Z-Pentest
Z-Pentest is a pro-Russian hacktivist group established in September 2024, formed from members of Cyber Army of Russia Reborn (CARR) and NoName057(16). Multiple sources describe it as emerging from fragmentation within earlier pro-Russian groups; one advisory states that CARR administrators and a NoName057(16) administrator spun off in late September 2024, using TTPs similar to CARR's but without GRU involvement. The group is described as specializing in OT intrusion operations against globally dispersed critical infrastructure entities, while also conducting hack-and-leak and defacement activity to amplify pro-Russia messaging.

The underlying reporting consistently associates Z-Pentest with targeting critical infrastructure and industrial environments, including water, energy, food and agriculture, heavy industry, defense suppliers, and food processing facilities. Reported victim geographies include Denmark, Germany, Italy, Poland, the United States, and other NATO-aligned or Western organizations. Danish authorities attributed a 2024 destructive cyberattack on the Tureby Alkestrup Waterworks to Z-Pentest; the attack reportedly changed water pressure, burst a pipe, and temporarily disrupted water service. Other reporting says the group claimed compromises of U.S.-based industrial control systems, SCADA networks, and CCTV systems, and claimed access to industrial networks in Germany, Italy, and Poland.

Its tradecraft is described as opportunistic, relying on weak authentication and exposed remote access rather than advanced malware. Z-Pentest and related groups commonly exploit poorly secured internet-facing VNC connections to OT devices and HMI/SCADA environments, often scanning ports 5900-5910, operating from VPS infrastructure, brute forcing passwords, abusing default or weak credentials, password spraying, reusing leaked credentials, and making credential-stuffing-like automated login attempts.

By 2025, the group was described as repeatedly accessing industrial interfaces through compromised authentication pathways. After gaining access, actors are reported to manipulate HMI settings via legitimate interfaces: changing credentials, parameters, device names, and instrument settings, disabling alarms, restarting or shutting down devices, and causing a temporary "loss of view" that requires manual intervention. Some attacks attributed to this ecosystem have caused physical damage.

Z-Pentest is repeatedly grouped with CARR, NoName057(16), and Sector16 as part of a broader pro-Russia hacktivist ecosystem that evolved from DDoS activity into OT and ICS intrusion activity. Companion groups and related names mentioned in the reporting include Cyber Army of Russia Reborn (CARR), NoName057(16), Sector16, Dark Engine, and the Infrastructure Destruction Squad. The group largely avoids DDoS compared with some peers and instead emphasizes OT intrusion claims, propaganda, and media amplification. One source also notes claims that the group is based in Serbia, but the reporting consistently characterizes it as pro-Russian and Russia-affiliated.
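As an added illustration of how a defender might look for the VNC exposure and brute-force pattern described above (example code written for this page, not Mallory's tooling or anything from the cited reporting): it scans constructed, hypothetical key=value firewall lines for internet-sourced connections to ports 5900-5910 and classifies each source as a sweep across OT hosts, repeated hits on one host, or plain external contact. The log format, the sample addresses and the thresholds are assumptions.

```python
"""Flag internet-sourced VNC sweeps and repeated attempts toward OT hosts."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real telemetry) in a hypothetical key=value export.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z FW ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=5900 proto=tcp
2025-03-01T10:00:02Z FW ACCEPT src=203.0.113.7 dst=192.0.2.11 dport=5901 proto=tcp
2025-03-01T10:00:03Z FW ACCEPT src=203.0.113.7 dst=192.0.2.12 dport=5900 proto=tcp
2025-03-01T10:00:04Z FW ACCEPT src=198.51.100.4 dst=192.0.2.20 dport=5900 proto=tcp
2025-03-01T10:00:05Z FW ACCEPT src=198.51.100.4 dst=192.0.2.20 dport=5900 proto=tcp
2025-03-01T10:00:06Z FW ACCEPT src=198.51.100.4 dst=192.0.2.20 dport=5900 proto=tcp
2025-03-01T10:00:07Z FW ACCEPT src=198.51.100.4 dst=192.0.2.20 dport=5900 proto=tcp
2025-03-01T10:00:08Z FW ACCEPT src=198.51.100.9 dst=192.0.2.20 dport=5905 proto=tcp
2025-03-01T10:00:09Z FW ACCEPT src=10.0.5.20 dst=192.0.2.10 dport=5900 proto=tcp
2025-03-01T10:00:10Z FW ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
"""
VNC_PORTS = range(5900, 5911)  # 5900-5910, the range named in the reporting
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True for RFC 1918 sources; those are left to other controls here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def analyse(log_text, sweep_hosts=3, repeat_attempts=4):
    """Map each external source that hit a VNC port to host/attempt counts and a verdict:
    vnc_sweep (>= sweep_hosts distinct OT hosts), vnc_repeat (>= repeat_attempts hits on
    one host) or external_vnc_contact (still a finding: OT VNC should not be reachable)."""
    per_src = defaultdict(lambda: defaultdict(int))  # src -> dst -> hit count
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport not in VNC_PORTS or is_internal(src):
            continue  # non-VNC traffic and internal sources are out of scope
        per_src[src][dst] += 1
    findings = {}
    for src, dsts in per_src.items():
        if len(dsts) >= sweep_hosts:
            verdict = "vnc_sweep"
        elif max(dsts.values()) >= repeat_attempts:
            verdict = "vnc_repeat"
        else:
            verdict = "external_vnc_contact"
        findings[src] = {"hosts": len(dsts), "attempts": sum(dsts.values()), "verdict": verdict}
    return findings
```

Any external_vnc_contact result is worth acting on by itself, since the reporting's whole point is that OT VNC endpoints were reachable from the internet at all.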
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Military
- Capital Goods
- Food, Beverage & Tobacco
Where they target
Geographies tied to known operations.
- 🇩🇪 Germany
- 🇮🇹 Italy
- 🇵🇱 Poland
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
13 distinct techniques observed across reporting, grouped by tactic.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Russia-aligned actor claiming access to industrial networks in Germany, Italy, and Poland, focused on defense suppliers, heavy industry, and food processing facilities.
- Hacktivist companion group described as expanding from DDoS into operational technology intrusions affecting industrial HMIs in water, energy, and agriculture sectors.
- Pro-Russia hacktivist group conducting propaganda-driven operations and direct OT intrusions, with repeated access to industrial interfaces via compromised authentication, credential stuffing, and password reuse.
- Pro-Russian hacktivist activity targeting U.S.-based entities during the Iran war, including compromises involving industrial control systems, SCADA environments, and CCTV systems.