INDOHAXSEC - Introduction to Threat Actor
INDOHAXSEC is an Indonesian hacktivist group known for conducting politically motivated cyber operations and opportunistic attacks targeting government entities, corporations, and organizations across Southeast Asia and beyond, chiefly Israel, India, and Azerbaijan, the latter two being known Israel supporters.
The group went public in early October 2024, a year after the horrific October 7th massacre by the terror organization Hamas, establishing a strong online presence under names such as “INDOHAXSEC TEAM.”
Their campaigns are characterized by large-scale website defacements, DDoS attacks, and data-leak announcements, often framed as acts of protest against political and ideological adversaries. Among their more notable operations is a claimed breach of Nestlé’s internal systems, where they allegedly accessed and leaked over 28,000 corporate credentials in connection with a boycott campaign against Western-aligned companies.
INDOHAXSEC has also declared cooperation with other hacktivist entities, including the Pakistani group Team Azrael (“Angel of Death”), with stated intentions to conduct cyber operations targeting Indian digital infrastructure.
Despite self-promoted claims of developing a web-based “WannaCry-style” ransomware tool, independent verification of such capabilities remains limited, suggesting that the group’s real-world expertise lies primarily in exploiting poorly secured web servers, CMS vulnerabilities, and weak credentials, and that their data-leak operations are likewise built on re-claimed (recycled) leaks.
INDOHAXSEC maintains multiple Telegram channels and social-media presence through which they publicize supposed successful intrusions, recruit collaborators, and disseminate propaganda aligned with nationalist and anti-Western narratives.
The following research sheds light on this collective and explores potential affiliations between the group’s online handles, infrastructure usage, and the broader Southeast-Asian hacktivist ecosystem.
Getting To Know INDOHAXSEC
The group has been active since October 2024, with a few dozen posts on different hacking forums, Telegram, and even a WhatsApp channel where they boast about recent cyber operations against Israel, India, Azerbaijan, and basically anyone who is “against Islam” in their opinion.
They are monetizing and promoting themselves through social media, from Instagram to TikTok, to reach new joiners and to gain sympathy from their audience.
TikTok: https://www.tiktok.com/@indohaxsec
Telegram: https://t.me/Indohaxsec_Team
Instagram: https://www.instagram.com/indohaxsec
GitHub: https://github.com/INDOHAXSEC
Toolkit & Repositories
INDOHAXSEC maintains a public GitHub presence tied to the group’s October 2024 start: the org page and contribution history show most activity concentrated around that timeframe, and the repo README(s) and commits link back to the group’s Telegram. Their GitHub is essentially a surface-web staging area for scripts, droppers, DDoS tooling, and site-encryption code rather than a polished malware farm.
Ark-Cheat-Detector (modified) - a game-related repo repurposed into a web-backdoor delivery mechanism. Low sophistication, but an effective way to hide malicious PHP on web hosts.
NUKLIR (Python / Node.js DDoS collection) - a set of DDoS scripts available in Python and Node.js formats that enable volumetric flooding against specified targets. NUKLIR is functional DDoS tooling (simple to use, widely re-shared) that suffices for hacktivist-style disruption, but it is not advanced tradecraft.
RUDAL & Rudal-shell (Python / PHP) - very similar to NUKLIR but missing some external dependencies. The collection contains PHP backdoors and utility scripts for remote control of compromised web servers (file upload/download, command exec, simple web shells). These artifacts indicate a focus on maintaining web footholds and automating defacement/encryption workflows.
ExorLock (ransom/site-encryptor) - the ExorLock ransomware project was traced back to earlier group iterations (AnonBlackFlag) via archived README files. ExorLock appears in the repository history and was previously claimed to have been used against an Indian target (unconfirmed).
XSS_Fucker (scanner / PoC) - a compiled Python scanner intended to find XSS vulnerabilities at scale. This sort of tooling automates the discovery of trivial web vulnerabilities that can then be weaponized for defacement, session theft, or initial access.
INDOHAXSEC’s toolkit is serviceable but generally of low-to-moderate sophistication. The group reuses public code, forks benign projects and injects PHP droppers/backdoors into them, and packages commonly available DDoS/XSS scanners and simple encryptors.
Their public posture (posting repos and demo videos) shows they favour notoriety and ease of reuse over stealth and rigorous OPSEC.
Hashtags & Focus Areas
An examination of the hashtags appearing in INDOHAXSEC’s Telegram posts offers additional perspective on their targeting patterns and victim selection. The chart below illustrates the distribution of the group’s most used hashtags since October 2024.
Known Collaborations
- NoName057(16)
Nature of alliance: Publicly declared “collaboration” announced via Telegram approximately one month after INDOHAXSEC’s formation.
Profile of partner: Pro-Russian hacktivist collective known for large-scale DDoS operations against Western and NATO-aligned infrastructure.
Assessment: Ideological alignment (anti-Western, pro-Palestinian rhetoric) and publicity cooperation rather than formal, coordinated cyber campaigns.
- Team Azrael (“Angel of Death”)
Nature of alliance: Tactical, event-driven collaboration announced during India-Pakistan cyber tensions.
Profile of partner: Pakistani hacktivist group linked to politically motivated campaigns targeting Indian entities.
Assessment: Typical of hacktivist surge behaviour: a temporary alliance focused on geopolitical flashpoints, with no proof of long-term shared command or infrastructure.
Deep Diving
The username “INDOHAXSEC” is not common, and it is the official name of the group, so this is the starting point. When searching for that username, their Instagram profile popped up.
By using API manipulations, I found the ID of the profile (68343877461) and managed to associate the profile with the registered email address (indohaxsec@gmail.com) and a new username, “K3T0PR4K”. The email address was also shown on the cached website of the group (which has already gone offline), which validates the relation of this email address to the hacking group.
The username itself was found several times in relation to previous cyber-attacks (mostly data leaks, defacements, and DDoS attacks) against India and Israel, exactly as the group targets.
The Email As a Pivot Point
As the username itself provided only superficial evidence, I dug more into the email address itself.
An active Google account (Gmail) was found with a photo of two guys covering their faces with COVID masks; one of them is wearing a hoodie with a code sample on it, and the second wears a hoodie with the logo “SurabayXploit”.
When searching this term, I found that Surabay(a)Xploit (often seen as SurabayaBlackhat / Surabaya Xploit / Barrabravaz) appears to be an Indonesian-language hacking/defacement persona or small collective that publishes exploit code, web shells, and “toolbox” repositories (PHP shells, arbitrary-file-download exploits, short-URL tools, DDoS/scan scripts) on GitHub and related sites - basically a regional exploit/defacement repo hub rather than a sophisticated APT.
Also, the name turned out to be that of an annual event held in Surabaya, Indonesia, that aims to provide a platform for high school and vocational students to channel their interest in information technology. The alternative name mentioned above, “SurabayaBlackHat”, appears in the source code of a hacked website (view-source:https://berkeleyschools.net/B4.html), alongside other related references such as “indonesianblackhat”, “Jakarta Anonymous”, and “Indonesia_Hacker”.
When searching this term, a LinkedIn profile appeared under the name “M.REIHAN FATAHILLAH”, a person from Surabaya, Jawa Timur, Indonesia, who describes himself as doing IT Security and Bug Hunting at Surabaya Xploit; this was the only profile found in this association.
As shown in his LinkedIn bio, he “plays your code with xploit”, and he owns a cyber security community, namely SurabayaXploit.