
Poland Faces Russian Coordinated Hybrid Attacks January 2026

January 2026 marked one of the most intense periods of Russian hybrid warfare, with coordinated cyber operations targeting Poland, Ukraine, and Europe, highlighting the growing regional threat and strategic scope of Moscow’s hybrid campaigns.

Poland Cyber Threat Assessment - January 2026

Comprehensive analysis of Russian hybrid warfare operations targeting Poland. Intelligence derived from Baysec CTI and open-source reporting.


Table of Contents

  1. BLUF (Bottom Line Up Front)
  2. Executive Summary
  3. Credential Exposure
  4. Geopolitical Context
  5. Targeted Organizations - January 2026
  6. ICS/SCADA Access Claims - January 2026
  7. Threat Actors
  8. Threat Actor Details
  9. Campaign Analysis
  10. Threat Landscape: December 2025 → January 2026
  11. MITRE ATT&CK Mapping
  12. Sources and References
  13. Confidence Levels

BLUF (Bottom Line Up Front)

In December 2025, Sandworm (GRU Unit 74455) deployed the DynoWiper wiper against Polish energy infrastructure (ESET attribution, medium confidence). Throughout January 2026, 40+ pro-Russian threat actors targeted 50+ Polish organizations across the defense, energy, and government sectors. Key actors NoName057(16) and Z-PENTEST ALLIANCE (CARR) have confirmed GRU ties per the December 2025 DOJ indictments.


Executive Summary

Poland faces coordinated Russian hybrid warfare operations combining physical sabotage, destructive malware, and sustained cyber activity. This assessment covers the January 2026 cyber operations and the December 2025 DynoWiper attack, with earlier physical sabotage (the Marywilska arson, railway attacks) included for context.

The January operations show coordination beyond typical hacktivism: systematic sector rotation (government → defense → energy), multi-group same-day targeting, and timing correlated with geopolitical events. DDoS activity provides visible disruption while ICS access claims and ransomware represent more significant capability development.

Key Findings

| Finding | Details |
| --- | --- |
| DynoWiper attack | Sandworm (GRU) deployed a destructive wiper against Polish energy infrastructure (Dec 2025) |
| Physical sabotage | GRU: Marywilska fire; FSB: railway sabotage, 30-person network disrupted |
| Hybrid warfare surge | 4x increase in Russian sabotage operations in 2024; 219 incidents since 2014, 86% since 2022 |
| Scale | 40+ threat actors targeted 50+ Polish organizations |
| Defense targeting | 7 Polish Armaments Group (PGZ) subsidiaries targeted in 48 hours (13-14 JAN) |
| ICS/SCADA claims | 10+ access claims including heating systems, water treatment |
| Ransomware | 5 confirmed Polish victims (Dec 2025-Jan 2026) |
| State nexus | Key actors (NoName057(16), Z-PENTEST/CARR) GRU-linked per DOJ indictments |
| Credential exposure | 50,000+ Polish domain credentials identified in infostealer logs |

Key Assessments

| Assessment | Confidence | Basis |
| --- | --- | --- |
| Operations are coordinated, beyond independent hacktivism | HIGH | Sequential sector targeting; multi-group same-day operations |
| Threat actors possess capabilities beyond DDoS | HIGH | Documented data exfiltration, ICS access claims, ransomware |
| State direction for key actors | HIGH | DOJ indictments confirm GRU funding/direction for CARR/Z-PENTEST and NoName057(16) |
| Timing correlates with geopolitical events | MODERATE | Activity surged after PM Tusk's attribution and the Polish Consulate Odessa strike |

Credential Exposure

Stolen credentials represent a persistent threat enabling future intrusions.

In a sample of recent infostealer logs, we identified credentials for 50,000+ Polish domains - companies, banks, healthcare, government, financial services, energy, defense. This includes both government employee credentials and Polish citizen credentials for government service portals.

[Figure: processing infostealer logs] A single infostealer dump: 4.1 million credentials across 1.38 million domains.

Polish credentials harvested by infostealers (RedLine, Raccoon, Vidar, LummaC2) are actively traded on Russian-language forums and Telegram. Defenders should assume these credentials are being tested against Polish systems: credential reuse across VPNs, email, cloud services, and internal systems turns a stolen web login into an initial access path.
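The triage a defender runs over such a dump looks like the following. This is an added example and not part of the original assessment: it takes the url:login:password layout common to combolists and stealer-log exports, deduplicates, counts exposure per registrable Polish domain (with gov.pl portals broken out), and flags passwords seen across more than one domain, which is the reuse the text describes. The sample lines, domains, logins and passwords are constructed, and the Polish public-suffix set is a small subset assumed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# One credential per line in the url:login:password layout common to combolists and
# stealer-log exports. Assumption: the URL carries no ':' beyond the scheme and an
# optional port, so the first ':' after the path separates URL from login.
LINE_RE = re.compile(
    r"^(?P<url>https?://[^:/\s]+(?::\d+)?(?:/[^:\s]*)?):(?P<user>[^:]+):(?P<pw>.+)$"
)

# Polish second-level public suffixes (a subset of the Public Suffix List, assumed here).
PL_SUFFIXES = {"gov.pl", "com.pl", "edu.pl", "org.pl", "net.pl", "mil.pl"}


def registrable(host):
    """Collapse a hostname to its registrable domain (portal.x.gov.pl -> x.gov.pl)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse(line):
    """Return (registrable_domain, login, password) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname
    if not host:
        return None
    return registrable(host), m["user"].strip(), m["pw"]


def triage(lines):
    """Deduplicate, count Polish exposure per domain, and flag passwords reused across domains."""
    seen, malformed = set(), 0
    pl_by_domain, gov_pl = Counter(), Counter()
    pw_domains = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            malformed += 1
            continue
        if rec in seen:  # exact duplicates are common across re-sold dumps
            continue
        seen.add(rec)
        domain, _user, pw = rec
        pw_domains[pw].add(domain)
        if domain.endswith(".pl"):
            pl_by_domain[domain] += 1
            if domain.endswith(".gov.pl"):
                gov_pl[domain] += 1
    reused = {pw: sorted(d) for pw, d in pw_domains.items() if len(d) >= 2}
    return {
        "unique": len(seen),
        "malformed": malformed,
        "pl_by_domain": dict(pl_by_domain),
        "gov_pl": dict(gov_pl),
        "reused_passwords": reused,
    }


# Constructed sample: every domain, login and password below is invented.
SAMPLE = """\
https://login.bank-przyklad.pl/auth:jan.kowalski@example.com:Zima2025!
https://login.bank-przyklad.pl/auth:jan.kowalski@example.com:Zima2025!
https://vpn.firma-przyklad.pl:443/remote/login:jkowalski:Zima2025!
https://portal.urzad-przyklad.gov.pl/login:jan.kowalski@example.com:Zima2025!
https://shop.example.com/account:jan.kowalski@example.com:Lato2024?
https://mail.example.de/:user@example.de:pw:with:colons
not a credential line
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The reuse check is keyed on the password alone, so it also catches the VPN login that uses a different username with the same password; in a real triage the gov.pl and VPN hits are the ones to push to forced resets first.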

Examples of Polish credential listings on Russian-language Telegram channels (screenshots in the original; captions retained):

  • Polish credential combolist: Telegram channel sharing a Polish credential dump
  • Polish credential combolist: Telegram post advertising Polish credentials
  • Polish credential listing: Telegram channel sharing a Polish credential dump
  • Infostealer cloud logs channel: Telegram "cloud" channel distributing fresh infostealer logs
  • Banned credential channels: Telegram credential channels are frequently banned, but new ones emerge within hours


Geopolitical Context

Russia’s Hybrid Warfare Campaign

Russia has dramatically escalated hybrid warfare operations against Poland and Europe since 2022. Per IISS analysis, sabotage operations increased 4x in 2024 compared to previous years. GLOBSEC research documented 219 Russian hybrid warfare incidents since 2014, with 86% occurring since 2022.

Three Pillars of Russian Hybrid Warfare:

| Pillar | Methods | Poland Examples |
| --- | --- | --- |
| Subversion | Information manipulation, election interference, narrative warfare | Polish election disinformation |
| Coercion | Military posturing, energy leverage, economic pressure | Belarus border crisis; pre-2022 gas dependency |
| Sabotage | Physical attacks, infrastructure destruction | Marywilska fire, railway sabotage |

Physical Sabotage Timeline (2024-2026)

| Date | Operation | Details | Attribution | Source |
| --- | --- | --- | --- | --- |
| May 2024 | Marywilska Shopping Center Fire | Warsaw's largest shopping center destroyed; 1,400+ shops, €500M+ damage | GRU | Notes From Poland |
| Nov 2025 | Railway Sabotage | FSB-directed sabotage via recruited Ukrainian proxies | FSB | BBC |
| Dec 2025 | Mirgorodsky Network | 30-person FSB sabotage network disrupted; included arson, reconnaissance | FSB | Reuters |
| 29-30 Dec 2025 | Energy Grid Attack (DynoWiper) | Wiper malware deployed against CHP plants and renewable energy systems; attack unsuccessful | Sandworm (GRU Unit 74455) | ESET, The Hacker News |
| Jan 2026 | Polish Consulate Odessa Strike | Russian missile strike on diplomatic facility | Russian military | Kyiv Post |

Marywilska Shopping Center Fire (May 2024):

On May 12, 2024, Warsaw’s largest shopping center was destroyed by arson. Polish government officially attributed the attack to GRU in May 2025:

  • PM Donald Tusk: “We already know for sure that the large fire at Marywilska was the result of arson ordered by the Russian security services”
  • Impact: 1,400+ shops destroyed, €500M+ damage
  • Attribution basis: Lithuanian intelligence corroborated Polish findings
  • Sources: Reuters, BBC, CNN

[Figure: Marywilska Shopping Center fire, aerial view. Warsaw, May 2024. Source: Reuters]

[Figure: Marywilska Shopping Center fire, ground view. Firefighters respond to the blaze; GRU attribution confirmed by the Polish government in May 2025. Source: Reuters]

Railway Sabotage (November 2025):

[Figure: railway sabotage in Poland, November 2025. FSB-directed, carried out via recruited Ukrainian proxies.]

Energy Grid Attack - DynoWiper (December 2025):

On December 29-30, 2025, Sandworm (GRU Unit 74455) deployed a previously undocumented wiper, DynoWiper, against Polish energy infrastructure. The attack came almost exactly ten years after Sandworm's 23 December 2015 attack on the Ukrainian power grid.

| Attribute | Details |
| --- | --- |
| Attack Date | 29-30 December 2025 |
| Threat Actor | Sandworm (GRU Unit 74455) |
| Attribution Confidence | Medium (ESET) |
| Malware | DynoWiper (Win32/KillFiles.NMO) |
| Malware Type | Wiper - destructive data deletion |
| Impact | Unsuccessful - no service disruption confirmed |

Targets:

  • Two combined heat and power (CHP) plants
  • Renewable energy management systems (wind turbines and photovoltaic farms coordination infrastructure)

DynoWiper Technical Capabilities:

  • Erases files and disables system recovery mechanisms
  • Removes Shadow Copies and restore points
  • Designed to destabilize critical infrastructure systems
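The recovery-inhibition behaviour listed above (Shadow Copy and restore point removal, recovery disabled) is ATT&CK T1490, and it is visible in process-creation telemetry (Sysmon Event ID 1, EDR command-line logging) whichever wiper performs it, which makes it a useful complement to the AV signature. The following is an added example, not from ESET or the original assessment: the patterns are generic command lines used across wiper and ransomware families, not DynoWiper's own (which the page does not give), and the events and hostnames are constructed.

```python
import re

# Command-line patterns for recovery inhibition (ATT&CK T1490). These are generic
# techniques seen across many wiper/ransomware families, NOT DynoWiper-specific
# indicators; each entry is (rule name, regex).
RULES = [
    ("vssadmin_delete_shadows", r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    ("vssadmin_resize_storage", r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize="),
    ("wmic_shadowcopy_delete", r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("powershell_shadowcopy_delete",
     r"win32_shadowcopy.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b"),
    ("bcdedit_disable_recovery",
     r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("wbadmin_delete_backups", r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


def normalise(cmdline):
    # Collapse whitespace: padding and odd spacing survive in telemetry, tokens do not change.
    return re.sub(r"\s+", " ", cmdline).strip()


def match_event(event):
    """Return the rule names triggered by one process-creation event (dict with 'cmdline')."""
    cmd = normalise(event.get("cmdline", ""))
    return [name for name, rx in COMPILED if rx.search(cmd)]


def hosts_with_hits(events):
    """Group triggered rules per host; several distinct techniques on one host is the strongest signal."""
    hits = {}
    for ev in events:
        names = match_event(ev)
        if names:
            hits.setdefault(ev["host"], set()).update(names)
    return {host: sorted(names) for host, names in hits.items()}


# Constructed Sysmon Event ID 1-style records; hostnames and activity are invented.
SAMPLE_EVENTS = [
    {"host": "chp-hist-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "chp-hist-01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "chp-hist-01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic  shadowcopy   delete"},
    {"host": "eng-ws-07", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},          # benign: enumerates, does not delete
    {"host": "eng-ws-07", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},                  # benign
]

if __name__ == "__main__":
    for host, names in hosts_with_hits(SAMPLE_EVENTS).items():
        print(host, names)
```

Three distinct T1490 techniques on one host inside a short window, as in the constructed chp-hist-01 records, is the point to isolate the host; a lone `vssadmin list shadows` is routine administration and is deliberately not matched.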

Attribution Basis:

  • ESET attributed with “medium confidence due to a strong overlap with numerous previous Sandworm wiper activity”
  • Links based on overlaps with prior wiper activity associated with Sandworm, particularly post-February 2022 Ukraine invasion
  • ESET’s Q2-Q3 2025 APT Activity Report documented regular wiper attacks against Ukrainian targets by this group

IOC:

  • SHA-1: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6
  • Detection: Win32/KillFiles.NMO

Assessment: This is the most significant cyber operation against Polish critical infrastructure in years. Targeting both conventional CHP plants and the coordination systems for wind and photovoltaic generation indicates planning for disruption across more than one generation type rather than an opportunistic hit. Although the attack failed, it confirms Sandworm's continued focus on energy sector disruption, now extended to a NATO member state.

Sources: ESET Research, The Hacker News, Security Bez Tabu

Telegram Recruitment for Sabotage Operations

Per OCCRP investigation, Russian intelligence services are actively recruiting European citizens via Telegram to conduct sabotage operations:

  • Recruitment method: Anonymous Telegram channels offer €500-€2,000 for tasks ranging from graffiti to arson
  • Target countries: Poland, Germany, France, Estonia, Latvia, Lithuania, Czech Republic
  • Tasks assigned: Arson, reconnaissance, infrastructure damage, Molotov cocktail attacks

January 2026 Events

| Date | Event | Cyber Response |
| --- | --- | --- |
| 12-13 JAN | Polish Consulate Odessa struck | DDoS surge |
| 15 JAN | Tusk attributes energy attack to Russia | Server Killers campaign |
| 17 JAN | MiG-29 transfer confirmed | ICS claims |

Targeted Organizations - January 2026

50+ Polish organizations were targeted across defense, energy, government, financial, and transportation sectors.

Consolidated Threat Actor Timeline - January 2026

Timeline of all threat actors targeting Poland, derived from Baysec CTI:

| Date | Actor | Target/Activity | Attack Type | Verification |
| --- | --- | --- | --- | --- |
| 02 JAN | NoName057(16) | Poland | DDoS | Confirmed |
| 06 JAN | letchik | Polish tax firm | Unauthorized access | Claimed |
| 06 JAN | The Flash DDoS BOX | Poland | DDoS | Confirmed |
| 07 JAN | The Gentlemen | Wamtechnik | Ransomware | Confirmed |
| 08 JAN | Dark Storm Team | Government websites, gas distribution, PKP, KRUS | DDoS | Confirmed |
| 10 JAN | Yiix074 | Polish Army | Data leak | Unverified claim |
| 11 JAN | BD Anonymous | rozklad-pkp.pl, Ministry of Interior website | DDoS | Confirmed |
| 11 JAN | H4CKTHOR | Multiple Polish websites | DDoS | Confirmed |
| 12 JAN | aiyewumi | Inpost | Data breach | Unverified claim |
| 12 JAN | Z-PENTEST ALLIANCE | Wastewater CCTV | ICS access | Claimed |
| 13-14 JAN | NoName057(16) | 7 PGZ defense subsidiaries | DDoS | Confirmed |
| 14 JAN | HEXROOTGROUP | Polish game server | DDoS | Confirmed |
| 14 JAN | payoutsking | Chemirol | Ransomware | Confirmed |
| 14 JAN | NoName057(16)/DDoSia | TechnoAlpin snow production | ICS access | Claimed |
| 15 JAN | Server Killers | Government websites | DDoS | Confirmed |
| 15 JAN | Dark Storm Team | Olsztyn-Mazury Airport | DDoS | Claimed |
| 17 JAN | BD Anonymous | BLIK | DDoS | Claimed |
| 17 JAN | thelastwhitehat | PoradnikZdrowie | Data breach | Claimed |
| 17 JAN | QuietSec | MTK-ACMO heating controllers | ICS access | Claimed |
| 19 JAN | QuietSec | URE, PSE, ARE (energy sector) | DDoS | Confirmed |
| 19 JAN | Z-PENTEST ALLIANCE | Industrial dosing equipment | ICS access | Claimed |
| 22 JAN | QuietSec | e-podróżnik.pl, rozkład-pkp.pl (Polish travel portals) | DDoS | Confirmed |

40+ unique threat actors targeted Poland and Europe in January 2026. This timeline shows major activities.

Verification: Confirmed = independently verified; Claimed = threat actor post only; Unverified = no supporting evidence.

Source: Baysec CTI


ICS/SCADA Access Claims - January 2026

10+ claims of unauthorized access to Polish industrial control systems. Per CISA Advisory AA25-343A, pro-Russian groups are actively targeting ICS via internet-exposed VNC services and default credentials.

| Date | Target | Actor | Risk | Verification |
| --- | --- | --- | --- | --- |
| 02 JAN | Wastewater treatment management | Z-PENTEST ALLIANCE | High | Assessed (TTP match) |
| 12 JAN | Wastewater treatment plant CCTV | Z-PENTEST ALLIANCE | Moderate | Claimed (Telegram post) |
| 15 JAN | Water treatment station | Z-PENTEST ALLIANCE | High | Assessed (TTP match) |
| 15 JAN | Boiler management system | NoName057(16)/DDoSia | Moderate | Assessed (TTP match) |
| 17 JAN | MTK-ACMO heating controllers | QuietSec | High | Claimed (Telegram post) |
| 19 JAN | Industrial dosing equipment | Z-PENTEST ALLIANCE | High | Claimed (Telegram post) |

Verification Key:

  • Claimed = Threat actor posted evidence (screenshots/video) on Telegram - not independently verified
  • Assessed = Attribution based on TTP alignment with CISA AA25-343A

Note: Z-PENTEST ALLIANCE is the primary water/wastewater sector threat actor per Cyble 2025 Threat Landscape Report. These are threat actor claims - actual ICS compromise has not been independently confirmed.

ICS Exploitation Methodology (CISA AA25-343A)

Per CISA Advisory AA25-343A, pro-Russian hacktivist groups employ the following TTP chain to compromise ICS/SCADA systems:

Attack Chain:

| Step | Technique | MITRE ID | Description |
| --- | --- | --- | --- |
| 1 | Scan for vulnerable devices | T0883, T1595.002 | Use internet scanning tools (e.g., Nmap, OpenVAS) to find VNC services on ports 5900-5910 |
| 2 | Initiate temporary VPS | T1583.003 | Spin up disposable infrastructure from which to run brute-force attempts |
| 3 | Access via VNC | T1021.005 | Connect to hosts using VNC remote desktop software |
| 4 | Confirm connection | T0886 | Verify access to the vulnerable device |
| 5 | Brute force credentials | T1110.003 | Use password-spraying tools against default/weak credentials |
| 6 | Gain HMI access | T0883, T0812, T0859 | Access the Human-Machine Interface with default or no passwords |
| 7 | Manipulate via GUI | T0823 | Use the HMI graphical interface to modify system parameters |
| 8 | Cause impact | T0828, T0829, T0836 | Modify settings, disable alarms, cause loss of view |

HMI Manipulation Actions (observed):

  • Modify usernames/passwords (T0892) - operator lockout
  • Modify parameters and setpoints (T0836) - process disruption
  • Modify device/instrument settings (T0831) - calibration tampering
  • Disable alarms (T0878) - hide intrusion/effects
  • Create loss of view (T0829) - force manual intervention
  • Device restart/shutdown (T0816) - service disruption

Targeted Sectors (per CISA):

  • Water and Wastewater Systems - Treatment facilities, distribution
  • Food and Agriculture - Dairy farms, food processing
  • Energy - Oil wells, heating systems, power distribution

Why These Attacks Succeed:

  • VNC services exposed to internet on default ports
  • Default or weak credentials on HMI devices
  • Lack of MFA on critical control systems
  • No network segmentation between IT and OT
  • Insufficient monitoring of OT access attempts

Assessment: These actors have limited technical sophistication but cause real harm. Per CISA, they frequently misunderstand the processes they aim to disrupt, but their willingness to manipulate systems creates genuine safety risks.


Defense Industrial Base

NoName057(16) targeted 7 PGZ (Polska Grupa Zbrojeniowa) subsidiaries in 48 hours (13-14 January):

| Organization | Date | Attack |
| --- | --- | --- |
| Polski Holding Obronny | 14 JAN | DDoS |
| DEZAMET S.A. | 13 JAN | DDoS |
| Gamrat S.A. | 13 JAN | DDoS |
| Cenzin sp. z o.o. | 14 JAN | DDoS |
| ELTA | 13 JAN | DDoS |
| Zakłady Mechaniczne Tarnów | 14 JAN | DDoS |
| OBRUM | 14 JAN | DDoS |

Assessment: Target selection suggests familiarity with Polish defense structure. Attacks caused temporary website unavailability - no data breaches confirmed.

Energy Sector

| Organization | Date | Actor | Attack |
| --- | --- | --- | --- |
| Poland's Energy Regulatory Office (URE) | 19 JAN | QuietSec | DDoS |
| Polish Power Grids (PSE) | 19 JAN | QuietSec | DDoS |
| Agencja Rynku Energii S.A. (ARE) | 19 JAN | QuietSec | DDoS |
| Polish Gas Distribution Company | 08 JAN | Dark Storm Team | DDoS |

Government

| Organization | Attacks | Actors | Attack |
| --- | --- | --- | --- |
| gov.pl (Official Portal) | 1 | Dark Storm | DDoS |
| Ministry of Interior | 4 | Dark Storm, Server Killers, BD Anonymous | DDoS |
| KRUS (Agricultural Insurance) | 3 | Dark Storm | DDoS |
| Electronic Documents Archive | 3 | Dark Storm, Server Killers | DDoS |
| E-Dowód (Digital Identity) | 1 | Server Killers | DDoS |
| 15+ Regional governments | Multiple | NoName057(16) | DDoS |

Financial Sector

| Organization | Date | Actor | Attack |
| --- | --- | --- | --- |
| BLIK | 17 JAN | BD Anonymous | DDoS |
| TimeTax | 06 JAN | letchik | Unauthorized access |

Transportation

| Organization | Date | Actor | Attack |
| --- | --- | --- | --- |
| Olsztyn-Mazury Airport | 15 JAN | Dark Storm Team | DDoS |
| rozklad-pkp.pl | 08, 11 JAN | Dark Storm, BD Anonymous | DDoS |
| Koleje Mazowieckie | 14 JAN | NoName057(16) | DDoS |
| MPK Poznań | 06, 13 JAN | NoName057(16) | DDoS |

Private Sector

| Organization | Date | Actor | Attack |
| --- | --- | --- | --- |
| Inpost | 12 JAN | aiyewumi | Unconfirmed data breach |
| Wamtechnik | 07 JAN | The Gentlemen | Ransomware |
| Chemirol | 14 JAN | payoutsking | Ransomware |
| PoradnikZdrowie | 17 JAN | thelastwhitehat | Unconfirmed data breach |

Threat Actors

Key Groups Active in January 2026

| Actor | Attacks | Primary TTPs | State Nexus | Confidence |
| --- | --- | --- | --- | --- |
| Sandworm | 1 (Dec 2025) | DynoWiper, infrastructure destruction | GRU Unit 74455 | State nexus CONFIRMED; DynoWiper attribution medium confidence (ESET) |
| NoName057(16) | 30+ | DDoSia botnet, Layer 7 DDoS | GRU-linked | CONFIRMED (DOJ Dec 2025) |
| Z-PENTEST ALLIANCE (CARR) | 5 ICS claims | VNC exploitation, SCADA access | GRU-founded, funded and directed | CONFIRMED (CISA AA25-343A, DOJ Dec 2025) |
| QuietSec | 6 | DDoS, ICS claims, data exfiltration | Pro-Russian | UNCONFIRMED |
| Dark Storm Team | 10+ | DDoS, defacement | Pro-Russian/Pro-Palestinian | UNCONFIRMED |
| Server Killers | 7 | Layer 7 DDoS | Pro-Russian | UNCONFIRMED |
| BD Anonymous | 6 | DDoS | Pro-Russian | UNCONFIRMED |
| HEXROOTGROUP | 1+ | DDoS, defacement | Pro-Russian | UNCONFIRMED |
| H4CKTHOR | 3+ | DDoS | Hacktivist | UNCONFIRMED |
| The Flash DDoS BOX | 1+ | DDoS-for-hire | Criminal (DDoS-as-a-Service) | N/A |
| Infrastructure Destruction Squad | 1+ | DDoS | Pro-Russian | UNCONFIRMED |

Confidence Key:

  • CONFIRMED = Official attribution (DOJ indictment, CISA advisory, OFAC sanctions)
  • UNCONFIRMED = Self-declared alignment; no official attribution

Ransomware Operators

| Actor | Victim | Date |
| --- | --- | --- |
| SafePay | polhun.pl | 25 DEC 2025 |
| LockBit 5 | mostykatowice.pl | 30 DEC 2025 |
| THE GENTLEMEN | Wamtechnik | 07 JAN |
| payoutsking | Chemirol | 14 JAN |

Source: Baysec CTI

THE GENTLEMEN Ransomware - Detailed Profile

| Attribute | Details |
| --- | --- |
| Type | Ransomware-as-a-Service (RaaS) |
| Emerged | August 2025 (Trend Micro, Blackpoint) |
| Victims | 63+ across 17+ countries (Ransomware.live) |
| Model | Dual extortion (encrypt + exfiltrate) |
| Encryption | XChaCha20 + Curve25519 (Cybereason) |
| Platforms | Windows, Linux, VMware ESXi |
| CIS Restriction | Operations prohibited in Russia/CIS - indicates Russia-based operation |
| Detection | Ransomware/Win.GentlemenCrypt (AhnLab) |

Background:

THE GENTLEMEN ransomware group emerged in August 2025 and rapidly became a significant threat. Per Ransomware.live and Cybereason analysis, the group operates a sophisticated RaaS platform.

Operation Restrictions:

THE GENTLEMEN ransomware includes explicit restrictions prohibiting operations in Russia and CIS countries:

“Work prohibited in Russia and CIS countries”

This restriction is a common indicator of Russia-based or Russia-aligned ransomware operations, providing operators with protection from Russian law enforcement.

Technical Capabilities:

  • Encryption: XChaCha20 stream cipher with Curve25519 key exchange
  • Driver Abuse: Exploits CVE-2025-7771 (ThrottleStop.sys BYOVD - Bring Your Own Vulnerable Driver)
  • Target Platforms: Windows workstations/servers, Linux systems, VMware ESXi hypervisors
  • Exfiltration: Pre-encryption data theft for double extortion leverage

Poland Activity:

  • 07 JAN 2026: Wamtechnik (Polish manufacturing company) - data encrypted and exfiltrated (DeXpose)

European Energy Sector Targeting:

  • 26 DEC 2025: Oltenia Energy Complex (Romania) - major energy infrastructure victim (BleepingComputer)

Victim Profile (63+ total):

  • Manufacturing, energy, healthcare, professional services
  • Geographic distribution: Europe, North America, Asia-Pacific
  • Average ransom demands: Undisclosed (negotiated per victim)

Assessment: THE GENTLEMEN represents a sophisticated, likely Russia-based ransomware operation. The CIS restriction, combined with targeting patterns focused on NATO countries and Ukraine allies, suggests alignment with Russian strategic interests. The group’s rapid victim accumulation (63+ in ~6 months) indicates effective operations and affiliate recruitment.

Source: Ransomware.live, Cybereason, Baysec CTI


Threat Actor Details

Sandworm (GRU Unit 74455) - APT44

| Attribute | Details |
| --- | --- |
| Type | State-Sponsored APT |
| Also Known As | APT44, Seashell Blizzard, IRIDIUM, Voodoo Bear, Telebots |
| Active Since | 2009 |
| State Nexus | Confirmed - GRU Unit 74455 (Main Centre for Special Technologies) |
| Primary TTPs | Wiper malware, ICS attacks, supply chain attacks |
| Notable Operations | BlackEnergy (2015 Ukraine grid), NotPetya (2017), Industroyer (2016, 2022) |

Background:

Sandworm is Russia’s most destructive cyber threat actor, operated by GRU Unit 74455. The group has conducted numerous attacks against critical infrastructure, most notably the 2015 and 2016 Ukrainian power grid attacks and the NotPetya global wiper attack in 2017.

December 2025 Poland Attack:

On December 29-30, 2025, Sandworm deployed DynoWiper (Win32/KillFiles.NMO) against Polish energy infrastructure:

| Target | Details |
| --- | --- |
| Two CHP plants | Combined heat and power facilities |
| Renewable energy systems | Wind turbine and photovoltaic farm coordination infrastructure |

DynoWiper Malware:

| Attribute | Details |
| --- | --- |
| Detection Name | Win32/KillFiles.NMO |
| Type | Wiper (destructive) |
| Capabilities | File erasure, Shadow Copy deletion, recovery mechanism disabling |
| SHA-1 | 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 |

Attack Outcome: The attack was unsuccessful with no confirmed service disruption. However, the attack represents the most significant cyber operation against Polish critical infrastructure in recent years.

Attribution Basis (ESET):

  • Medium confidence attribution based on “strong overlap with numerous previous Sandworm wiper activity”
  • Attack timing on 10th anniversary of 2015 Ukrainian power grid attack
  • Consistent with Sandworm’s documented pattern of energy sector targeting

Assessment: Sandworm’s targeting of Polish energy infrastructure demonstrates Russia’s willingness to conduct destructive operations against NATO member states. While this specific attack failed, it confirms Poland as a priority target for Russian state-sponsored destructive cyber operations.

Sources: ESET Research, The Hacker News

NoName057(16)

| Attribute | Details |
| --- | --- |
| Type | Hacktivist Collective |
| Active Since | March 2022 |
| State Nexus | Confirmed - Russian state-sanctioned project (DOJ December 2025) |
| Primary Tool | DDoSia botnet (proprietary) |
| Channel | Telegram |
| Affiliation | CISM (Center for Study and Network Monitoring of Youth Environment) - established by order of the President of Russia (October 2018) |

NoName057(16) is a state-sanctioned project whose membership includes employees of CISM (Center for Study and Network Monitoring of Youth Environment / Центр изучения и сетевого мониторинга молодёжной среды), an IT organization established by presidential order in 2018. The US Department of Justice identified the following:

  • Russian government provided financial support
  • DDoSia infrastructure created by CISM employees
  • Cryptocurrency payments to volunteer attackers
  • Targeted government agencies, financial institutions, railways, and ports
  • Victoria Eduardovna Dubranova (Ukrainian national) indicted; extradited to US; trial scheduled February 2026

Rewards: US State Department offers up to $10 million for information on NoName members.

January 2026 Poland Activity Timeline:

| Date | Target | Attack |
| --- | --- | --- |
| 06 JAN | MPK Poznań (public transit) | DDoS |
| 13 JAN | DEZAMET S.A., Gamrat S.A., ELTA, MPK Poznań | DDoS |
| 14 JAN | Polski Holding Obronny, Cenzin, ZM Tarnów, OBRUM, Koleje Mazowieckie | DDoS |
| 15+ JAN | Regional government websites (15+ targets) | DDoS |

Summary: 30+ attacks on Polish targets with concentrated 48-hour defense sector campaign (13-14 JAN)

DDoSia Operational Model:

NoName057(16) operates a crowdsourced DDoS platform where volunteers install client software to participate in attacks:

  1. Recruitment: Volunteers join via Telegram channels
  2. Registration: Users register with the bot and receive a unique ID
  3. Client Installation: Volunteers download and install the DDoSia client (Windows, Linux, macOS, Android versions available)
  4. Target Distribution: The C2 server pushes target lists to installed clients automatically
  5. Attack Execution: Clients generate Layer 7 HTTP floods against assigned targets
  6. Payment: Participants earn cryptocurrency (USDT, BTC) based on attack contribution - tracked via unique ID
  7. Verification: Attacks verified via check-host.net; results posted to Telegram

DDoSia Client Technical Details:

  • Written in Go (cross-platform)
  • Connects to C2 infrastructure for target lists
  • Generates HTTP/HTTPS requests with randomized headers
  • Supports proxy configuration for anonymization
  • Leaderboards track top contributors (gamification)
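What this model leaves in a target's web server logs is the detectable part: a source that issues far more requests than a browser would in a short window, and a source whose User-Agent changes between requests because the client randomizes headers. The following is an added example, not DDoSia code and not from the original assessment: it profiles a combined-format access log per source address with a sliding window and flags both signals. The log lines are constructed, the addresses are from RFC 5737 documentation ranges, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(lines):
    """Yield (ip, timestamp, user_agent) for every line that parses; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["ua"]


def profile(lines, window=10):
    """Per source IP: peak request count in any sliding `window` seconds, and distinct User-Agents."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)
    uas = defaultdict(set)
    for ip, ts, ua in sorted(parse_log(lines), key=lambda r: r[1]):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        uas[ip].add(ua)
    return {ip: {"peak": peak[ip], "uas": len(uas[ip])} for ip in peak}


def detect(lines, window=10, rate_threshold=20, ua_threshold=3):
    """Flag sources that exceed the request-rate threshold or rotate User-Agents (thresholds assumed)."""
    flagged = {}
    for ip, stats in profile(lines, window).items():
        reasons = []
        if stats["peak"] >= rate_threshold:
            reasons.append("rate")
        if stats["uas"] >= ua_threshold:
            reasons.append("ua-churn")
        if reasons:
            flagged[ip] = {**stats, "reasons": reasons}
    return flagged


# ---- constructed sample log (documentation-range addresses, invented traffic) ----
BASE = datetime(2026, 1, 15, 14, 3, 0, tzinfo=timezone.utc)
UAS = ["Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Mozilla/5.0 (X11; Linux x86_64)",
       "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2)", "Mozilla/5.0 (Android 14; Mobile)"]


def log_line(ip, ts, ua, path="/"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


# 30 requests in 6 s from one host, cycling four User-Agents and cache-busting query strings.
SAMPLE = [log_line("203.0.113.7", BASE + timedelta(milliseconds=200 * i), UAS[i % 4], f"/?q={i}")
          for i in range(30)]
# 4 requests over 15 s from an ordinary visitor with one User-Agent.
SAMPLE += [log_line("198.51.100.2", BASE + timedelta(seconds=5 * i), UAS[0]) for i in range(4)]
SAMPLE.append("garbage line that will not parse")

if __name__ == "__main__":
    for ip, info in detect(SAMPLE).items():
        print(ip, info)
```

In production the same two counters feed a rate limiter or a CDN/WAF block list keyed on source address; the User-Agent churn signal is what separates a volunteer's DDoSia client from a legitimately busy NAT gateway, which keeps one agent string per client behind it.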

Payment Structure:

  • Volunteers paid in cryptocurrency based on “attack units” contributed
  • Top performers receive bonuses

TTPs:

  • Layer 7 HTTP flood attacks via volunteer botnet
  • Cryptocurrency payments to DDoSia participants (~$10-50/month per active participant)
  • Telegram-based target coordination and recruitment
  • check-host.net for public attack verification
  • GitHub used for client distribution (repositories frequently removed)

Law Enforcement:

  • Europol Operation Eastwood (July 2025):
    • 2 arrests (France, Spain)
    • 8 arrest warrants issued
    • 100+ servers disrupted across 8 countries (Poland, Ukraine, Germany, France, Netherlands, UK, USA, Switzerland)
    • Source: Eurojust
  • Group rebuilt infrastructure within months - operational by September 2025
  • December 2025 DOJ indictments confirmed state funding and CISM employee involvement

Assessment:

| Aspect | Rating | Notes |
| --- | --- | --- |
| Technical Sophistication | LOW | Simple HTTP floods; relies on volunteer volume, not advanced techniques |
| Organizational Capability | HIGH | Effective recruitment, payment systems, rapid infrastructure rebuild |
| Impact Potential | MODERATE | Temporary service disruption; no data theft or persistent access |
| Threat Level | ELEVATED | State backing provides resilience; nuisance-level attacks at scale |

NoName057(16) is not technically sophisticated. Its model depends on recruiting volunteers to install a simple DDoS client. The attacks are basic Layer 7 HTTP floods: no exploitation, no malware on the target, no persistence. An organization with standard DDoS mitigation (CDN, rate limiting, WAF) can generally absorb them.

Their actual capability is organizational, not technical:

  • Effective propaganda and recruitment via Telegram
  • Gamified payment system that incentivizes participation
  • Rapid infrastructure rebuild after law enforcement takedowns
  • State backing provides funding and coordination

DDoSia Project - ICS Access Claims

NoName057(16)’s DDoSia Project has expanded beyond DDoS to ICS access claims, coordinating with Z-PENTEST ALLIANCE.

January 2026 ICS Claims:

| Date | Target | Risk |
| --- | --- | --- |
| 14 JAN | TechnoAlpin snow production (Poland) | High - ammonia hazard |
| 16 JAN | 850 kW industrial boiler (Czech Republic) | High |
| 16 JAN | Clairion Clean Air Technology (France) | High - toxic gas |

[Figure: DDoSia - TechnoAlpin snow production ICS access] Russian-language Telegram post from DDoSia Project (forwarded from NoName057(16)) claiming access to a Polish TechnoAlpin snow production system. The text states that volunteers control compressors, water supply and temperature/humidity, and highlights the ammonia refrigerant as the critical element. The screenshot shows a Polish-language HMI with real-time sensor data.

[Figure: DDoSia - industrial boiler access (Czech Republic)] Russian-language Telegram post from DDoSia Project (forwarded from NoName057(16)) announcing collaboration with Z-Pentest Alliance on a Czech 850 kW industrial boiler. The text claims full control over fuel supply, augers, pumps, ventilation, and temperature/pressure monitoring.

[Figure: DDoSia - Clairion gas control system access] Russian-language Telegram post from DDoSia Project (forwarded from NoName057(16)) claiming access to a Clairion Clean Air Technology ICS in France. The system handles hydrogen sulfide and hydrogen peroxide, both toxic/hazardous. The screenshot shows industrial process control data.

Assessment: ICS access claims show capability development. Systems with hazardous materials present safety risks if manipulated.

Source: SOCRadar, Picus Security, Baysec CTI

Z-PENTEST ALLIANCE (CARR) - GRU-Directed ICS Threat Actor

| Attribute | Details |
| --- | --- |
| Type | State-Sponsored ICS-focused group |
| Also Known As | Cyber Army of Russia Reborn (CARR) |
| State Nexus | Confirmed GRU - founded, funded, and directed by GRU (DOJ December 2025) |
| Primary TTPs | VNC exploitation, default credentials, HMI access, ICS manipulation |
| Coordination | Works with DDoSia Project, Nullsec Philippines |

CARR/Z-PENTEST ALLIANCE was founded, funded, and directed by the GRU (Russian military intelligence). U.S. Department of Justice identified that:

  • GRU officer (“Cyber_1ce_Killer”) instructed CARR leadership on targeting
  • GRU financed access to DDoS-for-hire services
  • 100+ members including juveniles; 75,000+ Telegram followers
  • US Critical Infrastructure attacks: Public water systems (multiple states), meat processing facility (Los Angeles - ammonia leak, meat spoilage), US election infrastructure
  • Victoria Eduardovna Dubranova indicted; faces up to 27 years federal prison

U.S. Office of Foreign Assets Control Sanctions (July 2024):

  • Yuliya Pankratova (leader) and Denis Degtyarenko (primary hacker) sanctioned
  • Treasury confirmed: “In January 2024, CARR claimed responsibility for the overflow of water storage tanks in Abernathy and Muleshoe, Texas”
  • Attacks on US critical infrastructure including water systems in multiple states

Rewards for Justice: US State Department offers up to $2 million for information on CARR/Z-PENTEST members.

January 2026 Poland Activity:

  • Industrial boiler house access claim (ELTA - Zakład Automatyki Przemysłowej)
  • Wastewater treatment CCTV access (12 JAN)
  • Industrial dosing equipment access (19 JAN)

Observed Capabilities (from Telegram posts):

  • Temperature, pressure, fuel supply control
  • Auger and pump operation
  • Ventilation and alarm systems
  • Contact information exfiltration

[Figure: Z-PENTEST ALLIANCE - ELTA industrial boiler access claim] Russian-language Telegram post from Z-Pentest Alliance (forwarded via Nullsec Philippines) claiming full access to an ELTA (Zakład Automatyki Przemysłowej) industrial boiler house in Poland. The text states "We have gained full access to the equipment developer" and claims control over temperature, pressure, fuel supply, augers, pumps, ventilation, and alarm systems; the post includes developer contact information. The screenshot shows a Polish-language HMI displaying real-time boiler parameters (553°C, O₂ levels, fuel status).

CISA Warning: AA25-343A (December 2025) specifically warned of Z-PENTEST ALLIANCE and affiliated groups targeting the water, energy, and food/agriculture sectors via internet-exposed ICS.

Source: Telegram, Baysec CTI

Sector16 - Z-Pentest Affiliate ICS Group

| Attribute | Details |
| --- | --- |
| Type | Pro-Russian Hacktivist / ICS-focused |
| Formed | January 2025 |
| State Nexus | Possible indirect Russian government support (CISA AA25-343A) |
| Affiliation | Collaboration with Z-Pentest Alliance |
| Primary TTPs | T1078 Valid Accounts, VNC exploitation, HMI access |
| Target Countries | Italy, Portugal, Spain, Czech Republic, United States |

Background:

Per CISA AA25-343A, Sector16 is a novice pro-Russia hacktivist group that emerged through collaboration with Z-Pentest in January 2025. The group maintains a public Telegram channel where they share videos, statements, and claims of compromising critical infrastructure.

Key Intelligence:

  • Members may have received indirect support from the Russian government in exchange for conducting specific cyber operations that further Russian strategic goals
  • Aligns with broader Russian cyber strategies that involve leveraging non-state threat actors for certain cyber activities, adding a layer of deniability
  • Communications often align with pro-Russia narratives and reflect self-proclaimed support for Russian geopolitical objectives
  • Jointly claimed US system intrusion with Z-Pentest; subsequently began posting additional intrusions claiming sole responsibility

Observed Targets:

  • US energy infrastructure (claimed)
  • European ICS/SCADA systems (Italy, Portugal, Spain, Czech Republic)
  • HMI and web-based SCADA interfaces

TTPs (per CISA):

  • Uses the same methodology as Z-Pentest: VNC exploitation, default credentials
  • Targets internet-exposed HMI devices
  • Likely received TTP training/sharing from Z-Pentest partnership

Assessment: Sector16 represents the propagation model described in CISA AA25-343A - hacktivist groups working together, amplifying each other’s posts, and sharing TTPs. The group’s emergence from Z-Pentest collaboration demonstrates how pro-Russian ICS targeting capabilities spread across the hacktivist ecosystem.

Source: CISA AA25-343A, Baysec CTI
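The TTPs above (internet-exposed HMIs reached over VNC, default or guessed credentials) are detectable at the perimeter and on the VNC server itself. The following script is an added example written for this assessment, not code from CISA, Baysec or any of the groups discussed. It assumes a firewall log and a VNC server auth log in a simple `key=value` layout (both formats, the OT subnet `10.20.30.0/24` and the sample lines are constructed assumptions) and flags two things: an allowed inbound VNC session from an external address into the OT subnet (T0883 / T0886 / T1021.005), and a source that cycles through several usernames against one HMI in a short window (T1110.003 / T0859), noting whether any attempt in the burst succeeded.

```python
"""Detection logic for the two ICS access patterns CISA AA25-343A attributes to
Z-Pentest and Sector16: VNC sessions reaching internet-exposed HMIs
(T0883 / T0886 / T1021.005) and password spraying against HMI logins
(T1110.003 / T0859).

The log layouts and field names are assumptions for this example; map them to
your own firewall and VNC server schemas.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real traffic): a perimeter firewall log with one
# allowed inbound VNC session to the OT VLAN, and the VNC server's auth log
# showing a burst of logins from that source under different operator names.
FW_LOG = """\
2026-01-17T02:14:05Z fw action=allow src=203.0.113.45 dst=10.20.30.7 dport=5900 proto=tcp
2026-01-17T02:14:09Z fw action=allow src=10.20.30.15 dst=10.20.30.7 dport=5900 proto=tcp
2026-01-17T02:15:41Z fw action=deny src=198.51.100.9 dst=10.20.30.7 dport=5901 proto=tcp
2026-01-17T02:16:02Z fw action=allow src=203.0.113.45 dst=10.20.30.8 dport=80 proto=tcp
"""

VNC_AUTH_LOG = """\
2026-01-17T02:14:06Z vncserver host=10.20.30.7 src=203.0.113.45 user=operator result=fail
2026-01-17T02:14:07Z vncserver host=10.20.30.7 src=203.0.113.45 user=admin result=fail
2026-01-17T02:14:08Z vncserver host=10.20.30.7 src=203.0.113.45 user=service result=fail
2026-01-17T02:14:09Z vncserver host=10.20.30.7 src=203.0.113.45 user=kotlownia result=fail
2026-01-17T02:14:10Z vncserver host=10.20.30.7 src=203.0.113.45 user=hmi result=success
2026-01-17T02:30:00Z vncserver host=10.20.30.7 src=10.20.30.15 user=operator result=success
"""

OT_SUBNET = ipaddress.ip_network("10.20.30.0/24")  # assumption: the HMI VLAN
VNC_PORTS = range(5900, 5907)                       # RFB default display ports :0-:6
# Assumption: anything outside these ranges is treated as internet-sourced.
# (Python's is_private/is_global flags would classify the TEST-NET addresses
# used in the sample as non-global too, so the check is kept explicit.)
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ISO timestamp> <source> k=v k=v ...' into a dict with a datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def exposed_vnc_sessions(fw_log):
    """Allowed inbound VNC connections from external sources into the OT subnet.

    One hit is enough: it shows an HMI is reachable from the internet (T0883)
    and that a remote session was actually established (T0886 / T1021.005).
    """
    hits = []
    for line in fw_log.splitlines():
        ev = parse_line(line)
        if (ev["action"] == "allow"
                and int(ev["dport"]) in VNC_PORTS
                and ipaddress.ip_address(ev["dst"]) in OT_SUBNET
                and not is_internal(ev["src"])):
            hits.append((ev["ts"].isoformat(), ev["src"], ev["dst"], int(ev["dport"])))
    return hits


def vnc_password_spray(auth_log, window=timedelta(minutes=5), min_users=3):
    """Flag a source that tries >= min_users distinct usernames against one HMI
    inside `window` (T1110.003 / T0859). A success inside the burst upgrades
    the alert from 'spray attempt' to 'probable compromise'."""
    attempts = defaultdict(list)          # (src, host) -> [(ts, user, result)]
    for line in auth_log.splitlines():
        ev = parse_line(line)
        attempts[(ev["src"], ev["host"])].append((ev["ts"], ev["user"], ev["result"]))
    alerts = []
    for (src, host), evs in attempts.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {u for _, u, _ in burst}
            if len(users) >= min_users:
                alerts.append({
                    "src": src, "host": host, "first_seen": t0.isoformat(),
                    "distinct_users": len(users),
                    "success_as": [u for _, u, r in burst if r == "success"],
                })
                break                      # one alert per (src, host) pair
    return alerts


if __name__ == "__main__":
    for hit in exposed_vnc_sessions(FW_LOG):
        print("exposed VNC session:", hit)
    for alert in vnc_password_spray(VNC_AUTH_LOG):
        print("password spray:", alert)
```

The first rule is really an inventory check: in a correctly segmented plant the firewall should never log an `allow` for VNC from outside into the OT range, so the alert doubles as a policy violation. The spray rule keys on distinct usernames per source rather than failure count, which is what separates a spray from an operator mistyping one password.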

Dark Storm Team

| Attribute | Details |
|---|---|
| Type | Pro-Palestinian/Pro-Russian Hacktivist |
| Emerged | September 2023 (Cyble) |
| Primary TTPs | DDoS, defacement |
| Channel | Telegram |
| Notable Activity | March 2025 X (Twitter) platform attack claimed (Check Point) |
| Alliance | Coordinates with Server Killers in 7-group Lithuania campaign (CyberPress) |

Profile:

Dark Storm Team emerged in September 2023 with dual Pro-Palestinian and Pro-Russian alignment. The group gained prominence after claiming responsibility for the March 2025 attack on X (Twitter). Per Cyble threat profile, the group operates across multiple Telegram channels and coordinates attacks with other pro-Russian groups.

January 2026 Poland Activity Timeline:

| Date | Target | Attack |
|---|---|---|
| 08 JAN | Government (gov.pl) | DDoS |
| 08 JAN | Polish Gas Distribution Company | DDoS |
| 08 JAN | rozklad-pkp.pl (Rail schedules) | DDoS |
| 08 JAN | KRUS (Agricultural Insurance) | DDoS |
| 15 JAN | Olsztyn-Mazury Airport | DDoS |
| Multiple | KRUS (Agricultural Insurance) | DDoS (repeated) |

Summary: 10+ attacks. Peak activity 08 JAN (5 targets in single day). Active same days as Server Killers and NoName057(16).

Source: Wikipedia, Baysec CTI

Server Killers

| Attribute | Details |
|---|---|
| Type | Pro-Russian Hacktivist |
| Primary TTPs | Layer 7 DDoS |
| Stated Motivation | Opposition to Ukraine military support |
| Activity Scale | 200+ attack reports (Dec 2025 - Jan 2026) |
| Target Countries | Poland, Czech Republic, Denmark, Belgium, Finland, UK, Germany, Norway, Spain, Italy, Kosovo |
| Alliance | Part of 7-group anti-Lithuania alliance (CyberPress) |

January 2026 Poland Activity:

| Date | Targets |
|---|---|
| 15 JAN | Government and Military websites |
| 06 JAN | PKP Intercity, Polish State Railways, Warsaw Modlin Airport, Polish Gas Company |

European Coordination (January 2026):

| Date | Country | Targets |
|---|---|---|
| 21 JAN | Czech Republic | Military Intelligence, National Security Agency, Czech Trade Inspection |
| 20 JAN | Czech Republic | Security Information Service (BIS), National Security Office |
| 19 JAN | Czech Republic | Multiple universities (Masaryk, Brno, Prague Economics) |

Server Killers operates as part of a broader pro-Russian hacktivist coalition targeting NATO member states.

Server Killers - Poland Government Targeting: Telegram post from Server Killers announcing DDoS attacks on Polish government websites. Text states: “We attacked Poland again because of they are supporting Ukraine with military equipment.” The post lists targets with check-host.net verification links: msw.gov.pl (Ministry of Interior - mislabeled as “Justice”), edowod.gov.pl (e-Services/Digital Identity). Russian flag emoji and Kremlin imagery indicate pro-Russian alignment.

Timing: 15 JAN surge coincided with PM Tusk’s public attribution of December energy attack to Russia.

Source: Baysec CTI

BD Anonymous

| Attribute | Details |
|---|---|
| Type | Pro-Russian Hacktivist |
| Primary TTPs | DDoS |

January 2026 Poland Activity:

  • Ministry of Interior - multiple attacks
  • BLIK (Polish payment system) - 17 JAN
  • rozklad-pkp.pl - 11 JAN
  • Electronic Documents Archive

Coordination: Attacks on same targets as Dark Storm Team and Server Killers within 24-48 hours.

Source: Baysec CTI

QuietSec

| Attribute | Details |
|---|---|
| Type | Pro-Russian Hacktivist |
| Primary TTPs | DDoS, ICS access, data exfiltration |
| State Nexus | Unconfirmed (behavior suggests state support) |
| Capabilities | Multi-vector: DDoS, ICS/SCADA, data breaches |
| Target Countries | Ukraine, Poland, Denmark, France |

Full Activity Timeline (December 2025 - January 2026):

| Date | Target | Country | Attack Type |
|---|---|---|---|
| 22 JAN | rozkład-pkp.pl | Poland | DDoS |
| 22 JAN | e-podróżnik.pl | Poland | DDoS |
| 20 JAN | Ukrexim Bank | Ukraine | DDoS |
| 20 JAN | Oschadbank | Ukraine | DDoS |
| 20 JAN | Ukrgasbank | Ukraine | DDoS |
| 19 JAN | Polish Power Grids (PSE) | Poland | DDoS |
| 19 JAN | Energy Regulatory Office (URE) | Poland | DDoS |
| 19 JAN | Agencja Rynku Energii (ARE) | Poland | DDoS |
| 17 JAN | MTK-ACMO Heating Controllers | Poland | ICS access |
| 09 JAN | dush.com.ua | Ukraine | Data breach |
| 04 JAN | Ukrainian Government Data Portal | Ukraine | DDoS |
| 02 JAN | Charitable Foundation International Unity Movement | Ukraine | Data breach |
| 31 DEC | Financial records of Ukraine support funds | Ukraine | Data leak |
| 29 DEC | All-Ukrainian Association “Patriot” | Ukraine | DDoS |
| 29 DEC | Support Ukrainian Defenders | Ukraine | DDoS |
| 29 DEC | Unite with Ukraine | Ukraine | DDoS |
| 27 DEC | Come Back Alive | Ukraine | DDoS |
| 27 DEC | StandWithUkraine | Ukraine | DDoS |
| 27 DEC | Direct Initiative | Ukraine | DDoS |
| 24 DEC | Rennes, Toulouse, Strasbourg | France | DDoS |
| 21-23 DEC | Danish Police, Courts, Telecom, Municipalities | Denmark | DDoS |

Ukraine Targeting: QuietSec systematically targeted Ukrainian banks (Ukrexim, Oschadbank, Ukrgasbank), Ukraine support organizations (Come Back Alive, StandWithUkraine, Support Ukrainian Defenders), and conducted data breaches against Ukrainian entities (dush.com.ua, Charitable Foundation International Unity Movement, financial records of Ukraine support funds). Targets indicate anti-Ukraine motivation with intelligence collection capability.

Poland Targeting:

  • Energy sector campaign (19 JAN): URE, PSE, ARE
  • ICS access claim (17 JAN): MTK-ACMO heating controllers
  • Transportation/travel portals (22 JAN): rozkład-pkp.pl, e-podróżnik.pl

Targeting Pattern: QuietSec follows a geographic rotation - Denmark (21-23 DEC) → France (24 DEC) → Ukraine support orgs (27-29 DEC) → Ukraine data breaches (31 DEC - 09 JAN) → Ukraine government/banks (04-20 JAN) → Poland energy/ICS (17-22 JAN). This systematic targeting of NATO countries and Ukraine suggests coordination.

Assessment: QuietSec demonstrates multi-vector capabilities (DDoS, ICS claims, data exfiltration) that distinguish it from typical single-vector hacktivists. The combination of Ukrainian banking sector targeting and systematic NATO country rotation indicates clear pro-Russian alignment. However, no government attribution exists linking QuietSec to Russian state agencies. The state nexus remains unconfirmed: the behavioral patterns are consistent with pro-Russian ideology but could also represent independent hacktivist activity.

Source: Baysec CTI


Campaign Analysis

Coordination Evidence

The January 2026 campaign shows indicators of coordination rather than independent hacktivism:

1. Sequential Sector Targeting:

  • Week 1 (01-07 JAN): Government services
  • Week 2 (08-14 JAN): Defense industrial base + ransomware
  • Week 3 (15-20 JAN): Energy sector + ICS probing

2. Multi-Group Same-Day Operations:

  • 08 JAN: Dark Storm Team - 5 targets
  • 12 JAN: 4 groups, 7+ targets
  • 15 JAN: Server Killers + Dark Storm - 9+ targets

3. Geopolitical Correlation:

| Date | Event | Cyber Activity |
|---|---|---|
| 12-13 JAN | Polish Consulate Odessa struck | DDoS surge |
| 15 JAN | Tusk attributes energy attack to Russia | Server Killers 7-target campaign |
| 17 JAN | MiG-29 transfer confirmed | QuietSec ICS claims |

DDoS Campaign Assessment

Attack Volume by Actor (January 2026):

| Actor | Claimed Attacks | Primary Targets | Peak Activity |
|---|---|---|---|
| NoName057(16) | 30+ | Defense, Regional Gov | 13-14 JAN |
| Dark Storm Team | 10+ | Government, Transport | 08 JAN |
| Server Killers | 7 | Government Services | 15 JAN |
| BD Anonymous | 6 | Government, Financial | 11, 17 JAN |
| QuietSec | 6 | Energy, ICS | 17, 19 JAN |

Attack Verification:

  • Actors use check-host.net for public verification
  • Some claims are exaggerated or unverifiable
  • Actual downtime varies from minutes to hours

Pattern Analysis: Threat Actor Coordination

Evidence of Coordination:

| Pattern | Observation | Assessment |
|---|---|---|
| Temporal clustering | Multiple groups attack same day (08, 12, 15 JAN) | Coordinated campaign timing |
| Target overlap | Ministry of Interior hit by 3 groups | Shared targeting intelligence |
| Sector rotation | Gov → Defense → Energy sequence | Planned campaign phases |
| Telegram cross-posting | DDoSia forwards Z-PENTEST claims | Operational relationship |
| Capability layering | DDoS groups + ICS groups + ransomware | Multi-vector coordination |

Communication Patterns:

  • NoName057(16) and Z-PENTEST ALLIANCE share content via Telegram
  • DDoSia Project forwards ICS access claims from affiliated groups
  • Attack announcements often appear within hours of each other

Assessment: The campaign structure suggests central coordination rather than independent hacktivist activity.
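The three coordination indicators used in the Coordination Evidence and Pattern Analysis sections (same-day multi-group activity, target overlap within 24-48 hours, week-by-week sector rotation) can be computed mechanically from a table of claim posts rather than read off by hand. The script below is an added example for this assessment, not Baysec tooling. Its record schema `(date, actor, target, sector)` is an assumption, and the `CLAIMS` list is a constructed sample: the actor names, dates and most targets are taken from the tables above, but the pairings are simplified for illustration and do not reproduce the underlying dataset.

```python
"""Quantify the three coordination indicators the report names (temporal
clustering, target overlap, sector rotation) from a table of claim posts.

The record schema (date, actor, target, sector) is an assumption; it is what
an analyst would extract from Telegram claim posts and their check-host.net
links. Thresholds are parameters, not a standard.
"""
import json
from collections import defaultdict
from datetime import date

# Constructed sample. Actor names, dates and most targets come from the
# tables above, but the pairings are simplified for illustration and do not
# reproduce the underlying Baysec dataset.
CLAIMS = [
    (date(2026, 1, 2),  "NoName057(16)",   "gov.pl",                 "government"),
    (date(2026, 1, 4),  "BD Anonymous",    "msw.gov.pl",             "government"),
    (date(2026, 1, 6),  "Server Killers",  "PKP Intercity",          "transport"),
    (date(2026, 1, 8),  "Dark Storm Team", "gov.pl",                 "government"),
    (date(2026, 1, 8),  "Dark Storm Team", "rozklad-pkp.pl",         "transport"),
    (date(2026, 1, 8),  "Dark Storm Team", "KRUS",                   "government"),
    (date(2026, 1, 8),  "NoName057(16)",   "gov.pl",                 "government"),
    (date(2026, 1, 11), "BD Anonymous",    "rozklad-pkp.pl",         "transport"),
    (date(2026, 1, 12), "NoName057(16)",   "PGZ subsidiary A",       "defense"),
    (date(2026, 1, 12), "NoName057(16)",   "PGZ subsidiary B",       "defense"),
    (date(2026, 1, 12), "Dark Storm Team", "PGZ subsidiary A",       "defense"),
    (date(2026, 1, 13), "NoName057(16)",   "PGZ subsidiary C",       "defense"),
    (date(2026, 1, 15), "Server Killers",  "msw.gov.pl",             "government"),
    (date(2026, 1, 15), "BD Anonymous",    "msw.gov.pl",             "government"),
    (date(2026, 1, 15), "Dark Storm Team", "Olsztyn-Mazury Airport", "transport"),
    (date(2026, 1, 16), "NoName057(16)",   "msw.gov.pl",             "government"),
    (date(2026, 1, 17), "QuietSec",        "MTK-ACMO controllers",   "energy"),
    (date(2026, 1, 19), "QuietSec",        "PSE",                    "energy"),
    (date(2026, 1, 19), "QuietSec",        "URE",                    "energy"),
    (date(2026, 1, 19), "QuietSec",        "ARE",                    "energy"),
]


def same_day_clusters(claims, min_actors=2):
    """Temporal clustering: days on which >= min_actors distinct groups posted claims.
    Keys are ISO dates so the result serialises cleanly."""
    by_day = defaultdict(set)
    for d, actor, _, _ in claims:
        by_day[d.isoformat()].add(actor)
    return {d: sorted(a) for d, a in sorted(by_day.items()) if len(a) >= min_actors}


def target_overlap(claims, window_days=2, min_actors=2):
    """Target overlap: targets claimed by >= min_actors distinct groups within
    window_days of each other (the report's 24-48 hour window is 2 days)."""
    by_target = defaultdict(list)
    for d, actor, target, _ in claims:
        by_target[target].append((d, actor))
    overlaps = {}
    for target, hits in by_target.items():
        hits.sort()
        for d0, _ in hits:                      # slide the window over each start
            actors = {a for d, a in hits if 0 <= (d - d0).days <= window_days}
            if len(actors) >= min_actors:
                overlaps[target] = sorted(actors)
                break
    return overlaps


def sector_rotation(claims, start=date(2026, 1, 1)):
    """Sector rotation: the most-claimed sector per 7-day block counted from
    `start`, i.e. the 'week 1 / week 2 / week 3' view the report uses."""
    weeks = defaultdict(lambda: defaultdict(int))
    for d, _, _, sector in claims:
        weeks[(d - start).days // 7 + 1][sector] += 1
    return {w: max(counts, key=counts.get) for w, counts in sorted(weeks.items())}


def summarize(claims):
    return {
        "same_day_clusters": same_day_clusters(claims),
        "target_overlap": target_overlap(claims),
        "sector_rotation": sector_rotation(claims),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(CLAIMS), indent=2))
```

On the constructed sample the three functions reproduce the report's reading: clusters on 08, 12 and 15 JAN, the Ministry of Interior domain claimed by three groups inside the window, and a government → defense → energy week sequence. The value of scripting it is that the thresholds (`min_actors`, `window_days`) are explicit, so an analyst can state how robust the "coordination" call is to them; note that `rozklad-pkp.pl` only counts as an overlap once the window is widened to three days.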


Threat Landscape: December 2025 → January 2026

| Indicator | December 2025 | January 2026 |
|---|---|---|
| NoName057(16) | Focused on France, Belgium, Denmark | 30+ attacks on Poland |
| ICS/SCADA Claims | Not significant | 10+ access claims |
| Defense Industry | No coordinated targeting | 7 PGZ subsidiaries in 48 hours |
| Total Threat Actors | ~15 targeting Poland | 40+ targeting Poland |

Source: Baysec CTI


Dark Web Activity Summary

Polish credential data is actively traded across multiple dark web forums and marketplaces. Activity levels observed in January 2026:

| Forum Type | Activity Level | Content |
|---|---|---|
| Telegram | VERY HIGH | Breach posts, credential dumps, combolist sharing |
| Russian clearnet forums | VERY HIGH | Breach posts, credential dumps |
| Breach forums | HIGH | Combolist sharing |
| Credential forums | HIGH | Unique combo posts |
| Dark markets | MODERATE | Fresh access sales |
| Carding forums | MODERATE | Admin access sales |
| Leak repositories | LOW-MODERATE | Database leaks |

Source: Baysec CTI dark web monitoring


MITRE ATT&CK Mapping

Enterprise Techniques

| Technique ID | Name | Threat Actors |
|---|---|---|
| T1498 | Network Denial of Service | NoName057(16), Dark Storm, Server Killers, QuietSec |
| T1499 | Endpoint Denial of Service | NoName057(16), Dark Storm |
| T1078 | Valid Accounts | QuietSec, Sector16, Z-PENTEST ALLIANCE |
| T1213 | Data from Information Repositories | QuietSec, aiyewumi |
| T1567 | Exfiltration Over Web Service | thelastwhitehat, aiyewumi |
| T1486 | Data Encrypted for Impact | THE GENTLEMEN, payoutsking |
| T1583.003 | Acquire Infrastructure: VPS | Z-PENTEST ALLIANCE, Sector16 |
| T1595.002 | Active Scanning: Vulnerability Scanning | Z-PENTEST ALLIANCE, Sector16, NoName057(16) |
| T1021.005 | Remote Services: VNC | Z-PENTEST ALLIANCE, Sector16, QuietSec |
| T1110.003 | Brute Force: Password Spraying | Z-PENTEST ALLIANCE, Sector16 |
| T1591 | Gather Victim Org Information | Z-PENTEST ALLIANCE, Sector16 |

ICS/OT Techniques (per CISA AA25-343A)

| Technique ID | Name | Threat Actors | Use |
|---|---|---|---|
| T0883 | Internet Accessible Device | Z-PENTEST ALLIANCE, Sector16, QuietSec | Gain access through internet-exposed HMI devices |
| T0812 | Default Credentials | Z-PENTEST ALLIANCE, Sector16 | Build libraries of known default passwords for control devices |
| T0859 | Valid Accounts | Z-PENTEST ALLIANCE, Sector16, QuietSec | Use password guessing tools to access legitimate accounts |
| T0886 | Remote Services | Z-PENTEST ALLIANCE, Sector16, QuietSec | Leverage VNC services to access system HMI devices |
| T0823 | Graphical User Interface | Z-PENTEST ALLIANCE, Sector16, QuietSec, NoName057(16) | Interact with HMI devices via GUIs to modify control devices |
| T0816 | Device Restart/Shutdown | Z-PENTEST ALLIANCE, NoName057(16) | Turn off HMIs during intrusion |
| T0878 | Alarm Suppression | Z-PENTEST ALLIANCE, NoName057(16) | Use HMI interfaces to clear alarms caused by activity |
| T0892 | Change Credential | Z-PENTEST ALLIANCE, Sector16, QuietSec | Change HMI usernames/passwords for operator lockout |
| T0836 | Modify Parameter | Z-PENTEST ALLIANCE, NoName057(16) | Change operational device limits from HMI |
| T0855 | Unauthorized Command Message | Z-PENTEST ALLIANCE | Send unauthorized commands to control system assets |
| T0828 | Loss of Productivity and Revenue | Z-PENTEST ALLIANCE, Sector16, QuietSec, NoName057(16) | Purposefully impact productivity and create costs |
| T0829 | Loss of View | Z-PENTEST ALLIANCE, QuietSec | Change credentials preventing remote process modification |
| T0831 | Manipulation of Control | Z-PENTEST ALLIANCE, NoName057(16) | Change setpoints impacting process efficiency |
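A mapping like the two tables above is most useful once it is loaded into ATT&CK Navigator, where the Enterprise and ICS matrices can be heat-mapped by how many of the tracked groups share a technique, and once it is inverted to show each group's technique footprint side by side. The script below is an added example for this assessment, not Baysec or MITRE code. The `ENTERPRISE` and `ICS` dictionaries are transcribed from the tables above; the Navigator layer fields used (`name`, `versions`, `domain`, `techniques[].techniqueID`/`score`/`comment`, `gradient`) are from the published layer schema, while the version strings and output file names are assumptions to adjust for your own Navigator instance.

```python
"""Build ATT&CK Navigator layer files from the mapping tables above, scoring
each technique by the number of tracked groups that use it, and invert the
mapping to a per-actor technique list for quick comparison.

Layer fields used (name, versions, domain, techniques[].techniqueID / score /
comment, gradient) follow the published Navigator layer schema; the version
strings are an assumption, set them to match your Navigator instance.
"""
import json
from collections import defaultdict

# Transcribed from the Enterprise table above.
ENTERPRISE = {
    "T1498":     ["NoName057(16)", "Dark Storm", "Server Killers", "QuietSec"],
    "T1499":     ["NoName057(16)", "Dark Storm"],
    "T1078":     ["QuietSec", "Sector16", "Z-PENTEST ALLIANCE"],
    "T1213":     ["QuietSec", "aiyewumi"],
    "T1567":     ["thelastwhitehat", "aiyewumi"],
    "T1486":     ["THE GENTLEMEN", "payoutsking"],
    "T1583.003": ["Z-PENTEST ALLIANCE", "Sector16"],
    "T1595.002": ["Z-PENTEST ALLIANCE", "Sector16", "NoName057(16)"],
    "T1021.005": ["Z-PENTEST ALLIANCE", "Sector16", "QuietSec"],
    "T1110.003": ["Z-PENTEST ALLIANCE", "Sector16"],
    "T1591":     ["Z-PENTEST ALLIANCE", "Sector16"],
}

# Transcribed from the ICS/OT table above (CISA AA25-343A).
ICS = {
    "T0883": ["Z-PENTEST ALLIANCE", "Sector16", "QuietSec"],
    "T0812": ["Z-PENTEST ALLIANCE", "Sector16"],
    "T0859": ["Z-PENTEST ALLIANCE", "Sector16", "QuietSec"],
    "T0886": ["Z-PENTEST ALLIANCE", "Sector16", "QuietSec"],
    "T0823": ["Z-PENTEST ALLIANCE", "Sector16", "QuietSec", "NoName057(16)"],
    "T0816": ["Z-PENTEST ALLIANCE", "NoName057(16)"],
    "T0878": ["Z-PENTEST ALLIANCE", "NoName057(16)"],
    "T0892": ["Z-PENTEST ALLIANCE", "Sector16", "QuietSec"],
    "T0836": ["Z-PENTEST ALLIANCE", "NoName057(16)"],
    "T0855": ["Z-PENTEST ALLIANCE"],
    "T0828": ["Z-PENTEST ALLIANCE", "Sector16", "QuietSec", "NoName057(16)"],
    "T0829": ["Z-PENTEST ALLIANCE", "QuietSec"],
    "T0831": ["Z-PENTEST ALLIANCE", "NoName057(16)"],
}


def build_layer(name, domain, mapping):
    """Navigator layer dict: one entry per technique, score = number of groups,
    comment = the group list so the heat map stays explainable on hover."""
    techniques = [
        {"techniqueID": tid, "score": len(actors),
         "comment": ", ".join(actors), "enabled": True}
        for tid, actors in sorted(mapping.items())
    ]
    top = max(len(actors) for actors in mapping.values())
    return {
        "name": name,
        # Assumption: pin these to the ATT&CK/Navigator versions you run.
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "domain": domain,                    # "enterprise-attack" or "ics-attack"
        "description": "Poland, January 2026: score = number of tracked groups using the technique",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": top},
    }


def actor_coverage(mapping):
    """Invert the table: actor -> sorted technique IDs, for side-by-side comparison."""
    coverage = defaultdict(list)
    for tid, actors in mapping.items():
        for actor in actors:
            coverage[actor].append(tid)
    return {actor: sorted(tids) for actor, tids in sorted(coverage.items())}


def to_json(layer):
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    # Output file names are an assumption; load them via Navigator's "Open Existing Layer".
    for fname, domain, mapping in (
        ("poland-2026-01-enterprise.json", "enterprise-attack", ENTERPRISE),
        ("poland-2026-01-ics.json", "ics-attack", ICS),
    ):
        with open(fname, "w", encoding="utf-8") as fh:
            fh.write(to_json(build_layer("Poland Jan 2026 " + domain, domain, mapping)))
        print(fname, "written")
    for actor, tids in actor_coverage(ICS).items():
        print(f"{actor}: {len(tids)} ICS techniques")
```

The per-actor inversion is what makes the propagation point in the Sector16 profile visible: Sector16's ICS techniques are a strict subset of Z-PENTEST ALLIANCE's, which is what a shared-TTP relationship should look like in the data.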

Sources and References

Government & Law Enforcement

| Source | Description | URL |
|---|---|---|
| CISA AA25-343A | Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure | cisa.gov |
| DOJ December 2025 | Justice Department Actions Against Russian State-Sponsored Cyber Criminals | justice.gov |
| Europol Operation Eastwood | Global Operation Targets NoName057(16) Pro-Russian Cybercrime Network | europol.europa.eu |
| CERT-PL | Polish national CERT advisories and incident reports | cert.pl |

Think Tanks & Research

| Source | Description | URL |
|---|---|---|
| GLOBSEC | How Russia’s Hybrid Warfare Will Escalate in 2026 | globsec.org |
| IISS | The Scale of Russian Sabotage Operations | iiss.org |
| Cyble 2025 Threat Landscape | Critical Infrastructure Attacks Became Routine for Hacktivists in 2025 | cyble.com |

News & Investigative Journalism

| Source | Description | URL |
|---|---|---|
| Reuters | PM Tusk Attributes Energy Attack to Russia | reuters.com |
| Notes From Poland | Poland Confirms Russia Behind Marywilska Fire | notesfrompoland.com |
| OCCRP | Telegram Sabotage Recruitment Investigation | occrp.org |
| BBC | Poland Railway Sabotage (FSB Attribution) | bbc.com |
| Euronews | Poland Accuses Russia of Marywilska Arson | euronews.com |
| Kyiv Post | Polish Consulate Odessa Strike | kyivpost.com |

Threat Intelligence

| Source | Description | URL |
|---|---|---|
| Baysec CTI | Primary threat intelligence platform | Internal |
| ESET Research | Sandworm DynoWiper Attack on Poland Power Grid | welivesecurity.com |
| The Hacker News | DynoWiper Malware Analysis | thehackernews.com |
| Security Bez Tabu | DynoWiper - Sandworm Poland Energy Sector Attack | securitybeztabu.pl |
| Ransomware.live | THE GENTLEMEN Group Profile | ransomware.live |
| Cybereason | THE GENTLEMEN Ransomware Analysis | cybereason.com |
| SOCRadar | NoName057(16) and DDoSia Analysis | socradar.io |
| Picus Security | How NoName057(16) Uses DDoSia | picussecurity.com |

Confidence Levels:

  • CONFIRMED: Multiple independent sources, government attribution
  • ASSESSED: Technical indicators align with known patterns
  • CLAIMED: Threat actor statement only, unverified