INDOHAXSEC Indonesian Hacking Collective | Arctic Wolf

The article covers the activities of INDOHAXSEC, an Indonesian hacktivist group that has been conducting cyberattacks, including DDoS and ransomware attacks, motivated largely by political beliefs and aimed in particular at entities it associates with Israel and Malaysia. The group uses custom tools and social media for coordination and propaganda. Affected: entities in Indonesia, Malaysia and Israel, and Indian websites.

Key points:

  • INDOHAXSEC is a newly formed hacktivist group from Indonesia, established in October 2024.
  • It engages in DDoS and ransomware attacks against governmental and private entities in the region.
  • The group has pro-Palestinian motivations and often targets organizations it perceives as supporting Israel.
  • INDOHAXSEC collaborates with the pro-Russian hacktivist group NoName057(16) to extend the reach of its ideological agenda.
  • Its tools are published in a GitHub repository and consist of various rudimentary scripts for cyberattacks.
  • It has launched doxxing campaigns in retaliation for geopolitical tensions, notably against Malaysian officials.
  • Arctic Wolf Labs monitors the group and uses the resulting threat intelligence to protect its customers.
  • The group's activities are promoted heavily via Telegram and TikTok.
  • Despite being new, INDOHAXSEC amplifies its operations by pairing its tooling with widely used social platforms.

MITRE ATT&CK techniques:

  • TA0040: Impact – the collective's objectives often include disrupting the services of targeted entities (DDoS), alongside web defacement (T1491: Defacement) and ransomware deployment (T1486: Data Encrypted for Impact).
  • TA0042: Resource Development – GitHub is used to host the group's custom tools and scripts.
  • TA0011: Command and Control – Telegram is used to coordinate and execute attacks.
  • TA0010: Exfiltration – the group claims to leak data from infiltrated organizations, such as a phpMyAdmin database (reported as T1041: Exfiltration Over Command and Control Channel).
  • T1071: Application Layer Protocol (under TA0011) – the PHP scripts listed as indicators below are operated over HTTP; the defacements and ransomware deployments carried out with them belong to Impact, as above.

Indicators of Compromise:

  • [SHA256] cd8a7350b07311f2257eba7ed5d992cf7f00e869461f9a2c3c2003a05bfdcce0 (indohaxsec.php)
  • [SHA256] 9391014b5a567f4821603c97802c38d8f3053469f47533c57bcfdb787fd9cd57 (404.php)
  • [SHA256] e9a2379991d7ad9f3031c9cd62eab9277b9a2d0179a066b36dd95737182574c8 (masal.php)
  • [SHA256] ac9b107e35f7a8055bb4a556a1835b824f7b32bbc8af0c05dc67164678f25008 (minishell.php)
  • [SHA256] 658f468bc8a762ebef233d284bccb97d64d5b214ea49d9c1cac8b9976ee6c3dc (xss.pyc)
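The hashes above are file-level indicators, so the practical check is a sweep of web roots and upload directories for files whose SHA256 matches them. The following Python script is an added example written for this page (it is not Arctic Wolf's tooling and not from the group's repository): the five hashes are copied from the list above, while the scan root, the lower-confidence filename heuristic and the sample files used to exercise it are assumptions for illustration.

```python
"""Sweep a directory tree for the INDOHAXSEC file hashes listed above.

Added example for this page, not Arctic Wolf tooling. The hashes are the
five SHA256 values from the IOC list; the scan root and the filename
heuristic are assumptions for illustration.
"""
import hashlib
import os
import sys
from pathlib import Path

# SHA256 -> sample filename, copied from the IOC list above.
INDOHAXSEC_IOCS = {
    "cd8a7350b07311f2257eba7ed5d992cf7f00e869461f9a2c3c2003a05bfdcce0": "indohaxsec.php",
    "9391014b5a567f4821603c97802c38d8f3053469f47533c57bcfdb787fd9cd57": "404.php",
    "e9a2379991d7ad9f3031c9cd62eab9277b9a2d0179a066b36dd95737182574c8": "masal.php",
    "ac9b107e35f7a8055bb4a556a1835b824f7b32bbc8af0c05dc67164678f25008": "minishell.php",
    "658f468bc8a762ebef233d284bccb97d64d5b214ea49d9c1cac8b9976ee6c3dc": "xss.pyc",
}

# Filenames distinctive enough to deserve a look even when the hash differs
# (assumption: a re-edited copy of a script often keeps its name).
# "404.php" is deliberately left out: it is a common legitimate filename.
SUSPICIOUS_NAMES = {"indohaxsec.php", "masal.php", "minishell.php", "xss.pyc"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large uploads are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs=INDOHAXSEC_IOCS, names=SUSPICIOUS_NAMES):
    """Return (path, confidence, reason) tuples for files worth triage.

    "high" means the SHA256 matches the IOC list exactly; "low" means only
    the filename matches a known sample and the content must be reviewed.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # Skip symlinks so the sweep cannot be steered outside the tree,
            # and skip sockets, FIFOs and other non-regular files.
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file: log it separately, keep sweeping
            if digest in iocs:
                findings.append((str(path), "high", f"sha256 matches {iocs[digest]}"))
            elif name in names:
                findings.append((str(path), "low", "filename matches a known sample"))
    return findings


if __name__ == "__main__":
    # Usage: python sweep.py /var/www   (defaults to the current directory)
    for found_path, confidence, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{confidence:<4} {found_path}  ({reason})")
```

Hash matching only catches byte-identical copies; a single edited character in a PHP script changes the digest, which is why the filename heuristic is kept as a low-confidence second signal rather than dropped. A "low" hit is a prompt to read the file, not evidence of compromise on its own.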


Full Story: https://arcticwolf.com/resources/blog-uk/indohaxsec-indonesian-hacking-collective/