Dark Web Informant
Threat Intelligence
Lone Wolf Russian Hacker: PalachPro
The solo operator behind the Kongsberg breach, classified as APT-level threat UAC-0252 by Ukrainian and international intelligence, and linked to a missile strike that killed over 50 people.
PalachPro is a Russian hacker who operates alone. A former associate of the now-notorious KillNet collective, he has since gone independent, conducting cyber espionage, data exfiltration, and DDoS operations against Ukrainian military systems, NATO-aligned defense contractors, and Western infrastructure.
In January 2025, PalachPro breached the servers of Norwegian defense company Kongsberg Defence & Aerospace, the manufacturer of the NASAMS air defense system. He exfiltrated classified documents revealing a secret $3 billion arms deal between Norway and Ukraine, including delivery schedules, NASAMS deployment locations, and anti-drone development funding. The documents were subsequently passed to Russian intelligence services.
In August 2025, PalachPro’s six-month surveillance of a former Ukrainian military officer, conducted through data obtained from the Kongsberg breach, allegedly provided the coordinates and timing for a Russian Iskander missile strike on a training base in Chernihiv that killed more than 50 people, including foreign mercenaries.
By 2026, Ukrainian CERT and international agencies classified PalachPro’s activity under the APT designation UAC-0252. His operations have been documented by CERT-UA, Google Threat Intelligence, SOC Prime, Acumen Cyber, and Recorded Future, with custom malware tools including SHADOWSNIFF and SALATSTEALER attributed to his campaigns. He has also claimed involvement in DDoS attacks on ChatGPT alongside the 22c group, and has publicly stated his capability to track Western weapons systems deployed in Ukraine.
Daily Dark Web reached out to PalachPro directly. What follows is his unfiltered response, published in full, without editorial alteration. The views expressed are entirely those of the individual and do not reflect the positions of Daily Dark Web.
⚠ EDITORIAL NOTE: The statements below are published for informational and journalistic purposes. Daily Dark Web does not endorse, promote, or support the activities or ideology of PalachPro or any threat actor. Claims made in this interview have not been independently verified unless stated otherwise.
You stated you were previously involved with KillNet. What exactly was your role, and how closely did you work with them?
There was no such clear hierarchy in Killnet. We are very good friends with KillMilk. We worked for the good of the Motherland.
Many individuals claim affiliation with well-known groups like KillNet. What proof can you provide to support your involvement?
Very easy. On the official Killnet channel, in major media you can see our joint work.
Why did you choose to operate independently instead of remaining part of a group?
I am a person who does not like the structure of any groups of people. There is always a risk of information leakage, or a person will not be what he claimed to be. See? I find it easier to work alone, or rarely coordinate with groups like NoName057(16) in some attacks.
From your experience, how organized are groups like KillNet internally? Are they structured or loosely coordinated?
I cannot disclose the internal group for security reasons. Sorry.
What kind of operations have you personally conducted that you consider technically significant?
The most complex operations were related to cyber espionage. There was an incident in the summer, when I identified a training ground with foreign mercenaries through hacking the phone. A rocket flew there. More than 50 people were killed.
Do you focus more on disruption (e.g., DDoS) or intrusion (data access, exfiltration)?
I prefer intrusion, and long-term stay in the system for pumping out especially important data. In simple words, consolidation in the system. I also use DDoS, but it’s more like a secondary tool.
What is your typical entry point into a target: misconfigurations, known vulnerabilities, or human error?
There are a lot of entry points into the system. I mostly use different types of malware to hack. And also, sometimes I use self-written exploits, accompanying it with very strong and good reconnaissance. Sometimes I can combine some methods, and for example, through vulnerabilities of archivers like WinRAR, infect the system with malicious payload.
You describe yourself as a “loner.” How do you handle operational security without the support of a team?
You know, I’ll put it this way. Knowledge is good, of course, but experience is the most important resource in our business. Over the years, I have fully learned and studied the behavior of the enemy, the systems they use, and so on. It is easier for me alone than to do something with a whole crowd, and 90% of not well-structured groups, without a clear division of roles and so on, slide into the abyss.
Have you ever collaborated informally with other actors, even if you are not part of a formal group?
Of course, I’ve been working with the group, running some cyber operations. For example, DDoS attacks with NoName057(16), and other hackers.
What motivates your activities today: financial gain, ideology, challenge, or visibility?
I am a strong patriot of my country. I don’t work for money or medals. I defend my homeland on the invisible front. And there is a place for excitement.
Looking back at your time around KillNet, what do you think people misunderstand most about such groups?
Sometimes people think that such groups, with great resonance, have hundreds, or even thousands of people with them. Although not so. Also, not all hacker groups work for the special services. And then, because of these rumors about the special services, people condemn the government of the country for allowing such things.
Do you believe most cyberattacks attributed to hacktivist groups are accurately claimed, or is there exaggeration in the ecosystem?
Over all these years, I have seen a lot of people and things in this area. Those who exaggerate their so-called “successes” or simply blatantly lie are the usual script kiddies and schoolchildren. Successful groups or individuals will not tarnish their reputations with unnecessary statements.
What is the biggest mistake organizations make that allows someone like you to gain access?
If we talk about errors, and not technical errors such as the use of outdated programs and utilities, since any resource is vulnerable on the Internet, then… Basically, organizations do not train their employees well in digital hygiene, or distrust. If you pull out at least some non-public information through a supply-chain attack, de-anonymization, email spoofing, and so on, then most people fall for it.
If defenders could fix one thing tomorrow, what would make your work significantly harder?
The problem is that absolute protection is impossible. Many leave the doors open themselves. As long as they have a mess with access, old accounts and phishing, methods, and so on, we don’t even have to look for an “entry point”, they give it to us themselves. But as soon as they put things in order, the game changes: each attempt becomes more expensive, noisier and riskier. But we are not lagging behind either. It is a matter of time, in any new defense, we will find a new hole, and it will be endless.
Following the initial interview, we received additional questions from our audience and relayed them to PalachPro. Below are his responses.
Have you ever hacked any government or institution and acquired information related to UFOs or something that proves any kind of alien life?
Ahaa, that’s an interesting question. My field is slightly different. I’m more of a military person. I’ve never thought about it.
How did you start? Would you do anything differently?
I started doing this more than 10 years ago, and it was the starting point of my hacking career. Yes, I had to train on ordinary people who fell for these tricks by mistake. The programs were harmless, but because the computer virus spread and caused some damage, I began to gain valuable experience from it. Over time, I moved on to actively attacking foreign users and companies that criticized Russia.
What is your regular income source? How do you take care of monthly dues?
I have separate sources of income, and I can’t disclose the exact sources, but I have enough money to live and support my tools.
Are you doing it for the money, or a purpose, or the dopamine?
As I said, I’m not interested in income. I’m a big patriot of my country, and I’m doing this for my homeland.
How do you understand a hacker’s skill level, explained simply? What level are you at?
Imagine that you’re the best at building very complex models, and you even come up with new parts. And big “smart adults” like Google, Recorded Future, and even the Ukrainian CERT-UA said, “Yes, he’s really good at this.”
How did you get to this stage? I want to become like you.
You know, theory and knowledge are great, but in most cases, it’s just a good starting point. To truly master something that yields excellent results, you need to understand the structure, hierarchy, and mindset of the enemy. Over time, this knowledge allows you to identify vulnerabilities in various systems. Therefore, I believe that experience is always superior to theoretical knowledge.
PalachPro represents a profile that is increasingly difficult for the security community to categorize. He is neither a hacktivist collective nor a state employee, neither a financially motivated cybercriminal nor a script kiddie. He is a solo operator with demonstrated APT-level capabilities who openly describes passing intelligence to military forces, resulting in kinetic strikes.
The intersection of his activity with real-world violence, specifically the Chernihiv training base strike, places PalachPro in a category where cyber operations directly translate to battlefield outcomes. His classification as UAC-0252 by CERT-UA, with custom tooling (SHADOWSNIFF, SALATSTEALER) documented by Google and SOC Prime, confirms that his operational footprint is taken seriously by professional threat intelligence organizations.
APT Designation: UAC-0252 (CERT-UA)
Custom Malware: SHADOWSNIFF, SALATSTEALER (infostealer variants)
Notable Breach: Kongsberg Defence & Aerospace (January 2025) exposing $3B NASAMS arms deal
Linked Kinetic Event: Chernihiv training base Iskander strike (August 2025, 50+ killed)
Known Associations: Former KillNet affiliate, informal coordination with NoName057(16)
Documented By: CERT-UA, Google Threat Intelligence, SOC Prime, Recorded Future, Acumen Cyber
His candor about operational methods, from WinRAR exploits to supply-chain attacks and long-term system persistence, offers genuine insight for defenders. His assessment that “90% of not well-structured groups slide into the abyss” and that organizations “give entry points to us themselves” reflects a practitioner’s perspective that, regardless of one’s view on his activities, carries operational weight.
Daily Dark Web will continue monitoring PalachPro’s activity and reporting on developments as they emerge.
- Radio KP: PalachPro Biography
- SOC Prime: UAC-0252 Attack Detection: SHADOWSNIFF and SALATSTEALER
- RIA Novosti: PalachPro Interview (March 2026)
- RIA Novosti: Ukrainian Armed Forces Report (February 2026)
- RIA Novosti: Armed Forces Report (January 2026)
- Google Threat Intelligence: Threats to the Defense Industrial Base
- Acumen Cyber: Threat Intelligence Digest (January 2026, Week 3)
- Acumen Cyber: Threat Intelligence Digest (November 2025, Week 44)
- Acumen Cyber: Threat Intelligence Digest (December 2025, Week 52)
- Acumen Cyber: Threat Intelligence Digest (December 2025, Week 49)
- Acumen Cyber: Threat Intelligence Digest (August 2025, Week 33)
- Mail.ru News: Special Military Operation Coverage
© 2026 · Threat Intelligence · All rights reserved


