Low Orbit Ion Cannon
Low Orbit Ion Cannon (LOIC) is a distributed denial-of-service (DDoS) tool used by participants associated with the Anonymous collective during Operation Payback in 2010. The provided content describes LOIC being used to flood targets such as RIAA.org and RIAA.com with traffic, contributing to service outages against entertainment industry, anti-piracy, and government-related websites including the RIAA, MPAA-related infrastructure, IFPI, Hadopi, the U.S. Copyright Office, Aiplex, and other anti-piracy entities in Spain, Italy, Finland, and the UK. The tool was used in publicly coordinated volunteer-driven attacks, including by users with limited technical knowledge. The content specifically notes that LOIC was modified to include a "hive mind" feature, allowing a user to turn their computer into a voluntary bot by entering the correct IRC command-and-control server, enabling automated participation in attacks. High-confidence behavior described in the content is limited to DDoS traffic generation and IRC-based coordination for the hive-mind mode. The malware/tool is closely associated in the content with Anonymous and Operation Payback. No file-based indicators of compromise are provided in the supplied material.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The Anonymous users signed on to the Low-Orbit Ion Cannon (LOIC) tool, and began trying to access the RIAA site at 5 PM ET, instead of at 4 PM as the organizers originally planned.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control
1 technique
Command and Control
The Anonymous team has modified the Low Orbit Ion Cannon DDoS tool to include a new “hive mind” feature, which allows anyone using the software to turn their computer into a voluntary bot simply by inputting the correct IRC C&C server into the program. Once the C&C is set, the software will then automatically connect to the channel, receive commands (What URL/IP to attack), and start attacking automatically.
Impact
3 techniques
Impact
Low Orbit Ion Canon, a voluntary denial-of-service tool used last year to protest Visa, Paypal and Mastercard’s decisions to cut off donations to Wikileaks. LOIC is a point-and-click piece of software that bombards a targeted website with useless traffic.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A denial-of-service tool used to flood a target website with traffic and take it offline.
A denial-of-service tool used to flood targeted websites with traffic and disrupt availability.
A denial-of-service tool used by Operation Payback participants to flood target websites. The content notes a modified version with a “hive mind” feature that connects to an IRC command-and-control server and automatically receives attack commands, effectively turning users into voluntary bots.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.