Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
Exploits CVEs in the wild

AnonGhost

Also known asAnonGhost

AnonGhost is a pro-Palestinian hacktivist group described in the provided content as a reconnaissance-focused faction. It has been associated with large-scale scanning activity, including release of a file named "120K_USA_NetBlock.txt" tied to scanning of 72.x.x.x U.S. IP ranges, and was also described as conducting port scanning at scale. The group has been observed collaborating with other hacktivist groups, including T3 dimension Team, Reliks Crew, and DragonForce Malaysia. In October 2023, AnonGhost was reported to have compromised Israel’s Red Alert/Alert App by exploiting an API vulnerability and used it to send false emergency notifications, including warnings that a nuclear bomb was coming. Separate reporting in the provided content states AnonGhost was observed using a malicious clone of the RedAlert Android app to target users in Israel and collect sensitive data. The group also claimed Israeli targeting activity in October 2023, including publication of a list of Israeli targets vulnerable to CVE-2023-29489 together with an exploit. Additional content places AnonGhost among hacktivist actors declaring simultaneous targeting of Israel and the United States, and names BD Anonymous and BABAYO EROR SYSTEM alongside it in that context. The content consistently characterizes AnonGhost as a hacktivist actor rather than a confirmed nation-state group.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics7 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
2 techniques
T1590
Gather Victim Network Information
T1595
Active Scanning
TA0001
Initial Access
1 technique
T1190×2
Exploit Public-Facing Application
TA0007
Discovery
1 technique
T1046
Network Service Discovery
TA0040
Impact
2 techniques
T1491
Defacement
T1491.001
Internal Defacement
T1565
Data Manipulation
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2023-29489Reflected XSS in cPanel cpsrvd error pageIn the wildEvidence1

October 17, 2023: Hacktivist group AnonGhost dumped a list of Israeli targets vulnerable to CVE-2023-29489 along with the exploit. The vulnerability affects cPanel application hosted commonly on websites. It’s a reflected cross-site scripting vulnerability that could be exploited without any authentication by an attacker.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
socradar blogNews
Apr 21, 2026
Iran-Israel/US Cyber War 2026: Iranian Hackers, APT Groups & Cyber Attacks

Hacktivist reconnaissance-focused group conducting large-scale scanning and port enumeration against US and Gulf infrastructure.

Read more
socradar blogNews
Mar 10, 2026
Telegram Hacktivist Activity Timeline of Iran - Israel & US War

Actor engaged in reconnaissance-oriented activity against US address space, publishing evidence of large-scale scanning rather than confirmed compromise.

Read more
hackreadNews
Mar 7, 2026
Hackers Spread Fake Red Alert Rocket Alert App to Spy on Israeli Users

Claimed compromise of the Red Alert app to push fake emergency notifications (disinformation/psychological impact) to Israeli users.

Read more
zendata cybersecurity blogNews
Mar 2, 2026
Cyber Warfare in the US-Israel vs Iran Conflict (Roaring Lion & Epic Fury) - ZENDATA Cybersecurity

Hacktivist group cited making targeting declarations against Israel and the US during the surge; specific confirmed intrusions are not detailed.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping6

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.