Mr Hamza is a Telegram-based hacktivist collective active since late 2024 that combines politically motivated campaigns—primarily anti-Israel/pro-Palestinian—with commercial operations selling DDoS tools and botnets. The group was a top source of DDoS claims during the June 2025 Iran–Israel conflict and promotes bespoke Layer 7 flooding tools like HTTP Spectral Phantom V1 and HTTPS Flood V1. #MrHamza #HTTPSpectralPhantomV1
Keypoints
- Mr Hamza emerged in late 2024 as a Telegram-centered hacktivist group (possibly a small team) with alleged Moroccan ties and a hybrid activist/for-profit model.
- The group served as both a coordination hub and marketplace on Telegram, advertising botnets, stressers, and bespoke attack tools alongside propaganda and claimed proofs.
- During the June 2025 Iran–Israel conflict Mr Hamza was highly active, making 90 distinct attack claims in under two weeks and contributing significantly to over 441 hacktivist attack claims targeting Israel.
- Main tactics center on DDoS (particularly Layer 7 floods), with secondary claims of website defacements and data leaks; the group released custom tools such as HTTP Spectral Phantom V1 and HTTPS Flood V1 in August 2025.
- Associated tools and services include Elite Botnet, Rebirth Botnet, Nova Botnet, Ryzer Stresser, Dark Cloud Stresser, multiple C2 frameworks, and utilities like Email-Tracker and doxing tools.
- Mr Hamza maintains alliances and cross-promotion with diverse hacktivist groups (e.g., NoName057(16), Z-Pentest, Holy League, Anonymous Morocco), amplifying operations and visibility across regions.
- Mitigation recommendations focus on layered defenses: ISP filtering/blackholing, CDNs/cloud scrubbing, DNS protection, WAFs, on-prem DDoS appliances, rate limiting, and behavioral anomaly detection.
MITRE Techniques
- [T1499.002] Endpoint Denial of Service: Service Exhaustion Flood – The group's branded Layer 7 tools (HTTP Spectral Phantom V1, HTTPS Flood V1) exhaust the target web application rather than its bandwidth, which is why application-layer floods map here and not to T1498 (“The script attempts to overwhelm targets with randomized request headers, cookies, and URL paths”). The same tools add cache-busting so that each request reaches the origin and defeats static signatures (“appends random query strings and asset requests (favicons, CSS, JS) to appear like legitimate browsing traffic”).
- [T1498] Network Denial of Service – Volumetric DDoS delivered through the botnets and stressers the group operates and advertises, which underpin the bulk of its claims (“the group was the leading source of DDoS claims… 90 distinct attack claims in less than two weeks”).
- [T1190] Exploit Public-Facing Application – Listed by the source for the WAF-bypass payload lists bundled with the tools (“includes long lists of WAF-bypass payloads, proxy support, and even cycles through fake TLS and JA3 fingerprints to evade detection”). JA3 cycling and proxy rotation are evasion of edge defenses, not exploitation; this mapping holds only where a payload actually triggers a flaw in the target application.
- [T1588] Obtain Capabilities – Marketplace activity: botnets, stressers and C2 frameworks are advertised and sold, and the branded toolset is distributed through a dedicated channel (“selling attack tools such as botnets and stressers… distributes its own branded toolset via a dedicated ‘Tools’ Telegram channel”). The in-house tools themselves fall under T1587 Develop Capabilities.
- [T1071.001] Application Layer Protocol: Web Protocols – The floods are ordinary HTTP/HTTPS requests that spoof headers, rotate client-address headers and simulate browser sessions to blend with legitimate traffic (“generates high-volume Layer 7 traffic while spoofing User-Agents, rotating IP headers (X-Forwarded-For, X-Real-IP), and simulating browser sessions”). Because the attacker sets these headers, rate limiting and blocking must key on the real connection address; X-Forwarded-For and X-Real-IP are only trustworthy when a known upstream proxy wrote them.
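The behavioural anomaly detection recommended in the mitigation section can be built directly from the traffic features the report attributes to these tools: rotating User-Agents, rotating X-Forwarded-For/X-Real-IP values, and one-off query strings on otherwise static assets. The script below is an added example, not code from the report or from any of the group's tools. It assumes a tab-separated edge log (peer address, X-Forwarded-For header, method, request URI, status, User-Agent); the log lines are constructed for the example, and the thresholds are illustrative.

```python
"""Behavioural triage of edge access logs for the Layer 7 flood patterns
described above: cache-busting query strings, rotating User-Agents and
spoofed X-Forwarded-For headers.

Added example; not code from the Mr Hamza report or from any of the group's
tools. The tab-separated log format is an assumption, and the log lines
are constructed for the example.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log. Assumed field order, tab-separated:
#   peer_ip  x_forwarded_for  method  request_uri  status  user_agent
# peer_ip is the TCP peer address seen by the edge, which cannot be forged
# over a completed TCP/TLS handshake; the XFF column is whatever header
# the client chose to send.
SAMPLE_LOG = """\
203.0.113.10\t-\tGET\t/index.html\t200\tMozilla/5.0 (X11; Linux x86_64) Firefox/128.0
203.0.113.10\t-\tGET\t/static/app.css\t200\tMozilla/5.0 (X11; Linux x86_64) Firefox/128.0
203.0.113.10\t-\tGET\t/static/app.js\t200\tMozilla/5.0 (X11; Linux x86_64) Firefox/128.0
198.51.100.7\t10.0.0.1\tGET\t/?q=9f3a1c\t200\tMozilla/5.0 (Windows NT 10.0) Chrome/126.0
198.51.100.7\t172.16.5.9\tGET\t/?q=c07be2\t200\tMozilla/5.0 (Macintosh) Safari/17.5
198.51.100.7\t192.168.3.3\tGET\t/favicon.ico?v=0d7a11\t404\tcurl/8.5.0
198.51.100.7\t100.64.9.2\tGET\t/static/app.js?_=77a0e4\t200\tMozilla/5.0 (iPhone) Mobile/15E148
198.51.100.7\t10.20.30.40\tGET\t/login?x=e1ffa9\t200\tMozilla/5.0 (Linux; Android 14) Chrome/126.0
198.51.100.7\t172.31.0.5\tGET\t/?q=a2b3c4\t200\tMozilla/5.0 (X11; Linux x86_64) Firefox/128.0
"""


def parse_line(line: str) -> dict:
    """Split one log line into fields, separating the query string from the path."""
    peer, xff, method, uri, status, ua = line.split("\t", 5)
    parts = urlsplit(uri)
    return {"peer": peer, "xff": xff, "method": method, "path": parts.path,
            "query": parts.query, "status": int(status), "ua": ua}


def profile_clients(log_text: str) -> dict:
    """Aggregate per-client features, keyed on the peer address on purpose:
    X-Forwarded-For and X-Real-IP are attacker-controlled unless a trusted
    proxy set them, and the tools described rotate exactly those headers."""
    profiles = defaultdict(lambda: {"requests": 0, "queries": [], "uas": set(), "xffs": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        prof = profiles[rec["peer"]]
        prof["requests"] += 1
        prof["uas"].add(rec["ua"])
        if rec["query"]:
            prof["queries"].append(rec["query"])
        if rec["xff"] != "-":
            prof["xffs"].add(rec["xff"])
    return profiles


def flag_flood_sources(log_text: str, min_requests: int = 5, max_uas: int = 2,
                       cachebust_ratio: float = 0.8, max_xff: int = 2) -> dict:
    """Return {peer_ip: [reasons]} for clients whose traffic matches the
    flood-tool behaviour. Thresholds are illustrative; tune them per site."""
    findings = {}
    for ip, prof in profile_clients(log_text).items():
        if prof["requests"] < min_requests:
            continue  # too little traffic to judge; a per-second rate check belongs here too
        reasons = []
        # A real browser keeps one User-Agent per session; the tools rotate them.
        if len(prof["uas"]) > max_uas:
            reasons.append(f"{len(prof['uas'])} distinct User-Agents from one address")
        # Cache-busting: query strings that never repeat for this client.
        counts = Counter(prof["queries"])
        singles = sum(1 for q in prof["queries"] if counts[q] == 1)
        if singles / prof["requests"] >= cachebust_ratio:
            reasons.append(f"{singles}/{prof['requests']} requests carry a one-off query string")
        # Many different X-Forwarded-For values from one TCP peer is header spoofing.
        if len(prof["xffs"]) > max_xff:
            reasons.append(f"{len(prof['xffs'])} distinct X-Forwarded-For values from one address")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_flood_sources(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

In the sample, 203.0.113.10 is a normal page load (one User-Agent, cacheable asset paths, no forwarded-for header) and is not flagged, while 198.51.100.7 trips all three checks. The sample carries no timestamps, so the request-rate dimension that the rate-limiting recommendation relies on is left as the comment marks it; a production version adds a sliding time window and feeds the flagged peer addresses, never the forwarded-for values, to the WAF or the upstream blackhole.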
Indicators of Compromise
- [Tool Names] Botnets and stresser services promoted or sold – Elite Botnet, Rebirth Botnet, Nova Botnet, Ryzer Stresser, Dark Cloud Stresser. These are brand names useful for tracking advertisements and chatter, not network indicators; the source gives no IP addresses, domains or file hashes.
- [Custom Tools] Branded Layer 7 scripts released in August 2025 – HTTP Spectral Phantom V1, HTTPS Flood V1. Their described behaviour (randomized headers, cookies and paths, spoofed User-Agents, rotating X-Forwarded-For/X-Real-IP, random query strings and asset requests, cycling JA3 fingerprints) is what defenders can turn into behavioural detections.
- [C2/Network Frameworks] Command-and-control frameworks and networks referenced – MonacoC2, WraithC2, Sapphire C2, Cindy Network, Trident Network (examples of associated infrastructure).
- [Utilities] Doxing and tracking utilities mentioned – Email-Tracker, Chiasmodon (used for data collection/doxing actions).