Illusive Blog March 23, 2022

A Proxy War: Ukrainian Hacktivists VS. Russian Hacktivists

By Shahar Zelig and Yan Linkov

The Russia – Ukraine war is fought on all fronts, including the involvement of hacktivists in the Cyber front. It’s been about a month since it all began, and there is a lot of related cyber activity from both sides.

Ukrainian hacktivists have been launching distributed denial of service (DDoS) attacks using a tool called Liberator. Russian hacktivists have responded by releasing a malicious version of Liberator intended to steal cached credentials.

In this Blog post we’ll provide background on these factions, and the lessons we’ve learned that can be applied to enterprise security: the fact that attackers are seeking exposed credentials to establish a beachhead.


A team of cybersecurity and crypto enthusiasts who are aimed at creating a decentralized network of users who share computing resources to perform DDoS stress testing.
Striving to defend companies with servers and services on the Internet from DDoS attacks.
You can read more information about the group on their website:

From Crypto Enthusiasts to Cyber Hacktivists

We can see based on the domain registration info from whois, the Disbalancer group started their activity about a year ago.

This how their website looked about a year ago(thanks to

6 months ago:




Basically a DDoS application developed by the “Disbalancer” group for stress testing, as the war broke, it was converted into a DDoS attack tool aimed at Russian internet web services to support the Ukrainian war effort.

Anyone who wishes to support their cause can join their cyber army.

“Liberator was created by the team of disBalancer. For over a year, we have been working on a B2B solution for stress testing and protection from DDoS attacks for Web3 products. When we understood that we could use our DDoS expertise to help Ukraine in a war against Russia, we developed our DDoS application and called it Liberator.”

The Deception

A fake Disbalancer telegram channel is being used to lure Ukrainian Hacktivists to download a malicious version of the Liberator DDoS tool.

According to Cisco’s threat intelligence (which has produced IOCs and other technical details for those interested), “DISBALANCER.exe” is an info-stealer malware sent through Telegram channels to Ukrainian Hackctivists as a DDoS tool to attack Russian sites. In fact, this tool steals some of the user’s data and sends it to the attacker.

We decided to run a swift examination of the fake liberator tool – “DISBALANCER.exe” in our lab and see what info interests the deceptive attackers. We executed “disbalancer.exe” under Sysinternal’s procmon (using Noriben).

We saw that “disbalancer.exe” executed the “applaunch.exe” process and the malicious code was executed under this process:

In addition, we saw what kind of information the attacker was looking for – Browser credentials and browsing information(Chrome, Edge, Firefox):

We can see the process tries to access files associated with browsing data and browser stored credentials.

The Illusive angle

Even though this attack campaign is in the non-corporate world, it definitely reinforces our approach, and we can see (yet again) what attackers are after: cached credentials.

We believe in an identity-first approach to security. Illusive solutions provide identity protection on several levels – automatically and continuously discovering, mitigating and protecting against identity risks, in part by using deception.

Food for thought:

Imagine the same scenario in the corporate world: malicious software imposed as legitimate software – would a deceptive attacker be ready to face defensive deceptions?


It is interesting to see how the “civilian” community can get involved in the cyber aspects of the war, even without having any deep knowledge in the field.

We hope it will all be over soon and peace will be restored.

For the meanwhile we must be prepared to disrupt cyber attacks, war or non war related and we hope to do it well by focusing on the #1 attack vector for cyberattack attacks – Identities.