🇷🇺 RUExploits CVEs in the wild

Z-Alliance

Also known asz_alliance

Z-Alliance is a Russian-aligned hacktivist threat group. Reporting cited in the provided content states that Z-Alliance, alongside Cyber Army of Russia Reborn, TwoNet, and the Infrastructure Destruction Squad, evolved from low-impact DDoS activity into operations involving OT/IoT reconnaissance and claimed disruptive attacks against industrial targets. The group has been associated with targeting or claiming compromises of cameras, and the content places it among actors observed targeting internet-exposed IP cameras. Separate reporting in the content also states that Z-Alliance issued a statement in Russian declaring support for Iran and readiness to conduct offensive operations during the Israel-Iran conflict, and claimed an attack against the Gan HaDarom pumping station. Based on the provided material, Z-Alliance should be understood as a Russian-aligned hacktivist actor involved in disruptive and propaganda-driven operations, with activity spanning DDoS, camera targeting, OT/IoT reconnaissance, and claimed industrial targeting.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Capital Goods
Utilities

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics2 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1190

Exploit Public-Facing Application

TA0006

Credential Access

1 technique

T1110

Brute Force

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2021-3626Privilege Escalation via Unrestricted Localhost TCP Control Socket in Multipass for WindowsIn the wildEvidence1

One of the Hikvision vulnerabilities (CVE-2021-3626; command injection) grants an attacker full root access to control the device.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

eclecticiq blogNews

Jun 11, 2026

The Escalating Cyber Risk Landscape in Regional Conflicts & Strategic Actions for 2026

Russia-aligned hacktivist group involved in OT/IoT reconnaissance and disruptive industrial targeting beyond traditional DDoS activity.

nozomi networks blogNews

Apr 2, 2026

IP Cameras in Modern Warfare: Pre-Strike Recon and Post-Strike Assessment

Listed as a threat group that has claimed to have compromised cameras or has been observed targeting cameras.

outpost24 blogNews

Jul 1, 2025

How hacktivist cyber operations surged amid Israeli-Iranian conflict

Hacktivist group publicly supporting Iran; claims targeting of Israeli water infrastructure.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.