CyberXtron
Surge in Hacktivist and Cybercriminal Activity Targeting Indian Organizations

Executive Summary

Ongoing geopolitical tensions involving Iran, Israel, and the United States are driving a rise in cyber activity that poses a growing risk to India’s digital ecosystem. Recent threat intelligence highlights a concentration of attacks against Indian organizations and online services, as regional conflicts spill over into cyberspace and expand the potential threat surface for Indian entities.

Observed activity includes website defacements, Distributed Denial-of-Service (DDoS) attacks, ransomware operations, data theft and leak claims, and repeated attempts to gain unauthorized access to exposed systems. Adversaries are predominantly abusing weaknesses in internet-facing infrastructure such as web servers, government and public service portals, and content management systems to achieve disruption and enable possible data exfiltration.

These operations have affected a wide range of Indian sectors, including government services, education, private industry, financial institutions, religious organizations, and infrastructure-related companies.

Threat Profile

PASKO CYBER REXORA

This hacktivist threat group is involved in mass website defacement campaigns targeting Indian organizations. The group has defaced multiple Indian websites and publicly claimed responsibility for several attacks through Telegram channels. Their targets primarily include educational institutions, NGOs, and private sector companies.

Impact: Website defacement is one of the most common impacts of hacktivist cyberattacks. In this type of incident, attackers gain unauthorized access to a website and alter its content to display political statements, ideological messages, or propaganda. Government and corporate websites are frequent targets, as defacing these platforms allows attackers to attract public attention and amplify their message. Although the modifications are often temporary, they can still cause reputational damage and disrupt normal website operations.

Victims: Bangalore Highgrounds – rotary3191[.]org; Sri Kuvempu Mahavidyalaya First Grade College – skmvkengal[.]org

BABAYO EROR SYSTEM

BABAYO EROR SYSTEM is a hacktivist collective known for conducting website defacement campaigns targeting small and medium-sized organizations and regional entities. The group typically compromises vulnerable web servers and publicly displays ideological or political messages on the affected websites.

Impact: Website defacement activities can disrupt online services and damage the credibility of targeted organizations. By embedding ideological or political messages within compromised websites, attackers aim to spread propaganda and gain public attention. Such incidents may also indicate the presence of unpatched vulnerabilities within the affected systems.

Victims: Multiple small and regional organization websites (reported in defacement monitoring platforms)

INDOHAXSEC

INDOHAXSEC is a hacktivist group observed targeting educational institutions in India through website defacement activities. The group typically exploits vulnerabilities in publicly accessible web applications or administrative panels to gain unauthorized access and alter website content.

Impact: Website defacement targeting educational institutions can interrupt access to academic resources and online services while also damaging the institution’s public reputation. These incidents may also expose underlying vulnerabilities in web applications and administrative systems.

Victims: St Joseph's College Pilathara – stjosephscollege[.]ac[.]in, admin[.]stjosephscollege[.]ac[.]in

Team Insane Pakistan

Team Insane Pakistan is a hacktivist group associated with anti-India cyber activities and has previously conducted cyber campaigns targeting government and organizational websites. The group frequently claims responsibility for attacks through online platforms and messaging channels.

Impact: Website defacement of government portals can disrupt public access to services and create reputational concerns for affected institutions. Such incidents may also highlight security weaknesses in publicly accessible government infrastructure.

Victims: Government of Assam Higher Education Portal – heis-rusa[.]assam[.]gov[.]in

Team Azrael Angel Of Death

Team Azrael Angel Of Death is a hacktivist collective known for targeting organizational websites through defacement campaigns. The group often modifies website content to display group signatures or ideological messages following successful compromise.

Impact: Website defacement can disrupt website availability and harm the public image of targeted organizations. These incidents typically occur when attackers exploit vulnerabilities in web applications or poorly secured administrative interfaces.

Victims: Vidyawan – vidyawan[.]in

LEVSTRESS.SU

LEVSTRESS.SU is a Distributed Denial-of-Service (DDoS)-for-hire platform used by threat actors to launch large-scale traffic flooding attacks against targeted websites. Such platforms allow attackers to overwhelm servers with excessive traffic, resulting in service disruptions.

Impact: DDoS attacks can temporarily disable websites or online services by overwhelming servers with high volumes of malicious traffic. These attacks can disrupt business operations, reduce service availability, and impact user access to online platforms.

Victims: Veegaland Homes – veegaland[.]com

TBDF

TBDF is a hacktivist group observed targeting religious organizations through disruptive cyber activities, including attempts to affect the availability of publicly accessible websites.

Impact: Disruptions to religious organization websites can affect communication channels and online services used by communities and followers. Such incidents may also highlight weaknesses in website security and hosting infrastructure.

Victims: International Society for Krishna Consciousness (ISKCON) – iskcon[.]org

DragonForce Ransomware

DragonForce is a cybercriminal ransomware group known for conducting ransomware and data-extortion operations. The group typically gains unauthorized access to organizational networks, exfiltrates sensitive data, and threatens to publish the stolen information unless ransom demands are met.

Impact: Ransomware attacks involving data exfiltration can lead to exposure of sensitive corporate information, financial losses, and regulatory consequences. Public release of stolen data may also result in reputational damage and long-term operational risks for affected organizations.

Victims: Mumbai-based Indian investment banking company

Attack Details: Claimed exfiltration of approximately 123.6 GB of organizational data; the data was reportedly published on the ransomware leak blog operated by the group.

Targeted Countries

Israel, Iran, USA, and India

Targeted Industries

Government Administration
Education and Academia
Financial Services
Manufacturing
Private Sector Enterprises
Religious Institutions
Construction and Infrastructure
Non-Profit Organizations
Industrial and Mineral Sector

Targeted Applications / Platforms

Web servers and CMS platforms
Government portals
Educational institution websites
Corporate websites
Financial platforms
Public-facing infrastructure portals

Common Vulnerabilities Exploited

Outdated CMS installations
Weak administrative credentials
Unpatched web server vulnerabilities
Misconfigured access controls

Attack Methods

Website Defacement

Attackers exploit vulnerable web applications or CMS platforms to gain unauthorized access and replace legitimate website content with propaganda, political messages, or group signatures using the following techniques:

Exploiting vulnerable plugins
SQL injection
File upload vulnerabilities
Weak credential brute forcing

Distributed Denial of Service (DDoS)

Threat actors utilize botnets or DDoS-for-hire platforms to flood targeted servers with excessive traffic, rendering services unavailable, using the following techniques:

HTTP flood attacks
SYN flood attacks
UDP amplification attacks

Ransomware Attacks

Ransomware groups deploy malware to encrypt organizational systems while exfiltrating sensitive data, using the following techniques:

Initial access via phishing or exploited vulnerabilities
Privilege escalation
Lateral movement across internal networks
Data exfiltration
File encryption and ransom demand

Credential Compromise

Attackers obtain or leak login credentials associated with organizational systems, potentially enabling unauthorized access to internal services and administrative portals, using the following techniques:

Credential harvesting
Password brute force attacks
Credential reuse from previously leaked databases

Data Leak and Extortion

Threat actors publicly claim breaches via Telegram channels or Tor-based leak sites, threatening to release stolen data unless ransom demands are met.

Impact

  • Operational disruption of public websites and services

  • Reputational damage to targeted organizations

  • Risk of sensitive data exposure

  • Financial losses due to ransomware attacks

  • Potential exploitation of compromised infrastructure for further attacks

Onion Leak Site

z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion

MITRE ATT&CK Techniques

Tactic                 | Technique ID | Technique Name
-----------------------|--------------|----------------------------------
Resource Development   | T1588        | Obtain Capabilities
                       | T1583        | Acquire Infrastructure
Initial Access         | T1190        | Exploit Public-Facing Application
                       | T1566        | Phishing
Credential Access      | T1110        | Brute Force
Execution              | T1059        | Command and Scripting Interpreter
Persistence            | T1133        | External Remote Services
                       | T1078        | Valid Accounts
                       | T1505        | Server Software Component
Discovery              | T1046        | Network Service Scanning
Command and Control    | T1105        | Ingress Tool Transfer
                       | T1071        | Application Layer Protocol
Exfiltration           | T1041        | Exfiltration Over C2 Channel
                       | T1567        | Exfiltration Over Web Services
Impact                 | T1486        | Data Encrypted for Impact
                       | T1565        | Data Manipulation
                       | T1499        | Endpoint Denial of Service

Mitigation and Recommendations

Organizations are advised to implement the following security measures to reduce the risk of cyberattacks and minimize their potential impact:

  1. Secure Public-Facing Infrastructure

    • Regularly patch and update web servers, CMS platforms, and plugins; remove unused services.

    • Conduct vulnerability assessments and restrict administrative access to trusted IPs.

  2. Strengthen Authentication Controls

    • Enforce Multi-Factor Authentication (MFA) and strong password policies.

    • Monitor and limit failed login attempts; remove inactive accounts.

  3. Enhance Network and System Monitoring

    • Deploy SIEM systems to detect suspicious activities.

    • Monitor logs for abnormal logins, unusual outbound transfers, and unknown IP access.

  4. Protect Against DDoS Attacks

    • Use DDoS mitigation solutions, CDNs, or WAFs to filter malicious traffic.

    • Configure rate limiting and traffic filtering on web servers.

  5. Secure Data and Prevent Data Exfiltration

    • Encrypt sensitive data at rest and in transit; apply least privilege access controls.

    • Implement Data Loss Prevention (DLP) and monitor for unauthorized data access.

  6. Maintain Secure Backup Practices

    • Keep offline backups of critical systems and databases; isolate them from the main network.

    • Periodically test backup restoration procedures.

  7. Monitor Threat Intelligence Sources

    • Track threat intelligence feeds, forums, and messaging platforms for breach claims.

    • Update defenses based on emerging threats and leaked data.

  8. Incident Response Preparedness

    • Establish and train IT teams on a cyber incident response plan.

    • Preserve logs and forensic evidence; report significant incidents to the relevant authorities.
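Recommendations 2 and 3 above call for limiting failed login attempts and monitoring logs for abnormal access. The following is an added example, not code from the advisory or from CyberXtron, that scans web-server access logs in the default combined format for the two patterns the advisory describes: repeated failed POSTs to CMS login pages (credential brute forcing) and per-IP request rates characteristic of an HTTP flood. The login paths, thresholds, and sample log lines are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Admin/login endpoints of common CMS platforms (assumed list; extend per site).
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php", "/admin/login"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip it rather than abort the whole run
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e

def max_in_window(stamps, window_s):
    # Largest count of sorted timestamps that fall inside any window_s-second span.
    best, start = 0, 0
    for end in range(len(stamps)):
        while (stamps[end] - stamps[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(lines, window_s=60, login_threshold=5, rate_threshold=50):
    """Return (brute_force_ips, flood_ips). A failed CMS login is approximated as a
    POST to a login path that did not redirect (WordPress answers 200 on failure)."""
    per_ip = defaultdict(list)
    for e in sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"]):
        per_ip[e["ip"]].append(e)
    brute, flood = set(), set()
    for ip, evs in per_ip.items():
        fails = [e["ts"] for e in evs if e["method"] == "POST"
                 and e["path"].split("?", 1)[0] in LOGIN_PATHS and e["status"] != 302]
        if max_in_window(fails, window_s) >= login_threshold:
            brute.add(ip)
        if max_in_window([e["ts"] for e in evs], window_s) >= rate_threshold:
            flood.add(ip)
    return brute, flood

def _line(ip, sec, method, path, status):  # builds one constructed sample log line
    return f'{ip} - - [05/Mar/2025:10:00:{sec:02d} +0530] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample traffic: documentation-range IPs, not indicators from the advisory.
SAMPLE_LOG = ([_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(6)]  # 6 failed logins in 6 s
              + [_line("198.51.100.9", s, "GET", "/", 200) for s in range(60)]           # 60 hits within a minute
              + [_line("192.0.2.4", 30, "POST", "/wp-login.php", 302)])                   # one successful login
```

Run `detect(SAMPLE_LOG)` against the constructed sample to see the brute-forcing and flooding sources flagged separately; in production, feed it the real access log and tune the thresholds to the site's normal traffic.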

Conclusion

The recent surge in cyber activity highlights that India's digital infrastructure has emerged as collateral damage, drawing sustained attacks from ideologically driven hacktivists and profit-motivated cybercriminals. Public-facing web servers, government portals, and CMS platforms continue to be prime exploitation vectors, fueling widespread defacements, outages, ransomware incidents, and data breaches across key sectors. These conflict-driven operations carry real consequences: financial losses, reputational harm, and exposure of sensitive data. They demand immediate action. Continuous monitoring, proactive patching, and adherence to cybersecurity best practices remain critical to mitigating these evolving threats and safeguarding organizational assets.
