Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

Just Evil

Also known asJust Evil

Just Evil is a hacktivist group linked to Killmilk and identified as one of three factions that emerged from the split of the original KillNet group, alongside Deanon and KillNet 2.0. The available content places it within a broader pro-Russia hacktivist ecosystem associated with KillNet’s influence. Just Evil is described as having been introduced by Killmilk as a new hacktivist group and as expanding KillNet’s influence. Observed activity in the provided content includes targeting the solar monitoring system used by Lithuania’s Ignitis Group, and being tied to botnet activity in Japan in 2024 in which hundreds of devices were hijacked. The content also references Just Evil in connection with attacks on renewable-energy-related infrastructure, specifically solar monitoring environments. Known alias in the provided content: just_evil. Related groups and sub-groups directly mentioned in the content: KillNet, KillNet 2.0, and Deanon. The content does not provide high-confidence detail on Just Evil’s full independent targeting scope, malware/tooling, or specific TTPs beyond its hacktivist affiliation, linkage to Killmilk, and involvement in the cited incidents.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • energy
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
help net securityNews
Oct 14, 2025
The solar power boom opened a backdoor for cybercriminals

Hacktivist activity targeting solar monitoring/management systems, with at least one cited operation against the solar monitoring system used by Lithuania’s Ignitis Group.

Read more
security online infoNews
Apr 15, 2025
Vulnerabilities in Solar Power Systems Threaten Power Grids

Just Evil is linked to botnet operations that compromised hundreds of solar power devices in Japan in 2024, leveraging vulnerabilities in these systems.

Read more
thecyberexpress com vulnerabilitiesNews
Feb 2, 2024
Decoding KillNet 2.0 and Sylhet Gang-SG Cyberattack Plans for 2024

Just Evil is a new hacktivist group introduced by Killmilk, expanding the influence of the original Killnet. It is one of the three main factions resulting from the split of the original Killnet group.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.