Mallory

Anonymous

Also known as: anonymous

Anonymous is a decentralized hacktivist collective and open banner originating from 4chan-era anonymous internet culture. The content describes it as a loose confederation active since at least 2008, with no centralized leadership, and notes that anyone can claim the Anonymous banner. Known associated aliases and sub-groups directly mentioned in the content include LulzSec/Lulz Security, Anonymous Hispano, and the PayPal 14; prominent associated figures mentioned include Aubrey Cottle, Hector "Sabu" Monsegur, Jeremy Hammond, and the persona "Kayla" later linked by police to Ryan Ackroyd. The content attributes to Anonymous a long history of politically motivated hacktivism, including Project Chanology against the Church of Scientology; Operation Payback / Operation Avenge Assange targeting PayPal, Visa, MasterCard, and others after WikiLeaks donation restrictions; attacks and leaks involving HBGary Federal; support activity around Tunisia, Occupy, Ferguson, and anti-KKK operations; Operation Turkey protesting internet censorship; and later campaigns against Islamic State, QAnon, Russia (#OpRussia), and Killnet. The group is also linked in the content to the BlueLeaks disclosure, described as 269 GB of law-enforcement data allegedly stolen from 251 law-enforcement-related websites and published by DDoSecrets. Tactics directly mentioned in the content include distributed denial-of-service attacks, website defacements, data theft and public leaks, exposure of internal emails and documents, attacks on chat infrastructure, and publication of personal details. 
Specific examples mentioned include DDoS attacks against PayPal, Visa, MasterCard, the RIAA, and foreign government systems; defacement of the PRI-DF website in Mexico City; compromise of HBGary Federal resulting in publication of more than 50,000 emails; attacks on Ku Klux Klan infrastructure and release of member details; and anti-Russian targeting of Russian state, financial, and media entities during the Russia-Ukraine conflict. The content also emphasizes that Anonymous has been the target of state disruption efforts. Leaked Snowden archive reporting cited in the content says GCHQ's JTRIG monitored and targeted Anonymous, including with DDoS attacks against IRC chatrooms used by Anonymous and LulzSec members. Overall, the content portrays Anonymous as a persistent, decentralized hacktivist movement focused on anti-censorship, transparency, protest, and politically charged cyber operations, but also one whose actions have included unlawful intrusions, disruptive attacks, leaks, and occasional misidentification of targets.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

MITRE ATT&CK

Tradecraft

34 distinct techniques observed across reporting, grouped by tactic. Coverage: 13 of 15 tactics, 40 techniques. A "×N" after a technique gives the number of intelligence reports citing it.
TA0043 Reconnaissance (4 techniques)

  • T1589 Gather Victim Identity Information
  • T1590 Gather Victim Network Information
  • T1591 Gather Victim Org Information
  • T1598 Phishing for Information

TA0042 Resource Development (2 techniques)

  • T1585 Establish Accounts
  • T1588 Obtain Capabilities
  • T1588.001 Malware

TA0001 Initial Access (4 techniques)

  • T1078 Valid Accounts (×6)
  • T1133 External Remote Services
  • T1190 Exploit Public-Facing Application
  • T1566 Phishing (×2)

TA0003 Persistence (2 techniques)

  • T1078 Valid Accounts (×6)
  • T1133 External Remote Services

TA0004 Privilege Escalation (1 technique)

  • T1078 Valid Accounts (×6)

TA0005 Stealth (1 technique)

  • T1078 Valid Accounts (×6)

TA0006 Credential Access (2 techniques)

  • T1040 Network Sniffing
  • T1649 Steal or Forge Authentication Certificates

TA0007 Discovery (1 technique)

  • T1040 Network Sniffing

TA0008 Lateral Movement (1 technique)

  • T1210 Exploitation of Remote Services

TA0009 Collection (5 techniques)

  • T1005 Data from Local System
  • T1114 Email Collection
  • T1185 Browser Session Hijacking
  • T1213 Data from Information Repositories (×6)
  • T1530 Data from Cloud Storage

TA0011 Command and Control (2 techniques)

  • T1090 Proxy
  • T1090.003 Multi-hop Proxy (×3)
  • T1573 Encrypted Channel

TA0010 Exfiltration (3 techniques)

  • T1048 Exfiltration Over Alternative Protocol (×3)
  • T1537 Transfer Data to Cloud Account (×8)
  • T1567 Exfiltration Over Web Service (×2)
  • T1567.001 Exfiltration to Code Repository

TA0040 Impact (6 techniques)

  • T1485 Data Destruction (×4)
  • T1489 Service Stop
  • T1491 Defacement (×2)
  • T1491.001 Internal Defacement (×9)
  • T1498 Network Denial of Service (×24)
  • T1498.001 Direct Network Flood (×2)
  • T1499 Endpoint Denial of Service (×8)
  • T1499.003 Application Exhaustion Flood
  • T1531 Account Access Removal

IOCs

Observables

40 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

