Lone Wolf Russian Hacker: PalachPro
The solo operator behind the Kongsberg breach, classified as APT-level threat UAC-0252 by Ukrainian and international intelligence, and linked to a missile strike that killed over 50 people.
PalachPro is a Russian hacker who operates alone. A former associate of the now-notorious KillNet collective, he has since gone independent, conducting cyber espionage, data exfiltration, and DDoS operations against Ukrainian military systems, NATO-aligned defense contractors, and Western infrastructure.
In January 2025, PalachPro breached the servers of Norwegian defense company Kongsberg Defence & Aerospace, the manufacturer of the NASAMS air defense system. He exfiltrated classified documents revealing a secret $3 billion arms deal between Norway and Ukraine, including delivery schedules, NASAMS deployment locations, and anti-drone development funding. The documents were subsequently passed to Russian intelligence services.
In August 2025, PalachPro's six-month surveillance of a former Ukrainian military officer, conducted through data obtained from the Kongsberg breach, allegedly provided the coordinates and timing for a Russian Iskander missile strike on a training base in Chernihiv that killed more than 50 people, including foreign mercenaries.
By 2026, Ukrainian CERT and international agencies classified PalachPro's activity under the APT designation UAC-0252. His operations have been documented by CERT-UA, Google Threat Intelligence, SOC Prime, Acumen Cyber, and Recorded Future, with custom malware tools including SHADOWSNIFF and SALATSTEALER attributed to his campaigns. He has also claimed involvement in DDoS attacks on ChatGPT alongside the 22c group, and has publicly stated his capability to track Western weapons systems deployed in Ukraine.
Daily Dark Web reached out to PalachPro directly. What follows is his unfiltered response, published in full, without editorial alteration. The views expressed are entirely those of the individual and do not reflect the positions of Daily Dark Web.
⚠ EDITORIAL NOTE: The statements below are published for informational and journalistic purposes. Daily Dark Web does not endorse, promote, or support the activities or ideology of PalachPro or any threat actor. Claims made in this interview have not been independently verified unless stated otherwise.
There was no such clear hierarchy in Killnet. We are very good friends with KillMilk. We worked for the good of the Motherland.
Very easy. On the official Killnet channel, in major media you can see our joint work.
I am a person who does not like the structure of any groups of people. There is always a risk of information leakage, or a person will not be what he claimed to be. See? I find it easier to work alone, or rarely coordinate with groups like NoName057(16) in some attacks.
I cannot disclose the internal group for security reasons. Sorry.
The most complex operations were related to cyber espionage. There was an incident, in the summer. When I identified a training ground with foreign mercenaries, through hacking the phone. A rocket flew there. More than 50 people were killed.
I prefer intrusion, and long-term stay in the system for pumping out especially important data. In simple words, consolidation in the system. I also use DDoS, but it's more like a secondary tool.
There are a lot of entry points into the system. I mostly use different types of malware to hack. And also, sometimes I use self-written exploits, accompanying it with very strong and good reconnaissance. Sometimes I can combine some methods, and for example, through vulnerabilities of archivers like WinRAR, infect the system with malicious payload.
You know, I'll put it this way. Knowledge is good, of course, but experience is the most important resource in our business. Over the years, I have fully learned and studied the behavior of the enemy, the systems they use, and so on. It is easier for me alone than to do something with a whole crowd, and 90% of not well-structured groups, without a clear division of roles and so on, slide into the abyss.
Of course, I've been working with the group, running some cyber operations. For example, DDoS attacks with NoName057(16), and other hackers.
I am a strong patriot of my country. I don't work for money or medals. I defend my homeland on the invisible front. And there is a place for excitement.
Sometimes people think that such groups, with great resonance, have hundreds, or even thousands of people with them. Although not so. Also, not all hacker groups work for the special services. And then, because of these rumors about the special services, people condemn the government of the country for allowing such things.
Over all these years, I have seen a lot of people and things in this area. Those who exaggerate their so-called "successes" or simply blatantly lie are the usual script kiddies and schoolchildren. Successful groups or individuals will not tarnish their reputations with unnecessary statements.
If we talk about errors, and not technical errors such as the use of outdated programs and utilities, since any resource is vulnerable on the Internet, then... Basically, organizations do not train their employees well in digital hygiene, or distrust. If you pull out at least some non-public information through a supply-chain attack, de-anonymization, email spoofing, and so on, then most people fall for it.
The problem is that absolute protection is impossible. Many leave the doors open themselves. As long as they have a mess with access, old accounts and phishing, methods, and so on, we don't even have to look for an "entry point", they give it to us themselves. But as soon as they put things in order, the game changes: each attempt becomes more expensive, noisier and riskier. But we are not lagging behind either. It is a matter of time, in any new defense, we will find a new hole, and it will be endless.
Following the initial interview, we received additional questions from our audience and relayed them to PalachPro. Below are his responses.
Ahaa, that's an interesting question. My field is slightly different. I'm more of a military person. I've never thought about it.
I started doing this more than 10 years ago, and it was the starting point of my hacking career. Yes, I had to train on ordinary people who fell for these tricks by mistake. The programs were harmless, but because the computer virus spread and caused some damage, I began to gain valuable experience from it. Over time, I moved on to actively attacking foreign users and companies that criticized Russia.
I have separate sources of income, and I can't disclose the exact sources, but I have enough money to live and support my tools.
As I said, I'm not interested in income. I'm a big patriot of my country, and I'm doing this for my homeland.
Imagine that you're the best at building very complex models, and you even come up with new parts. And big "smart adults" like Google, Recorded Future, and even the Ukrainian CERT-UA said, "Yes, he's really good at this."
You know, theory and knowledge are great, but in most cases, it's just a good starting point. To truly master something that yields excellent results, you need to understand the structure, hierarchy, and mindset of the enemy. Over time, this knowledge allows you to identify vulnerabilities in various systems. Therefore, I believe that experience is always superior to theoretical knowledge.
PalachPro represents a profile that is increasingly difficult for the security community to categorize. He is neither a hacktivist collective nor a state employee, neither a financially motivated cybercriminal nor a script kiddie. He is a solo operator with demonstrated APT-level capabilities who openly describes passing intelligence to military forces, resulting in kinetic strikes.
The intersection of his activity with real-world violence, specifically the Chernihiv training base strike, places PalachPro in a category where cyber operations directly translate to battlefield outcomes. His classification as UAC-0252 by CERT-UA, with custom tooling (SHADOWSNIFF, SALATSTEALER) documented by Google and SOC Prime, confirms that his operational footprint is taken seriously by professional threat intelligence organizations.
APT Designation: UAC-0252 (CERT-UA)
Custom Malware: SHADOWSNIFF, SALATSTEALER (infostealer variants)
Notable Breach: Kongsberg Defence & Aerospace (January 2025) exposing $3B NASAMS arms deal
Linked Kinetic Event: Chernihiv training base Iskander strike (August 2025, 50+ killed)
Known Associations: Former KillNet affiliate, informal coordination with NoName057(16)
Documented By: CERT-UA, Google Threat Intelligence, SOC Prime, Recorded Future, Acumen Cyber
His candor about operational methods, from WinRAR exploits to supply-chain attacks and long-term system persistence, offers genuine insight for defenders. His assessment that "90% of not well-structured groups slide into the abyss" and that organizations "give entry points to us themselves" reflects a practitioner's perspective that, regardless of one's view on his activities, carries operational weight.
Daily Dark Web will continue monitoring PalachPro's activity and reporting on developments as they emerge.
- Radio KP: PalachPro Biography
- SOC Prime: UAC-0252 Attack Detection: SHADOWSNIFF and SALATSTEALER
- RIA Novosti: PalachPro Interview (March 2026)
- RIA Novosti: Ukrainian Armed Forces Report (February 2026)
- RIA Novosti: Armed Forces Report (January 2026)
- Google Threat Intelligence: Threats to the Defense Industrial Base
- Acumen Cyber: Threat Intelligence Digest (January 2026, Week 3)
- Acumen Cyber: Threat Intelligence Digest (November 2025, Week 44)
- Acumen Cyber: Threat Intelligence Digest (December 2025, Week 52)
- Acumen Cyber: Threat Intelligence Digest (December 2025, Week 49)
- Acumen Cyber: Threat Intelligence Digest (August 2025, Week 33)
- Mail.ru News: Special Military Operation Coverage






