Inteid
Inteid is a hacktivist threat actor that has been identified as a member of the Russian Legion alliance alongside Cardinal, The White Pulse, and Russian Partizan. In reporting on Russian Legion’s January 2026 “OpDenmark” campaign, Inteid was linked to DDoS activity targeting Denmark, including preliminary attacks against the Danish health portal sundhed.dk. Reporting states that Inteid and other Russian Legion members used Telegram to publicize threats and claimed attacks, and posted screenshots of disrupted Danish sites as part of a psychological operations component. Truesec assessed Russian Legion as likely state-aligned but not state-funded; the provided content does not independently attribute Inteid itself beyond its membership in that alliance. Separate reporting in the provided content places Inteid among pro-Iranian/pro-Palestinian hacktivist actors active during the June 2025 Israel-Iran cyber escalation. Inteid was described as coordinating with other groups via Telegram, including a publicly announced collaboration with Keymous+. The content states that Inteid conducted multi-sector attacks on Israeli news, telecom, and medical organizations, and lists claimed attacks attributed to Inteid including Mercantile Discount Bank in Israel and CityRide. The reporting also notes alliances among groups such as Keymous+, Inteid, Anonymous Kashmir, and Mr Hamza Cyber Force, reflecting coordinated hacktivist activity. Much of the Israel-related activity is presented as claimed hacktivist operations, and the source notes that many such claims across the ecosystem were unverified.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇩🇰 Denmark
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Member of Russian Legion linked to a recent DDoS attack against Denmark’s health portal and involved in public claims of attacks on Danish organizations.
Russian Legion member credited with preliminary DDoS activity against Denmark’s sundhed.dk, demonstrating capability to disrupt healthcare-related online services as part of the broader “OpDenmark” campaign.
Pro-Iranian/pro-Palestinian hacktivist group participating in coordinated attacks against Israel and its allies.
Hacktivist actor coordinating with Keymous+; claims attacks against Israeli financial and transportation targets.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.