📅 March 12, 2026 🔴 ACTIVE THREAT PRO-IRANIAN DDoS-as-a-SERVICE

DieNet Threat Advisory: DDoS-as-a-Service Operations

Pro-Iranian hacktivist group DieNet, together with Keymous+, drove nearly 70% of global hacktivist DDoS activity between February 28 and March 2, 2026, targeting GCC airports, banks, and government portals across 16 countries through shared DaaS infrastructure. It is the highest-volume DDoS threat to Middle East critical infrastructure.

Global DDoS Activity: 70%
Attacks in 2 Months: 60+
Countries Targeted: 16
Organizations Hit: 110+
GCC Nations: 6
Current Version: V5

📋

Executive Summary

DieNet (also tracked as DieNet Network and DieNet Network V5) is a pro-Iranian, pro-Palestinian hacktivist group that emerged on March 7, 2025 and has rapidly become one of the most prolific DDoS threat actors operating in the Middle East and against Western critical infrastructure. In its first two months alone, well before the 2026 Iran-US-Israel conflict escalation, DieNet amassed over 60 confirmed DDoS attack claims.

Following Operation Epic Fury on February 28, 2026, Radware analysis confirmed that DieNet and Keymous+ together drove nearly 70% of all hacktivist DDoS activity globally between February 28 and March 2 — covering 16 countries and 110 distinct organizational targets.

DieNet's operational model is built on DDoS-as-a-Service (DaaS) infrastructure, shared with affiliated groups OverFlame and DenBots Proof. This model enables the group to generate high-frequency attack campaigns without maintaining independent botnet infrastructure, dramatically lowering operational costs and raising the volume ceiling.

CloudSEK has confirmed DieNet Network V5 led large-scale DDoS campaigns targeting government portals, telecom providers, airports, and financial institutions across Bahrain, Qatar, UAE, Kuwait, Saudi Arabia, and the United States. Unit 42 specifically documented DieNet claims against airports in Bahrain, Sharjah (UAE), and the UAE; Riyadh Bank; Bank of Jordan; and Kuwait government websites.

🚨 CRITICAL ASSESSMENT

DieNet is the highest-volume DDoS threat actor currently targeting GCC aviation, financial, and government sectors. Its DaaS model means attack frequency and intensity can spike overnight in response to geopolitical events with no advance warning. The group's structured target lists — explicitly enumerating ministries, airports, banks, and telecom providers across Qatar, Bahrain, UAE, Kuwait, and Saudi Arabia — make it the primary DDoS threat to GCC critical infrastructure operators in the current conflict environment.

🎯 Context: Post-Operation Epic Fury Escalation

DieNet activated within hours of the February 28, 2026 US/Israel strikes on Iran as part of the Electronic Operations Room hacktivist coalition. The group published structured target lists across GCC nations and expanded its geographic threat posture to include Cyprus because it hosts British military bases, signaling a willingness to widen its target set whenever it can offer a political justification.

🎭

Threat Actor Profile: DieNet

Group Name: DieNet / DieNet Network / DieNet Network V5
First Observed: March 7, 2025 (Telegram announcement)
Motivation: Pro-Iranian, Pro-Palestinian; anti-Trump, anti-Zionist
Primary Method: DDoS-as-a-Service (DaaS) — TCP SYN, DNS/NTP Amplification
Infrastructure: Shared DaaS with OverFlame & DenBots Proof
Attack Volume: 70% of global hacktivist DDoS (Feb 28 – Mar 2, 2026)
Current Status: ACTIVE — Highest operational tempo since founding
TLP Classification: TLP:WHITE

Origins & Emergence

DieNet announced its existence via Telegram on March 7, 2025, immediately garnering promotion and endorsement from three established hacktivist groups: Mr.Hamza, Sylhet Gang-SG, and LazaGrad Hack. This rapid embrace by the existing pro-Palestinian and anti-Western hacktivist ecosystem provided DieNet with an immediate operational amplification network.

Within two days of its founding announcement, activity surged — coinciding with the arrest of a Columbia University pro-Palestinian activist, which the group cited as a catalyst. The group's initial Telegram channel was subsequently banned; operations continued through successor channels under the DieNet Network and DieNet Network V5 designations.

NETSCOUT and Radware assessments confirm that the DaaS infrastructure DieNet uses predates the group itself — meaning operators plugged into pre-existing attack infrastructure rather than building from scratch. This pattern is characteristic of ideologically motivated individuals or small cells that leverage existing criminal-adjacent DDoS service providers to generate political impact disproportionate to their actual technical capability.

Ideology & Targeting Doctrine

DieNet's stated ideological positions are anti-Trump, anti-Zionist, pro-Palestinian, and pro-Iranian. Target selection follows a consistent doctrine of maximizing visible disruption to symbols of US, Israeli, and GCC government and economic power:

  • Transportation hubs — airports (Bahrain, UAE, Sharjah) and transit authorities (LA Metro, Chicago Transit, Port of LA) targeted for maximum public visibility
  • Financial institutions — NASDAQ, Coinbase, Riyadh Bank, Bank of Jordan, Axos Bank targeted for economic disruption signaling
  • Energy infrastructure — PG&E, NERC targeted for strategic narrative value
  • Government portals — across Qatar, Bahrain, UAE, Kuwait, Saudi Arabia, and US agencies including FBI Crime Data Explorer, US Department of Commerce
  • Technology platforms — SpaceX, NASA, TikTok, X (Twitter) targeted for brand value and media amplification
  • Healthcare — Epic Systems, Meditech, NEMSIS targeted, demonstrating willingness to attack civilian health infrastructure

The DaaS Model — Operational Architecture

DieNet's defining capability is its exploitation of DDoS-as-a-Service infrastructure. Rather than operating a proprietary botnet, the group rents attack capacity from shared infrastructure providers — specifically the OverFlame and DenBots Proof services. NETSCOUT confirmed that individual attack traffic sources observed in DieNet campaigns had previously been used by other threat actors, confirming shared infrastructure.

  • Zero infrastructure investment — any ideologically motivated cell can achieve nation-state-scale disruption volume overnight
  • No persistent infrastructure to seize — traditional law enforcement infrastructure disruption is ineffective
  • Rapid geographic pivot — the same DaaS infrastructure can be directed at any target globally within hours
  • Plausible deniability — the DaaS provider can claim ignorance of end-user motivation
  • Attribution complexity — attack sources are shared across multiple groups, obscuring per-group traffic volumes

Evolution: V2 to V5 & Coalition Positioning

Orange Cyberdefense documented the group's internal evolution through successive versioning. DieNet-v2 was referenced in early communications indicating expanded capabilities. By 2026, the group is operating under the DieNet Network V5 designation, suggesting either genuine capability iteration or rebranding following channel bans.

DieNet operates as a high-volume DDoS specialist within the broader pro-Iranian hacktivist coalition. Unlike 313 Team (Gulf government portals) or Handala (hack-and-leak/destructive operations), DieNet's comparative advantage is raw attack volume and geographic breadth. Radware's data confirms DieNet as the second most active actor after Keymous+, with its structured target list publications serving as coordination signals for the broader Electronic Operations Room hacktivist coalition.

Target Sectors & Geographic Distribution

[Charts: Sector Targeting Distribution; Geographic Target Distribution]

⏱️

Attack Timeline (March 2025 – March 2026)

Mar 7, 2025
FOUNDING — DieNet Announces via Telegram
Immediately promoted by Mr.Hamza, Sylhet Gang-SG, and LazaGrad Hack. Rapid establishment within pro-Palestinian hacktivist ecosystem.
Mar 9, 2025
Activity Surge — First Multi-Target Campaign
Triggered by arrest of Columbia University pro-Palestinian activist. First coordinated DDoS campaign launched against multiple US targets.
Mar 11–17, 2025
61 Attacks Against 19 US Organizations
Targets include SpaceX, NASDAQ, TikTok, Trump-affiliated businesses. Radware confirmed attack volume — establishing DieNet as a serious threat actor within first 10 days.
Mar–Apr 2025
60+ DDoS Claims in First Two Months
US targets: LA Metro, Port of LA, Chicago Transit, NERC, US Dept of Commerce, NASA, USPS, PG&E, WaterOne, FBI Crime Data Explorer, Epic Systems, Meditech, Coinbase, Axos Bank, Lyft, Azure, X, Northeastern University.
Apr–May 2025
Geographic Expansion
Targets expand to Iraq (Ministry of Foreign Affairs), Israel, Egypt, Netherlands, Sweden. NETSCOUT publishes threat profile confirming shared DaaS infrastructure with OverFlame and DenBots Proof.
May 2025
DieNet-V2 Designation Emerges
Internal capability evolution. Original Telegram channel banned by platform moderation.
Jun 2025 (12-Day War)
Pro-Iranian Coalition Activation
DieNet activates following Israeli nuclear facility strikes. Group-IB documents DieNet as most-referenced channel — quoted 79 times across 5,800+ hacktivist messages Jun 13–20.
Jun–Dec 2025
Sustained Campaign Activity
DieNet establishes itself as primary high-volume DDoS actor in pro-Iranian hacktivist ecosystem alongside Keymous+. DieNet Network V5 designation active.
Feb 28, 2026
🔴 Operation Epic Fury — Immediate Activation
US/Israel launch strikes on Iran. DieNet activates within hours as part of Electronic Operations Room coalition. DDoS campaigns against Bahrain airport, Sharjah Airport, UAE airport, Riyadh Bank, Bank of Jordan — confirmed by Unit 42.
Mar 1–2, 2026
Structured GCC Target Lists Published
DieNet publishes comprehensive target lists across Qatar, Bahrain, UAE, Kuwait, and Saudi Arabia — explicitly naming ministries, airports, banks, electricity, and water authorities.
Mar 2–3, 2026
70% of Global Hacktivist DDoS Activity
DieNet + Keymous+ confirmed by Radware as driving 70% of all global hacktivist DDoS activity in 72-hour window. Kuwait government website DDoS claimed. Electronic Operations Room coordinated campaigns.
Mar 3–5, 2026
Geographic Expansion Beyond Middle East
DieNet frames Cyprus as legitimate target due to British military bases. Provides tooling to smaller affiliated collectives. Expands threat posture beyond traditional target set.
Mar 6–11, 2026
Continued Structured GCC Campaign
Target lists updated. Coordination with Sylhet Gang-SG and other coalition members for synchronized claim amplification.
⛓️

Behavioral Patterns & TTPs

Reconnaissance: Target List Research & Government Portal Enumeration
Resource Dev: DaaS Infrastructure Rental (OverFlame/DenBots)
Coordination: Telegram Target List Publication & Coalition Sync
Execution: TCP SYN / DNS Amp / NTP Amp / HTTP Flood
Validation: Check-Host.net Proof Screenshots
Amplification: Telegram Claim Posts & Media Narrative

DDoS Attack Methodology

DieNet employs three primary DDoS attack vectors through its shared DaaS infrastructure, all volumetric or amplification techniques designed to overwhelm network capacity, alongside application-layer HTTP floods:

  • TCP SYN Flood — Layer 4 attack exhausting server connection tables by sending large volumes of SYN packets without completing the three-way handshake
  • DNS Amplification — Uses open DNS resolvers to amplify attack traffic (ANY, DNSSEC queries). Amplification ratios of 28–54x
  • NTP Amplification — Exploits NTP monlist responses with amplification ratios up to 556x — the most bandwidth-efficient attack type in DieNet's arsenal
  • HTTP Flood — Application-layer attacks against government web portals

⚡ Sub-60-Second Burst Pattern

Most high-impact DieNet DDoS attacks last less than 60 seconds — consistent with Radware's 2025 global finding that the majority of high-impact Web DDoS attacks now operate sub-minute to defeat manual mitigation. This tactic specifically defeats human-in-the-loop security operations that require analyst review before response.
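
Added example (not from the original advisory or its sources): a Python implementation of the repeated-burst logic that DNET-SIGMA-004 describes, run over per-second packet-rate samples so that the alert fires without waiting for analyst review. The thresholds are the rule's; the sample format, the documentation addresses, and the reading of interval_seconds as the gap between one burst's end and the next burst's start are assumptions.

```python
from collections import defaultdict

# Thresholds taken from DNET-SIGMA-004 on this page.
PPS_SPIKE = 5000      # pps_spike: '>5000'
MAX_BURST_S = 60      # spike_duration_seconds: '<60'
MIN_REPEATS = 3       # repeat_count: '>3'
MAX_GAP_S = 300       # interval_seconds: '<300' (assumed: end of burst to next start)


def find_bursts(series):
    """series: (epoch_second, pps) samples for ONE destination.
    Returns [(start, end)] for runs above PPS_SPIKE that last under MAX_BURST_S.
    Missing seconds are treated as quiet, so a telemetry gap ends a run."""
    bursts, run = [], None

    def close():
        nonlocal run
        if run and run[1] - run[0] + 1 < MAX_BURST_S:
            bursts.append((run[0], run[1]))
        run = None          # sustained floods (>= 60 s) are dropped here on purpose

    for ts, pps in sorted(series):
        if pps > PPS_SPIKE:
            if run and ts - run[1] <= 1:
                run[1] = ts
            else:
                close()
                run = [ts, ts]
        else:
            close()
    close()
    return bursts


def emit(dst, chain, alerts):
    """Append an alert when a chain of closely spaced bursts exceeds MIN_REPEATS."""
    if len(chain) > MIN_REPEATS:
        alerts.append({
            "dst_ip": dst,
            "bursts": len(chain),
            "first_start": chain[0][0],
            "last_end": chain[-1][1],
            "longest_s": max(end - start + 1 for start, end in chain),
        })


def detect_burst_campaigns(samples):
    """samples: iterable of (epoch_second, dst_ip, pps). Returns a list of alerts."""
    per_dst = defaultdict(list)
    for ts, dst, pps in samples:
        per_dst[dst].append((ts, pps))
    alerts = []
    for dst, series in per_dst.items():
        chain = []
        for burst in find_bursts(series):
            if chain and burst[0] - chain[-1][1] >= MAX_GAP_S:
                emit(dst, chain, alerts)
                chain = []
            chain.append(burst)
        emit(dst, chain, alerts)
    return alerts


def constructed_samples():
    """Constructed telemetry: 15 minutes of per-second samples for three hosts."""
    rows = []
    for ts in range(900):
        # Four 20-second spikes, 150 s apart: the pattern the rule describes.
        pulsed = any(s <= ts < s + 20 for s in (100, 250, 400, 550))
        rows.append((ts, "203.0.113.20", 40000 if pulsed else 300))
        # One 180-second plateau: sustained load, not a sub-minute burst.
        rows.append((ts, "203.0.113.30", 9000 if 100 <= ts < 280 else 300))
        # Only two short spikes: below the repeat threshold.
        twice = any(s <= ts < s + 15 for s in (200, 320))
        rows.append((ts, "203.0.113.40", 25000 if twice else 300))
    return rows


if __name__ == "__main__":
    for alert in detect_burst_campaigns(constructed_samples()):
        print(alert)
```

Feeding the alert into an automated mitigation trigger (scrubbing activation or a rate-limit profile) rather than a ticket queue is what addresses the human-in-the-loop gap described above.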

Structured Target List Publication

A defining and strategically significant DieNet behavior is the pre-attack publication of structured target lists on Telegram. Unlike opportunistic hacktivists who announce targets post-attack, DieNet publishes target enumerations including specific domain names, IP ranges, and organizational sectors before campaigns begin. These lists serve multiple functions:

  • Coordinate timing with coalition partners
  • Generate media anticipation that amplifies psychological impact
  • Create advance warning that security teams can use but often cannot act on quickly enough
  • Establish the ideological narrative framing for the attack

Coalition Infrastructure Provision

Multiple intelligence sources confirm DieNet acts not only as a threat actor but as an infrastructure provider to smaller affiliated collectives. The group supplies tooling, attack infrastructure access, and target intelligence to less technically capable groups within the pro-Iranian hacktivist ecosystem. This multiplier effect means DieNet's effective operational impact exceeds what direct attribution alone would suggest.

Geopolitical Trigger Response Pattern

DieNet exhibits a consistent and predictable pattern of activating within hours of major geopolitical events. Documented activation triggers include: US airstrike announcements (Yemen, Iran), pro-Palestinian activist arrests, Israeli military operations, and Abraham Accords-related diplomatic developments.

🎯 Predictability Note

When major US or Israeli military actions are announced, DieNet attack probability against named sectors spikes within 2–6 hours. The structured target lists published during the Operation Epic Fury activation (Feb 28–Mar 2, 2026) represent the most comprehensive targeting framework the group has produced.

Attack Impact Assessment

Critical analytical note: NETSCOUT documented that many of DieNet's early claimed attacks appeared to have no verifiable impact on targets. This is consistent with the DaaS model — the infrastructure may generate traffic that is mitigated by upstream providers before reaching targets. Impact varies significantly based on the target's DDoS protection posture.

GCC government portals are frequently identified by security researchers as under-protected for volumetric DDoS. Unprotected or minimally protected government and SME targets in the GCC region are at significantly higher risk than major Western corporate infrastructure with cloud-based DDoS scrubbing.

🗺️

MITRE ATT&CK Mapping

Tactic | Technique ID | Technique Name | DieNet Context
Resource Dev. | T1583.005 | Acquire Infrastructure: Botnet | DaaS shared with OverFlame, DenBots Proof — rented botnet capacity
Resource Dev. | T1585 | Establish Accounts | Telegram channels: DieNet, DieNet Network, DieNet Network V5
Reconnaissance | T1593 | Search Open Websites/Domains | Target list research — government portal enumeration for structured lists
Initial Access | T1133 | External Remote Services | DNS amplification abusing open resolvers; NTP abuse of public time servers
Impact | T1498.001 | Network DoS: Direct Network Flood | TCP SYN flood — primary L4 DDoS technique
Impact | T1498.002 | Network DoS: Reflection Amplification | DNS amplification (28-54x); NTP amplification (up to 556x)
Impact | T1499.003 | Endpoint DoS: Application Exhaustion Flood | HTTP flood against government web portals
Impact | T1491.002 | Defacement: External Defacement | Website defacement claimed (secondary to primary DDoS focus)
C&C | T1071.001 | Application Layer Protocol: Web Protocols | Telegram coordination; check-host.net verification beacons
Defense Evasion | T1205 | Traffic Signaling | Sub-60-second attack bursts to defeat manual mitigation workflows
📏

Sigma Detection Rules

SIGMA — DNET-SIGMA-001
title: DieNet TCP SYN Flood Against GCC Government Portals
id: dnet-sigma-001-2026-dienet
status: stable
description: |
    Detects volumetric TCP SYN flood patterns consistent with DieNet DaaS-sourced
    attacks targeting Gulf government web portals across .gov.kw, .gov.bh, .gov.sa,
    .gov.ae, .gov.qa TLDs
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - attack.impact
    - attack.t1498.001
    - DieNet
    - SYN_flood
    - GCC_gov
logsource:
    category: network
    product: firewall
detection:
    selection:
        dst_port:
            - 80
            - 443
        tcp.flags: 'S'
        dst_host|endswith:
            - '.gov.kw'
            - '.gov.bh'
            - '.gov.sa'
            - '.gov.ae'
            - '.gov.qa'
    threshold:
        field: src_ip
        count: '>300'
        timespan: '10s'
    condition: selection and threshold
falsepositives:
    - Legitimate traffic spikes (validate via geographic distribution)
level: critical

SIGMA — DNET-SIGMA-002
title: DieNet DNS Amplification via Open Resolver
id: dnet-sigma-002-2026-dienet
status: stable
description: |
    Detects DNS reflection/amplification pattern consistent with DieNet DaaS
    infrastructure — spoofed source IPs querying for large record types (ANY, DNSSEC)
    with 28-54x amplification ratio
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - attack.impact
    - attack.t1498.002
    - DieNet
    - DNS_amplification
    - reflection
logsource:
    category: network
    product: ids
detection:
    selection:
        dst_port: 53
        dns.query.type:
            - 'ANY'
            - 'DNSKEY'
            - 'RRSIG'
            - 'NSEC3'
        dns.query.response_size: '>512'
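    spoofed_pattern:
        # rate and distinct-source counts are aggregates: evaluate them in the backend or a Sigma correlation rule
        packets_per_second: '>100'
        src_ip:
            unique_count: '>50'
    filter_internal:
        src_ip|cidr: '10.0.0.0/8'
    condition: selection and spoofed_pattern and not filter_internal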
falsepositives:
    - DNSSEC validation queries (correlate with spike pattern)
level: high

SIGMA — DNET-SIGMA-003
title: DieNet NTP Amplification — Monlist Response Flood
id: dnet-sigma-003-2026-dienet
status: stable
description: |
    Detects NTP monlist amplification attack pattern consistent with DieNet DaaS;
    NTP monlist provides up to 556x amplification ratio making it the most
    bandwidth-efficient DieNet attack vector
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - attack.impact
    - attack.t1498.002
    - DieNet
    - NTP_amplification
    - monlist
logsource:
    category: network
    product: ids
detection:
    selection:
        dst_port: 123
        udp.payload|contains: '\x17\x00\x03\x2a'
    volumetric:
        bytes_per_second: '>10000000'
        # distinct-source count is an aggregate: evaluate it in the backend or a Sigma correlation rule
        src_ip:
            unique_count: '>20'
        timespan: '30s'
    condition: selection and volumetric
falsepositives:
    - Legitimate NTP synchronization (review response size)
level: high

SIGMA — DNET-SIGMA-004
title: DieNet Sub-Minute DDoS Burst Pattern
id: dnet-sigma-004-2026-dienet
status: experimental
description: |
    Detects rapid sub-60-second traffic burst pattern used by DieNet to defeat
    human-in-the-loop manual mitigation workflows.
    Pattern: high PPS spike, then sudden drop, then repeat
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - DieNet
    - sub60s_burst
    - DDoS_evasion
    - pattern_detection
logsource:
    category: network
    product: waf
detection:
    burst_pattern:
        pps_spike: '>5000'
        spike_duration_seconds: '<60'
        repeat_count: '>3'
        interval_seconds: '<300'
    same_target:
        dst_ip: same_value
    condition: burst_pattern and same_target
falsepositives:
    - Flash crowd events, CDN cache misses
level: high

SIGMA — DNET-SIGMA-005
title: DieNet Check-Host Attack Proof Collection
id: dnet-sigma-005-2026-dienet
status: stable
description: |
    Detects outbound connections to check-host.net or similar uptime monitoring
    services querying DieNet-declared GCC target domains. Used by DieNet to
    generate proof screenshots for Telegram claim posts
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - DieNet
    - check_host
    - proof_collection
    - Telegram_claim
logsource:
    category: proxy
    product: proxy
detection:
    selection:
        cs-host|endswith:
            - 'check-host.net'
            - 'uptime.is'
            - 'isup.me'
    gcc_targets:
        cs-uri-query|contains:
            - '.gov.bh'
            - 'bahrain-airport'
            - 'sharjah-airport'
            - '.gov.kw'
            - 'riyadhbank'
            - 'bankofajordan'
    condition: selection and gcc_targets
falsepositives:
    - Very low — uptime check for named GCC targets is specific
level: medium

SIGMA — DNET-SIGMA-006
title: DieNet Telegram Attack Coordination Communication
id: dnet-sigma-006-2026-dienet
status: experimental
description: |
    Detects outbound Telegram Bot API POST requests from network hosts —
    DieNet coordination channel communication pattern for attack timing
    synchronization and target list distribution
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - DieNet
    - Telegram
    - coordination
    - C2_pattern
logsource:
    category: proxy
    product: proxy
detection:
    selection:
        cs-host|endswith: 'api.telegram.org'
        cs-method: 'POST'
        cs-uri-path|contains: '/bot'
    internal_src:
        src_ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and internal_src
falsepositives:
    - Legitimate Telegram bot integrations
level: low

SIGMA — DNET-SIGMA-007
title: DieNet Aviation Infrastructure DDoS Pattern
id: dnet-sigma-007-2026-dienet
status: stable
description: |
    Detects volumetric DDoS against airport web infrastructure consistent with
    DieNet targeting of Bahrain, Sharjah, UAE airports. Airport systems often
    include passenger-facing portals, flight info, and operational portals.
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - DieNet
    - airport
    - aviation
    - DDoS
    - GCC
    - attack.t1498
logsource:
    category: network
    product: firewall
detection:
    selection:
        dst_port:
            - 80
            - 443
        dst_host|contains:
            - 'airport'
            - 'aviation'
            - 'bah.aero'
            - 'sharjahairport'
            - 'dubaiairports'
    threshold:
        field: src_ip
        count: '>200'
        timespan: '30s'
    condition: selection and threshold
falsepositives:
    - Legitimate traffic peaks during travel seasons
level: high

SIGMA — DNET-SIGMA-008
title: DieNet Financial Institution DDoS Pattern
id: dnet-sigma-008-2026-dienet
status: stable
description: |
    Detects volumetric DDoS patterns against banking web infrastructure —
    DieNet has explicitly targeted Riyadh Bank, Bank of Jordan, Coinbase,
    Axos Bank, and GCC financial institutions
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - DieNet
    - finance
    - banking
    - DDoS
    - GCC
    - attack.t1498
logsource:
    category: network
    product: waf
detection:
    selection:
        dst_host|contains:
            - 'riyadhbank'
            - 'alrajhibank'
            - 'bankjordan'
            - 'kfh.com'
            - 'nbk.com'
    flood:
        requests_per_second: '>500'
        # distinct-source count is an aggregate: evaluate it in the backend or a Sigma correlation rule
        src_ip:
            unique_count: '>30'
        timespan: '60s'
    condition: selection and flood
falsepositives:
    - Legitimate high-traffic promotional events
level: high

SIGMA — DNET-SIGMA-009
title: DieNet Shared DaaS Infrastructure Source — OverFlame/DenBots
id: dnet-sigma-009-2026-dienet
status: experimental
description: |
    Detects traffic patterns from known shared DaaS infrastructure sources
    associated with OverFlame and DenBots Proof groups that provide attack
    capacity to DieNet. Source ASNs and IPs overlap across multiple groups
    per NETSCOUT analysis.
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - DieNet
    - DaaS
    - OverFlame
    - DenBots
    - shared_infra
logsource:
    category: network
    product: firewall
detection:
    known_daas_asns:
        src_asn:
            - 'ASN_OVERFLAME_1'
            - 'ASN_DENBOTS_1'
    shared_infra_pattern:
        src_ip|cidr:
            - '185.220.0.0/16'
            - '195.206.0.0/16'
        dst_port:
            - 80
            - 443
            - 53
            - 123
        pps: '>1000'
    condition: known_daas_asns or shared_infra_pattern
falsepositives:
    - Legitimate cloud hosting (validate via packet inspection)
level: medium

SIGMA — DNET-SIGMA-010
title: DieNet Pre-Attack Reconnaissance — Structured Target Domain Lookup
id: dnet-sigma-010-2026-dienet
status: experimental
description: |
    Detects bulk DNS resolution of DieNet-declared target domains prior to
    attack initiation — DieNet publishes structured lists before campaigns.
    Pre-attack DNS lookups of named targets indicate imminent attack.
author: HAWK-EYE Threat Intelligence
date: 2026/03/12
tags:
    - DieNet
    - recon
    - pre_attack
    - target_list
    - DNS
logsource:
    category: dns
    product: dns
detection:
    selection:
        dns.query.name:
            - 'bahrainairport.com'
            - 'sharjahairport.ae'
            - 'riyadhbank.com.sa'
            - 'bankofajordan.com'
            - 'moi.gov.kw'
            - 'moci.gov.bh'
    rate_anomaly:
        query_rate: '>20'
        timespan: '60s'
        # distinct-source count is an aggregate: evaluate it in the backend or a Sigma correlation rule
        src_ip:
            unique_count: '>10'
    condition: selection and rate_anomaly
falsepositives:
    - Search engines, CDN health checks, monitoring services
level: medium
🔍

Indicators of Compromise (IOCs)

ℹ️ IOC Context Notice

DieNet operates via shared DaaS infrastructure — traditional file hash and IP-based IOCs are less applicable than for intrusion-focused threat actors. IOCs below focus on target domains, behavioral indicators, and infrastructure patterns. Monitor DieNet Telegram channels for real-time target list updates.

Confirmed GCC Target Organizations

Target | Sector | Attack Type / Confirmation
bahrainairport.com | Aviation | DDoS — Unit 42 confirmed claim
sharjahairport.ae | Aviation | DDoS — Unit 42 confirmed claim
UAE Airport (unspecified) | Aviation | DDoS — Unit 42 confirmed claim
riyadhbank.com.sa | Finance | DDoS — Unit 42 confirmed claim
bankofajordan.com | Finance | DDoS — Unit 42 Telegram board confirmed
Kuwait Government Portals | Government | DDoS — Intel 471 confirmed claims
Qatar Government Portals | Government | DDoS — Structured target list published
Bahrain Government Ministries | Government | DDoS — Structured target list published
UAE Government Portals | Government | DDoS — Structured target list published
Saudi Arabia Ministries | Government | DDoS — Structured target list published
GCC Telecom Providers | Telecommunications | DDoS — CloudSEK confirmed sector targeting
GCC Electricity/Water Authorities | Utilities | DDoS — Structured target list published

Confirmed US Critical Infrastructure Targets

Target | Sector
LA Metropolitan Transportation Authority / Port of Los Angeles | Transportation
Chicago Transit Authority | Transportation
North American Electric Reliability Corporation (NERC) | Energy
Pacific Gas and Electric Company (PG&E) | Energy
WaterOne (Kansas City water utility) | Water
NASDAQ Stock Exchange | Finance
Coinbase / Axos Bank | Finance
SpaceX / NASA | Aerospace / Government
US Department of Commerce / International Trade Administration | Government
FBI Crime Data Explorer | Government
USPS (US Postal Service) | Logistics
Epic Systems / Meditech / NEMSIS | Healthcare
Northeastern University / ProductionHUB | Education / Technology
X (Twitter) / TikTok / Lyft / Azure | Technology

Infrastructure & Attribution Indicators

Indicator | Type | Context
DieNet Network (Telegram) | Telegram | Primary operational announcement and target list channel
DieNet Network V5 (Telegram) | Telegram | Current active designation (March 2026)
OverFlame | DaaS Provider | Shared DDoS-as-a-Service infrastructure — confirmed NETSCOUT
DenBots Proof | DaaS Provider | Shared DDoS-as-a-Service infrastructure — confirmed NETSCOUT
Shared traffic sources pre-dating DieNet | Infrastructure | Attack source IPs used by multiple groups — confirmed NETSCOUT
check-host.net | Behavioral | Attack validation and proof screenshot collection
Sub-60-second high-PPS burst pattern | Behavioral | Signature DDoS burst to defeat manual mitigation
TCP SYN, DNS ANY/DNSSEC, NTP monlist | Protocol | Primary DDoS attack vector signatures

Affiliated Groups

Group | Relationship
Keymous+ | Coalition partner — jointly responsible for 70% of global DDoS activity Feb 28–Mar 2, 2026
Mr.Hamza | Initial promoter and supporter — endorsed DieNet at founding
Sylhet Gang-SG | Initial promoter; ongoing coalition partner for claim amplification
LazaGrad Hack | Initial promoter — pro-Palestinian, anti-Western shared ideology
OverFlame | DaaS infrastructure provider — shared botnet capacity
DenBots Proof | DaaS infrastructure provider — shared botnet capacity
313 Team | Coalition member — Electronic Operations Room coordination
Handala | Coalition member — Electronic Operations Room coordination
🛡️

Defensive Recommendations

🔴
DDoS Mitigation — CRITICAL Immediate Actions

  • Deploy cloud-based DDoS scrubbing upstream of all public-facing services — Cloudflare Magic Transit, Akamai Prolexic, AWS Shield Advanced, or Azure DDoS Protection. On-premises DDoS appliances alone are insufficient against DieNet's DaaS-scale volumetric attacks
  • Enable BGP blackhole routing (RTBH) with your upstream ISP for emergency traffic diversion with <15 minute SLA — critical for airport operational portals where outages create public safety implications
  • Configure ISP-level rate limiting for SYN packets, DNS ANY/DNSSEC queries, and NTP traffic — coordinate with upstream providers before attacks begin, not during
  • Implement SYN cookies on all edge firewalls to defeat TCP SYN flood without dropping legitimate connections
  • Disable NTP monlist on all public-facing NTP servers — run 'ntpdc -c monlist' to verify; this eliminates DieNet's highest-amplification attack vector (556x)
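
Added example (not from the original advisory): a Python check that reads UDP/123 payloads captured at your own NTP servers, recognises the mode 7 monlist header whose request bytes DNET-SIGMA-003 matches (17 00 03 2a), and reports which servers still answer and with what payload amplification. The packet tuples, documentation addresses and zero-filled entries are constructed sample input; the measured factor reflects that sample, not the advisory's 556x figure.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7           # NTP mode 7 ("private"), the mode ntpdc uses
IMPL_XNTPD = 3             # implementation byte in the signature 17 00 03 2a
MONLIST_CODES = {20, 42}   # REQ_MON_GETLIST and REQ_MON_GETLIST_1 (0x2a)


def parse_mode7(payload: bytes):
    """Decode the 8-byte mode 7 header of a UDP/123 payload, or return None."""
    if len(payload) < 8:
        return None
    b0, _seq, impl, code, err_items, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),      # R bit: set on server replies
        "more": bool(b0 & 0x40),          # M bit: further packets follow
        "implementation": impl,
        "request_code": code,
        "items": err_items & 0x0FFF,      # entries carried in this packet
        "item_size": mbz_size & 0x0FFF,   # bytes per entry
    }


def classify(payload: bytes):
    """Return 'monlist_request', 'monlist_response', or None for anything else."""
    hdr = parse_mode7(payload)
    if not hdr or hdr["implementation"] != IMPL_XNTPD:
        return None
    if hdr["request_code"] not in MONLIST_CODES:
        return None
    return "monlist_response" if hdr["response"] else "monlist_request"


def monlist_exposure(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload) seen on UDP/123.
    Returns, per server, the bytes received/sent for monlist and the payload ratio."""
    stats = defaultdict(lambda: {"request_bytes": 0, "response_bytes": 0, "entries": 0})
    for src, dst, payload in packets:
        kind = classify(payload)
        if kind == "monlist_request":
            stats[dst]["request_bytes"] += len(payload)
        elif kind == "monlist_response":
            stats[src]["response_bytes"] += len(payload)
            stats[src]["entries"] += parse_mode7(payload)["items"]
    report = {}
    for server, s in stats.items():
        factor = s["response_bytes"] / s["request_bytes"] if s["request_bytes"] else None
        report[server] = dict(s, answers_monlist=s["response_bytes"] > 0, factor=factor)
    return report


def constructed_capture():
    """Constructed sample traffic (documentation addresses, zero-filled entries)."""
    request = bytes.fromhex("1700032a") + bytes(4)        # header-only request

    def response(more):
        b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
        # 6 entries of 72 bytes each behind the 8-byte header
        return struct.pack("!BBBBHH", b0, 0, IMPL_XNTPD, 42, 6, 72) + bytes(6 * 72)

    client_sync = bytes([0x23]) + bytes(47)               # ordinary mode 3 time query
    server, peer = "192.0.2.10", "198.51.100.7"
    return [
        (peer, server, client_sync),
        (peer, server, request),
        (server, peer, response(True)),
        (server, peer, response(True)),
        (server, peer, response(False)),
    ]


if __name__ == "__main__":
    for server, row in monlist_exposure(constructed_capture()).items():
        print(server, row)
```

A server that has monlist disabled shows request bytes with `answers_monlist` false; any server reporting a non-zero factor is still usable as a reflector.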

🟡
Aviation-Specific Controls

  • Segregate passenger-facing web portals (flight info, check-in, booking) from operational aviation systems (ATC, gate management, baggage) at the network level — DDoS against the former should not impact the latter
  • Pre-position DDoS incident response contracts with scrubbing providers that have specific aviation sector SLAs — most offer sub-5-minute activation for pre-onboarded customers
  • Establish out-of-band communication channels for airport operations — ensure DDoS against public-facing web systems does not disrupt inter-team communications
  • Brief airport IT teams on DieNet target list pattern — when DieNet publishes a list including your airport, activate DDoS standby posture immediately

🟢
Financial Sector Controls

  • Protect internet banking portals with application-layer WAF rules in blocking mode — configure rate limiting for unauthenticated page requests (>100 requests/10s from single IP should trigger CAPTCHA or block)
  • Pre-test DDoS failover procedures for online banking portals — confirm backend banking operations can continue during a front-end portal outage
  • Brief fraud and operations teams: DieNet DDoS may be used as a distraction technique while other fraud operations run against temporarily degraded monitoring systems

🏛️
Government Portal Controls

  • Prioritize DDoS protection for e-government portals and citizen-facing services — explicitly named in DieNet structured target lists with lower inherent traffic volumes making them more vulnerable to modest-sized attacks
  • Deploy DNET-SIGMA-001, -002, and -003 as critical network monitoring rules for SYN flood, DNS amplification, and NTP amplification detection
  • Establish GCC-CERT threat intelligence sharing protocol for DieNet target list intelligence — when lists are published on Telegram, all named organizations should receive immediate notification

📡
Monitoring & Intelligence

  • Subscribe to threat intelligence feeds — Radware Threat Intelligence, NETSCOUT ATLAS Intelligence Feed, and Cloudflare Radar for real-time DieNet activity tracking
  • Monitor DieNet Telegram channels (DieNet Network, DieNet Network V5) for target list publications — structured lists published before attacks provide 12–48 hours advance warning window
  • Deploy DNET-SIGMA-005 (Check-Host validation beacon detection) to identify when your infrastructure is being targeted for proof screenshot collection — a near-real-time attack indicator

🎯 PREDICTABILITY NOTE

DieNet's geopolitical trigger pattern is highly predictable. Any major US military action, Israeli military operation, or pro-Palestinian political event should be treated as a DieNet elevated-threat condition. Pre-activate DDoS scrubbing, alert on-call teams, and monitor DieNet Telegram channels during and immediately after such events. The 2–6 hour post-event activation window is the critical monitoring period.

📊

Threat Landscape Visualization

[Charts: Attack Techniques by Frequency; Campaign Timeline: DieNet Operations]

📚

References & Intelligence Sources

  1. Radware (2026) — "149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries" — Keymous+ and DieNet driving 70% of activity. Radware Global Threat Analysis, March 2026
  2. Palo Alto Unit 42 (2026) — "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran" — DieNet claims confirmed. unit42.paloaltonetworks.com, March 9, 2026
  3. CloudSEK (2026) — "Situation Report: Middle East Escalation Feb 27–Mar 1, 2026" — DieNet Network V5 confirmed GCC campaigns. cloudsek.com, March 2026
  4. Intel 471 (2026) — "Israeli, US Strikes Against Iran Triggers Surge in Hacktivist Activity" — DieNet Kuwait claims. intel471.com, March 2026
  5. NETSCOUT ASERT (2025) — "Profiling DieNet: A New Hacktivist Threat" — DaaS infrastructure analysis, OverFlame/DenBots Proof confirmation. netscout.com, May 2025
  6. Flare.io (2026) — "Monitoring Cyberattacks Directly Linked to the US-Israel-Iran Military Conflict" — DieNet March 2025 origin. flare.io, March 2026
  7. Orange Cyberdefense (2025) — "Cyber Insight: DieNet v2 Group" — Origin analysis, ideology, alliances. orangecyberdefense.com
  8. Cyber Florida / USF (2025) — "DieNet: A Rising Hacktivist Group Targeting Critical Infrastructure" — Recorded Future US target list. cyberflorida.org, April 2025
  9. SOCRadar (2026) — "Iran vs. Israel & US Cyber War 2026: Operation Epic Fury" — DieNet structured target list publication Mar 2. socradar.io
  10. CIS (2025) — "Threat Actor Profile: Emerging Hacktivist Group DieNet Claims DDoS Attacks against US Critical Infrastructure"
  11. Cybersecurity News (2026) — "Iran-Linked Hackers Target US Critical Infrastructure" — TCP SYN, DNS, NTP techniques confirmed. cybersecuritynews.com, March 2026
  12. SOCRadar / Group-IB (2025) — DieNet most-referenced Telegram channel (quoted 79 times) in June 2025 hacktivist activity analysis
  13. Rescana (2026) — "Global Surge: 149 Hacktivist DDoS Attacks Target SCADA and Critical Infrastructure" — rescana.com, March 2026
  14. RH-ISAC (2026) — "Middle East Conflict Cyber Threat Landscape" — DieNet structured target list enumeration. rhisac.org, March 2026
  15. MITRE ATT&CK — T1498 Network Denial of Service; T1498.001 Direct Network Flood; T1498.002 Reflection Amplification; T1491.002 External Defacement. attack.mitre.org