Infrastructure Destruction Squad & BLACKNET-00: The Rise of a Hybrid Hacktivist-Ransomware Threat

The Infrastructure Destruction Squad is a hybrid threat actor blending hacktivism with cybercrime. They recently launched the $300 BLACKNET-00 ransomware builder alongside critical infrastructure exploits, democratizing advanced Malware-as-a-Service for entry-level criminals.

By KELA Cyber Intelligence Center

Updated June 3, 2026

The Infrastructure Destruction Squad is a Telegram-based threat actor brand active since at least June 2025 and still operating as of May 2026. While it presents itself as a politically motivated hacktivist collective, its activity shows a strong focus on monetization through intrusions, access sales, and Malware-as-a-Service (MaaS) offerings.

A key part of its ecosystem is the BLACKNET-00 ransomware builder, first sold in April 2026. The tool reflects a wider trend where ideological branding and profit-driven cybercrime increasingly overlap, lowering the barrier for new ransomware operators.

This blog explores the group’s structure, its shift between ideology and crime, and the broader implications of its hybrid threat model.


Who is the Infrastructure Destruction Squad? Ideology vs. Reality

In September 2025, Infrastructure Destruction Squad addressed claims linking their Telegram channel to a pro-Russian hacktivist group known as Dark Engine. They stated that while the channel previously belonged to their "friends," they are a separate, independent organization.

The group claims to have members globally, primarily located in China, with others in Russia, Belarus, and the United States.

The actor frequently uses political messaging to frame its activities, posting in English, Russian, and Chinese. Its stated ideological alignment spans multiple geopolitical narratives, including pro-China, anti-U.S., anti-Israel, pro-Palestinian, and anti-India/pro-Pakistan sentiments.

However, despite this strong hacktivist framing, the group aggressively monetizes its operations.


The BLACKNET-00 Ransomware-as-a-Service (RaaS) Ecosystem

In February 2026, the group announced BLACKNET-00, explicitly separating their missions. According to the actors, BLACKNET-00 focuses purely on "economic benefits," allowing the Infrastructure Destruction Squad to maintain its politically motivated path.

Telegram message announcing BLACKNET-00 as an affiliated ransomware organization with a separate financially motivated role, KELA platform

Despite this claimed separation, an April 2026 post about a breach on PWN Forums, where the group operates under the username "blacknet00", explicitly linked the two, stating: "We are the Infrastructure Destruction Squad the group behind the BLACKNET 00 ransomware organization."

Post linking Infrastructure Destruction Squad to BLACKNET-00, PWN Forums, KELA platform

Lowering the Barrier to Ransomware

The group advertises the BLACKNET-00 ransomware builder as a platform requiring zero programming knowledge. Featuring a graphical user interface (GUI) and a one-click build process, the tool allows beginner threat actors to:

  • Configure encryption options and disable security tools (including Windows Defender).
  • Generate custom ransom notes and payment QR codes.
  • Add data-theft functions (password collection, wallet extraction, screenshots, and webcam access).
  • Utilize Tor and Domain Generation Algorithm (DGA) features.
Telegram message advertising BLACKNET-00 with a latest listed price of USD 300, KELA platform

Pricing for the builder has fluctuated rapidly, dropping from an initial USD 2,000 down to USD 300. The tool is marketed as a one-time purchase that includes full source code rather than a standard affiliate split. This aggressive pricing suggests a highly competitive RaaS market and a deliberate strategy to attract lower-tier cybercriminals.

Blacknet-00 ransom note template, shared by Infrastructure Destruction Squad on their Telegram channel, KELA platform
Screenshot showing the BLACKNET-00 ransom demand displayed on a compromised desktop. Shared by Infrastructure Destruction Squad on their Telegram channel, KELA platform

Targeting and Claimed BLACKNET-00 Victims

Currently, BLACKNET-00’s victimology does not appear restricted to a specific sector or geography. In April 2026, KELA observed two major claimed victims:

  1. The United States Federal Aviation Administration (FAA): Representing a major government/aviation target.
  2. Zaidus Real Estate Investment and General Contracting Company: An Egypt-based real estate firm, where actors claimed to have stolen 20 GB of documents regarding employees in Egypt and Saudi Arabia, demanding a $20,000 ransom.

This relatively low ransom demand aligns with early-stage ransomware activity. While KELA has not observed a dedicated BLACKNET-00 leak site—the group currently publishes claims via Telegram and PWN Forums—it is highly likely this infrastructure will evolve.

EXTERMINATOR: Ransomware for the "Ordinary Individual"

Highlighting their unorthodox approach, the group promoted another ransomware tool in early 2026 called EXTERMINATOR. The actor advertised two versions: one for corporate networks and one specifically designed for "ordinary individuals."

Infrastructure Destruction Squad advertising EXTERMINATOR, KELA platform

Targeting individuals is highly unusual in the modern RaaS landscape, where actors seek massive corporate payouts. This unique positioning further underscores the group’s hybrid nature, blending profit-maximizing ransomware with hacktivist-style harassment and intimidation.

Beyond Ransomware: ICS, SCADA, and Banking Malware Arsenal

Infrastructure Destruction Squad’s commercial offerings extend far beyond ransomware. They have actively promoted a suite of specialized offensive tools on their channels:

  • VoltRuptor (USD 25,000): August 2025. Promoted as an ICS/critical-infrastructure tool allowing buyers to scan systems, map connected infrastructure, and propagate across industrial control networks.
  • TRK25 Advanced SCADA (USD 500): February 2026. Advertised as a tool for scanning industrial IP ranges, extracting banner data, and recording SCADA system vulnerabilities.
  • BLAIIS-820 (USD 400): Announced in May 2026, this is a specialized tool designed to scan and exploit vulnerabilities in IIS servers and related industrial interfaces (HMI and SCADA), extracting passwords from web configuration files.
  • BankGhost Builder (USD 300): A banking malware builder supporting over 700 financial institutions. Features include fake login pages, 2FA bypass, clipboard hijacking, polymorphic encryption, mass email campaigns, keylogging, and output configuration as EXE, MSI, or DLL files.

The Convergence of Ideology and Profit

Infrastructure Destruction Squad exemplifies the growing overlap between hacktivism and financially motivated cybercrime operations. By using geopolitical narratives to build a brand, while simultaneously mass-marketing cheap, destructive tools like BLACKNET-00 and VoltRuptor, they are making advanced cybercrime accessible to unskilled actors.

This hybrid threat model proves that ideological branding and profit-driven operations are no longer mutually exclusive. KELA assesses that similar groups and partnerships will become increasingly prominent in the 2026 threat landscape. We will continue monitoring the Infrastructure Destruction Squad, BLACKNET-00, and their evolving arsenal.

The KELA platform monitors over 8 million threat actor profiles, including members, target territories, sectors, logged cybercrime activities, finished intelligence reports, MITRE ATT&CK mapping, IOCs, and more.

FAQs

Who is the Infrastructure Destruction Squad?

The Infrastructure Destruction Squad is a Telegram-based threat actor group that claims a hacktivist identity but also operates as a cybercrime vendor. It promotes politically charged messaging while simultaneously selling access, malware tools, and ransomware services.

Is the group purely hacktivist or financially motivated?

Although the group presents itself as hacktivist, its activities show a strong financial motive. It monetizes intrusions, develops Malware-as-a-Service tools, and sells ransomware builders like BLACKNET-00.

What is BLACKNET-00?

BLACKNET-00 is a ransomware builder marketed by the group. It allows users with little to no technical experience to create and deploy ransomware, configure encryption settings, disable security tools, and generate ransom notes.

Who are the reported victims of BLACKNET-00?

KELA observed claimed victims including the United States Federal Aviation Administration (FAA) and an Egypt-based real estate company. These incidents suggest opportunistic targeting across both government and private sectors.