructure. The group also uses cybercrime forums and Telegram to publish allegedly stolen data, solicit intelligence on Ukrainian military and civilian infrastructure for future attacks, and operate a Telegram bot to collect intelligence and suggest new targets. Intel 471 identified the group as mainly involved in DDoS attacks, and the content also attributes website defacements, data leaks, and claimed data theft to it. The group reportedly uses a tool called PanicBotnet for DDoS operations. In the provided reporting, IT Army of Russia claimed responsibility for an attack affecting Ukrposhta’s mobile application and alleged it had previously breached Ukrposhta infrastructure, accessed a server, and exfiltrated user and internal data, though those claims were not independently verified. Separate self-reported claims attributed to the group describe a destructive attack against Ukrainian housing and utilities-related infrastructure associated with info-gkh[.]com[.]ua, including malware distribution, encryption of victim systems, exfiltration of personal data, access to employee accounts and websites, and destruction of databases; these claims were also not independently verified. The group has also claimed leaks of databases from Ukrainian and Polish websites, including a real estate platform, a makeup retailer, and Poland’s educational platform. Known alias in the provided content: it_army_of_russia.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Transportation
  • Government & Administration
  • Military

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics10 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1078×2
Valid Accounts
T1566
Phishing
TA0002
Execution
1 technique
T1204
User Execution
TA0003
Persistence
1 technique
T1078×2
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078×2
Valid Accounts
TA0005
Stealth
1 technique
T1078×2
Valid Accounts
TA0009
Collection
1 technique
T1213
Data from Information Repositories
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
TA0040
Impact
2 techniques
T1486×2
Data Encrypted for Impact
T1491
Defacement
IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
the record mediaNews
Jun 25, 2026
Ukraine's state postal operator reports app disruption after cyberattack | The Record from Recorded Future News

Pro-Russian hacktivist group that claimed responsibility for the cyberattack on Ukrposhta and has claimed numerous cyberattacks targeting Ukrainian organizations since emerging in March 2025.

Read more
risky biz rssNews
Jul 4, 2025
Risky Bulletin: Hunters International ransomware shuts down and releases decryption keys

Pro-Kremlin hacktivist group conducting DDoS attacks and recruiting insiders in Ukrainian organizations.

Read more
the record mediaNews
Jul 3, 2025
Two new pro-Russian hacktivist groups target Ukraine, recruit insiders

Pro-Russian hacktivist group conducting DDoS attacks, website defacements, and data theft against Ukrainian and allied targets, with a focus on recruiting insiders and leaking stolen data.

Read more
codebyNews
Apr 16, 2018
IT ARMY OF RUSSIA похоронила всю сеть украинских ЖКХ

Claims a destructive and data-theft campaign against Ukrainian housing and utilities-related web infrastructure, including phishing/lure delivery of malware, encryption of victim computers and a core server, theft of personal data and call-center databases, and compromise of administrative accounts and websites.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping7

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.

it_army_of_russia | Mallory