Z-Pentest Threat Hunting Guide

Pro-Russian Hacktivist Group Targeting ICS/SCADA Infrastructure

High | Hacktivist | ICS/OT Focus

Active since: October 2024
Q2 2025 attacks: 38 ICS incidents
Attack growth: 150% vs Q1
Hunt duration: 4-6 hours

1. Executive Summary

ICS/OT Targeting Warning

  • Z-Pentest was the #1 most active ICS-targeting hacktivist group in Q2 2025
  • 38 confirmed ICS attacks in Q2 2025, a 150% increase from Q1
  • Targets internet-exposed SCADA/HMI systems with default credentials
  • Records video evidence of access for Telegram propaganda

Z-Pentest is a pro-Russian hacktivist group that emerged in October 2024 and has rapidly become one of the most prolific ICS-targeting hacktivist actors globally. The group claims to operate from Serbia and is a splinter faction of the People's Cyber Army.

Unlike sophisticated nation-state actors, Z-Pentest employs low-sophistication but high-volume attack methods, primarily targeting internet-exposed SCADA and HMI systems with default or weak credentials. The group's primary objective is propaganda generation rather than persistent access, recording video evidence of ICS manipulation for dissemination via Telegram.

Organizations with industrial control systems should prioritize removing internet exposure of OT assets and ensuring all default credentials have been changed. This guide provides 8 hunt modules specifically designed to detect Z-Pentest activity patterns.

2. Hunt Modules

1. Internet Exposure Assessment (45 min, Critical Priority)
2. Remote Access Audit (30 min, Critical Priority)
3. Authentication Anomaly Detection (30 min, High Priority)
4. ICS Protocol Traffic Analysis (45 min, High Priority)
5. HMI/SCADA Activity Monitoring (30 min, High Priority)
6. Network Segmentation Verification (30 min, Critical Priority)
7. Process Value Change Detection (30 min, Critical Priority)
8. Evidence Capture Detection (20 min, Medium Priority)
3. Detection Rules

Splunk (SPL)

Internet-Exposed ICS Port Detection

Identifies inbound connections to common ICS protocols from external IPs

ATT&CK for ICS technique: T0883
index=firewall OR index=network
| search dest_port IN (102, 502, 4840, 20000, 44818, 47808)
| where NOT cidrmatch("10.0.0.0/8", src_ip) AND NOT cidrmatch("172.16.0.0/12", src_ip) AND NOT cidrmatch("192.168.0.0/16", src_ip)
| stats count by src_ip, dest_ip, dest_port
| sort -count

VNC/RDP to OT Network Segment

Detects remote desktop connections to OT/ICS network zones

ATT&CK for ICS technique: T0886
index=firewall OR index=network
| search dest_port IN (5900, 5901, 3389)
| where dest_zone="OT" OR dest_zone="ICS" OR dest_zone="SCADA"
| stats count, values(src_ip) as source_ips by dest_ip, dest_port
| where count > 5
| sort -count

Default Credential Authentication Attempt

Detects authentication attempts using common default credentials

ATT&CK for ICS technique: T0866
index=auth OR index=ot_auth
| search user IN ("admin", "operator", "user", "guest", "root", "maintenance")
| where action="failure" OR action="success"
| stats count by src_ip, user, dest, action
| where count > 3
| sort -count

Microsoft Sentinel (KQL)

Internet-Exposed ICS Port Detection

Identifies inbound connections to common ICS protocols from external IPs

ATT&CK for ICS technique: T0883
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where DestinationPort in (102, 502, 4840, 20000, 44818, 47808)
| where not(ipv4_is_private(SourceIP))
| summarize ConnectionCount = count() by SourceIP, DestinationIP, DestinationPort
| order by ConnectionCount desc

VNC/RDP to OT Network Segment

Detects remote desktop connections to OT/ICS network zones

ATT&CK for ICS technique: T0886
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationPort in (5900, 5901, 3389)
| where DeviceAction == "allow"
| join kind=inner (
    _GetWatchlist('OT_Assets')
    | project DestinationIP = IpAddress
) on DestinationIP
| summarize ConnectionCount = count(), SourceIPs = make_set(SourceIP) by DestinationIP, DestinationPort
| order by ConnectionCount desc

Default Credential Authentication Attempt

Detects authentication attempts using common default credentials

ATT&CK for ICS technique: T0866
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName has_any ("admin", "operator", "user", "guest", "root", "maintenance")
| summarize
    FailureCount = countif(ResultType != 0),
    SuccessCount = countif(ResultType == 0)
    by IPAddress, UserPrincipalName
| where FailureCount > 3 or SuccessCount > 0
| order by FailureCount desc

Sigma

Internet-Exposed ICS Port Detection

Identifies inbound connections to common ICS protocols from external IPs

ATT&CK for ICS technique: T0883
title: Z-Pentest - External ICS Protocol Access
id: z-pentest-ics-exposure-001
status: experimental
description: Detects inbound connections to ICS protocols from external IPs
author: Intruvent Technologies
logsource:
    category: firewall
detection:
    selection:
        dst_port:
            - 102   # Siemens S7
            - 502   # Modbus
            - 4840  # OPC UA
            - 20000 # DNP3 (included in the SPL and KQL versions of this rule)
            - 44818 # EtherNet/IP
            - 47808 # BACnet
    filter:
        src_ip|cidr:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
    condition: selection and not filter
level: critical

VNC/RDP to OT Network Segment

Detects remote desktop connections to OT/ICS network zones

ATT&CK for ICS technique: T0886
title: Z-Pentest - Remote Access to OT Systems
id: z-pentest-ot-remote-001
status: experimental
description: Detects VNC/RDP connections to OT network segments
author: Intruvent Technologies
logsource:
    category: firewall
detection:
    selection:
        dst_port:
            - 5900  # VNC
            - 5901  # VNC
            - 3389  # RDP
        dst_zone:
            - OT
            - ICS
            - SCADA
    condition: selection
level: high

Default Credential Authentication Attempt

Detects authentication attempts using common default credentials

ATT&CK for ICS technique: T0866
title: Z-Pentest - Default Credential Usage
id: z-pentest-default-creds-001
status: experimental
description: Detects authentication with common default usernames
author: Intruvent Technologies
logsource:
    category: authentication
detection:
    selection:
        user:
            - admin
            - operator
            - user
            - guest
            - root
            - maintenance
            - engineer
    condition: selection
level: medium
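As an added example that is not part of the guide, the following Python reproduces the Internet-Exposed ICS Port Detection logic (same port list and RFC 1918 exclusion as the SPL rule above) over constructed firewall log lines, so the rule's behaviour can be checked offline before it is deployed; the key=value log format is an assumption.

```python
import ipaddress
from collections import Counter

# ICS/OT service ports from the guide's Key Indicators table.
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}

# RFC 1918 ranges, matching the three cidrmatch() filters in the SPL rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log (one connection per line); not real telemetry.
SAMPLE_LOG = """\
action=allow src_ip=198.51.100.23 dest_ip=10.20.30.5 dest_port=502
action=allow src_ip=198.51.100.23 dest_ip=10.20.30.5 dest_port=502
action=allow src_ip=10.1.1.7 dest_ip=10.20.30.5 dest_port=502
action=allow src_ip=203.0.113.9 dest_ip=10.20.30.6 dest_port=4840
action=allow src_ip=203.0.113.9 dest_ip=10.20.30.7 dest_port=443
action=deny src_ip=203.0.113.9 dest_ip=10.20.30.8 dest_port=47808
"""

def parse_kv(line):
    """Parse one 'key=value key=value' firewall line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def is_external(ip):
    """True when ip is outside every RFC 1918 range (the SPL rule's only exclusion;
    loopback, link-local and 100.64.0.0/10 sources are therefore still reported)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def external_ics_connections(log_text):
    """Count external -> ICS-port connections by (src, dst, port), most frequent first,
    the equivalent of 'stats count by src_ip, dest_ip, dest_port | sort -count'."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_kv(line)
        port = int(rec["dest_port"])
        if port in ICS_PORTS and is_external(rec["src_ip"]):
            counts[(rec["src_ip"], rec["dest_ip"], port)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (src, dst, port), n in external_ics_connections(SAMPLE_LOG):
        print(f"{n:>3}  {src} -> {dst}:{port} ({ICS_PORTS[port]})")
```

Like the SPL rule, this applies no filter on the firewall action, so blocked attempts (scanning) are listed alongside allowed ones (actual exposure); adding the action field to the aggregation key separates the two during triage.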


Disclaimer: These detection rules are provided for defensive security purposes. ICS/OT environments require careful testing before deploying any detection rules. Consult with your OT security team before implementing changes to industrial control system networks.

4. Key Indicators

Target ICS Ports

Port    Protocol                 Risk Level
102     Siemens S7 (ISO-TSAP)    Critical if exposed
502     Modbus TCP               Critical if exposed
4840    OPC UA                   High if exposed
44818   EtherNet/IP              Critical if exposed
47808   BACnet                   High if exposed
20000   DNP3                     Critical if exposed

Default Credentials Targeted

Username       Common Passwords
admin          admin, 1234, password
operator       operator, 1234
user           user, guest
maintenance    maintenance, maint

Alliance Network

Group                   Relationship
Sector 16               Primary Alliance
People's Cyber Army     Parent Group
NoName057(16)           DDoS Coordination
KillNet                 Ideological Alignment
