
Threat Actor Characterization

IndoXploit


ID: 7b4939a8af28c814f0c757bb10f40d3d61533
Hacktivist Group Collective Defacement Crew Hacktivism
Threat types: Defacement, Intrusion, WebShell
Indonesia IDN
Updated: 2026-01-13
Created: 2025-10-17
Progress: 51% Completeness: 52% Freshness: 50%
Operation zone: Indonesia
Aliases
No aliases registered.
MITRE ATT&CK®

IndoXploit — Indonesian hacking/defacement community active since at least 2017. Public indicators include a GitHub org (indoxploit-coders) linked to indoxploit.or.id and the widely documented ‘IndoXploit PHP Shell’ used to compromise LAMP/CMS stacks. Mirrors on Zone-H tie the notifier ‘IndoXploit’ to multiple defacements through 2022.


Technique | Technique name | Tactics | Evidence
T1190 | Exploit Public-Facing Application | TA0001
  • 2017-09-29 — Alert Logic: IndoXploit PHP shell used post exploitation to control CMS on LAMP stacks.
  • 2017-11-20 — Alert Logic: IndoXploit shell suite leveraged to compromise CMS, upload content.
T1491.002 | External Defacement | TA0040
  • 2022-03-27 — Zone-H archive lists multiple mirrors notified by ‘IndoXploit’.
T1585 | Establish Accounts | TA0042
  • 2025 — GitHub org ‘indoxploit-coders’ (verified) linked to indoxploit.or.id (community presence/branding).
Strategic Intelligence
Last updated: 2025-10-17T21:40:34+00:00
IndoXploit - Hacktivist / Defacement Community

CLASSIFICATION: Unclassified / Open Source


Executive Summary

IndoXploit operates as a community/crew with a dual footprint: (1) a development side producing/maintaining the IndoXploit PHP shell (2017), and (2) a defacement footprint visible in Zone-H mirrors (2017–2022). The shell is documented by vendors as post-exploitation tooling on LAMP/CMS stacks, implying a tradecraft path of public-facing app exploitation → webshell drop → content replacement. Confidence: medium (vendor advisories + mirrors + verified GitHub org).

  • 2017-09–11. Alert Logic details IndoXploit PHP Shell capabilities and usage post-exploitation.
  • 2017–2022. Zone-H shows repeated IndoXploit defacement mirrors.
  • 2025. GitHub org “indoxploit-coders” verified; links to indoxploit.or.id.
  • T1190 – Exploit Public-Facing Application. Observed via shell’s intended use on CMS/LAMP.
  • T1491.002 – Defacement (External). Mirrors attributed to IndoXploit notifier.
  • T1585 – Establish Accounts/Presence. Public developer org and site branding. 