
Threat Actor Characterization


BadakSecTeam

ID: 9506ebd1236dfd0413701e17a96dee7040651
Hacktivist Group Hacktivism
Threat types: Hacktivism, Defacement, Intrusion
Indonesia IND, IDN, ISR, THA
Updated: 2026-04-08
Created: 2026-03-30
Progress: 89% Completeness: 88% Freshness: 90%
Operation zone: India, Indonesia, Israel, Thailand
Aliases: Badak Sec Team, BADAK SECURITY, Ba*****************, Ba***********
MITRE ATT&CK®

BadakSecTeam is an emerging defacement-oriented cluster associated with repeated public-web compromise and page replacement activity observed in late March 2026.


Technique | Technique name | Tactics | Evidence

T1190 | Exploit Public-Facing Application | TA0001
  • 2026-03-31 — Repeated BadakSec Team defacement outcomes across public websites are consistent with exploitation of exposed web applications or misconfigured public-facing services.
  • 2026-03-27 — INFERENCE (confidence: medium): The observed content-replacement pattern and broad public-web victim set imply compromise of internet-facing applications rather than internal network intrusion.

T1110 | Brute Force | TA0006
  • 2026-03-31 — INFERENCE (confidence: low): Weak administrative credentials are a plausible secondary access path for this kind of low-complexity web defacement, but no direct credential-theft or brute-force telemetry is publicly documented for BadakSecTeam.

T1565.001 | Stored Data Manipulation | TA0040
  • 2026-03-27 — Mirror pages show direct replacement of publicly served web content with BadakSecTeam-branded material, consistent with stored data manipulation through defacement.
  • 2026-03-27 — The phrase 'Hacked By Komodoxploit && T-Rex BadakSecTeam Was Here' visible in mirrored pages supports repeated actor-branded content replacement.

T1580 | Cloud Infrastructure Discovery | TA0007
  • 2026-03-31 — INFERENCE (confidence: medium): The breadth of public-web victimology is compatible with internet-facing service discovery and opportunistic target selection across weak sites.

T1583.001 | Domains | TA0042
  • 2026-04-02 — INFERENCE (confidence: low): Public mirrors and archive visibility suggest use of third-party public hosting/paste resources for mirrored proof-of-compromise pages, but actor-controlled infrastructure is not directly established.

Strategic Intelligence
Last updated: 2026-04-03T15:51:03+00:00

BadakSecTeam — Preliminary Strategic Intelligence

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Cybercrime / Hacktivism / Defacement Cluster — Origin: Unknown; probable Indonesian / Southeast Asian nexus (INFERENCE, confidence: low-to-medium)

Author: iQBlack CTI Team


Executive Summary

BadakSecTeam is a small, recently visible defacement-oriented threat cluster with public archive footprint concentrated around late March 2026. Public evidence supports repeated website compromise and page-replacement activity, carried out under the team label “BadakSec Team” and associated most clearly with the public attacker handles Komodoxploit and T-Rex. The available evidence does not support advanced intrusion, durable persistence, or malware-centric operations.


The current public record suggests an opportunistic, web-facing compromise model focused on speed, scale, and proof-of-compromise visibility. Archive telemetry shows dozens of mirrored defacements across public websites, including multiple Mastodon/fediverse-adjacent domains and at least one Indonesia-labeled educational target. The activity pattern is more consistent with mass web vandalism and archive amplification than with disciplined access operations.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — BadakSecTeam

Classification: Unclassified / OSINT — TLP:WHITE

IOC Appendix
Last updated: 2026-04-03T15:43:58+00:00

IOC Appendix — BadakSecTeam

This appendix summarizes currently usable indicators and behavioral patterns associated with BadakSecTeam. The public evidence base is still shallow and heavily weighted toward defacement archive telemetry rather than incident-response casework. As a result, most entries below are better suited for hunting, enrichment, and external exposure monitoring than for high-confidence blocking.

OSINT Library
Last saved: 2026-04-03T15:44:09+00:00

OSINT Library — BadakSecTeam


2026-03-31 — Zone-Xsec — “Team archive for BadakSec Team”

Social Media & Communication
SOCMINT integrated: 0/2

Address Verification SOCMINT
t.me/+eK************** Restricted Not integrated
t.me/+Xs************** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images / Associated Evidence

Image: Alliance with BD Anonymous