Two new pro-Russian hacktivist groups have emerged in recent months to mount cyberattacks on Ukraine and its allies.
The groups, calling themselves the IT Army of Russia and TwoNet, use the Telegram messaging app to coordinate operations, recruit insiders, and collect information about targets in Ukraine, according to a new report by cybersecurity firm Intel 471.
Researchers said both groups appeared earlier this year and may be rebrands of previously known threat actors, though their exact links to past campaigns remain unclear.
Like other well-known Russian hacktivist groups — including NoName057, KillNet, and XakNet Team — the new gangs are primarily carrying out distributed denial-of-service (DDoS) attacks, website defacements, and data theft.
The IT Army of Russia first appeared in late March 2025 and communicates via the Duty-Free cybercrime forum and a Telegram channel with over 800 subscribers, according to Intel 471.
The group posts about alleged attacks on Ukrainian websites, leaks of stolen data, and recruits insiders working in Ukraine’s critical infrastructure. Many of its targets have been small Ukrainian businesses, according to the report.
The group also operates a Telegram bot that encourages users to submit intelligence about Ukraine’s military or infrastructure and to suggest new targets for cyberattacks. It reportedly utilizes a tool called PanicBotnet, which is advertised on underground forums, to launch DDoS operations.
Most recently, the group posted on its channel what it claimed were leaked databases from several Ukrainian and Polish websites, including a Ukrainian real estate search platform, a makeup retailer, and Poland’s educational platform, according to Intel 471.
The second group, TwoNet, surfaced in January 2025 and is believed to have around 40 members involved in hacking, software development, and open-source intelligence gathering. The group’s preferred tactic is also DDoS incidents, and its Telegram channel has promoted attacks on government and infrastructure targets in Ukraine, Spain, and the U.K., Intel 471 said.
Researchers say the group has claimed partnerships with other pro-Russian actors. In January, TwoNet’s Telegram channel announced the death of one alleged member, nicknamed “Sakura,” reportedly killed during combat in Ukraine.
Since the start of the war, several Russian hacking groups have changed their tactics, tools, and, in some cases, identities. KillNet, once known for its high-profile pro-Kremlin hacktivist campaigns, has recently resurfaced with a focus on cybercrime-for-hire operations, prioritizing profit and reputation over political messaging.
Other groups, such as the Cyber Army of Russia Reborn — whose members were sanctioned by the United States last year — have largely disappeared from public view. At the same time, one of the most prolific hacktivist collectives, NoName057, continues its operations, targeting at least one or two entities each week.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
