Dark Storm: DDoS Tactics, Infrastructure, and Campaign Profile

Introduction

In recent years, even the largest online platforms have proven vulnerable to disruptive cyberattacks. One stark example came on March 10, 2025, when users worldwide were unable to access X (formerly Twitter) due to a massive distributed denial-of-service (DDoS) attack. A threat actor calling itself “Dark Storm” swiftly claimed responsibility on Telegram, showcasing outage maps and “proof” links to validate the attack. This incident underscored the potency of modern hacktivist-driven DDoS campaigns and the evolving threat they pose to critical digital infrastructure.

Dark Storm has emerged as a high-profile threat actor specializing in large-scale DDoS attacks, blending politically charged hacktivism with profit-driven cybercrime. This article provides an in-depth profile of Dark Storm – examining its tactics, techniques, and procedures (TTPs), infrastructure and botnets, known campaigns (including the 2025 X outage), and how these map to the MITRE ATT&CK framework. Our research analyzes Dark Storm’s methods such as IoT botnet deployment, exploitation of router vulnerabilities, proxy chaining for anonymity, and more, offering insight into the group’s operations and their implications for cyber defenders.

Threat Actor Profile: Dark Storm

Dark Storm is a relatively new threat actor that surfaced in late 2023, rapidly gaining notoriety for politically motivated cyber aggression. The group initially aligned itself with pro-Palestinian hacktivist narratives, positioning their attacks as retaliation or protest in geopolitical conflicts. However, Dark Storm’s activities soon revealed a dual nature: ideologically driven hacktivism on one hand, and financially-motivated cybercrime on the other.

In practice, Dark Storm operates both as a hacktivist collective and as a DDoS-for-hire service provider, monetizing its capabilities by offering attacks to paying clients. This hybrid motive sets Dark Storm apart from purist hacktivist groups, indicating a shift toward “cyber mercenary” behavior where causing disruption doubles as advertising for their black-market services.

Organizationally, Dark Storm appears to be well-resourced and adaptive. The group is known to organize and coordinate via Telegram channels and dark-web forums, where they recruit supporters, disseminate attack playbooks, and publicize their successes. They have shown resilience against takedowns – for instance, after one of their Telegram channels was shut down, Dark Storm re-emerged with heightened activity and an expanded target scope.

Their campaigns now frequently target Western organizations and critical infrastructure not only in the U.S. but also in Israel, Ukraine, and the UAE, suggesting a deliberate effort to disrupt services in line with geopolitical interests. Despite the political overtones, Dark Storm’s messaging lacks the overt ideological flair of some hacktivists; instead, their communications often emphasize their capabilities and services, reflecting a calculated branding strategy.

Indeed, high-profile attacks claimed by Dark Storm often serve as “live demos” of their DDoS prowess, meant to impress potential clients and reinforce their reputation in the underground marketplace.

Typical Targets

Dark Storm’s operational focus is overwhelmingly on DDoS attacks against public-facing services. They have repeatedly struck major platforms and institutions to maximize visibility. Observed targets since 2025 include social media (X/Twitter), telecommunications and tech companies (e.g. ChatGPT’s web service, Zoom, Spotify, Binance.US), government and law enforcement sites (FBI, police departments), aviation hubs (airport websites), financial services, and media outlets.

These sectors are high-impact by design – outages in such services cause broad disruption, media attention, and political pressure. Notably, U.S.-based digital infrastructure has been a primary focus, with Dark Storm and similar groups viewing the U.S. as a high-value stage for their campaigns. This reflects an intent to “maximize visibility, chaos, or impact by targeting essential and widely used services” across the economy. It also aligns with Dark Storm’s roots in activism (e.g. targeting government or media to advance a cause) while serving their profit motive (demonstrating capability against big-name targets).

Infrastructure and Capabilities

Dark Storm’s technical infrastructure and operating methods reveal a highly organized approach to conducting DDoS attacks at scale. The group leverages a blend of compromised devices, anonymization networks, and cloud resources to carry out attacks while obscuring their identity.

IoT Botnets

At the core of Dark Storm’s firepower is a sprawling botnet of malware-infected devices, many of them Internet-of-Things (IoT) systems. Our security analysis of Dark Storm’s campaigns demonstrates that the group can enlist hundreds of thousands of bots worldwide to generate malicious traffic. These bots range from compromised home routers and IP cameras to digital video recorders – common IoT devices with poor security. In fact, investigation of the March 2025 X attack confirmed the DDoS was driven “mostly [by] IoT devices (e.g. IP cameras, DVRs, routers)” flooding X’s servers.

To build such botnets, Dark Storm actively exploits vulnerable systems: for example, prior Dark Storm attacks heavily abused vulnerable MikroTik routers – leveraging known firmware vulnerabilities or misconfigurations to hijack these devices. Thousands of MikroTik network devices have been unwittingly conscripted, alongside other unsecure IoT endpoints, into Dark Storm’s botnet infrastructure.

The group likely conducts wide-ranging internet scans to find exploitable IoT devices (weak default passwords, outdated firmware, open management ports, etc.) and uses automated malware to infect them, analogous to how the Mirai botnet spread. Once under control, these devices provide massive bandwidth and distributed geography for launching DDoS attacks.

Proxy Chains and Anonymization

To mask their operations and make tracing difficult, Dark Storm makes heavy use of proxies, VPNs, and anonymization networks. Their attackers route traffic through layers of proxy servers – including open proxy nodes and the Tor network – to hide the true origin of malicious packets. This was observed in earlier Dark Storm campaigns, which showed attack traffic coming via open proxies or Tor exit nodes from countries like Switzerland, the U.S., Tanzania, and Indonesia.

By chaining connections in this way, Dark Storm can obfuscate their command-and-control and attack origins, appearing as a swarm of global sources. Our research reveals that Dark Storm operatives rent or hijack IP addresses in various regions to further muddy attribution. These multi-hop proxy and VPN techniques correspond to classic defense-evasion measures; they not only conceal the operators’ location but also help malicious traffic blend with legitimate user traffic.

Command-and-Control (C2)

The exact C2 infrastructure for Dark Storm’s botnets is closely guarded, but it likely follows the conventions of large botnet operations. In a typical setup, once IoT devices are infected with Dark Storm’s malware, they communicate with central C2 servers controlled by the group. These C2 servers can issue commands such as “attack target X now with technique Y,” which the bots then execute in unison.

Communication between bots and C2 may use standard application-layer protocols (HTTP/HTTPS or IRC) to avoid detection, possibly with encryption to prevent defenders from eavesdropping. Notably, Dark Storm also leverages Telegram as an organizational C2 channel for human volunteers and affiliates. The group’s Telegram channels are used to share target lists, rally participants for crowd-sourced “botnet” activities, and even to distribute simple attack scripts.

For example, some hacktivist crews have shared tools like web stress-test scripts for supporters to run; while Dark Storm’s own tools are not publicly dumped, their Telegram messages coordinate timing and targets for attacks and occasionally even solicit “continuation” of attacks by the community. Thus, one can view Dark Storm’s command structure as two-tiered: a covert malware-based botnet under direct control, and a social layer of followers directed via Telegram – both converging on chosen targets.

Tooling and Services

Dark Storm’s capabilities extend beyond raw DDoS bandwidth. The group has shown the ability to perform active reconnaissance and exploit development to facilitate attacks. A prominent example was the X platform incident: our research indicates that Dark Storm (or its partners) identified an exposed weakness in X’s infrastructure – certain backend servers were not properly shielded by Cloudflare DDoS protection – and directed their botnet traffic at those unprotected endpoints.

By exploiting this misconfiguration, the attackers bypassed X’s front-line defenses and achieved a much larger impact. This indicates a level of technical scanning and network knowledge: Dark Storm likely uses tools (or open-source intelligence via services like Shodan) to map out target networks and find vulnerable interfaces before an attack.

Additionally, Dark Storm has collaborated with other threat groups to expand its toolset. They have worked alongside Russia-linked hacktivist group KillNet and Islamist hacktivists like Anonymous Sudan and Ghosts of Palestine, sharing tactics and infrastructure. These collaborations suggest that Dark Storm can tap into partner botnets or tools when needed, and vice versa, forming a loose network of mutually supportive threat actors. Indeed, Dark Storm’s members or allies operate in time zones spanning the Middle East, Eastern Europe, and Moscow, indicating a global network of operators behind its campaigns.

Beyond DDoS, Dark Storm also markets other illicit services – notably data breach and “database dumping” services. Advertisements on their Telegram show Dark Storm offering to steal data (e.g. dumping databases from target websites) for a fee, in addition to pure DDoS offerings. This implies the group (or its contractors) can conduct intrusion operations (such as exploiting web vulnerabilities to exfiltrate data) when financially incentivized. In summary, Dark Storm’s operational toolkit is diverse: from botnet-driven traffic floods, to network scanning and exploitation, to possibly hands-on-keyboard hacking – all under a business-like model.

Tactics, Techniques, and Procedures (TTPs)

Dark Storm’s known tactics and techniques align with multiple stages of the MITRE ATT&CK framework, from reconnaissance through impact. Below, we outline key TTPs observed in Dark Storm operations, mapping them to corresponding MITRE ATT&CK tactics and technique IDs for clarity:

Reconnaissance – Target Scanning and Surveillance

Before launching attacks, Dark Storm conducts active reconnaissance on both victims and potential botnet nodes. The group likely performs wide network scanning (ATT&CK Active Scanning – T1595), searching for internet-exposed assets associated with targets. In the X attack, for example, adversaries discovered unprotected origin servers for X that were not behind the DDoS mitigation front-end. This implies methodical probing of the target’s infrastructure (ATT&CK Gather Victim Network Information – T1590), possibly using tools to find real IP addresses or misconfigured cloud services.

Similarly, to build its botnet, Dark Storm scans the internet for vulnerable IoT devices and routers (seeking default credentials or known exploits). This aligns with ATT&CK Resource Development tactics – specifically, Compromise Infrastructure: Botnet (T1584.005), whereby adversaries compromise numerous third-party systems to form a botnet. Dark Storm’s use of MikroTik router exploits and IoT malware to grow its botnet is a textbook case of this technique in action.

In addition, the group monitors open sources (like social media and outage reports) to gauge the impact of their attacks and sometimes to identify opportunistic targets – for instance, jumping to claim credit when a major service has an outage (even if by unrelated causes).

Resource Development – Botnets and Infrastructure Acquisition

Dark Storm invests heavily in acquiring and maintaining attack infrastructure. Besides compromising IoT devices (ATT&CK T1584.005 as noted), they also rent servers and IP space to use as launch pads or proxies. This corresponds to ATT&CK Acquire Infrastructure: Virtual Private Servers/Hosting (T1583.003) and Acquire Infrastructure: Botnet (T1583.005), reflecting how Dark Storm obtains infrastructure through both purchase and compromise.

The group’s botnet is a blend of owned assets and “as-a-service” rentals. By offering DDoS-for-hire, they effectively crowdsource infrastructure – clients pay them to direct attacks, funding further development. Dark Storm’s collaboration with other hacktivist crews also suggests resource sharing; for example, partnerships with KillNet or Anonymous Sudan mean they can leverage those groups’ botnets or lists of proxies when needed.

Thus, the Resource Development phase for Dark Storm is continuous and multifaceted: ensnaring new devices, acquiring proxy lists, developing attack scripts, and even maintaining online personas and channels to grow their following (which maps to Establish Accounts – T1585, since they must create and manage anonymous Telegram/chat accounts for coordination).

Initial Access & Execution – DDoS Attack Launch

Unlike many threat actors, Dark Storm typically does not infiltrate a victim’s internal network – rather, they achieve their objective by directly executing attacks from the outside. The “execution” in this context is the firing of a DDoS blast. However, if we consider their broader offering (database hacks, etc.), they might also use Initial Access techniques such as Exploitation of Public-Facing Application (T1190) to breach web servers when stealing data for clients.

For DDoS specifically, the Impact tactic is where Dark Storm shines. The primary technique is Network Denial of Service (T1498) – overwhelming target networks or servers with illegitimate traffic to deny service. In Dark Storm’s case, they have employed various forms of network/application traffic floods (akin to sub-technique Direct Network Flood – T1498.001). For example, the attack on X involved direct HTTP(S) request floods sent by tens of thousands of bots to X’s web servers. Such volumetric attacks can exceed tens or hundreds of Gbps, saturating bandwidth or overwhelming server resources.

Dark Storm is also adept at application-layer DDoS (MITRE ATT&CK Endpoint Denial of Service – T1499), which targets specific application endpoints (e.g. web API calls, login pages) to exhaust system resources without necessarily maxing out bandwidth. Their use of custom tools and scripts enables complex multi-vector attacks; while details are scarce, similar groups have performed concurrent Layer 7 (application) and Layer 3/4 (network) attacks to complicate mitigation. Dark Storm’s playbook may include UDP floods, HTTP GET/POST floods, and possibly reflection/amplification attacks (T1498.002) if they exploit open servers like DNS or NTP for amplification – though most documented Dark Storm attacks appear to rely on direct botnet traffic rather than classic reflector attacks.
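The floods described in the two paragraphs above leave a characteristic footprint in web server access logs. The following is an added example (not ShieldsGuard's or Dark Storm's code) that runs two simple detection heuristics over constructed Combined Log Format lines: a single source exceeding a per-IP request threshold, and a botnet-style application-layer flood in which many addresses each stay under the per-IP threshold but together hammer one endpoint. The IPs, paths, thresholds and window size are all assumptions chosen for illustration.

```python
"""Detect HTTP(S) request floods in web access logs (added example).

Two heuristics mirror the attack forms discussed in the article:
  * single-source flood: one IP exceeding per_ip_max requests in a window
  * distributed flood: >= min_sources distinct IPs on the same path whose
    combined count exceeds per_path_max (Layer 7 botnet flood)
All log lines are constructed samples, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_s=10, per_ip_max=20, per_path_max=50, min_sources=10):
    """Bucket requests into fixed windows and flag flood patterns.

    Returns a list of ("single_source_flood", ip, count) and
    ("distributed_flood", path, count) tuples.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    buckets = defaultdict(lambda: {
        "by_ip": defaultdict(int),          # requests per client IP
        "by_path": defaultdict(int),        # requests per path
        "path_sources": defaultdict(set),   # distinct IPs per path
    })
    for e in events:
        b = buckets[int(e["ts"].timestamp()) // window_s]
        b["by_ip"][e["ip"]] += 1
        b["by_path"][e["path"]] += 1
        b["path_sources"][e["path"]].add(e["ip"])

    alerts = []
    for _, b in sorted(buckets.items()):
        for ip, n in b["by_ip"].items():
            if n > per_ip_max:
                alerts.append(("single_source_flood", ip, n))
        for path, n in b["by_path"].items():
            if n > per_path_max and len(b["path_sources"][path]) >= min_sources:
                alerts.append(("distributed_flood", path, n))
    return alerts


def build_sample_log():
    """Constructed sample traffic: a baseline, one noisy IP, one botnet-style flood."""
    lines = []

    def add(ip, sec, path, status=200):
        lines.append(
            f'{ip} - - [01/Jan/2025:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
        )

    for i in range(5):                      # five ordinary users
        add(f"203.0.113.{i + 1}", i, "/home")
        add(f"203.0.113.{i + 1}", i + 3, "/profile")
    for n in range(30):                     # one address sending 30 requests in 10 s
        add("198.51.100.7", n % 10, "/search", 503)
    for i in range(15):                     # 15 addresses x 5 requests on the login API
        for n in range(5):
            add(f"192.0.2.{i + 10}", (i + n) % 10, "/api/login")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

Thresholds are deliberately low so the constructed data trips both rules; in production they would be tuned per endpoint, and the distributed rule is the one that matters against an IoT botnet, because each bot can stay well under any per-IP limit.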

Command and Control – Botnet Management

Dark Storm’s botnet requires robust command-and-control to coordinate large attacks. In MITRE terms, their operations fall under C2 Communication techniques such as Application Layer Protocol – T1071, using standard protocols to issue commands to bots. By using commonplace ports (80, 443) and protocols (HTTP, TLS), the C2 traffic blends with normal traffic; ATT&CK Non-Standard Port – T1571 applies where the group instead runs C2 over unusual ports, and Encrypted Channel – T1573 where encryption is used.

Furthermore, Dark Storm’s reliance on Telegram for coordination can be mapped to Web Services for C2 – T1102, since they leverage a popular messaging service (albeit mostly for human coordination, not machine C2). The group’s use of multi-hop proxies and VPNs (T1090) also relates to C2: it allows their controllers to issue commands to the botnet indirectly and hide the C2 server’s location by bouncing through anonymization layers.

In practice, each wave of DDoS is likely orchestrated by sending start/stop commands to bot nodes, either from a single master server or tiered controllers. Because Dark Storm’s botnet spans the globe, their C2 design must account for scale and stealth – possibly using a redundant infrastructure (multiple C2 servers or peer-to-peer control) to avoid a single point of failure. (While specifics are not published, this is consistent with how large botnets operate.)
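Because bot-to-C2 traffic uses ordinary ports and is often encrypted, defenders usually cannot inspect the commands themselves, but the start/stop polling pattern described above is visible in timing. The following is an added example (not ShieldsGuard's code) that flags beacon-like periodic connections in flow records by measuring the jitter of inter-arrival times per (source, destination, port). The flow records, hosts and thresholds are constructed assumptions.

```python
"""Flag beacon-like periodic connections in network flow records (added example).

A bot polling its C2 every N seconds over 443 produces inter-arrival gaps with
very low variation, while a human browsing the same port produces irregular
gaps. The coefficient of variation (stdev / mean) of the gaps separates them.
Flows below are constructed samples, not real telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(flows, min_conns=8, max_cv=0.1):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).

    Returns (src, dst, port, connection_count, mean_gap, cv) for each pair
    with at least min_conns connections whose gap CV is at most max_cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    out = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_conns:          # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = float(mean(gaps))
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            out.append((src, dst, port, len(times), round(mu, 2), round(cv, 3)))
    return out


def build_sample_flows():
    """Constructed flows: one periodic beacon, one irregular user, one short series."""
    flows = []
    t0 = 1_700_000_000

    # Infected host polling an assumed C2 roughly every 60 s (13 connections)
    beacon_gaps = [60, 61, 59, 60, 60, 61, 59, 60, 60, 61, 59, 60]
    t = t0
    flows.append((t, "10.0.0.12", "198.51.100.20", 443))
    for g in beacon_gaps:
        t += g
        flows.append((t, "10.0.0.12", "198.51.100.20", 443))

    # A user browsing a site on 443 at irregular intervals (11 connections)
    user_gaps = [3, 40, 7, 120, 15, 2, 90, 33, 5, 60]
    t = t0
    flows.append((t, "10.0.0.33", "203.0.113.5", 443))
    for g in user_gaps:
        t += g
        flows.append((t, "10.0.0.33", "203.0.113.5", 443))

    # A regular but short series (3 connections), below min_conns
    for k in range(3):
        flows.append((t0 + 30 * k, "10.0.0.40", "203.0.113.9", 80))
    return flows


if __name__ == "__main__":
    for c in beacon_candidates(build_sample_flows()):
        print(c)
```

Real bots add deliberate jitter, so the CV threshold and minimum connection count are tuning knobs; the method is most useful for IoT devices, whose legitimate traffic baseline is small enough that any steady external poll stands out.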

Defense Evasion – Anti-Attribution and Evasive Techniques

Dark Storm expends significant effort in evasion tactics, primarily to avoid attribution and to some extent to bypass defenses. Key among these is Network Proxying (ATT&CK T1090) – funneling malicious traffic through intermediary systems. By using compromised routers as proxies and deploying attacks from third-party machines, Dark Storm ensures that defenders see IP addresses of unwitting hosts, not the originators. They also use Tor and VPN services (ATT&CK Multi-hop Proxy – T1090.003) to encrypt and anonymize their own operators’ connections when managing attacks. This makes it extremely difficult for law enforcement or researchers to trace the true source of the attack commands.

Additionally, Dark Storm often claims responsibility publicly but provides little forensic trace – a form of information warfare. For example, they bolster their credibility by publishing “proof-of-attack” links (e.g. check-host.net snapshots showing a site down), yet the actual attack traffic may be indistinguishable from generic botnet noise. In some cases, Dark Storm may not have even been the sole actor behind an attack, using plausible deniability to their advantage.

The X incident illustrated this: while Dark Storm took credit, some security experts observed that the attack characteristics differed from Dark Storm’s past operations (different botnet composition and geographies). This led to speculation that either Dark Storm’s capabilities had suddenly grown or that another actor might have been involved. Indeed, a few days later the hacker collective Anonymous claimed they were behind the X attack, casting further doubt.

Such ambiguity benefits Dark Storm – by claiming high-profile attacks (whether or not they orchestrated them alone), they enhance their image while muddying the investigative waters. This behavior can be viewed as a strategy of misattribution (not a formal MITRE technique, but a deliberate tactic): they insert themselves into incidents in the public eye, which complicates defenders’ and analysts’ attempts to pinpoint responsibility.

MITRE ATT&CK Mapping Table

| MITRE Tactic | Technique (ID) | Dark Storm Application |
|---|---|---|
| Reconnaissance | Active Scanning (T1595); Gather Victim Network Information (T1590) | Scanning targets for weaknesses (e.g. unprotected servers, open ports) and mapping victim infrastructure. Also scanning the internet for vulnerable IoT devices to exploit. |
| Resource Development | Compromise Infrastructure: Botnet (T1584.005); Acquire Infrastructure: Botnet (T1583.005) | Building a global IoT botnet by compromising routers, cameras, etc. Renting servers or IP addresses to expand attack infrastructure. Establishing Telegram channels (accounts) to organize operations. |
| Defense Evasion (also C2) | Proxy: Multi-hop Proxy (T1090.003); Virtual Private Network (related to T1090) | Chaining proxies, VPNs, and Tor to anonymize attack traffic and operator location. Mixing malicious traffic with legitimate patterns to evade detection. |
| Command and Control | Application Layer Protocol (T1071); Non-Standard Port (T1571) | Utilizing common protocols (HTTP/S) for botnet C2 communications to blend in. Possibly encrypting C2 traffic. Using Telegram (web service) for human coordination. |
| Impact | Network Denial of Service (T1498); Direct Network Flood (T1498.001) | Launching volumetric DDoS attacks that flood network pipelines and overwhelm services. Overloading websites and APIs with high request volumes to cause outages. |
| Impact | Endpoint Denial of Service (T1499) | Conducting application-layer DDoS (HTTP floods, login page attacks) to exhaust target system resources and knock services offline. |

Table: Dark Storm’s tactics mapped to MITRE ATT&CK. The group’s operations center on developing botnets and executing DDoS (Impact), while using proxies and compromised infrastructure for evasion and scale.

Attack on X (Twitter) – March 2025

On March 10, 2025, the social media platform X (formerly Twitter) suffered a sudden, massive outage globally. Users were unable to log in, post, or even view content for several hours. Elon Musk publicly acknowledged the incident, citing it was likely caused by “a large, coordinated group and/or a country” mounting a cyberattack. Shortly thereafter, Dark Storm posted on its Telegram channel claiming responsibility, and even shared a check-host.net “proof” link showing X’s services unreachable at that time.

According to subsequent investigations, the attack was indeed a large-scale DDoS. Telemetry showed a huge volume of traffic hitting X’s servers, sourced mainly from a botnet of IoT devices around the world. Uniquely, the attackers took advantage of a misconfiguration in X’s network: some of X’s back-end servers were not fully behind Cloudflare’s DDoS protection, leaving an opening for the botnet traffic. By directing the flood to those specific servers’ IP addresses, the attackers bypassed many of X’s defenses and caused significant disruption until emergency mitigations were applied. (X reportedly scrambled to update its Cloudflare protections once the issue was discovered.)
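The misconfiguration described here, and in the Tooling and Services section above, is an origin server that answers traffic arriving from anywhere rather than only from the protection provider's network. The following is an added example (not ShieldsGuard's or X's code) that shows the defensive checks for it: classifying origin access-log entries that did not arrive via the CDN, and rendering an nftables allowlist so the origin accepts the service port only from CDN ranges. The CDN ranges, client addresses and header flag are constructed placeholders; a real deployment would load the provider's published IP list instead.

```python
"""Detect and close direct-to-origin exposure behind a DDoS-protection CDN (added example).

CDN_RANGES are constructed placeholders standing in for a provider's published
ranges. An origin that is reachable from outside those ranges lets a botnet
skip the CDN's mitigation entirely, which is the gap exploited in the X attack.
"""
import ipaddress

# Placeholder CDN ranges (documentation prefixes), not a real provider's list
CDN_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]


def is_from_cdn(ip, ranges=CDN_RANGES):
    """True if the client address falls inside one of the CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_direct_hits(entries, ranges=CDN_RANGES):
    """Classify origin requests that bypassed the CDN.

    entries: iterable of (client_ip, has_cdn_header), where has_cdn_header means
    the request carried the CDN's client-IP header. A request from outside the
    CDN ranges bypassed protection; if it also carries the CDN header, the
    header was forged and must not be trusted.
    """
    hits = []
    for ip, has_hdr in entries:
        if not is_from_cdn(ip, ranges):
            hits.append((ip, "spoofed_cdn_header" if has_hdr else "direct_to_origin"))
    return hits


def nftables_origin_allowlist(ranges=CDN_RANGES, port=443):
    """Render an nftables ruleset that accepts the service port only from CDN ranges.

    Management access (e.g. SSH from an admin network) would be added alongside;
    this ruleset intentionally drops everything else on input.
    """
    elems = ", ".join(str(n) for n in ranges)
    return f"""table inet origin_shield {{
  set cdn_ranges {{
    type ipv4_addr
    flags interval
    elements = {{ {elems} }}
  }}
  chain input {{
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    tcp dport {port} ip saddr @cdn_ranges accept
  }}
}}
"""


# Constructed origin log entries: (client_ip, carried CDN client-IP header)
SAMPLE_ENTRIES = [
    ("192.0.2.10", True),        # legitimate, via CDN
    ("198.51.100.200", False),   # outside the /25: direct hit on the origin
    ("203.0.113.9", True),       # not CDN, but claims the header: forged
    ("198.51.100.5", True),      # legitimate, via CDN
]

if __name__ == "__main__":
    for hit in find_direct_hits(SAMPLE_ENTRIES):
        print(hit)
    print(nftables_origin_allowlist())
```

Two points matter in practice: the allowlist must be maintained from the provider's current range list, because those ranges change, and client-IP headers from the CDN are only trustworthy once the network filter guarantees the request actually came from the CDN.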

This campaign was noteworthy not just for its scale, but for what it revealed about Dark Storm. Technically, it showcased the group’s ability to execute a complex, multi-layered DDoS – likely combining network flooding with high-rate web requests to take down a well-resourced platform. It also highlighted Dark Storm’s operational security: by using thousands of globally distributed bots and proxies, they made attribution difficult. Our research indicates that Dark Storm’s typical obfuscation tactics (rented IPs, proxy chains, huge botnets) make it extremely difficult to pinpoint the attackers’ true origin or any state backing.

Indeed, the attribution of the X attack remains murky. While Dark Storm loudly took credit (bolstering their reputation), some analysts questioned whether Dark Storm acted alone. The attack traffic profile differed from earlier Dark Storm DDoS events, suggesting perhaps a more powerful actor or botnet was involved. A few days later, the Anonymous collective claimed responsibility via social media, hinting that Dark Storm’s claim might have been opportunistic. Nevertheless, as far as open-source intelligence is concerned, Dark Storm is the group most associated with the X outage – an attack that “underscores the vulnerability of even the most well-established platforms to politically motivated cyber threats.”

Other Notable Campaigns and Targets

Beyond the headline-grabbing examples above, Dark Storm has an extensive list of claimed attacks in late 2023 and 2024–2025. The group has repeatedly attacked U.S. government and law enforcement websites, such as the Federal Bureau of Investigation (FBI) portal and municipal police department sites. These attacks often coincide with anti-authority or anti-West messaging. For instance, hitting law enforcement domains dovetails with Dark Storm’s occasionally hinted anti-establishment views.

They have also targeted the aviation sector, with multiple U.S. airport websites reportedly taken offline by Dark Storm’s DDoS waves. Disrupting airports can cause alarm about critical infrastructure stability. Another prominent target was Binance.US, the cryptocurrency exchange, which suffered performance issues in a period where Dark Storm allegedly directed attacks at it. Likewise, Dark Storm aimed at tech innovators – notably, they claimed attacks on OpenAI’s ChatGPT service in early 2025. Disabling access to an AI service not only grabs tech headlines but also signals that no digital service is out of reach.

The breadth of Dark Storm’s campaigns – from social media and tech firms to finance, government, and beyond – illustrates their strategy of maximizing impact. Each successful disruption, especially if covered in the news, is amplified by Dark Storm through Telegram propaganda. This serves both to advance whatever cause they espouse at the moment and to advertise their effectiveness to prospective “customers” of their DDoS-for-hire service.

One cannot overlook the commercial undercurrent in these campaigns. Unlike some hacktivists who might stop after a political message is delivered, Dark Storm frequently uses a successful attack as a springboard to promote their services. Following attacks, they have posted messages like “Did you see what we did to [Big Company]? Imagine what we can do for you” – essentially turning their campaigns into marketing for their DDoS tools. In underground forums and Telegram, Dark Storm advertises packages (as shown earlier: e.g. $25 for a 2-hour attack, up to $600 for a month-long sustained attack). They even offer to sell stolen data from “protected websites for company and airport, bank, etc.” starting at $200.

This indicates that some campaigns might be customer-driven. A rival or an extremist might pay Dark Storm to attack a target, and Dark Storm executes it under the guise of hacktivism or their own initiative. The line between their ideological and mercenary activities is deliberately blurred.

Advanced DDoS Protection Against Dark Storm Tactics

At ShieldsGuard, we were built for adversaries like Dark Storm.
Our advanced DDoS protection engine is purposefully designed to counter sophisticated, multi-vector attacks — the very tactics Dark Storm relies on. From volumetric floods to Layer 7 stealth probes, we neutralize each layer with a unified cybersecurity architecture that spans L3, L4, and L7.

We don’t just react — we anticipate.
Our platform delivers up to 99% protection across all network layers and maintains 99.9% uptime even under sustained, coordinated attacks. Real-time automated mitigation ensures zero service disruption, regardless of the scale or complexity of the assault.

Dark Storm evolves. So do we. ShieldsGuard stays ahead.

Conclusion

Dark Storm represents a new breed of threat actor that blends ideological hacktivism with savvy cybercrime entrepreneurship. By specializing in DDoS attacks and building a brand around disrupting high-profile targets, Dark Storm has made a name for itself in the cyber underground in a short time. The group’s tactics – from massive IoT botnets and clever reconnaissance to proxy obfuscation and exploitation of misconfigurations – demonstrate a level of technical sophistication and organizational coordination that poses a serious challenge to defenders.

Moreover, Dark Storm’s activities underscore how threat actors are leveraging the ATT&CK techniques of yesterday (botnets, proxies, DoS) in novel, combinatorial ways to challenge even well-secured enterprises. Mapping these actions to frameworks like MITRE ATT&CK helps defenders understand and anticipate the threat: for every technique Dark Storm uses, there are corresponding mitigations and detective controls that can be put in place.
