Hacktivist Cyber Operations Escalate Amid Geopolitical Tensions
A newly formed Russian-aligned hacktivist coalition calling itself Russian Legion (reportedly comprising Cardinal, The White Pulse, Russian Partizan, and Inteid) announced “OpDenmark,” a campaign of DDoS attacks intended to disrupt Danish government services and critical infrastructure and pressure Denmark to reverse military support for Ukraine. Reporting indicates the group issued an ultimatum tied to Denmark’s planned 1.5 billion DKK aid package, followed by service disruptions across multiple Danish organizations, including repeated targeting of the energy sector; analysts characterized the actor as state-aligned but not state-funded, using disruption and psychological pressure rather than confirmed destructive intrusions.
Separately, a new hacktivist group, Punishing Owl, claimed a breach of a Russian government security agency, publishing stolen documents and using DNS manipulation to redirect traffic to attacker-controlled infrastructure hosting the leak and a manifesto. The operation reportedly expanded into business email compromise against partners/contractors and included tooling such as the ZipWhisper PowerShell stealer, with lures using password-protected ZIPs and disguised LNK files to execute PowerShell downloaders. An additional opinion piece highlighted a broader rise in energy infrastructure cyber operations (including referenced events affecting Poland and Venezuela) but did not provide corroboration or direct linkage to the Denmark DDoS campaign or the Punishing Owl intrusion.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Russian Legion announces a new wave of attacks on Denmark
By 2026-02-04, reporting indicated Russian Legion had announced a specific time for another wave of attacks against Denmark. The campaign continued to combine DDoS activity, public threats, and psychological operations to amplify fear and media attention.
Technical details of ZipWhisper stealer are disclosed
Researchers disclosed that ZipWhisper harvested browser credentials, cookies, and saved passwords, staged the data in the Temp directory, and uploaded it to a command-and-control endpoint. The report also noted code comments suggesting AI tooling may have been used to generate parts of the malware script.
Punishing Owl expands intrusion into BEC against partners and contractors
Following the initial compromise, Punishing Owl used email accounts created within the victim's domain to target the agency's partners and contractors in a business email compromise campaign. Messages sent from Brazilian infrastructure carried password-protected ZIP files containing disguised LNK files that launched PowerShell to download the ZipWhisper stealer.
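A triage sketch for the chain reported above (LNK launches a PowerShell downloader, the stealer reads browser stores and stages data in Temp). This is an added example, not code from the cited reports: the event fields, hostnames, command lines and paths are constructed, and the parent process, browser file names and download keywords are assumptions about how the chain would appear in endpoint telemetry.

```python
import re

# Constructed telemetry, shaped loosely like EDR process and file events.
EVENTS = [
    {"host": "ws1", "type": "proc", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -w hidden -c iwr http://files.example/a.ps1 -OutFile a.ps1"},
    {"host": "ws1", "type": "file", "image": "powershell.exe", "op": "read",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws1", "type": "file", "image": "powershell.exe", "op": "write",
     "path": r"C:\Users\u\AppData\Local\Temp\stage.zip"},
    {"host": "ws2", "type": "proc", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell Get-ChildItem"},
    {"host": "ws2", "type": "file", "image": "powershell.exe", "op": "write",
     "path": r"C:\Users\a\AppData\Local\Temp\policytest.ps1"},
    {"host": "ws3", "type": "file", "image": "chrome.exe", "op": "read",
     "path": r"C:\Users\b\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
STORE = re.compile(r"\\(login data|cookies|logins\.json|cookies\.sqlite)$", re.I)
TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)

def stage_of(ev):
    """Map one event to a stage of the reported chain, or None."""
    img = ev["image"].lower()
    if ev["type"] == "proc":
        # Assumption: a double-clicked LNK shows up as PowerShell under explorer.exe.
        if img == "powershell.exe" and ev["parent"].lower() == "explorer.exe" \
                and DOWNLOAD.search(ev["cmd"]):
            return "launch"
    elif ev["op"] == "read" and img not in BROWSERS and STORE.search(ev["path"]):
        return "harvest"   # non-browser process opening a browser credential or cookie store
    elif ev["op"] == "write" and img == "powershell.exe" and TEMP.search(ev["path"]):
        return "stage"     # PowerShell writing under the user's Temp directory
    return None

def triage(events):
    """Return {host: set of chain stages observed on that host}."""
    seen = {}
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen.setdefault(ev["host"], set()).add(stage)
    return seen

def alerts(events, min_stages=2):
    """Hosts with at least min_stages distinct stages; a single stage alone is too noisy."""
    return sorted(h for h, s in triage(events).items() if len(s) >= min_stages)
```

Requiring two or more stages keeps routine PowerShell writes to Temp (host ws2 in the sample) from alerting on their own.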
Russian Legion begins OpDenmark disruptions after deadline passes
After the 48-hour deadline expired, Danish companies and public sector organizations reported service disruptions attributed to Russian Legion's OpDenmark campaign. The group and associated figures posted screenshots claiming Danish websites had been taken offline, with repeated targeting especially noted in the energy sector.
Russian Legion issues ultimatum to Denmark over Ukraine aid
On 2026-01-28, Russian Legion warned Denmark via Telegram to withdraw its planned 1.5 billion DKK military aid package to Ukraine within 48 hours. The group threatened to escalate from DDoS activity to broader cyberattacks if Denmark did not comply.
Russian Legion member reportedly targets Danish healthcare portal
Earlier in the week before the main ultimatum, a Russian Legion member known as Inteid reportedly conducted preliminary attacks against Denmark's healthcare portal sundhed.dk. The activity indicated the alliance's ability to disrupt healthcare-related online services.
Russian Legion announces formation
On 2026-01-27, the pro-Russian hacktivist alliance Russian Legion announced its creation. The group was later assessed by Truesec as likely state-aligned but not directly state-funded.
Punishing Owl claims breach of Russian security agency and leaks data
On 2025-12-12, the newly identified hacktivist group Punishing Owl publicly claimed it had compromised a Russian government security agency and leaked internal documents. The group also altered the victim's DNS to create a subdomain that redirected traffic to a Brazil-hosted server serving the stolen data and a political manifesto.
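The DNS change described above, a new subdomain pointing at a server outside the victim's own hosting, is the kind of drift a periodic zone-snapshot comparison catches. This is an added example, not taken from the cited reports: the zone name, address ranges and records are constructed, and the severity labels are assumptions.

```python
import ipaddress

ZONE = "agency.example"                                  # constructed zone name
APPROVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed approved hosting range

# Constructed snapshots: record name -> (type, value), e.g. parsed from a zone export.
BASELINE = {
    "www.agency.example": ("A", "192.0.2.10"),
    "mail.agency.example": ("A", "192.0.2.25"),
}
CURRENT = {
    "www.agency.example": ("A", "192.0.2.10"),
    "mail.agency.example": ("A", "192.0.2.25"),
    "vpn.agency.example": ("A", "192.0.2.40"),
    "docs.agency.example": ("A", "203.0.113.77"),
}

def is_approved(rtype, value):
    """A/AAAA must fall in an approved network; other targets must stay inside the zone."""
    if rtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in APPROVED_NETS)
    target = value.rstrip(".").lower()
    return target == ZONE or target.endswith("." + ZONE)

def zone_drift(baseline, current):
    """Return (name, change, severity) for every record that differs from the baseline."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        if new is None:
            findings.append((name, "removed", "review"))
            continue
        change = "added" if old is None else "changed"
        severity = "review" if is_approved(*new) else "high"
        findings.append((name, change, severity))
    return findings
```

Any record added or changed without a matching change ticket deserves review; one that also resolves outside the approved ranges is rated high.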
Sources
Denmark subjected to sweeping Russian cyberattack threats | SC Media (scworld.com)
Russian Hacker Alliance Targeting Denmark in Large-Scale Cyberattack (cybersecuritynews.com)
New Punishing Owl Hacker Group Targeting Networks of Russian Government Security Agency (cybersecuritynews.com)


