Mad Ghost is a hacktivist actor referenced in the context of the March 2026 cyber activity surrounding the Iran-Israel-US war. The content places Mad Ghost in the pro-Iranian/pro-Palestinian aligned ecosystem and specifically states that it joined the DieNet operational cluster targeting Bahrain government infrastructure, where it played an amplification and coordination role. The actor also claimed a successful attack against MME/PGW devices belonging to Israeli mobile network operators, though the broader report emphasizes that many telecom, OT/ICS, and critical infrastructure claims made by groups in this ecosystem were unverified or only partially verified. During the March 2026 campaign, Mad Ghost is described as launching attacks using DieNet infrastructure while forwarding claims through Telegram channels. Based on the provided content, Mad Ghost appears associated with disruptive hacktivist operations, especially coordinated campaigns leveraging DieNet’s DDoS-focused infrastructure, with targeting tied to Israeli and Bahraini entities. No additional aliases or sub-groups beyond "mad_ghost" are provided in the content.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Hacktivist group participating in DieNet-coordinated attacks against Bahraini government infrastructure, primarily in amplification and coordination roles.
Smaller hacktivist group that used DieNet’s infrastructure to launch attacks during the March 2026 campaign.
Channel used to amplify technically detailed telecom and infrastructure attack claims, including alleged attacks on Israeli mobile core infrastructure.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.