🇷🇺 RU1 malware family

Russian Cyber Army

Also known asRussian Cyber Army

Russian Cyber Army is a pro-Russian hacktivist group assessed in reporting as highly active in cyberattacks against Ukraine, described as the second most active group in a three-month period of observed activity. The group’s operations are characterized primarily by disruptive activity (notably DDoS), aligned with broader Russian-affiliated hacktivist efforts targeting Ukrainian government and other sectors. Reporting notes Russian Cyber Army and NoName057(16) as operating in parallel since late 2022; NoName057(16) is described as having developed the DDoSia tool, with allegations that some participants were connected to Russian state structures and received funding from them. In the referenced Ukraine-focused reporting, the most targeted sector overall was Ukrainian government (nearly half of attacks), with technology and transportation also significantly impacted; DDoS comprised the majority of incidents (68.1%), with defacements and data breaches also present in the broader threat landscape.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0040

Impact

1 technique

T1498

Network Denial of Service

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

DDoSia“Noname057(16) developed a project—malicious software called Ddosia”1Mar 8, 2026

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

ctoatncsc substackNews

Dec 13, 2025

CTO at NCSC Summary: week ending December 14th

Pro-Russia hacktivist-aligned group operating since late 2022 in parallel with Noname057(16); associated with DDoS-style activity and alleged state-structure links/funding.

cloudsek blogNews

Aug 23, 2024

Cyber Shadows Over Ukraine: An Independence Day Perspective

Russian Cyber Army is a Russian-affiliated group conducting cyberattacks against Ukraine, focusing on government and critical infrastructure targets.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.