Mallory
🇷🇺 RU · 4 malware families · Exploits CVEs in the wild

Cardinal

Also known as: cardinal

Cardinal is a name attached to two actor profiles in open-source reporting: a cybercrime group behind Black Basta ransomware, and a pro-Russian hacktivist group active in politically motivated DDoS and hack-and-leak operations. The reporting cited here does not link the two, so the shared name should not be read as a shared operator.

Cybercrime profile. Symantec and the Carbon Black Threat Hunter Team track the group as Cardinal and assess that Black Basta was developed by it. In recent Black Basta activity, Cardinal was linked to a campaign that embedded a bring-your-own-vulnerable-driver (BYOVD) capability directly in the ransomware payload: the malware dropped the signed but vulnerable NsecSoft NSecKrnl kernel driver, created a Windows service to load it, and exploited CVE-2025-68947 by sending malicious IOCTL requests to the driver to terminate protected security processes, including SophosHealth.exe and MsMpEng.exe, before encrypting files and appending the .locked extension. Because the driver carries a valid signature, signature enforcement alone does not stop it; the practical controls are a vulnerable-driver blocklist (for example Microsoft's, enforced through HVCI/WDAC) and detection of the service creation, driver load, and subsequent security-process terminations. The same reporting noted a suspicious side-loaded loader on the victim network weeks before ransomware deployment, which suggests a long dwell time. Cardinal went relatively quiet after internal Black Basta chat logs leaked in February 2025.

Hacktivist profile. Cardinal led the Russian Legion alliance, publicly announced on January 27, 2026, together with The White Pulse, Russian Partizan, and Inteid. In that role, Cardinal took part in OpDenmark, a coordinated campaign that threatened and carried out DDoS attacks against Danish companies and public organizations to pressure Denmark over its military aid to Ukraine. The alliance issued threats over Telegram, posted screenshots of disrupted sites, and warned that DDoS was only the beginning of broader cyberattacks. Truesec assessed Russian Legion as likely state-aligned but not state-funded. Separately, Cardinal and Russian Legion claimed to have breached Israeli military networks, including the Iron Dome missile defense system, and Cardinal claimed to have targeted Israel Defense Forces systems and publicly leaked stolen information; these are the groups' own claims.

The only alias that appears in the reporting is Cardinal (also written as cardinal). Allied groups named in the reporting are The White Pulse, Russian Partizan, and Inteid, as members of Russian Legion.
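The BYOVD chain described above (driver service created, driver loaded, security processes killed minutes later) is the part of this profile a detection engineer can act on. The following is an added example, not Mallory's code or any vendor's detection content: a small correlation detector run over constructed Sysmon/Windows event records. The field names, the file paths, the ten-minute window, and the NSecKrnl.sys filename are assumptions for illustration; the security process names (MsMpEng.exe, SophosHealth.exe) are the ones named in the reporting.

```python
"""
Added example (not from the original page): correlate a kernel-driver service
install with a driver load and later security-process terminations on the same
host, the BYOVD sequence attributed to Cardinal's Black Basta payload.
"""
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Shapes loosely follow
# System 7045 (service installed), Sysmon 6 (driver loaded) and Sysmon 5
# (process terminated); the field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T03:12:01", "event_id": 7045, "host": "ws01",
     "service_name": "NSecKrnl", "service_type": "kernel mode driver",
     "image_path": r"C:\ProgramData\nseckrnl.sys"},
    {"ts": "2026-01-10T03:12:02", "event_id": 6, "host": "ws01",
     "image_loaded": r"C:\ProgramData\nseckrnl.sys", "signed": "true"},
    {"ts": "2026-01-10T03:12:05", "event_id": 5, "host": "ws01",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe"},
    {"ts": "2026-01-10T03:12:06", "event_id": 5, "host": "ws01",
     "image": r"C:\Program Files\Sophos\Health\SophosHealth.exe"},
    # Benign control: a signed driver installed into System32 by an installer.
    {"ts": "2026-01-10T09:00:00", "event_id": 7045, "host": "ws02",
     "service_name": "vmci", "service_type": "kernel mode driver",
     "image_path": r"C:\Windows\System32\drivers\vmci.sys"},
    {"ts": "2026-01-10T09:00:01", "event_id": 6, "host": "ws02",
     "image_loaded": r"C:\Windows\System32\drivers\vmci.sys", "signed": "true"},
]

SECURITY_PROCESSES = {"msmpeng.exe", "sophoshealth.exe"}   # named in the reporting
KNOWN_VULNERABLE_DRIVERS = {"nseckrnl.sys"}               # assumed filename
USER_WRITABLE_PREFIXES = (r"c:\programdata", r"c:\users", r"c:\windows\temp")
WINDOW = timedelta(minutes=10)                             # assumed correlation window


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_suspicious_driver_install(ev):
    """A kernel-driver service whose image sits in a user-writable location
    or matches a known-vulnerable driver name. A valid signature is not a
    mitigating factor here: BYOVD drivers are signed by definition."""
    if ev.get("event_id") != 7045:
        return False
    if "kernel" not in ev.get("service_type", "").lower():
        return False
    path = ev.get("image_path", "").lower()
    return path.startswith(USER_WRITABLE_PREFIXES) or _basename(path) in KNOWN_VULNERABLE_DRIVERS


def correlate_byovd(events):
    """Return one alert per suspicious driver install, escalated when the
    driver actually loads and security processes die within WINDOW."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_suspicious_driver_install(ev):
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            path = ev["image_path"].lower()
            loaded, killed = False, set()
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > WINDOW:
                    break
                if later["event_id"] == 6 and later.get("image_loaded", "").lower() == path:
                    loaded = True
                if later["event_id"] == 5 and _basename(later.get("image", "")) in SECURITY_PROCESSES:
                    killed.add(_basename(later["image"]))
            severity = "high" if loaded and killed else "medium" if loaded else "low"
            alerts.append({"host": host, "service": ev["service_name"], "driver": path,
                           "loaded": loaded, "killed": sorted(killed), "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in correlate_byovd(SAMPLE_EVENTS):
        print(a)
```

The install-from-a-writable-path heuristic fires on its own at low severity so the event is visible even if the driver never loads; the same service-creation signal is what ATT&CK T1543.003 captures in the tradecraft table below. In production the driver-name set would be replaced by a hash blocklist of known vulnerable drivers rather than filenames, which an attacker can rename freely.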


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Energy
  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇩🇰 Denmark

Where they're from

Attributed origin per open-source reporting.

  • 🇷🇺 Russia (RU)
MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, covering 3 of 15 tactics. T1543.003 appears under both Persistence and Privilege Escalation because ATT&CK maps it to both. ×N = number of intelligence reports citing the technique; the parenthetical after each technique is the evidence from the profile above.

TA0003 Persistence (1 technique)
  • T1543.003 Create or Modify System Process: Windows Service (service created to run the NSecKrnl driver)

TA0004 Privilege Escalation (2 techniques)
  • T1068 Exploitation for Privilege Escalation (CVE-2025-68947 IOCTL abuse to kill protected security processes)
  • T1543.003 Create or Modify System Process: Windows Service (same driver service)

TA0040 Impact (2 techniques)
  • T1486 Data Encrypted for Impact ×2 (Black Basta encryption, .locked extension)
  • T1498 Network Denial of Service ×2 (OpDenmark DDoS against Danish targets)