Reborn in the Shadows: Tracing LulzSec Muslims’ Evolution into SH7 G4NG
This report presents a comprehensive investigation into the group known as LulzSec Muslims, recently rebranded as SH7 G4NG, an ideologically motivated hacktivist entity operating on both the dark web and mainstream platforms such as Telegram. Despite adopting the "LulzSec" moniker, this actor is distinct and unaffiliated with the original LulzSec collective from 2011, which was primarily composed of members from the US and UK.
SH7 G4NG projects itself as a cyber resistance group rooted in Islamist ideological narratives. Their communications and operations exhibit consistent anti-Israel, anti-India, and anti-Western rhetoric, while aligning themselves with broader pro-Palestinian and Islamic hacktivist causes.
While much of their messaging is distributed via Telegram and archived on platforms like Z***-*, the group has adopted a strategy of maintaining an elusive online presence - cycling through aliases, identities, and visual motifs. Their ecosystem spans dark web portals, Telegram propaganda hubs, and short-lived accounts across social platforms.
Over time, this group has evolved from symbolic messaging to more structured defacement campaigns and coordinated ideological alliances. The following sections trace the technical, social, and geopolitical dimensions of this threat actor, unpacking their infrastructure, affiliations, and regional signals in detail.
Initial Discovery and Infrastructure Mapping
The investigation began with the manual identification of a hidden service URL believed to be operated by LulzSec Muslims:
http://7*****************************************************d.onion/
This site, discovered independently by the analyst and later verified through StealthMole’s Darkweb Tracker, served as a critical pivot point. Upon running the onion URL through the platform, four linked Telegram channels were surfaced, including the now-defunct @L**********4 and the currently active @L***********d, which later rebranded to SH7 G4NG.
These channels formed the foundation of the group’s propaganda and announcement infrastructure, often used to post about successful defacements, ideological messages, and alliances. The darkweb site itself appeared rudimentary but functional, with content that echoed the same themes found in their Telegram activity: Islamic resistance, anti-Israel and anti-India narratives, and digital martyrdom.
Through further analysis of the site’s source, a Telegram message ID string was recovered, which redirected to @L*************4, confirming the operational linkage between the dark web infrastructure and their Telegram presence. Although that channel is no longer active, its role in centralizing early messaging efforts was clear.
Within the pages of this site, one actor name stood out prominently: m*****y, mentioned as the administrator. The handle appeared alongside titles like “Admin” and was associated with updates and guidance posted on the platform. While little is known about m*****y’s full identity, the recurring use of their name across both Telegram and the onion site suggested backend management or a senior operational role.
Later, an account under the handle @R*******0 was flagged in StealthMole and linked back to this same .onion domain, adding another name into the periphery. Although the exact relationship remains speculative, the linkage supports a shared ecosystem between R*****f and SH7 G4NG’s infrastructure.
This cross-platform mapping, from Telegram handles and darkweb sites to backlinked HTML traces, provided the first reliable contour of SH7 G4NG’s digital footprint and exposed their adaptive, decentralized infrastructure model.
Operational Evolution: Personas, Handles, and Messaging Layers
SH7 G4NG operates under a rotating set of aliases and channel identities. The original Telegram handle @L*********4 (channel ID: 2*********6) was the earliest known broadcast node linked to the dark web site. Over time, this channel transitioned to @L************d, which itself was eventually renamed SH7 G4NG in early January 2025. The currently active Telegram channel (ID: 2*******8) was created during this transitional phase.
This pattern of rebranding and channel turnover reflects a broader operational strategy focused on evasion and continuity. Each new iteration retains recognizable stylistic elements, logos, slogans, and visual themes, while shifting usernames and identities to escape takedowns.
The group employs several known personas:
- K*****u: Currently listed as an admin in the SH7 G4NG channel.
- L*****y: An older alias appearing in messages from 2023.
- m*****y: Website administrator name found on the dark web portal.
Notably, these personas are often drawn from pop culture, especially anime references (e.g., L*****y and K*****u from ****e *****e), which helps cultivate a countercultural identity while masking real-world affiliations.
The group has also cycled through different Telegram branding schemes, including “Team:***e e,” before standardizing around “SH7 G4NG.” In July 2024, they declared that all their operations would be logged on Z***-*, solidifying a more permanent archive strategy that would survive channel bans.
Despite the aesthetic rebranding, the group's ideological tone has remained consistent, rooted in Islamic resistance themes and anti-establishment narratives. These shifting names, personas, and branding strategies serve a dual purpose: enabling persistence across platforms while creating layers of misattribution and confusion for investigators.
Ideological Positioning and Adversarial Targeting
SH7 G4NG operates from a deeply ideological foundation rooted in pan-Islamist activism and anti-Zionist narratives. Their operations are not financially motivated, but are instead aimed at amplifying symbolic resistance against geopolitical adversaries through digital means.
The group consistently frames its cyber defacements as a form of retaliation, symbolic acts of vengeance for what they describe as crimes against Muslims globally. These themes are visible in nearly all of their digital assets, from Telegram messages and channel banners to archived defacements on Z****-*.
Primary adversarial targets include:
- Israel: The central focus of their rhetoric and digital aggression. SH7 G4NG has positioned itself as a supporter of the Palestinian cause, with multiple messages referencing Hamas, Al-Qassam, and slogans like “Free Palestine.”
- India: Regularly targeted due to its pro-Israel foreign policy stance. SH7 G4NG frequently applies labels such as “Zionist ally” and “Cow Slaves” to India and has defaced multiple Indian websites in response to geopolitical events.
- The West: While less frequently attacked, countries such as the US, UK, and France appear in the group’s broader ideological discourse, framed as symbols of Western imperialism and complicity in Muslim oppression.
- Moderate Arab regimes: Occasionally criticized for “betraying Palestine” or collaborating with Israel, though not usually the subject of direct cyber attacks.
SH7 G4NG uses Quranic phrases, martyrdom references, and black-banner symbolism throughout its communications, often mimicking the visual language of more extreme Islamic propaganda, though they stop short of publicly aligning with recognized terrorist groups.
Their defacement messages often include phrases like “Hacked by SH7 G4NG” and “Free Palestine,” framed with visuals designed to provoke fear and assert ideological dominance. These are uploaded to archival platforms like Z****-* and G********b to maximize visibility and preserve a public log of their operations.
This ideological consistency is crucial to the group’s narrative: they portray themselves not merely as hackers, but as digital warriors within a global struggle. This posture has enabled them to attract sympathizers, forge alliances, and build an identity that goes beyond conventional cybercrime.
Alliances and Regional Affiliations
SH7 G4NG does not operate in isolation. Rather, it thrives within a loosely connected network of ideologically aligned hacktivist entities. Analysis of Telegram messages, Z***-* submissions, and shared propaganda reveals recurring collaboration, endorsement, and cross-posting with other groups that espouse similar Islamic cyber resistance narratives. These alliances both bolster SH7 G4NG’s visibility and expand its operational ecosystem.
G**** C**** **********a (******)
G***** C**** ********a, identified by its Telegram handle @l*********h, is one of the more frequently promoted ideological allies of SH7 G4NG. The groups have shared each other’s content and expressed symbolic alignment, especially in the use of Islamic imagery and anti-India/anti-Israel rhetoric.
However, there is no direct evidence of joint defacement campaigns or shared infrastructure. Therefore, this relationship is best characterized as a symbolic and ideological alliance, not an operational one. This connection has reinforced speculation around SH7 G4NG’s symbolic affinity with **********n hacktivist circles, even though operational behavior suggests stronger N****h A********n roots, particularly *********n.
H********1
H*******1 is another group promoted by SH7 G4NG through Telegram forwards and alliance graphics. While the depth of this partnership remains unclear, their joint appearances in pro-Hamas and anti-India messaging suggest a shared narrative framework, if not coordination.
A***********s ******a
Though mentioned less frequently, A**********s *******a was highlighted in one alliance image published by SH7 G4NG. The ideological alignment, anti-Western, pan-Islamist, and activist-driven, likely underpins this alliance. However, no joint operations or linked infrastructure have been confirmed between the two.
S*******t (Group)
SH7 G4NG has explicitly stated an alliance with a group labeled S******t (not to be confused with the historic malware campaign). This “S*******t” is presumably a regional cyber actor or cell with Islamic affiliations. While their capabilities and scope remain ambiguous, SH7 G4NG has framed them as part of its cyber resistance bloc.
K** Team
K** Team appears in multiple posts cross-promoting SH7 G4NG activities, often forwarding messages from their Telegram channel. In at least one message, the sign-off included the phrase “From K** Team Leader,” suggesting a collaborative or promotional relationship. However, K** Team content also features unrelated groups, so it is more likely that K** Team operates as a propaganda amplifier rather than a formal affiliate.
N*******7(**)
In early 2025, SH7 G4NG publicly declared an alliance with N*******7(**), a prominent Russian-aligned DDoS collective known for conducting disruptive attacks against pro-Western infrastructure. The announcement came in the form of a Telegram post with a banner showing the logos of both groups alongside a handshake emoji, a symbolic but bold endorsement.
The ideological alignment between the two groups is limited: SH7 G4NG operates under pan-Islamist narratives, while N*******7(**) supports Russian geopolitical interests. Their mutual hostility toward Western, pro-Israel governments and institutions appears to form the basis of their cooperation. This kind of cross-ideological tactical alignment is rare and suggests SH7 G4NG’s growing maturity in strategic communication and coalition-building.
So far, no confirmed joint operations or shared infrastructure have been observed, but this public alignment hints at possible future campaign amplification, particularly through coordinated messaging or reciprocal signal boosting across Telegram. It also demonstrates SH7 G4NG’s interest in forging connections beyond the Islamic hacktivist sphere, tapping into the broader anti-Western cyber threat landscape.
Defacement Archives: Z***-* Mirrors
In July 2024, SH7 G4NG announced that all their future operations would be logged via Z***-*, specifically referencing the defacement handle SH7 G4NG. Independent verification through StealthMole’s Darkweb Tracker identified archived pages on z**********s domains where SH7 G4NG signatures were submitted under campaigns such as “Pwned by SH7 G4NG” and “Free Palestine.” These mirrors often included joint tags with groups like G**** C*** ********a or regional shoutouts, strengthening the perception of an active alliance web.
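As an added example (not part of the original report or of StealthMole's tooling), a site owner could check their own pages for the defacement signatures quoted in the targeting section and in the mirror descriptions above. The marker weights, alert threshold, leetspeak folding and both sample pages are assumptions constructed for illustration.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Phrases quoted in this report; weights and threshold are assumptions.
MARKERS = {
    "Hacked by SH7 G4NG": 3,
    "Pwned by SH7 G4NG": 3,
    "LulzSec Muslims": 2,
    "Free Palestine": 1,  # also a common slogan, so weak on its own
}
ALERT_THRESHOLD = 3
LEET = str.maketrans("013457$@", "oieastsa")

# Constructed sample pages (not real captures).
DEFACED = ("<html><head><title>H4ck3d by&nbsp;SH7 G4NG</title></head>"
           "<body><h1>Fr33 <b>Palestine</b></h1></body></html>")
NEWS = '<html><body><p>Protesters chanted "Free Palestine".</p></body></html>'


def fold(text):
    """Lower-case, undo common leetspeak, collapse everything else to spaces."""
    text = unicodedata.normalize("NFKC", text).lower().translate(LEET)
    return re.sub(r"[^a-z]+", " ", text).strip()


class TextOnly(HTMLParser):
    """Collects text nodes so markup and entities cannot hide a phrase."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def score_page(html_text):
    """Return matched markers, their summed weight and the alert decision."""
    parser = TextOnly()
    parser.feed(html_text)
    parser.close()
    folded = " " + fold(" ".join(parser.parts)) + " "
    hits = [m for m in MARKERS if " " + fold(m) + " " in folded]
    score = sum(MARKERS[m] for m in hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


if __name__ == "__main__":
    print(score_page(DEFACED))
    print(score_page(NEWS))
```

Folding both the markers and the page text the same way is what lets the leetspeak group name match obfuscated variants, while the slogan alone stays below the alert threshold.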
Signal Boosting in the Criminal Ecosystem
While SH7 G4NG primarily identifies as an ideologically motivated hacktivist group, their presence has also begun to surface in non-ideological criminal circles, particularly among dark web drug dealers and poison peddlers operating on marketplaces like G*******b.
Multiple posts advertising cocaine, amphetamines, and synthetic poisons made casual or explicit references to the Telegram group @l*************p, a private chat linked to the public SH7 G4NG propaganda channel. In several instances, these vendors encouraged prospective buyers to join the group, either to "stay safe" or "connect with trusted admins."
While there is no clear indication that SH7 G4NG themselves are engaged in drug trafficking, this recurring reference across illicit commerce platforms suggests one of several possibilities:
- Informal reputational alignment: Vendors may be borrowing the group’s name and imagery to convey credibility or threat-level, similar to how darknet vendors invoke names like Anonymous for branding.
- Shared infrastructure or cross-admin overlap: A more serious hypothesis is that some admins or channel moderators of SH7 G4NG maintain dual roles, contributing to ideological campaigns while facilitating or tolerating illegal trade within peripheral sub-channels.
- Tactical alliances: A hybrid theory is that SH7 G4NG offers channel protection or hosting privileges in exchange for passive signal boosting, allowing vendors to operate under their branding umbrella.
What is clear, however, is that the group's Telegram channels have become reference points in wider criminal conversations, extending their digital footprint into unexpected domains. Whether intentional or opportunistic, this kind of referencing contributes to SH7 G4NG’s perceived credibility, both as an ideological actor and, in some circles, as a shadowy digital gatekeeper.
Conclusion
SH7 G4NG, emerging from the ideological shell of "LulzSec Muslims", represents a distinct evolution in modern hacktivist ecosystems: decentralized, symbolically potent, and strategically fluid. By borrowing the branding of legacy threat groups like LulzSec and merging it with Islamic resistance rhetoric, they have built a hybrid identity that resonates across ideological, cultural, and even criminal spaces.
Their operations do not rely on technical sophistication, but rather on persistent messaging, alliance-building, and symbolic defacement campaigns that target high-visibility adversaries such as Israel and India. Their activity on platforms like Z****-*, G*****b, and Telegram shows a pattern of low-cost, high-noise disruptions meant to amplify ideological agendas while evading attribution through continuous channel migrations and evolving aliases.
Geographically, while SH7 G4NG has used **********n flags and promoted S**t A allies, multiple signals, including ******-language posts, anti-colonial slogans, and alliance patterns, point toward a N****h *********n operational base, possibly ********a. This regional ambiguity may be deliberate, allowing them to tap into multiple ideological geographies while maintaining plausible deniability.
What makes SH7 G4NG especially notable is their cross-domain presence: not only in hacktivist campaigns, but in digital spaces frequented by poison sellers and cocaine dealers, where their Telegram channels are cited or promoted. Whether this reflects exploitation of their brand or hidden overlaps in infrastructure, it highlights the group’s expanding digital footprint, one that straddles ideological activism and the criminal underworld.
SH7 G4NG does not currently present a national security-level threat. However, their growing alliances, persistent propaganda strategy, and symbolic targeting of geopolitical flashpoints (e.g., Palestine and Israeli alliances) mark them as a rising actor of concern in the realm of narrative cyber warfare.
Editorial Note
While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations is rarely absolute. The connections drawn here are based on a combination of open-source intelligence and data sourced through StealthMole’s platform. As such, all findings should be viewed as probabilistic assessments, subject to change as new evidence emerges.
Beyond attribution, this report aims to highlight how StealthMole’s integrated toolkit, including the Dark Web Tracker, Telegram Tracker, Combo/ULP Binder, and Compromised Data Set, enables intuitive and efficient threat actor profiling. By correlating aliases, infrastructure, and behavior across fragmented ecosystems, the platform empowers analysts to transform raw signals into actionable intelligence.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com