
Ikaruz Red Team – Threat Actor

March 2, 2025

Ikaruz Red Team

Location

Turkey

Date of Initial Activity

2004

Suspected attribution

Hacktivist Group

Government Affiliation

Unknown

Associated Groups

Turk Hack Team, PHEDS

Motivation

Hacktivism

Associated tools

LockBit Ransomware (modified variants including LockBit 3.0)
JellyFish (Medusa) Ransomware
Vice Society Ransomware
ALPHV Ransomware
BianLian Ransomware
8base Ransomware
Cl0p Ransomware

Software

Windows, Linux

Overview

Ikaruz Red Team (IRT) is a politically motivated hacktivist group that has emerged as a significant threat actor in recent months. Known for leveraging ransomware and other disruptive techniques, IRT primarily targets organizations in the Philippines, using these attacks to draw attention to their political causes. This group’s activities have been notable for their focus on high-profile breaches and the co-opting of official imagery and branding to enhance the perceived legitimacy of their actions.

IRT’s recent campaigns have involved using leaked ransomware builders, such as LockBit, to execute attacks against various Philippine entities. These ransomware attacks are not financially motivated but are intended to cause disruption and highlight political grievances. The group’s tactics have included defacements, small-scale Distributed Denial of Service (DDoS) attacks, and ransomware deployments, reflecting a pattern of targeting both government and private sector organizations to maximize impact.

The group’s attacks are part of a broader wave of hacktivist activity in the region, which has seen an increase in politically driven cyber operations. IRT’s affiliation with other hacktivist collectives, such as Turk Hack Team and Anka Underground, further underscores its role in the geopolitical landscape. These affiliations and the use of similar tactics suggest a coordinated effort to undermine regional stability, particularly in the context of rising tensions in the Indo-Pacific region.

One of IRT’s notable strategies involves co-opting the imagery and branding of official government cybersecurity initiatives, such as the Hack4Gov challenge. This tactic serves to mock or obscure their malicious activities behind official-looking logos and imagery, thereby increasing the visibility of their attacks and sowing further confusion. By incorporating these elements into their defacements and social media profiles, IRT aims to blur the lines between legitimate cybersecurity efforts and their own disruptive activities.

Common targets

Ikaruz Red Team (IRT) primarily targets organizations in the Philippines. Their attacks are directed at a range of entities, including:

  • Government Agencies: IRT has targeted various government departments and agencies in the Philippines, including critical infrastructure sectors and government institutions. Notable examples include the Department of Science & Technology and the National Privacy Commission.
  • Private Sector Organizations: The group has also attacked private companies and businesses in the Philippines. These attacks often involve ransomware deployment and data leaks.
  • Cybersecurity and Government Initiatives: IRT has targeted official cybersecurity initiatives and government-sponsored events, such as the Hack4Gov challenge organized by the Philippine Department of Information and Communications Technology (DICT). They co-opted imagery and branding from these initiatives to enhance the visibility of their attacks.
  • Critical Infrastructure: Their attacks extend to critical infrastructure entities, which are essential for the functioning of the country’s economy and public services. This includes sectors such as technology and communications.

Attack Vectors

Phishing

Ransomware

DDoS Attacks

Exploiting Vulnerabilities

Social Engineering

How they operate

IRT’s approach to cyberattacks combines both technical prowess and strategic messaging. Initially known for their web defacements and nuisance attacks, the group has evolved to employ ransomware payloads to further their disruptive objectives. They have utilized modified LockBit 3.0 ransomware payloads, often bundled with custom icons and configurations. This modified ransomware is used to encrypt files across local and networked systems, with encrypted files and ransom notes reflecting IRT’s branding, albeit using default contact information from the LockBit builder. This suggests a primary focus on causing disruption rather than engaging in negotiations typical of more professional ransomware operations.

A significant aspect of IRT’s strategy is their use of cloud storage services for communication and data exfiltration. Variations of their ransomware have employed cloud storage platforms like Dropbox and OneDrive to retrieve and upload malicious payloads, circumventing traditional detection methods associated with web shells and direct HTTP communication.

IRT’s operations are deeply intertwined with their geopolitical motivations. They have targeted various entities in the Philippines, including government and military organizations, as part of a broader wave of hacktivist activity in the region. This targeting aligns with the geopolitical tensions in the Indo-Pacific and reflects the strategic importance of the Philippines. By co-opting official imagery and branding, such as that from the Philippine Department of Information and Communications Technology (DICT) and their Hack4Gov initiative, IRT not only disrupts but also mocks the government’s cybersecurity efforts, further amplifying their political statements.

MITRE Tactics and Techniques

T1071.001 – Application Layer Protocol: Web Protocols
Used for communication and command-and-control operations.
T1071.003 – Application Layer Protocol: File Transfer Protocols
Employed for transferring stolen data and tools.
T1105 – Ingress Tool Transfer
Used to transfer tools and payloads into the target environment.
T1070.001 – Indicator Removal on Host: Clear Windows Event Logs
Used to clear logs to evade detection.
T1566 – Phishing
Techniques used to deliver malicious payloads through social engineering attacks.
T1203 – Exploitation for Client Execution
Exploits vulnerabilities in client applications to execute malicious payloads.
T1098 – Account Manipulation
Modifying or creating accounts to maintain access.
T1040 – Network Sniffing
Used to gather information from network traffic.
T1027 – Obfuscated Files or Information
Techniques to obfuscate payloads and evade detection.
T1553 – Subvert Trust Controls
Exploits trust relationships and certificates to establish malicious communications.
T1078 – Valid Accounts
Use of compromised valid accounts for maintaining access.
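Added defender-side example (not from the original post or the research it draws on): a small Python correlation over constructed sample telemetry that flags a host where a Windows log-clear event (T1070.001: Security Event ID 1102, or System Event ID 104) and proxy traffic to Dropbox/OneDrive domains, the cloud-storage channel described under "How they operate", occur within a short window. The hostnames, timestamps, domain list and one-hour window are assumptions chosen for the illustration.

```python
"""Correlate Windows event-log clearing with consumer cloud-storage egress on the same host."""
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (timestamp, host, source, detail).
# "winevt" detail is an Event ID; "proxy" detail is the destination hostname.
SAMPLE_EVENTS = [
    ("2024-04-08T09:12:00", "ws-17", "proxy", "api.dropboxapi.com"),
    ("2024-04-08T09:14:30", "ws-17", "proxy", "content.dropboxapi.com"),
    ("2024-04-08T09:20:05", "ws-17", "winevt", "1102"),   # Security audit log cleared
    ("2024-04-08T09:21:00", "ws-42", "proxy", "www.example.com"),
    ("2024-04-08T11:00:00", "ws-42", "winevt", "1102"),
    ("2024-04-08T15:30:00", "ws-42", "proxy", "graph.microsoft.com"),  # outside window, not storage
]

# Assumed watch-list of consumer cloud-storage domains (extend for your environment).
CLOUD_STORAGE_DOMAINS = ("dropboxapi.com", "dropbox.com", "onedrive.live.com", "1drv.ms")
# 1102 = "The audit log was cleared" (Security); 104 = log cleared (System, Eventlog source).
LOG_CLEARED_EVENT_IDS = {"1102", "104"}


def is_cloud_storage(host: str) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def correlate(events, window=timedelta(hours=1)):
    """Return (host, clear_time, [domains]) for each log-clear event that has
    cloud-storage traffic from the same host within +/- window."""
    by_host = {}
    for ts, host, source, detail in events:
        t = datetime.fromisoformat(ts)
        rec = by_host.setdefault(host, {"clear": [], "cloud": []})
        if source == "winevt" and detail in LOG_CLEARED_EVENT_IDS:
            rec["clear"].append(t)
        elif source == "proxy" and is_cloud_storage(detail):
            rec["cloud"].append((t, detail))
    hits = []
    for host, rec in by_host.items():
        for tc in rec["clear"]:
            domains = sorted({d for t, d in rec["cloud"] if abs(t - tc) <= window})
            if domains:  # only alert when both behaviours coincide on one host
                hits.append((host, tc.isoformat(), domains))
    return hits


if __name__ == "__main__":
    for host, when, domains in correlate(SAMPLE_EVENTS):
        print(f"ALERT {host} log cleared at {when}; cloud storage traffic to {domains}")
```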

Impact / Significant Attacks

  • April 8, 2024 – Attack on the Department of Science & Technology (DOST), Philippines. This attack led to a breach of critical government infrastructure and prompted an investigation by the National Privacy Commission (NPC).
  • January 2023 – September 2023 – Various ransomware attacks against multiple entities in the Philippines. The ransomware families used included LockBit, JellyFish (Medusa), Vice Society, ALPHV, BianLian, 8base, and Cl0p.
  • September 2023 – Breach of Yakult Philippines Incorporated. This attack was publicly announced on Ikaruz Red Team’s social media and also listed on Cl0p’s data leak site.