Full Report
In July 2025, pro-Palestinian hacktivist group zerodayx1 launched its own Ransomware-as-a-Service (RaaS) operation, following the path of other hacktivist teams. They loudly announced the initiative on platforms commonly used for such purposes, including X (formerly Twitter) and Telegram. Zerodayx1 exemplifies the ongoing evolution of these groups, underscoring the importance of studying and understanding their methods […] The post zerodayx1: Hacktivist groups turning to ransomware operations appeared first on Outpost24.
Analysis Summary
# Threat Actor: zerodayx1
## Attribution & Identity
* **Actor Name:** zerodayx1
* **Identity:** A pro-Palestinian hacktivist group.
* **Nature of Group:** Historically focused on hacktivism, the group has evolved into a Ransomware-as-a-Service (RaaS) operator.
* **Associations:** Part of the broader "hacktivist-turned-cybercriminal" trend; the group coordinates activities via social media and encrypted messaging.
## Activity Summary
In July 2025, zerodayx1 officially launched a Ransomware-as-a-Service (RaaS) operation. This marked a significant shift from traditional hacktivism (defacement, DDoS) to financially and ideologically motivated extortion. The group announced this initiative through high-profile advertisements on X (formerly Twitter) and Telegram to recruit affiliates and signal their transition into a more sophisticated threat entity.
## Tactics, Techniques & Procedures
* **Ransomware-as-a-Service (RaaS):** Development and distribution of ransomware payloads for use by affiliates.
* **Publicity & Influence Operations:** Utilizing platforms like X and Telegram for recruitment, propaganda, and victim shaming.
* **Data Extortion:** Shifting toward stealing and encrypting sensitive data to exert pressure on victims.
* **Hacktivism Methods:** Likely maintains capabilities for traditional hacktivist methods such as defacement and DDoS as part of their broader campaign strategy.
## Targeting
* **Sectors:** Organizations perceived as being in opposition to their pro-Palestinian ideological stance; however, the RaaS model suggests a potential broadening toward any target that can provide a financial or political return.
* **Geography:** Primarily entities associated with Israel or organizations perceived as supporting it globally.
* **Victims:** Not specifically listed by name in the provided text, but the group targets entities aligned with their political opposition.
## Tools & Infrastructure
* **Malware Families:** Proprietary Ransomware-as-a-Service (RaaS) payload (unnamed in summary).
* **Social Media:** X (formerly Twitter) for public announcements.
* **Messaging:** Telegram for operational coordination and recruitment.
* **C2/Domains:** The group uses underground platforms for infrastructure management (specific IPs and URLs defanged as: hxxps[://]t[.]me/zerodayx1 and hxxps[://]x[.]com/zerodayx1).
## Implications
The evolution of zerodayx1 indicates a blur between ideological hacktivism and organized cybercrime. By adopting RaaS, the group increases its lethality, financial resources, and reach through affiliates. This transformation makes them more unpredictable, as their motivations are now a hybrid of political ideology and financial gain, potentially leading to more frequent and destructive attacks on global infrastructure.
## Mitigations
* **External Attack Surface Management (EASM):** Monitor for exposed assets that could be leveraged for initial access by ransomware affiliates.
* **Threat Intelligence Monitoring:** Monitor Telegram and X for mentions of your organization or industry by zerodayx1 to identify early-stage targeting.
* **Ransomware Readiness:** Implement robust offline backups and incident response plans specifically tailored for double-extortion scenarios.
* **Phishing Defense:** Enhance email security and employee training, as RaaS affiliates often rely on social engineering for initial entry.
* **Vulnerability Management:** Prioritize patching of known exploited vulnerabilities (KEVs) that are commonly leveraged by ransomware groups to gain a foothold.