Mallory
🇷🇺 RU

Operation Zero

Also known as: Operation Zero

Operation Zero is a Russia-based exploit broker, publicly operating through Matrix LLC and run by Russian national Sergey Sergeyevich Zelenyuk from St. Petersburg since 2021. It has been described as a zero-day broker that acquires and distributes cyber tools and offers multimillion-dollar bounties for exploits targeting widely used software, including U.S.-built operating systems and encrypted messaging applications such as Telegram, as well as for full mobile device compromise. The content states that Operation Zero does not disclose vulnerabilities to affected vendors and publicly claims to sell only to non-NATO customers, including the Russian government. U.S. authorities also stated that it sought to sell exploits to foreign intelligence agencies, recruited hackers through social media, and pursued development of spyware and methods to extract personal identifying information and other sensitive data uploaded to AI/LLM applications. Operation Zero was sanctioned by the U.S. Treasury and designated by the U.S. State Department in February 2026. The content identifies Matrix LLC as doing business as Operation Zero, and also names UAE-based Special Technology Services LLC FZ (STS) as a Zelenyuk-controlled affiliate established to expand operations in Asia and the Middle East and likely to bypass sanctions. Associated sanctioned individuals and entities mentioned in the content include Marina Evgenyevna Vasanovich, Azizjon Makhmudovich Mamashoyev, Oleg Vyacheslavovich Kucherov, and Advance Security Solutions. The content states that Operation Zero acquired at least eight proprietary cyber tools stolen from a U.S. company and sold them to at least one unauthorized user. These tools were stolen between 2022 and 2025 by former L3Harris/Trenchant employee Peter Williams and sold to Operation Zero for cryptocurrency.
Reporting in the content also says Operation Zero may have acquired the Coruna iOS exploit kit and sold it to other threat actors, including financially motivated cybercriminals. Known aliases and related names directly mentioned in the content are Matrix LLC and Operation Zero.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • RU

MITRE ATT&CK

Tradecraft

15 distinct techniques observed across reporting, grouped by tactic.

6 of 15 tactics, 20 techniques. ×N = number of intelligence reports citing this technique.

TA0043 Reconnaissance (2 techniques)
  • T1592 Gather Victim Host Information
  • T1598 Phishing for Information
  • T1598.002 Spearphishing Attachment

TA0042 Resource Development (4 techniques)
  • T1583 Acquire Infrastructure
  • T1585 Establish Accounts
  • T1585.001 Social Media Accounts (×2)
  • T1587 Develop Capabilities
  • T1587.001 Malware
  • T1587.004 Exploits (×2)
  • T1588 Obtain Capabilities
  • T1588.001 Malware

TA0001 Initial Access (3 techniques)
  • T1189 Drive-by Compromise
  • T1190 Exploit Public-Facing Application (×2)
  • T1195 Supply Chain Compromise

TA0002 Execution (1 technique)
  • T1203 Exploitation for Client Execution (×7)

TA0004 Privilege Escalation (1 technique)
  • T1068 Exploitation for Privilege Escalation

TA0011 Command and Control (3 techniques)
  • T1105 Ingress Tool Transfer
  • T1132 Data Encoding
  • T1132.001 Standard Encoding
  • T1573 Encrypted Channel

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

cyberthrone (News), Mar 13, 2026
Apple Patches Coruna Exploit Kit - Older iOS/iPadOS Devices - TheCyberThrone

A Russian exploit broker suspected of acquiring the Coruna exploit kit and selling it to other threat actors, including cybercriminals.

cert eu threat intel (News), Mar 2, 2026
CERT-EU - Cyber Brief 26-03 - February 2026

Exploit broker network involved in theft and sale/trafficking of cyber exploits and stolen government cyber tools to overseas buyers.

security affairs (News), Feb 25, 2026
Former U.S. Defense contractor executive sentenced for selling zero-day exploits to Russian broker Operation Zero

Russia-based exploit brokerage that buys and sells zero-day exploits (including for widely used operating systems and encrypted messaging apps) and advertises sales to non-NATO customers; per the cited U.S. Treasury language, it has sought relationships with foreign intelligence agencies, recruited hackers via social media, and explored development of spyware and data-extraction capabilities. The content links Operation Zero to downstream use of exploits for ransomware and other malicious activity by customers.

the hacker news (News), Feb 25, 2026
Defense Contractor Employee Jailed for Selling 8 Zero-Days to Russian Broker

Russian exploit brokerage operation acquiring and distributing high-value zero-day exploits (e.g., for Telegram, Android, iPhone) and seeking to sell them to non-NATO customers, including foreign intelligence agencies; also described as pursuing development of spyware and data-extraction capabilities.