OverFlame
OverFlame is a hacktivist group referenced in the reporting as part of a broader pro-Iranian/pro-Palestinian cyber ecosystem active during the 2026 Iran-Israel conflict. The group is described as participating in coordinated disruptive campaigns targeting GCC critical infrastructure portals and governmental systems, and as being active in cyber operations related to the conflict alongside groups such as Handala Hack Team and DieNet. Reporting also states that DieNet shares DDoS-as-a-service infrastructure with OverFlame and DenBots Proof, based on attack source analysis, indicating overlap in operational infrastructure for network-disruption activity. Separately, Forescout reporting cited in the content says the pro-Russian hacktivist group TwoNet claimed ties or affiliation with OverFlame and CyberTroops, and that Russia-based hacktivist group NoName057(16) / S16 was observed partnering with OverFlame to target energy facilities. Based on the provided content, OverFlame is associated with disruptive operations, especially DDoS-style activity and targeting of government and critical infrastructure entities; no higher-confidence malware, intrusion, or destructive ICS capabilities are directly established in the content.
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Hacktivist or disruptive actor sharing DDoS-as-a-service infrastructure with DieNet.
Hacktivist/disruptive activity targeting GCC critical infrastructure portals and government systems.
Hacktivist group involved in coordinated disruptive campaigns against GCC critical infrastructure portals and government systems.
Mentioned only as an entity that TwoNet claims ties to; no specific operations, tooling, victims, or TTPs are described in the provided content.