| We Red Evils | |
| --- | --- |
| Date of initial activity | 2022 |
| Other Names | Red Evil |
| Location | Israel |
| Suspected Attribution | Hacktivists |
| Motivation | Cyberwarfare |
| Software | Servers |

Overview
We Red Evils is a nascent yet increasingly prominent Israeli hacker collective that emerged in October 2023. The group has swiftly garnered attention for its cyber operations targeting nations and organizations perceived as aligned with pro-Palestinian and pro-Hamas agendas. Demonstrating a clear ideological stance, We Red Evils has carried out disruptive cyberattacks, including breaching systems tied to the Iranian Revolutionary Guards Corps and impacting critical infrastructure such as power grids in Iran. These actions signal a focused effort to leverage cyber capabilities in the broader geopolitical and ideological conflict in the Middle East.
Operating across multiple platforms, We Red Evils utilizes a blend of public-facing propaganda channels and clandestine methods to coordinate and publicize their activities. Their campaigns have included defacing websites, compromising sensitive data, and executing denial-of-service attacks designed to disrupt essential services. While their tactics and techniques are not considered highly advanced compared to sophisticated nation-state actors, their operations effectively exploit vulnerabilities in targeted systems, causing significant disruptions and amplifying psychological and infrastructural impacts on their adversaries.
The emergence of We Red Evils is emblematic of the growing intersection between cyberterrorism and modern geopolitical conflicts. Cyberattacks, such as those conducted by this group, serve as both a strategic and symbolic weapon, undermining confidence in critical institutions and spreading fear among civilian populations. This cyber activity also reflects a broader trend in the ongoing conflict between Israel and Hamas, where cyber warfare has become an integral tool in a multifaceted battle for control and influence.
Common targets
- Information
- Public Administration
- Individuals
- Lebanon
- Iran
Attack Vectors
- Software Vulnerabilities
- Web Browsing
How they operate
We Red Evils primarily employs a suite of techniques that target known vulnerabilities in web applications and network infrastructures. The group uses reconnaissance tools to identify misconfigured servers, outdated software, and insecure endpoints within their target networks. Exploiting these weaknesses, they deploy web defacement scripts, ransomware payloads, or denial-of-service (DoS) attacks. Notably, their attacks lack the sophistication of advanced persistent threats (APTs); instead, they rely on readily available tools and frameworks, often modifying open-source hacking kits to suit their purposes. This approach minimizes their operational complexity while maximizing the reach and impact of their campaigns.
Phishing remains another key tactic in We Red Evils’ arsenal. The group creates phishing campaigns tailored to exploit geopolitical tensions, using themes designed to elicit emotional responses or manipulate victims into divulging sensitive information. These campaigns often target email accounts of government officials, media personnel, and key figures in organizations aligned with pro-Palestinian efforts. Once access is gained, the attackers leverage stolen credentials to infiltrate larger systems or spread misinformation.
On the infrastructural front, We Red Evils has demonstrated a particular interest in critical systems such as energy grids, telecommunications networks, and media outlets. The group employs basic penetration testing tools like Metasploit and Burp Suite to identify exploitable vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments. While these attacks have been disruptive, they appear to focus more on causing immediate chaos than on achieving sustained control over systems.
The group’s communication and coordination rely heavily on encrypted messaging platforms such as Telegram and Signal, where they share operational updates, recruit new members, and disseminate propaganda. Public channels are also used to amplify the psychological impact of their operations, with announcements and visual evidence of successful breaches designed to spread fear among their adversaries. Furthermore, We Red Evils actively monitors pro-Hamas social media channels to identify potential targets and shape their attack narratives.
We Red Evils’ operations highlight the growing accessibility of cyber tools and the rising influence of ideologically driven threat actors in global conflicts. By combining opportunistic tactics with strategic targeting, the group has demonstrated the potential for relatively unsophisticated actors to create significant disruption. Understanding their technical methods is critical for designing defenses against the evolving threat landscape they represent. Robust cybersecurity measures, enhanced monitoring of critical infrastructure, and proactive threat intelligence sharing are essential to mitigating the risks posed by groups like We Red Evils.