🇺🇦 UA

IT Army of Ukraine

Also known as: it_army_of_ukraine

The IT Army of Ukraine is a pro-Ukraine volunteer hacktivist and cyberwarfare collective formed in late February 2022 after Russia’s invasion of Ukraine. It was publicly announced by Ukraine’s Minister of Digital Transformation, Mykhailo Fedorov, and coordinates volunteers primarily through Telegram and Twitter. The group is described as dividing participants into offensive and defensive cyber units, with volunteers ranging from regular computer users to more advanced operators.

The content consistently associates the IT Army of Ukraine with distributed denial-of-service (DDoS) operations against Russian and Belarusian targets, including Russian banks, internet service providers, government websites, telecoms, and other infrastructure. Reported or claimed targets mentioned in the content include Akado, GazpromBank, the Moscow Stock Exchange, Sberbank, Roscosmos, the FSB, Russian and Belarusian government sites, and Russian digital-signature issuers including Osnovanie. The group was also reported as having targeted Yandex Taxi in collaboration with Anonymous, causing a traffic disruption in Moscow. The content further states that the group listed Kaluga Astral among its intended targets in 2023, although there is no evidence linking it to Astral’s later incident and it is unclear whether it ever successfully attacked the company.

The group is described as lowering the barrier to participation by publishing target lists and providing tooling through itarmy.com.ua, including the “IT Army Kit,” improved versions of MHDDOS, DB1000N, and Distress, and an Automatic DDoS Server Starter (ADSS) for Linux systems. The tooling reportedly supports graphical configuration, automated target-list updates, scheduling, and automatic updates. The group also maintained a leaderboard and anonymous IT Army IDs via Telegram to incentivize volunteers. The content states that guidance was published for deploying attack infrastructure and abusing free cloud trials from providers including Google Cloud, Amazon, Azure, Hetzner, and Digital Ocean.

The content portrays the IT Army of Ukraine as part of the broader cyber dimension of the Russia-Ukraine war and notes overlap or cooperation with Ukrainian state structures in some reporting. One cited passage states that Ukraine’s defense intelligence directorate (GUR) teamed with the crowdsourced IT Army of Ukraine to conduct DDoS attacks against Russian civilian targets including banks and ISPs. Another source notes that the group later stated it would abide by International Committee of the Red Cross rules of engagement for civilian hackers. The content also notes that the group denied knowing whether Artyom Khoroshilov was part of its community.

Known alias in the provided content: it_army_of_ukraine.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services
  • Government & Administration
  • Banks

Where they target

Geographies tied to known operations.

  • 🇷🇺 Russia

Where they're from

Attributed origin per open-source reporting.

  • UA

MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic.

2 of 15 tactics, 4 techniques. ×N = number of intelligence reports citing this technique.

TA0011 Command and Control (1 technique)

  • T1090 Proxy

TA0040 Impact (2 techniques)

  • T1498 Network Denial of Service (×5)
  • T1498.001 Direct Network Flood
  • T1499 Endpoint Denial of Service