Threat Actor Dark Storm has emerged as one of the most active pro-Russian hacktivist groups this year, escalating disruptive cyberattacks against several government agencies across Europe and Russia.   Known primarily for aggressive Distributed Denial-of-Service (DDoS) operations, the group is widening its targets, deepening alliances, and promoting DDoS-as-a-Service offerings to other threat actors across the underground ecosystem. 

Who Is Dark Storm? A Pro-Russian Collective Expanding Its Reach 

The threat actor Dark Storm, also known as Dark Storm Team, TeamDarkStorm, and MRHELL112, has built a reputation for hitting critical infrastructure, particularly airports and transportation networks. While DDoS has remained its signature method, the group has recently broadened its campaigns to include political, opportunistic, and retaliatory attacks.  Dark Storm is part of the pro-Russian alliance Matryoshka 424, connecting it to other hacktivist clusters that coordinate messaging, tools, and attack timing.   The group’s alignment with wider pro-Russian cyber movements has amplified its operational impact, especially during geopolitical flashpoints. 

Growing Web of Alliances Boosts Their Disruptive Capabilities 

The threat actor’s tactic frequently overlaps with those of linked groups such as OverFlame, Server Killers, Z-Pentest, and Team BD Cyber Ninja, all of which share DDoS infrastructure and ideological motivations. 

• OverFlame focuses on attacks connected to Ukraine and its allies. 

• Server Killers routinely targets entities perceived as opposing Russian interests. 

• Z-Pentest, a newer group, has been seen exploiting unauthorized access to ICS panels and performing website defacements. 

These joined alliances provide Dark Storm with broader botnet access, shared reconnaissance intelligence, and a coordinated amplification strategy, leading to larger and more sustained disruptions. 

How Dark Storm Executes Its Attacks

1. Exploiting Public-Facing Applications

Dark Storm’s operations often begin with exploiting weaknesses in internet-facing applications, including misconfigured servers, outdated services, and vulnerable web components. By leveraging Initial Access techniques such as exploiting public-facing apps (T1190), the group aims to identify high-value entry points.  This includes: 

• Web servers and cloud-hosted applications 

• Administrative interfaces 

• Exposed databases or misconfigured network devices 

The group has also been observed gathering victim identity information (T1589) and host configuration data (T1592) through reconnaissance activities, using scanning and metadata harvesting to tailor their next move. 2. Coordinated DDoS and Endpoint Denial-of-Service Attacks The core of Dark Storm’s activity lies in complicated Network Denial-of-Service (T1498) and Endpoint Denial-of-Service (T1499) campaigns.  These attacks typically rely on: 

• Voluminous traffic generation using botnets 

• IP spoofing to hide origin 

• Reflective amplification techniques 

• Multi-layer targeting of network and application endpoints 

By vast bandwidth, saturating hosting infrastructure, or crashing service layers, Dark Storm aims to cause maximum disruption with minimal operational cost. 3. Escalating Focus on Government Agencies While past activity was largely centered on transportation and logistics, the recent surge of attacks against government agencies in Europe and Russia marks a notable escalation. The group appears to be leveraging political tension, upcoming elections, and diplomatic shifts to justify their campaigns.  These government-focused attacks include: 

• Flooding official portals 

• Disrupting public-facing service websites 

• Interrupting online citizen services 

• Targeting digital communication channels 

Although largely disruptive rather than destructive, these incidents highlight the fragility of national digital services under sustained political hacktivism. 

How Organizations Can Defend Against Dark Storm’s Tactics 

The tactics used by Threat Actor Dark Storm, particularly large-scale DDoS attacks and exploitation of exposed applications, stress on the importance of continuous threat visibility. Organizations dependent on online services remains especially vulnerable during periods of geopolitical tension or heightened hacktivist activity.  Solutions like Cyble’s Cyber Threat Intelligence Platform provide early detection of adversary behavior, monitoring of emerging campaigns, and insights into developing threats that groups like Dark Storm rely on.  With holistic visibility, automation, and advanced analytics, security teams can prioritize high-risk exposures, detect reconnaissance activity sooner, and prepare defenses before attacks escalate. 

Stay ahead of threat actor groups like Dark Storm. 

Explore deeper threat insights with Cyble’s Cyber Threat Intelligence Platform- Get Your FREE Demo Now 

As Black Friday sale scams continue to rise, shoppers across Europe and the US are being urged to stay vigilant this festive season. With promotions kicking off earlier than ever, some starting as early as October 30 in Romania, cybercriminals have had an extended window to target bargain hunters, exploiting their search for deals with fraudulent schemes. Black Friday 2025, this year, scammers have been impersonating top brands such as Amazon, MediaMarkt, TEMU, IKEA, Kaufland, Grohe, Oral-B, Binance, Louis Vuitton, Jack Daniel’s, Reese’s, and United Healthcare. Among them, Amazon remains the most frequently abused brand, appearing in phishing messages, fake coupon offers, and mobile scams promising massive discounts.

Amid these ongoing threats, many shoppers are also expressing frustration with deceptive pricing tactics seen during the Black Friday period. One Reddit user described the experience as increasingly misleading:

“I'm officially over the Black Friday hype. It used to feel like a sale, now it feels like a prank.

I was tracking a coffee machine at $129. When the ‘Black Friday early deal’ showed up, it became ‘$159 now $139 LIMITED TIME.’ I saw $129 two weeks ago. The kids’ tablet went from $79 to $89 with a Holiday Deal tag — paying extra for a yellow label.

I've been doing Black Friday hunting for 10+ years and it's only gotten worse. Fake doorbusters, fake urgency, fake ‘original’ prices. Feels like they're A/B testing how cooked our brains are as long as the button screams ‘53% OFF.’

Now I only buy when needed and let a Chrome extension track my Amazon orders. It clawed back $72 last month from so-called ‘preview pricing’ after prices dropped again.”

This sentiment reflects a growing concern: while scam campaigns imitate trusted brands, the pressure-driven marketing tactics surrounding Black Friday can also make consumers more vulnerable to fraud.

Moreover, a recent campaign even spoofed United Healthcare, offering a fake “Black Friday Smile Upgrade” with Oral-B dental kits, aiming to collect sensitive personal data. According to data from the City of London Police, shoppers lost around £11.8 million to online shopping fraud during last year’s festive season, from 1 November 2024 to 31 January 2025. Fraudsters often pressure victims with claims that deals are limited or products are scarce, forcing hurried decisions that can result in stolen funds or sensitive information.

A Month-Long Shopping Season Means More Risk

With strong discounts across electronics, toys, apparel, and home goods, consumers are drawn to higher-ticket items. This year, electronics saw discounts up to 30.1%, toys 28%, apparel 23.2%, and furniture 19%, while televisions, appliances, and sporting goods hit record lows in price, prompting significant e-commerce growth. Adobe reported that for every 1% decrease in price, demand increased by 1.029% compared to the previous year, driving an additional $2.25 billion in online spending, a part of the overall $241.4 billion spent online. The combination of high consumer demand and deep discounts makes the Black Friday shopping period especially attractive to cybercriminals, as the increased volume of online transactions offers more opportunities for scams.

How to Protect Yourself from Black Friday Sale Scams

Ahead of Black Friday on November 28, shoppers are being encouraged to follow advice from the Stop! Think Fraud campaign, run by the Home Office and the National Cyber Security Centre (NCSC). Key precautions include:

• Check the shop is legitimate: Always verify reviews on trusted websites before making a purchase.
• Secure your accounts: Enable two-step verification (2SV) for important accounts to add an extra layer of security.
• Pay securely: Use credit cards or verified payment services like PayPal, Apple Pay, or Google Pay. Avoid storing card details on websites and never pay by direct bank transfer.
• Beware of delivery scams: Avoid clicking links in unexpected messages or calls and confirm any delivery claims with the organization directly.

Individuals are also urged to report suspicious emails, texts, or fake websites to the NCSC, which collaborates with partners to investigate and remove malicious content. For businesses and security-conscious shoppers, leveraging tools like Cyble’s Cyber Threat Intelligence Platform can help monitor brand impersonation, detect scams, and protect sensitive data in real-time during Black Friday sale scams. With the rise of cyber threats during high-demand shopping periods, proactive intelligence is key to staying safe. Stay alert this Black Friday, your bargains are only valuable if your personal data stays safe. Learn more about how Cyble can protect you and your business here.