
Cyber Threat Actor: Apophis Squad

Actor Type: Criminal
Location: Russia
Known Incidents: 1 incident

Profile

Apophis Squad (also referred to as the Apophis Squad group) is a threat actor that has been publicly linked to Russia, although the group itself has denied any Russian affiliation in private communications. The actor first came to prominence in June 2018 when it claimed responsibility for a prolonged distributed denial-of-service attack against ProtonMail, an encrypted email service based in Switzerland, which also briefly targeted the similar service Tutanota. The attack was motivated by retaliation after ProtonMail's chief technology officer publicly referred to the group as "clowns" on social media, indicating a disruption-oriented objective rather than financial gain or espionage. The assault lasted several hours, caused message delivery delays and intermittent VPN disruptions, and produced outages that typically lasted only a few minutes, the longest lasting about ten minutes. During the incident the attackers employed a multi-vector approach that peaked at 500 Gbps, combining UDP reflection attacks, TCP bursts, and SYN floods, and later launched a follow-up TCP SYN flood that reached 70 Gbps. These operations demonstrate a focus on overwhelming network bandwidth to disrupt service availability.

The group's tactics, techniques, and procedures are centered on volumetric DDoS methods rather than malware deployment or credential theft. Apophis Squad has advertised the development of a DDoS booter service that promises multi-vector capabilities leveraging protocols such as NTP, DNS, SSDP, Memcached, LDAP, HTTP, CloudFlare bypass, VSE, ARME, Torshammer, and XML-RPC, indicating a tooling style built around readily available reflection and amplification techniques. No specific malware families, initial access vectors, or exploit kits are referenced in the available reporting. Attribution remains ambiguous: while external assessments and the group's alleged base point to Russia, the actors have explicitly denied such ties, and no state nexus or criminal consortium affiliation has been conclusively established in public sources. The most notable publicly reported operation remains the June 2018 ProtonMail campaign, which exemplifies the actor's reliance on high-volume, multi-vector DDoS attacks to achieve disruption objectives.
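The reflection and amplification vectors listed above (NTP, DNS, SSDP, Memcached, LDAP) share a network-level fingerprint a defender can look for: many distinct reflector hosts sending large UDP responses, all from the same well-known service port, toward one victim address. The following detector is an added example written for this profile, not code from the page or from any reporting on Apophis Squad. It runs over constructed NetFlow-style records (the `Flow` dataclass, IP addresses, thresholds and port-to-service map are assumptions chosen for illustration) and flags buckets that look like an amplified reflection wave rather than ordinary client traffic.

```python
"""Flag likely UDP reflection/amplification traffic in flow records.

Added defensive example: groups inbound UDP flows by (victim, reflector
service port), then alerts when many distinct sources deliver a large volume
of big packets, which is the shape of an amplified reflection attack.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Well-known UDP source ports of services commonly abused as reflectors
# (the protocols named in the profile). Assumed mapping for this example.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "Memcached"}


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record (constructed schema for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "UDP" or "TCP"
    bytes: int
    packets: int


def detect_reflection(flows: Iterable[Flow], min_sources: int = 20,
                      min_bytes: int = 1_000_000, min_avg_pkt: int = 400) -> list[dict]:
    """Return one alert per (victim, service) bucket that meets all thresholds.

    Thresholds are illustrative: a single DNS resolver answering a client is
    one source with small packets; an amplification wave is dozens of sources
    with large packets and a high byte total, all within the same window.
    """
    buckets = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        # Only UDP traffic whose *source* port is a known reflector service.
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        b = buckets[(f.dst_ip, f.src_port)]
        b["sources"].add(f.src_ip)
        b["bytes"] += f.bytes
        b["packets"] += f.packets

    alerts = []
    for (dst_ip, port), b in sorted(buckets.items()):
        avg_pkt = b["bytes"] / b["packets"] if b["packets"] else 0
        if (len(b["sources"]) >= min_sources and b["bytes"] >= min_bytes
                and avg_pkt >= min_avg_pkt):
            alerts.append({
                "victim": dst_ip,
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(b["sources"]),
                "bytes": b["bytes"],
                "avg_packet_bytes": round(avg_pkt),
            })
    return alerts


def constructed_flows() -> list[Flow]:
    """Constructed sample input (not captured data)."""
    # 60 distinct NTP reflectors, each sending 40 large (468-byte) responses to one victim.
    flows = [Flow(f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, "UDP", 40 * 468, 40)
             for i in range(1, 61)]
    # Ordinary DNS answers to another host: one source, small packets, low volume.
    flows += [Flow("192.0.2.53", 53, "203.0.113.20", 50000 + i, "UDP", 120, 1)
              for i in range(5)]
    # TCP web traffic is out of scope for this detector and is ignored.
    flows.append(Flow("192.0.2.80", 443, "203.0.113.20", 51000, "TCP", 250_000, 200))
    return flows


if __name__ == "__main__":
    for alert in detect_reflection(constructed_flows()):
        print(alert)
```

On the constructed input only the NTP bucket trips: 60 reflectors, about 1.1 MB of 468-byte packets toward 203.0.113.10. The same grouping would not catch the TCP SYN floods the profile also describes, because those carry no reflector port signature; they need a separate check on SYN rate per destination.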

Incidents: 1 incident (attributed incidents available to members)
Sources: 1 source (available to members)