Z-Pentest
Pro-Russian Hacktivist Group Targeting ICS/SCADA Infrastructure
Also known as: ZPT | Splinter of People's Cyber Army
Z-Pentest emerged in October 2024 and has rapidly become the #1 ICS-targeting hacktivist actor globally. The group targets internet-exposed SCADA and HMI systems with default credentials, recording video evidence of ICS manipulation for Telegram propaganda.
Executive Summary
Unlike sophisticated nation-state actors, Z-Pentest employs low-sophistication but high-volume attack methods, primarily targeting internet-exposed SCADA and HMI systems with default or weak credentials. The group's primary objective is propaganda generation rather than persistent access, recording video evidence of ICS manipulation for dissemination via Telegram.
Z-Pentest claims to operate from Serbia and is a splinter faction of the People's Cyber Army, from which they separated in February 2025. The group has established close operational ties with Sector 16 and maintains loose alliances with NoName057(16), Cyber Army of Russia Reborn, and KillNet.
The group frames its operations as "anti-NATO activism" and specifically targets organizations in countries that support Ukraine. Geographic targeting includes the United States, Canada, Australia, France, South Korea, Taiwan, Italy, Romania, Germany, and Poland.
Alliance Network
Typical Attack Sequence
MITRE ATT&CK for ICS Mapping
This mapping uses the MITRE ATT&CK for ICS framework, which documents adversary behaviors specific to Industrial Control Systems environments.
- Primary attack vector: internet-exposed HMIs and PLCs
- VNC, RDP and SSH access to OT systems
- Screenshots and video recordings of HMI interfaces
- Observation of live industrial process values
- Changing setpoints and toggling valves or pumps
- Preventing operator control of processes
Hunt Modules
The full threat hunting guide includes 8 detailed hunt modules with KQL queries and Sigma rules. Key modules include:
- Internet-exposed ICS: identify ICS/SCADA systems exposed to the internet that could be targeted by Z-Pentest. Any internet-exposed ICS system represents critical exposure requiring immediate remediation.
- Remote access audit: audit all remote access paths to OT environments, focusing on VNC and RDP, which Z-Pentest commonly exploits. Pay attention to connections from Eastern European countries or VPN service IP ranges.
- Credential abuse: detect default credential usage and brute-force attempts against OT systems. Z-Pentest primarily gains access through default or weak credentials on HMI and SCADA systems.
- Process manipulation: detect unauthorized changes to process setpoints, valve states, or other control parameters. Z-Pentest operators demonstrate access by making minor changes to process values.
- Evidence capture: detect screenshot and screen recording activity on OT workstations, Z-Pentest's signature behavior for propaganda generation. This indicates active attacker presence.
Indicators of Compromise
Note: Z-Pentest is a hacktivist group that exploits existing access methods rather than deploying custom malware. Traditional file-based IOCs are limited. Detection focuses on behavioral indicators and network exposure patterns.
Targeted Ports/Services
| Port | Protocol | Service | Risk |
|---|---|---|---|
| 502 | TCP | Modbus TCP | Critical |
| 102 | TCP | Siemens S7 (ISO-TSAP) | Critical |
| 44818 | TCP | EtherNet/IP | Critical |
| 20000 | TCP | DNP3 | Critical |
| 4840 | TCP | OPC UA | High |
| 5900-5903 | TCP | VNC | High |
| 3389 | TCP | RDP | High |
Common Default Credentials to Hunt
| System Type | Username | Password |
|---|---|---|
| Generic HMI | admin | admin |
| Generic HMI | operator | operator |
| Siemens | admin | admin |
| Rockwell | admin | 1234 |
| Schneider | USER | USER |
| VNC | (none) | password / vnc |
Detection & Response
Behavioral Indicators
External ICS Access
- Inbound connections from internet to ports 502, 102, 44818, 20000
- External VNC/RDP to OT segments
- Access from Eastern European or Russian IP ranges
Credential Abuse
- Successful authentication with admin/admin, operator/operator
- Failed login brute-force attempts
- After-hours OT system access
Evidence Capture
- Screenshot tools or recording software on OT workstations
- Large image/video file creation in short timeframe
- PowerShell screen capture commands
Process Manipulation
- Rapid binary state changes (valve/pump toggling)
- Unauthorized setpoint changes
- Process value modifications without change orders
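The three behavioral indicator families above (external ICS access, default-account credential abuse, rapid valve/pump toggling) as a single triage script. This is an added example, not code from the original page or the guide it advertises; the log record layouts, the OT address range 10.20.0.0/16 and the toggling thresholds are assumptions for illustration.

```python
"""Constructed example: triage connection, authentication and Modbus write
records for the Z-Pentest behaviours listed above. Record shapes are invented
for this example; adapt the tuple fields to your own log sources."""
import ipaddress
from collections import defaultdict

# Ports from the "Targeted Ports/Services" table; VNC covers 5900-5903.
ICS_PORTS = {502: "Modbus TCP", 102: "Siemens S7", 44818: "EtherNet/IP",
             20000: "DNP3", 4840: "OPC UA", 3389: "RDP",
             **{p: "VNC" for p in range(5900, 5904)}}
DEFAULT_USERS = {"admin", "operator", "USER"}    # from the default-credential table
OT_NET = ipaddress.ip_network("10.20.0.0/16")    # assumed OT address range
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed RFC1918 use

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)

def external_to_ot(records):
    """records: (src, dst, port). Flag external sources reaching ICS/remote ports in OT."""
    return [(src, dst, ICS_PORTS[port]) for src, dst, port in records
            if is_external(src) and ipaddress.ip_address(dst) in OT_NET and port in ICS_PORTS]

def default_account_logins(records):
    """records: (src, user, result). Auth logs never carry the password, so this
    flags successful logins to default account names from outside the OT range;
    whether those accounts still hold default passwords is an asset-owner audit."""
    return [(src, user) for src, user, result in records
            if result == "success" and user in DEFAULT_USERS
            and ipaddress.ip_address(src) not in OT_NET]

def rapid_toggling(records, max_writes=5, window_s=60):
    """records: (ts_seconds, dst, coil). Flag a coil written max_writes or more
    times inside any window_s-second window (valve/pump toggling pattern)."""
    by_coil = defaultdict(list)
    for ts, dst, coil in records:
        by_coil[(dst, coil)].append(ts)
    hits = []
    for key, times in by_coil.items():
        times.sort()
        if any(times[i + max_writes - 1] - times[i] <= window_s
               for i in range(len(times) - max_writes + 1)):
            hits.append(key)
    return hits

# Constructed sample data: one benign internal peer, two external intrusions.
CONNS = [("203.0.113.7", "10.20.1.15", 502), ("10.20.5.2", "10.20.1.15", 502),
         ("198.51.100.9", "10.20.1.20", 5901), ("203.0.113.7", "192.168.1.5", 3389)]
AUTHS = [("203.0.113.7", "admin", "success"), ("10.20.5.2", "jsmith", "success"),
         ("198.51.100.9", "operator", "failure")]
WRITES = [(t, "10.20.1.15", 40) for t in (0, 5, 9, 14, 20, 30)] + \
         [(0, "10.20.1.15", 41), (200, "10.20.1.15", 41)]

if __name__ == "__main__":
    print(external_to_ot(CONNS), default_account_logins(AUTHS), rapid_toggling(WRITES))
```

The 3389 record to 192.168.1.5 is deliberately not flagged: RDP outside the OT range belongs to IT monitoring, not this hunt.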
Immediate Defense Actions
- Remove internet exposure of all ICS/SCADA/HMI systems immediately
- Change all default credentials on OT devices
- Implement network segmentation following IEC 62443 / Purdue Model
- Require VPN for all remote OT access
- Deploy ICS-specific monitoring (Dragos, Claroty, Nozomi)
- Enable audit logging on all HMI/SCADA workstations
Track Z-Pentest with BRACE
BRACE delivers monthly sector-specific threat intelligence covering Z-Pentest and ICS-targeting hacktivist activity, including:
- Z-Pentest TTP analysis and campaign tracking
- ICS/SCADA targeting patterns and indicators
- Detection rules for OT environment monitoring
- MITRE ATT&CK mappings for industrial threats
- Sector-specific threat hunting playbooks