Keymous+ is a North African hacktivist cover for a commercially driven DDoS operation, with a broad alliance network and a track record that makes it one of the most prolific DDoS-claiming groups in global hacktivism. Its activity has centered on geopolitical flashpoints, especially Morocco, Israel, and conflict-linked targets, while researchers also link it to the EliteStress DDoS-as-a-Service platform. #KeymousPlus #EliteStress #OperationEpicFury #NoName05716 #OpIsrael
Keypoints
- Keymous+ first appeared publicly in November 2023 with a DDoS attack against Morocco’s national e-Visa portal.
- Researchers describe the group as a hybrid actor that combines political messaging with a commercial DDoS-as-a-Service model.
- The group has two internal tracks: Alpha Team for breaches and leaks, and Beta Team for DDoS operations; Alpha Team later went inactive.
- Keymous+ maintains a large Telegram and X presence and uses these channels to announce targets, publish proof links, and recruit supporters.
- EliteStress is assessed to be operator-linked to Keymous+ and provides tiered DDoS-for-hire access through Telegram-based tooling.
- The group has formed alliances with multiple hacktivist collectives and has claimed more than 700 DDoS attacks by 2025.
- Confirmed attacks heavily target government, telecom, financial, transport, healthcare, education, and energy organizations, with Morocco, Saudi Arabia, India, France, and Israel among the most targeted countries.
MITRE Techniques
- [T1498] Network Denial of Service – The group’s primary method is to overwhelm targets with DDoS traffic (‘Primary attack method across all confirmed operations’).
- [T1498.001] Direct Network Flood – Keymous+ uses TCP SYN, UDP, DNS query, and HTTP/2 floods to directly saturate victim services (‘TCP SYN, UDP, DNS query, and HTTP/2 floods’).
- [T1498.002] Reflection Amplification – The group leverages amplifiers such as CLDAP, DNS, NTP, memcached, SNMP, NetBIOS, rpcbind, L2TP, WS-DD, and chargen (‘CLDAP, DNS, NTP, memcached, SNMP, NetBIOS, rpcbind, L2TP, WS-DD, chargen’).
- [T1499] Endpoint Denial of Service – Layer-7 HTTP/2 flooding is used against web-facing infrastructure to disrupt availability (‘Layer-7 HTTP/2 flooding targeting web-facing infrastructure’).
- [T1583.003] Acquire Infrastructure: Virtual Private Server – The group uses public cloud instances as attack source nodes (‘Public cloud instances used as attack source nodes’).
- [T1584.005] Compromise Infrastructure: Botnet – Compromised IoT devices and infected hosts are incorporated into attack pools (‘Compromised IoT devices and infected hosts integrated into attack pools’).
- [T1090.003] Multi-hop Proxy – Tor exit nodes and commercial VPN/proxy services are used to hide origin traffic (‘Tor exit nodes and commercial VPN/proxy services are used to obscure source traffic’).
- [T1005] Data from Local System – Alpha Team is described as conducting breaches and collecting local data before becoming inactive (‘Alpha Team is reportedly responsible for breaches and local data collection’).
- [T1567] Exfiltration Over Web Service – Stolen Saudi banking sector data was later posted to cybercrime and leak forums (‘Stolen Saudi banking sector data surfaced on Chinese cybercrime and leak forums’).
- [T1133] External Remote Services – The group claims persistent access to health systems across Africa and Asia through external services (‘Group claims persistent access to health systems across Africa and Asia’).
- [T1078] Valid Accounts – Persistent access claims imply the use of valid credentials, though this is not independently confirmed (‘Implied by persistent access claims; no forensic confirmation available’).
Indicators of Compromise
- [Domains / Services] Proof and telemetry indicators used by the group – check-host.net, EliteStress Telegram bot interface
- [Telegram channels / handles] Primary communication and claim channels – KMPteam, Keymous_V2, keymous_team, keymous, KeymousPlusBot
- [Social media handles] Public presence and recruitment – KeymousTeam on X, recruitment handle for EliteStress promotion
- [File / campaign names] Group identity and operations – Red Eye Op., Hack for Humanity, #OpIsrael, #OpIndia
- [IP / network telemetry] DDoS source activity and attack scale – over 42,000 unique source IPs per attack, 44 Gbps collaborative peak, 11.8 Gbps solo peak
- [Organizations / systems targeted] Victim context – Morocco’s national e-Visa portal, government portals, financial institutions, telecom and energy organizations
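As an added, defender-side example (not code from the SOCRadar profile or from any tool the group uses), the Python below triages constructed NetFlow-style records against the two DDoS patterns listed under MITRE Techniques, direct TCP SYN floods (T1498.001) and reflection amplification from the named amplifier services (T1498.002), and reports the unique-source count and average throughput that the IoC section uses to describe attack scale. The flow-line format, the thresholds, the port-to-service table and every address are assumptions constructed for this example.

```python
"""Defender-side triage of sampled flow records for the DDoS patterns in the profile.

Added example, not SOCRadar's or the group's code. The flow line format, thresholds,
the port-to-service table and every address below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# UDP source ports of the amplifier services named under T1498.002. The port
# numbers are the IANA assignments; treating them as reflector signatures is an
# assumption of this example.
AMPLIFIER_PORTS = {
    389: "CLDAP", 53: "DNS", 123: "NTP", 11211: "memcached", 161: "SNMP",
    137: "NetBIOS", 111: "rpcbind", 1701: "L2TP", 3702: "WS-Discovery", 19: "chargen",
}


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    flags: str     # TCP flag letters, "" for UDP
    pkts: int
    bytes: int


def parse_flow(line):
    """Parse one constructed record: 'ts src:sport -> dst:dport proto flags pkts bytes'."""
    ts, src_ep, _, dst_ep, proto, flags, pkts, nbytes = line.split()
    src, sport = src_ep.rsplit(":", 1)
    dst, dport = dst_ep.rsplit(":", 1)
    return Flow(int(ts), src, int(sport), dst, int(dport), proto,
                "" if flags == "-" else flags, int(pkts), int(nbytes))


def classify(lines, syn_threshold=1000, reflect_threshold=100):
    """Aggregate flows per destination and label the DDoS patterns seen.

    Inbound UDP from an amplifier port is counted as reflected traffic. Legitimate
    answers to the destination's own lookups (a DNS reply from port 53) share that
    signature, which is why a service is only labelled above reflect_threshold packets.
    """
    per_dst = {}
    for line in lines:
        f = parse_flow(line)
        st = per_dst.setdefault(f.dst, {
            "srcs": set(), "syn_pkts": 0, "reflect_pkts": Counter(),
            "bytes": 0, "first_ts": f.ts, "last_ts": f.ts,
        })
        st["srcs"].add(f.src)
        st["bytes"] += f.bytes
        st["first_ts"] = min(st["first_ts"], f.ts)
        st["last_ts"] = max(st["last_ts"], f.ts)
        if f.proto == "tcp" and f.flags == "S":                # bare SYN, no ACK: T1498.001
            st["syn_pkts"] += f.pkts
        elif f.proto == "udp" and f.sport in AMPLIFIER_PORTS:  # reflected response: T1498.002
            st["reflect_pkts"][AMPLIFIER_PORTS[f.sport]] += f.pkts

    verdicts = {}
    for dst, st in per_dst.items():
        duration_s = st["last_ts"] - st["first_ts"] + 1
        labels = []
        if st["syn_pkts"] >= syn_threshold:
            labels.append("direct_syn_flood")
        for service, n in st["reflect_pkts"].most_common():
            if n >= reflect_threshold:
                labels.append(f"reflection_amplification:{service}")
        verdicts[dst] = {
            "unique_sources": len(st["srcs"]),
            "syn_pkts": st["syn_pkts"],
            "reflect_pkts": dict(st["reflect_pkts"]),
            "avg_mbps": round(st["bytes"] * 8 / duration_s / 1e6, 3),
            "labels": labels,
        }
    return verdicts


def constructed_sample():
    """Constructed flow records, not real telemetry. 203.0.113.10 is the monitored host;
    the other addresses come from the benchmarking range 198.18.0.0/15."""
    victim = "203.0.113.10"
    lines = []
    # 1,200 one-packet SYNs from 1,200 distinct sources spread over 60 seconds
    for i in range(1200):
        lines.append(f"{1700000000 + i % 60} 198.18.{i // 250}.{i % 250 + 1}:{40000 + i} "
                     f"-> {victim}:443 tcp S 1 60")
    # 600 CLDAP responses (UDP/389) from 200 reflectors, 3 packets / 4,500 bytes each
    for i in range(600):
        lines.append(f"{1700000000 + i % 60} 198.19.1.{i % 200 + 1}:389 "
                     f"-> {victim}:{50000 + i} udp - 3 4500")
    # 120 NTP responses (UDP/123) from 100 reflectors
    for i in range(120):
        lines.append(f"{1700000000 + i % 60} 198.19.2.{i % 100 + 1}:123 "
                     f"-> {victim}:{51000 + i} udp - 2 900")
    # Benign traffic: the host's own DNS lookup, its answer, and an established TLS session
    lines.append(f"1700000010 {victim}:53211 -> 198.19.3.53:53 udp - 1 80")
    lines.append(f"1700000010 198.19.3.53:53 -> {victim}:53211 udp - 1 200")
    lines.append(f"1700000011 198.19.3.77:51044 -> {victim}:443 tcp PA 40 20000")
    return lines


if __name__ == "__main__":
    for dst, v in classify(constructed_sample()).items():
        print(dst, v["labels"], f"{v['unique_sources']} sources, {v['avg_mbps']} Mbps avg")
```

Keying the aggregation by destination means the host's own outbound lookups never count against it, while the single legitimate DNS answer it receives is recorded under "reflect_pkts" but stays below the labelling threshold. In practice the same logic would consume sFlow or NetFlow exports from the border router, and the unique-source and throughput figures are what lets a responder compare an event against the scale figures reported for this group before deciding whether upstream scrubbing or source-port filtering at the edge is the right mitigation.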
Read more: https://socradar.io/blog/dark-web-profile-keymous/