Our latest OSINT report focuses on KillNet.
KillNet has evolved far beyond a conventional hacktivist group. Our analysis shows that its campaigns consistently align with political developments and the geopolitical interests of the Russian Federation, while technical attacks are regularly combined with coordinated information and psychological operations.
Although most of its operations rely on relatively low-complexity techniques, KillNet remains one of the most influential pro-Russian cyber groups due to its ability to rapidly mobilize a broad network of supporters, coordinate large-scale DDoS campaigns, and amplify their impact through Telegram and other online platforms.
Ghostwriter (UNC1151) has become one of the most closely tracked threat actors operating against Ukraine, NATO members, and Eastern European governments.
Over nearly a decade of activity, the group has combined credential harvesting, malware deployment, website compromises, cyber espionage, and coordinated influence operations targeting government institutions, military personnel, journalists, media organizations, and political actors.
Dragonfly is one of the most well-known Russian APT groups, which for years has focused its operations on the energy sector and industrial control systems.
In this report, we examine the group’s history, tooling, known operations, and reported links to Russian state structures. Particular attention is given to campaigns targeting U.
NoName057(16) is a pro-russian hacktivist collective that has been conducting large-scale DDoS campaigns against government institutions, financial systems, transportation infrastructure, and media organizations across Europe and NATO-aligned countries since 2022. Unlike traditional APT groups, its activities are not focused on espionage or long-term persistence, but rather on disruption and the degradation of digital services.
APT29 (Cozy Bear) remains one of the most active cyber espionage groups linked to the Russian intelligence apparatus. Their approach is not built around “fast” attacks, but around long-term access, credential operations, and gradual persistence inside targeted infrastructure.
The report breaks down a typical APT29 attack chain — from OSINT collection, phishing delivery, and malicious RDP/HTML files to Azure AD compromise, persistence through service principals, and further activity within Office 365 and cloud environments.
SHUM has established a partnership with Lex Talionis and OsintVarta as part of their joint OSINT-focused initiative.
The project brings together teams working on open-source investigations, data collection, and analytical research related to the russian federation’s defence-industrial complex and associated structures. It includes structured datasets, mapping, and analysis aimed at improving transparency and enabling further investigative work.
Our Research and Development department has been running in the background for a while now — building tools and internal solutions that support our OSINT investigations and war crimes documentation efforts. As part of that, we’ve launched a GitHub organization. Access is restricted — our work touches sensitive areas, and we keep it that way intentionally.
We’ve updated the volunteer application form — time to apply.
We have open volunteer positions — anyone can join, regardless of experience or field. OSINT, cybersecurity, analysis, or journalism — all the details are at the link.
Together we do work that matters.
This analytical report examines how GRU-linked APT groups operate in cyberspace as interconnected elements of a coordinated system rather than as isolated actors.
It reconstructs the operational logic behind units such as APT28 and APT44, showing how cyber operations are integrated with intelligence gathering, sabotage, and information campaigns. The analysis highlights that cyber activity is often driven by geopolitical triggers such as wars, elections, and crises, while different units perform distinct roles within a shared operational ecosystem.
6,000 defense-industrial complex enterprises of the russian federation are now available on an interactive map.
Lex Talionis and OsintVarta have developed a map of enterprises operating within the aggressor state. The platform includes descriptions of their activities and specific developments, information on vetted employees with enriched data, as well as structured categorization for easier navigation and analysis.