A hacktivist group with suspected roots in India, known as CyberVolk, has been carrying out ransomware attacks against state and public entities in nations perceived as opposing Russian interests. The group has been active since at least March 2024, exploiting global geopolitical tensions to justify its campaigns.
CyberVolk recently claimed responsibility for cyberattacks on critical infrastructure and scientific institutions in Japan, France, and the United Kingdom.
Previously operating under the names Gloriamist India and Solntsevskaya Bratva, the group rebranded to CyberVolk earlier this year. The collective’s leader, identified as “Hacker-K,” is reportedly of Indian origin, although the exact composition and location of its members remain uncertain. CyberVolk has aligned itself with other pro-Russian hacktivist collectives, such as NoName057(16).
Unlike many hacktivists who primarily conduct distributed denial-of-service (DDoS) attacks, CyberVolk employs a diverse arsenal that includes ransomware and information-stealing malware, according to a report by cybersecurity firm SentinelOne. The group uses custom stealer malware designed to gather browser credentials, cryptocurrency wallet data, and gaming information, with stolen data exfiltrated via the Discord platform.
CyberVolk’s ransomware is based on tools developed by the now-defunct pro-Russian group AzzaSec, whose ransomware source code was leaked in June 2024. CyberVolk adapted this code into its own branded ransomware, which targets Windows systems.
In addition to AzzaSec’s tools, CyberVolk has leveraged other ransomware families, including HexaLocker and Parano, and has incorporated established malware like LockBit and Chaos.
“The reuse of tools like AzzaSec Ransom, Diamond RW, and even more established ones like LockBit and Chaos, demonstrates just how dynamic these affiliations and alliances between hacktivist groups can be,” notes the report. “Not only are such groups touting new tools within short time frames only to abandon them and pivot to something else later, the number of hacktivist groups is also growing. Infighting and tensions amongst them are also fuel for the rates of growth and change – as alliances crumble or shift, the threat environment stays highly volatile and dynamic, making it more difficult for cyber defenders to track their activities consistently.”