Russian Legion
Russian Legion is a pro-Russian hacktivist alliance that emerged publicly in January 2026. Reporting states it is led by Cardinal and includes The White Pulse, Russian Partizan, and Inteid. It announced its formation on January 27, 2026 and launched “OpDenmark,” a coordinated campaign against Denmark in retaliation for Danish military aid to Ukraine. The group issued a Telegram ultimatum on January 28 demanding Denmark reject a planned 1.5 billion DKK aid package within 48 hours, threatened to escalate beyond DDoS into “real cyber attacks,” and claimed attacks against Danish private companies, public organizations, and especially the energy sector. Inteid was linked in reporting to a DDoS attack on Denmark’s health portal sundhed.dk. Truesec assessed Russian Legion as likely state-aligned but not state-funded, operating independently while supporting Russian geopolitical objectives. Across the provided reporting, Russian Legion is associated primarily with disruptive and influence-oriented activity, especially distributed denial-of-service attacks, public threats via Telegram, psychological operations, and posting screenshots or breach claims to amplify fear and media attention. One report states the alliance uses DDoS-for-hire services and combines denial-of-service attacks with political messaging to pressure Western governments. Other reporting places Russian Legion within a broader Russia-Iran cyber partnership alongside RuskiNet, stating that the two groups provide TOR relay infrastructure, data leak operations, and military intelligence exfiltration capabilities. The content also says Russian Legion and other pro-Russian groups shifted some focus from Ukraine-related operations to anti-Israel actions supportive of Iran, though some of those claims are described as having mixed credibility. Additional claims in the content state that Russian Legion joined pro-Iran activity, threatened Denmark’s critical sectors, and claimed breaches of Israeli military networks including the Iron Dome system. Known alias in the provided content: russian_legion.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Pro-Russian hacktivist group participating in the pro-Iran coalition during the conflict.
Group cited as participating in similar cyber activity during the conflict.
Pro-Russian hacktivist group claiming breaches of Israeli military networks, including the Iron Dome missile defense system.
Russian-linked actor supporting the Russia-Iran cyber axis by providing TOR relay infrastructure, data leak operations, and military intelligence exfiltration capabilities.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.