Executive Summary
During routine monitoring of the cyber threat landscape in Southeast Asia, the Arctic Wolf Labs team came across a relatively recent Indonesia-based hacktivist collective calling themselves “INDOHAXSEC” that has been active within this region.
Over the last couple of months this group has conducted cyberattacks such as distributed denial-of-service (DDoS) attacks and ransomware deployments against numerous entities and governmental bodies within this geopolitical region, utilizing a mixture of their own custom tooling and tools collected from the wider Internet.
Largely politically motivated, but also occasionally financially driven, this collective maintains GitHub, Telegram and social media accounts on the surface web with a seeming disregard for operational security in favour of notoriety and goal-driven impact.
What is Hacktivism?
Hacktivism has been around in one form or another since at least the late 80s and has evolved as the digital reach of the Internet has grown. Typically conducted by individuals as a form of online protest in support of political, ethical, or social causes, it usually involves website defacements, cyberattacks, denial of service (DoS), data leaks and more, conducted against government or corporate entities they deem responsible for whatever cause they support.
Who are INDOHAXSEC?
According to their posts via the group’s Telegram channel, INDOHAXSEC originated within Indonesia and was officially established in early October 2024. Typical attacks by the group include website defacements, DDoS attacks, ransomware deployments and hack-and-leak operations. The group uses these tactics both as a form of protest against numerous entities and countries spread throughout the region, and to advance their own political ideologies and objectives.
Investigations into many of their latest activities reveal a group that appears to be largely motivated by pro-Palestinian sentiments and religious ideology, as the group frequently targets entities perceived as supporting Israel. Additionally, one month after they started operations, INDOHAXSEC announced an alliance with the known pro-Russian hacktivist group NoName057(16), which had itself quite recently begun forming partnerships with other hacktivist groups with anti-Western agendas.
While this collaboration suggests a potential broadening of INDOHAXSEC’s ideological scope, there has been little activity since to indicate growth of this relationship.
While this group is relatively new to the cyber threat landscape, various members have been previously associated with other hacktivist groups within this region, such as AnonBlackFlag, Hacktivists Indonesia, PaluAnonCyber, KUNINGAN EXPLOITER, CIPINANG BL4CK, FoxCrack-ID, HIZBULLAH CYB3R TEAM, Esteem Restoration Eagle and QLAVER XPLOIT SECURITY.
More recently, the goals and focus of INDOHAXSEC appear to have changed, shifting to include a more nationalistic and politically motivated agenda. The group has been observed launching cyberattacks against entities they believe have acted against their core interests and beliefs related to Indonesia.
Toolkit
INDOHAXSEC maintain a GitHub repository containing their custom tooling along with a link to their official group Telegram account.
Based on monitoring of their “contributions” page, most activity is clustered around the timeframe from when the group was initiated in October 2024.
Their repository contains a variety of malicious scripts and tools authored in various programming languages, most of them rudimentary in nature and designed for a range of basic nefarious purposes, including the previously mentioned DDoS attacks, the defacing of websites, and assorted basic cyberattacks.
Name | Type | Description |
---|---|---|
Ark-Cheat-Detector | Batch file and PHP | A forked and modified repository for detecting cheats related to ARK: Survival Evolved. INDOHAXSEC has modified the repository to include “white.php,” a PHP dropper used to download a multipurpose PHP backdoor called Avaa Bypassed from GitHub user @thinhcmd. |
NUKLIR | Python | A collection of DDoS tools available in both Python and Node.js formats for launching attacks against specified targets. |
RUDAL | Python | RUDAL closely resembles NUKLIR but appears to be missing some external dependencies. |
Rudal-shell | PHP | A collection of PHP scripts including backdoors, Exorlock ransomware and other types of tools designed for compromising web servers. |
Xss_Fucker | Python | A compiled Python (.pyc) file designed to scan a given target website for cross-site scripting (XSS) vulnerabilities. |
In addition, various members of the collective maintain their own personal GitHub repositories that contain other tooling, such as the user “fidzxploit,” whose repository was created in early 2025 and includes scripts for the DDoSing and defacing of websites.
Additionally, the group’s TikTok video channel (which comes complete with the motto: “Cyber security is an illusion”) suggests a broad interest in utilizing OpenAI’s ChatGPT tool, specifically for information around the alteration of file permissions and file encryption.
Most notably, the timestamp of the relevant video was one day prior to the GitHub commit history timestamps of the “website destroying malware” called “Dancokware.” On TikTok, we found a short demo video of this malware posted by a user with the handle @akunthisiadi, captioned “MALEWARE DANCOKWARE! A new PHP code made by FidzXploit from INDOHAXSEC TEAM… This code is capable of encrypting all files on a website, both the contents and the file names.” It is highly plausible that ChatGPT was used to make improvements to the original malware, which was “warning.php”. While it is not possible to ascertain this with any degree of certainty, it would not be surprising if this were the case.
Threat actors’ abuse of ChatGPT is not a particularly new development. All kinds of cybercriminals have already begun to dive headlong into the use of ChatGPT and other AI-driven tooling to assist with various facets of malicious activity, from crafting legitimate-sounding phishing emails to debugging and code rewriting. This lowers the barrier to entry for such activities and increases the potency of a potential attack.
In addition, through some historical investigation via “archive.org,” the Internet archive site, it was found that the ExorLock ransomware was written by an earlier iteration of the group when they were active under the name AnonBlackFlag.
In May 2024 a user named CyberKnow on the social platform X (formerly known as Twitter) claimed that Exorlock had been used against an Indian website during India’s elections.
Telegram and Social Media
Like many malicious entities today, INDOHAXSEC maintain a Telegram channel which has over 4,000 subscribers. They primarily use this channel for communication, coordination and propaganda. The platform’s minimal use of moderation, large group chat capabilities and ability to broadcast a user’s messages to a wide audience make it an ideal tool for spreading non-mainstream narratives and organizing illicit activities. Unlike some of the more mainstream social media platforms that actively moderate content, Telegram has historically maintained a hands-off approach, allowing cybercriminals to operate with relative freedom and impunity.
Interestingly, there are several posts within their channel where the group boasts about developing a successor to the infamous WannaCry ransomware that they dubbed WannaCry 2.0. It should be noted that, due to the lack of an available sample for investigation, any code relationship to the WannaCry 2.0 global ransomware attacks of 2017 remains unconfirmed; that particular ransomware strain was previously linked by the Department of Justice (DoJ) to the government-sponsored North Korean hacking team known as the Lazarus Group. It is more likely that the group picked that name to garner attention and ride on the coat-tails of a more notorious cyberthreat group.
The group also claims to have deployed this malware in the wild to target India-based entities such as technology and product engineering firm Solace Infotech Pvt. Ltd. The group boasted of having infiltrated and leaked the company’s phpMyAdmin database of about 200,000 records. That claim is unsubstantiated at this point.
An analysis of the group’s use of hashtags in their Telegram communications provides further insights into their targeting and victims. The following chart breaks down the hashtags most frequently used by the group since October 2024. (Note: The chart excludes any hashtag that includes the group name itself.)
Further analysis of their Telegram communications, specifically focusing on the countries mentioned since the group’s inception, provides more insights into their targeting, with India, Israel and Malaysia receiving most of the mentions.
Figure 13 below shows a visual representation of those countries targeted by the group since October 2024.
As previously mentioned, the group uses social media platforms like TikTok to showcase their activities and spread their message, leveraging the platform’s popularity to attract attention from a wider audience.
More recently, they have turned to X (formerly Twitter) to escalate their tactics by carrying out doxxing campaigns, exposing personal information of Malaysian officials in response to the fatal shooting of an Indonesian migrant worker. On 24 January, officers from the Malaysian Maritime Enforcement Agency (MMEA) opened fire on a boat for allegedly trespassing in the waters of Tanjung Rhu in Selangor state. A 50-year-old migrant was killed and four others were wounded. The incident caused a rare diplomatic rift between the two countries and angered human rights groups and labor unions, and Malaysia has opened investigations into the shooting.
INDOHAXSEC’s apparently retaliatory actions against Malaysian officials suggest that doxxing is becoming part of their operational playbook, specifically targeting government agencies with an emphasis on the Maritime sector.
In response to persistent targeting, the National Cyber Coordination and Command Center (NC4) released an advisory on the heightened cyber threat of “Hacktivist Activities Targeting Malaysia”.
INDOHAXSEC announced on their Telegram channel that they were seeking judicial steps from the Malaysian government in response to the incident. However, in a statement on their Telegram channel on the 20th of February, INDOHAXSEC announced a temporary halt to attacks on Malaysia, citing their intent to avoid interference with ongoing domestic protests in Indonesia. They emphasized their independence from the Indonesian government and warned that if Malaysian hackers launched attacks on Indonesian sites, they were prepared to retaliate, including the potential release of a large Malaysian government database.
How Arctic Wolf Protects its Customers
Arctic Wolf is committed to ending cyber risk with its customers, and when active campaigns are identified we move quickly to protect our customers.
Arctic Wolf Labs has leveraged threat intelligence around INDOHAXSEC activity to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor.
Conclusion
The Indo-Pacific region is a complex landscape of opposing political and religious ideologies which so often clash with one another. Hacktivist groups are a digital extension of this, fuelled by the constantly changing geopolitical landscape and tensions. The cyber operations conducted by INDOHAXSEC against Malaysian entities as described in this report are a typical example of this.
Arctic Wolf is committed to continuing its monitoring of this region for further cybersecurity threats. Politically driven groups like INDOHAXSEC value impact and disruption as their main goals, with few qualms in targeting both private and government entities.
In terms of practicalities, the group has a wide arsenal of tools and malicious cyber weapons at its disposal, utilised to disrupt, deface and cripple those it sees as its enemies. Hardening internet facing assets and maintaining compliance with recognized information security standards are essential to mitigating risks posed by INDOHAXSEC, especially by those organizations and individuals operating within the scope of their previous victimology.
Explore Arctic Wolf’s latest threat research with the 2025 Arctic Wolf Threat Report.
See how Arctic Wolf utilizes security operations to stop threats before they escalate with the Arctic Wolf 2024 Security Operations Report.
APPENDIX 1 – Indicators of Compromise (IoCs)
SHA256 | Filename |
---|---|
cd8a7350b07311f2257eba7ed5d992cf7f00e869461f9a2c3c2003a05bfdcce0 | indohaxsec.php |
9391014b5a567f4821603c97802c38d8f3053469f47533c57bcfdb787fd9cd57 | 404.php |
09092c5061322e3cdc33e3eb4d8379f77ec20ff121acd42b159e87407e421a57 | x.php |
e9a2379991d7ad9f3031c9cd62eab9277b9a2d0179a066b36dd95737182574c8 | masal.php |
3b1cb2248bf6b2c9cb493f6ef226a943042ccd8a5e98f4869c55a4efe0a0f835 | selbaru.php |
ac9b107e35f7a8055bb4a556a1835b824f7b32bbc8af0c05dc67164678f25008 | minishell.php |
464087d09b85c0bbed20e5369264ae21537926da24efca8aed4136c70fe5b1e0 | ihs_ori.php |
eae18c62dbb29bc6749347d410a16b190cb1b2fdaff6d8318ca9ecb5e572391d | GOD.php |
efd85fd28bcf10f32f0ac934ee0e9e71d34a0cbae66ee83abad9a929c3ca91f9 | bocil.php |
9325343e22181eda59efce7b9d6a54c5565c1798337cb42f07a24dbe93f5b117 | ikeh.php |
7fd271225602c021306c68157a2e17ace5f42853b4762c49f4d82ae8a4e2ebe3 | pwssd.txt |
02c3d44ec9a44558f516a5922b09b736c5786d2a675b89b2e86ce8f16e4041b6 | ihs.php |
0c5e744a5aefe6d6d432b85c33f92f2e2beb75af311421806acb550f766dda41 | lock.html |
658f468bc8a762ebef233d284bccb97d64d5b214ea49d9c1cac8b9976ee6c3dc | xss.pyc |
f9a3f810fb81b3a605038d997341223eb6914aed4f13f4d93466906dc83b1942 | rudal1.py, misil.py |
1ba3ce9a93262e82a660b8b566134e08fa9680de8716a2893e4e4617086276f4 | rudal3.py, nuklir.py |
959cce59fc5d15540e348945b0a18516d9afb56b1f21fd2db4ed209e87cf2657 | rudal2.js, Rudal.js |
393bff0edb5c229064ba54343eb38ba1b301246caaa30c20021776c822383bf2 | proxy.txt |
a5c8d558af0e8e3853cdd03be91dc7d915113a291466383005dbe1951809f663 | scrape.py |
49cf4ae0d9ffbfc0ff4918e34b1c5b066e62663eeee6da4d0fa91172850e03d6 | white.php |
a82e254ec16d3505322b487cfa2cc0f9e629ef72a4f474dbae81b1ec5bd7f2c2 | dancokware.php |
b3a7f14df7b52a0acadc02c58d602bd21e28b7968621f9181531d4977e216ba1 | ransomweb.php |
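The following script is an added example, not part of the Arctic Wolf report and not the group’s tooling, showing how a defender can sweep a web root for the IoCs in the table above. It embeds the SHA256 values and filenames from Appendix 1, hashes every file under a directory, and reports hash matches as high confidence and filename-only matches as low confidence (names such as 404.php or proxy.txt are common on legitimate sites and only merit a manual look). The demo web root, its file contents and the placeholder name constructed-sample.php are constructed for the dry run; no real sample is needed to exercise the hash path.

```python
"""Sweep a web root for the INDOHAXSEC IoCs listed in Appendix 1 (added example)."""
import hashlib
import tempfile
from pathlib import Path

# SHA256 -> filename(s), copied from Appendix 1 of the report.
IOC_HASHES = {
    "cd8a7350b07311f2257eba7ed5d992cf7f00e869461f9a2c3c2003a05bfdcce0": "indohaxsec.php",
    "9391014b5a567f4821603c97802c38d8f3053469f47533c57bcfdb787fd9cd57": "404.php",
    "09092c5061322e3cdc33e3eb4d8379f77ec20ff121acd42b159e87407e421a57": "x.php",
    "e9a2379991d7ad9f3031c9cd62eab9277b9a2d0179a066b36dd95737182574c8": "masal.php",
    "3b1cb2248bf6b2c9cb493f6ef226a943042ccd8a5e98f4869c55a4efe0a0f835": "selbaru.php",
    "ac9b107e35f7a8055bb4a556a1835b824f7b32bbc8af0c05dc67164678f25008": "minishell.php",
    "464087d09b85c0bbed20e5369264ae21537926da24efca8aed4136c70fe5b1e0": "ihs_ori.php",
    "eae18c62dbb29bc6749347d410a16b190cb1b2fdaff6d8318ca9ecb5e572391d": "GOD.php",
    "efd85fd28bcf10f32f0ac934ee0e9e71d34a0cbae66ee83abad9a929c3ca91f9": "bocil.php",
    "9325343e22181eda59efce7b9d6a54c5565c1798337cb42f07a24dbe93f5b117": "ikeh.php",
    "7fd271225602c021306c68157a2e17ace5f42853b4762c49f4d82ae8a4e2ebe3": "pwssd.txt",
    "02c3d44ec9a44558f516a5922b09b736c5786d2a675b89b2e86ce8f16e4041b6": "ihs.php",
    "0c5e744a5aefe6d6d432b85c33f92f2e2beb75af311421806acb550f766dda41": "lock.html",
    "658f468bc8a762ebef233d284bccb97d64d5b214ea49d9c1cac8b9976ee6c3dc": "xss.pyc",
    "f9a3f810fb81b3a605038d997341223eb6914aed4f13f4d93466906dc83b1942": "rudal1.py, misil.py",
    "1ba3ce9a93262e82a660b8b566134e08fa9680de8716a2893e4e4617086276f4": "rudal3.py, nuklir.py",
    "959cce59fc5d15540e348945b0a18516d9afb56b1f21fd2db4ed209e87cf2657": "rudal2.js, Rudal.js",
    "393bff0edb5c229064ba54343eb38ba1b301246caaa30c20021776c822383bf2": "proxy.txt",
    "a5c8d558af0e8e3853cdd03be91dc7d915113a291466383005dbe1951809f663": "scrape.py",
    "49cf4ae0d9ffbfc0ff4918e34b1c5b066e62663eeee6da4d0fa91172850e03d6": "white.php",
    "a82e254ec16d3505322b487cfa2cc0f9e629ef72a4f474dbae81b1ec5bd7f2c2": "dancokware.php",
    "b3a7f14df7b52a0acadc02c58d602bd21e28b7968621f9181531d4977e216ba1": "ransomweb.php",
}

# Lower-cased filenames from the table; a name match alone is only a weak indicator.
IOC_FILENAMES = {
    name.strip().lower()
    for names in IOC_HASHES.values()
    for name in names.split(",")
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large uploads are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, ioc_hashes=IOC_HASHES, ioc_filenames=IOC_FILENAMES):
    """Return sorted (relative_path, confidence, indicator) tuples for every hit under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        rel = path.relative_to(root).as_posix()
        if digest in ioc_hashes:
            findings.append((rel, "high", digest))        # content matches a known sample
        elif path.name.lower() in ioc_filenames:
            findings.append((rel, "low", path.name))      # name only; needs manual review
    return sorted(findings)


def build_demo_root():
    """Create a constructed web root for a dry run (no real samples involved).

    Returns (root, extra_hashes): extra_hashes maps the SHA256 of one constructed
    file to the placeholder name constructed-sample.php so the hash path is exercised.
    """
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    (root / "uploads").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")  # benign, no hit
    # Name collides with the IoC table but the content is constructed: low-confidence hit.
    (root / "uploads" / "white.php").write_text("<?php // constructed placeholder ?>\n")
    # Constructed content whose hash is registered below: high-confidence hit.
    sample = root / "uploads" / "constructed-sample.php"
    sample.write_text("<?php // constructed sample, not a real artifact ?>\n")
    extra_hashes = {sha256_file(sample): "constructed-sample.php"}
    return root, extra_hashes


def demo():
    """Run the sweep over the constructed web root and return its findings."""
    root, extra = build_demo_root()
    return sweep(root, ioc_hashes={**IOC_HASHES, **extra})


if __name__ == "__main__":
    for rel, confidence, indicator in demo():
        print(f"{confidence:<4} {rel}  ({indicator})")
```

For a real sweep, call sweep() with the document root of the web server (and any upload or temp directories writable by the web service account) and treat a high-confidence hit as a reason to preserve the file and its timestamps before removing it, since the hash alone says nothing about how it was planted.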