Free Demo

Trending

Report: Global Cybersecurity Report 2025          Report: Europe Threat Landscape Report 2025          Report: APAC Cyber Threat Landscape Report 2025          Report: North America Cyber Threat Landscape Report 2025          Report: META Threat Landscape Report 2025          Recognition: Cyble Recognized in the Gartner® Hype Cycle™ for Cyber-Risk Management, 2025          Recognition: Cyble Named a Sample Vendor in Gartner® Hype Cycle™ for Managed IT Services 2025         
Report: Global Cybersecurity Report 2025          Report: Europe Threat Landscape Report 2025          Report: APAC Cyber Threat Landscape Report 2025          Report: North America Cyber Threat Landscape Report 2025          Report: META Threat Landscape Report 2025          Recognition: Cyble Recognized in the Gartner® Hype Cycle™ for Cyber-Risk Management, 2025          Recognition: Cyble Named a Sample Vendor in Gartner® Hype Cycle™ for Managed IT Services 2025         

Table of Contents

  • Published on: November 25, 2025
  • 6 min read

Threat Actor Profile: Dark Storm Team

The Dark Storm Team is one of the more active hacktivist groups known for conducting politically aligned cyber operations. Known primarily for Distributed Denial-of-Service (DDoS) campaigns, the group’s activity centers on disrupting critical transportation assets, especially airports, while simultaneously marketing DDoS-as-a-Service (DaaS) capabilities to broader audiences.

Dark Storm Team operates under various aliases, including DarkStorm, DarkStormTeam, and MRHELL112, and maintains strong affiliations within the pro-Russian hacktivist ecosystem. Its most notable partnership is with Matryoshka 424, a coalition of aligned threat groups working collectively to advance Russian geopolitical narratives.

Targeting Patterns and Operational Scope 

Although the group’s ideological stance is rooted in support for Russia, its targeting footprint extends far beyond regional boundaries. Reported activity includes campaigns directed at organizations in the United Arab Emirates, Egypt, France, Israel, Italy, the Netherlands, Thailand, Ukraine, and the United States.  

This broad geographic reach reflects a willingness to strike entities perceived as politically relevant, regardless of location. Industries affected by Dark Storm Team’s operations note a preference for sectors where service disruption would have immediate public visibility. The group’s targets span: 

  • Banking, Financial Services, and Insurance (BFSI) 
  • Energy and Utilities 
  • Government and Law Enforcement 
  • Healthcare 
  • Media and Entertainment 
  • Transportation and Logistics 

Affiliated and Related Hacktivist Groups 

Dark Storm Team maintains links with multiple threat groups whose motivations, tactics, or alliances overlap with its own. These associations strengthen its operational resilience and expand its access to shared tooling and infrastructure. 

  • AlixSec: AlixSec is an Indonesia-leaning, pro-Palestinian hacktivist group known for routine DDoS attacks against government institutions and private organizations. The group has also partnered with groups such as BhinnekaSec and AnonymousWorld to carry out attacks against Indian websites. 
  • Mr. Hamza: Originating from Morocco, Mr. Hamza is a hacktivist threat actor conducting ideologically driven DDoS operations. Its activity frequently targets national security institutions, including intelligence and law enforcement agencies. 
  • OverFlame: OverFlame is firmly situated within the pro-Russian hacktivist environment. Its operations primarily target Ukraine and allied nations, and it collaborates with well-known collectives such as NoName057(16) and the People’s Cyber Army. 
  • Server Killers: Another pro-Russian group, Server Killers, is associated with persistent DDoS operations against organizations considered hostile to Russian state interests. 
  • Team BD Cyber Ninja: This Bangladesh-based group conducts cyber defacement and targeting campaigns focused largely on educational and government institutions in Bangladesh and India. 
  • Z-Pentest: First observed in late 2024, Z-Pentest is one of the newer collectives linked to NoName057(16) and the People’s Cyber Army. The group has demonstrated intent to compromise Industrial Control System (ICS) panels and deface websites.  

Role in Multi-Group Campaigns

The Dark Storm Team played an important role in carrying out cyberattacks that followed the Iran–Israel conflict in June 2025. Numerous hacktivist groups, including GhostSec, Arabian Ghosts, and Mr. Hamza, coordinated attacks across more than 18 critical infrastructure sectors in Israel. These operations included DDoS attacks, ICS intrusions, and data exfiltration. Dark Storm Team contributed by targeting Israeli government services, while other actors deployed tooling such as GhostLocker, GhostStealer, and IOControl. 

Tactics and Techniques 

Dark Storm Team operates in ways that are consistent with many other pro-Russian hacktivist groups. One of its common methods involves breaking into systems that are exposed to the internet. The group looks for weaknesses, such as outdated software or incorrect settings, in places like websites, online platforms, cloud services, or network equipment. When these weaknesses are found, they can be used as entry points into deeper parts of an organization’s environment. 

Another tactic involves overwhelming online services with excessive traffic to knock them offline. This approach targets websites, email systems, and other public-facing services by flooding them with more data than they can handle. To make the attacks more effective and harder to block, the group often sends the traffic from many different sources or disguises where it is coming from. 

In addition to attacking networks, Dark Storm Team may also shut down individual devices by overloading their resources. This can cause systems to freeze, crash, or become too slow to function normally, even when the wider network remains intact. 

Before carrying out any of these operations, the group usually gathers details about its targets. This can include information about users, login methods, or how systems are configured. They collect this data by scanning online services, tricking individuals into revealing information, or placing harmful code on compromised websites. This preparation allows their attacks to be more precise and effective. 

Conclusion 

Dark Storm Team exists as an active and coordinated hacktivist threat, leveraging broad alliances and sustained disruption tactics to target critical sectors worldwide. Its methods and participation in multi-group campaigns require timely and high-quality intelligence. 

Fortunately, Cyble’s threat intelligence platform delivers this level of foresight, offering real-time awareness and AI-driven analysis that support faster and more informed defensive decisions. In an environment shaped by rapid escalation and unpredictable factors, timely intelligence is the most reliable path to proactive security. 

Start with a free External Threat Assessment to reveal the risks hidden across your attack surface. Follow it with a personized Cyble demo to see how AI-native intelligence detects, predicts, and neutralizes threats like Dark Storm Team in real time. 

Recommendation and Mitigation Strategies 

  • Deploy DDoS protection and redundant infrastructure to maintain service availability. 
  • Keep public-facing systems and applications patched and secure. 
  • Harden endpoints to prevent crashes and resource exhaustion. 
  • Monitor threats using intelligence platforms like Cyble for early detection. 
  • Train staff to recognize phishing and social engineering attempts. 
  • Secure critical infrastructure, including transport and ICS systems. 

MITRE ATT&CK Techniques Associated with Dark Storm Team 

MITRE ATT&CK Techniques (Source: Cyble Vision) 
  • Exploit Public-Facing Application (T1190): Adversaries exploit weaknesses in internet‑facing systems, such as websites, databases, cloud platforms, or network devices, to gain initial access, often leveraging bugs, misconfigurations, or outdated components. Compromise may extend to underlying cloud or container environments and edge infrastructure. 
  • Network Denial of Service (T1498): Attackers overwhelm network bandwidth to disrupt access to websites, DNS, email, and other online services. These attacks may come from single or distributed sources, often using IP spoofing or botnets to increase volume and evade filtering. 
  • Endpoint Denial of Service (T1499): Adversaries exhaust system resources or cause crashes on specific hosts without saturating network capacity. They target operating systems, server software, and application layers, frequently using botnets or traffic manipulation techniques. 
  • Gather Victim Identity Information (T1589): Attackers collect user identities, credentials, and authentication details through phishing, system probing, or publicly available sources to support targeted attacks or enable unauthorized access. 
  • Gather Victim Host Information (T1592): Adversaries obtain details about system configurations, network setups, and host attributes through scanning, phishing, or embedded malicious content, supporting further reconnaissance and preparation for intrusion. 
Discover how we help proactively defend against evolving threats with Gen 3 intelligence. Request a Demo today!
Schedule a demo with Cyble Vision

Share Post:

Cyble Vision

Related Topics

Mustang Panda

Threat Actor Profile: Mustang Panda

Threat Actor Profile: Fog Ransomware Group

Threat Actor Profile: Dark Storm Team

NoName057(16)

Threat Actor Profile: NoName057(16)

Threat Actor Profile: Carbanak Group

Threat Actor Profile: Flying Kitten 

Scroll to Top