Two new pro-Russian hacktivist groups have begun launching cyberattacks on Ukraine and its allies while also attempting to recruit insiders to strengthen their operations, according to a recent report by cybersecurity company Intel 471.
The groups, known as IT Army of Russia and TwoNet, coordinate their activities through Telegram, where they recruit employees of Ukrainian organizations and collect intelligence on potential targets.
Researchers noted that both groups emerged in early 2025 and may be rebranded versions of previously known cybercriminal organizations. While their exact connections to past operations remain unclear, their methods are similar to those used by other Russian hacktivists such as NoName057(16), KillNet, and XakNet Team, with a focus on DDoS attacks, website defacements, and data theft.
According to the report:
- IT Army of Russia first became active in late March 2025. It uses the cybercrime forum Duty-Free and a Telegram channel that already has more than 800 subscribers. The group frequently posts reports of attacks on Ukrainian websites, leaks stolen databases, and actively seeks insiders with access to Ukraine’s critical infrastructure. Its main targets have been smaller Ukrainian companies.
- IT Army of Russia uses a tool called PanicBotnet, promoted on underground forums, and runs a Telegram bot that gathers intelligence on Ukrainian military facilities and infrastructure. Recently, it posted databases it claims were stolen from Ukrainian and Polish websites, including a Ukrainian real estate search platform, cosmetics shops, and an educational portal in Poland.
- TwoNet, the second group, began its activities in January 2025 and has around 40 members who specialize in hacking, malware development, and open-source intelligence gathering. It also focuses heavily on DDoS attacks and uses its Telegram channel to promote assaults on government and infrastructure targets in Ukraine, as well as in Spain and the United Kingdom.
Intel 471 also reports that TwoNet has declared partnerships with other pro-Russian hacktivists. In January, the group announced the death of one of its members, callsign Sakura, who was reportedly killed during combat operations in Ukraine.