{
	"id": "82cc87fd-01f0-4165-8bb8-6638ac4b0b4c",
	"created_at": "2026-04-06T00:19:36.958946Z",
	"updated_at": "2026-04-10T03:26:36.578422Z",
	"deleted_at": null,
	"sha1_hash": "16bc2fe561ab786a478b50b6b064277f9f0aa7ae",
	"title": "Guidance On an Ongoing Hacktivist Operation #Opspatuk Conducted by The Malaysian Hacktivist Threat Group 'DragonForce' Against Indian Organizations | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68108,
	"plain_text": "Guidance On an Ongoing Hacktivist Operation #Opspatuk\r\nConducted by The Malaysian Hacktivist Threat Group\r\n'DragonForce' Against Indian Organizations | FortiGuard Labs\r\nPublished: 2022-06-15 · Archived: 2026-04-02 12:24:34 UTC\r\nThe 'OpsPatuk' operation began on June 6, 2022. That’s when the Malaysian hacktivist group known\r\nas DragonForce began targeting India in retaliation for controversial comments made by a BJP spokesperson. \r\nAt the time of writing, this operation has compromised over 102 websites and continues to list new targets on\r\nvarious social media platforms, including Telegram, Twitter, and their own DragonForce website. \r\nWidely targeted sectors include financial organizations, government entities, and educational institutions.\r\nFortiGuard Threat Research Team has also observed hosting providers being one of their main targets, enabling\r\nattackers to compromise their customers' websites. Additionally, the threat group has also encouraged other\r\nhackers to join the operation. \r\nHacktivism uses computer-based civil disobedience strategies such as hacking to advocate a political agenda or\r\nsocial change on the Internet. While the roots of hacktivism can be traced back to the 1990s, people worldwide\r\nhave recently begun to adopt this strategy on a vast scale, thanks to the expanding age of digitization and the\r\nparadigm shift brought about by the worldwide pandemic. \r\nOur team is proactively monitoring the OpsPatuk event and will release timely updates as events develop. In\r\naddition, the following advisory contains details about the operation and steps that can be taken to mitigate risks.\r\nWhat is #OpsPatuk?\r\n#OpsPatuk, aka Operation Patuk, is an ongoing operation led by a Malaysia-based hacktivist group dubbed\r\n'DragonForce.' 
June 6, 2022, witnessed one of the first activities by the group that framed cyberattacks\r\nas retribution for controversial remarks made by a BJP spokesperson (now suspended). BJP (Bharatiya Janata\r\nParty) is one of India's two major political parties.\r\nWhat are the most common attack vectors observed?\r\nSo far, DragonForce and its supporters have predominantly targeted victims using the following techniques:\r\nDDoS\r\nWebsite defacement\r\nCompromising VPN portals with stolen credentials\r\nTargeting web application vulnerabilities\r\nExploiting the recent Atlassian Confluence vulnerability (CVE-2022-26134)\r\nThe group has also publicly released sensitive information about several organizations on its official website.\r\nhttps://www.fortinet.com/blog/threat-research/guidance-on-hacktivist-operation-opspatuk-by-dragonforce\r\nPage 1 of 4\n\nWho are the targets?\r\nAt the time of writing, FortiGuard Threat Research could identify over 100 Indian websites targeted by the\r\ngroup. They seem to be primarily targeting the government, technology, financial services, manufacturing, and\r\neducation sectors.\r\nWhat steps should an enterprise take to mitigate its risk?\r\nHacktivist groups like DragonForce often respond to specific events and therefore need to be expeditious in\r\nattacking their targets to get their message across as quickly as possible. Due to this time constraint, driven by the\r\nneed to create immediate awareness, they rely on relatively simple but highly visible activities like DDoS attacks\r\nand website defacements. However, we expect other common methods, such as public exploits and stolen\r\ncredentials, will likely be utilized by these groups in the near future.\r\nAs a result, we propose that organization(s) review the following recommendations for mitigating the most\r\ncommon attack vectors to further strengthen their response to acts of hacktivism.\r\nCarry out robust threat hunting based on the compromised account. 
Check AV/EDR and SIEM logs to\r\nidentify any malicious activities.\r\nOnce the infected system is identified, isolate the system and perform reimaging.\r\nChange the passwords of compromised users.\r\nNotify users about the activity and inform them to change the passwords on all other public profiles and\r\nenable two-factor authentication wherever possible.\r\nOrganizations should conduct periodic security awareness training, which will help to improve the\r\noperational security of their employees. Such training should ensure that users:\r\nare aware of the risks of online fraud\r\nare aware they should never share OTPs\r\nunderstand the techniques used by malicious actors\r\nare conscious of any suspicious activity on their systems and understand who they should report this\r\nto within the organization\r\nFortinet Protections\r\nAs multiple techniques are being used in this operation to make the quickest and most high-profile impact, the list\r\nof Fortinet protections covers many areas. Customers should assess the risk to their organization and implement\r\nappropriate security controls where needed. Here is a selection of ways Fortinet can help.\r\nDDoS attacks\r\nOrganizations should monitor for spikes in incoming network traffic and scale accordingly to mitigate downtime\r\ncaused by such increases in traffic.\r\nOrganizations can deploy server redundancy and network segmentation proactively, ensuring FortiGate\r\nfirewalls, FortiADC load balancers, and other network devices have all necessary rules/ACLs in place.    
\r\nTo mitigate against large-scale DDoS, ML-enabled FortiDDoS can be employed.\r\nPublic exploits\r\nOrganizations should implement a risk-based vulnerability management process for their IT infrastructure to\r\nensure that critical vulnerabilities and security misconfigurations are identified and prioritized for remediation.\r\nFortiRecon Digital Risk Prevention Service can help organizations gain control and visibility of their attack\r\nsurface before attacks occur.\r\nFortiGate Next-Generation Firewall with FortiGuard IPS can be deployed to ‘virtually patch’ and block\r\nexploits against vulnerabilities before critical systems can be remediated – including against the Atlassian\r\nConfluence RCE vulnerability (CVE-2022-26134) being targeted.\r\nFortiGuard Outlook Alerts enables rapid visibility across your Fortinet estate to identify if you have been\r\nimpacted/protected by 0-day activity such as the Atlassian Confluence RCE vulnerability (CVE-2022-26134).\r\nDeploy FortiEDR on company-managed devices to prevent malware and ransomware based on the\r\nbehavior of malicious files.\r\nWeb application vulnerabilities\r\nFortiWeb Web Application Firewall can be deployed on-prem or in the cloud to secure web-facing services\r\nand APIs as a compensating control for code sanitization deficiencies.\r\nLonger-term, to identify code issues, FortiDevSec and FortiPenTest can be employed to detect flaws in\r\nweb applications before they reach production.\r\nLeaked credentials\r\nTo prevent credential stuffing attacks caused by the inevitability of users reusing passwords across multiple sites,\r\norganizations must enforce Multi-Factor Authentication (MFA) for all logins.\r\nFortiToken can provide MFA for your FortiGate SSL-VPN and, when combined with FortiAuthenticator,\r\ncan deliver MFA-enabled Single Sign-On for all your applications.\r\nTo 
prevent credential stuffing into your web applications, enable credential stuffing defense on your\r\nFortiWeb Appliance or Cloud service and use FortiRecon External Attack Service Management to identify\r\nuser credential risks to your organization.\r\nUser awareness\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user\r\nawareness and vigilance to phishing threats and to train and reinforce proper practices when users\r\nencounter targeted phishing attacks.\r\nWe also suggest that organizations have their end users undergo our free NSE training: NSE 1 –\r\nInformation Security Awareness. It includes a module on Internet threats designed to help end-users learn\r\nhow to identify and protect themselves from various types of phishing attacks.\r\nAttack remediation and incident response\r\nFortiGuard Incident Response Services deliver critical services before/during/after a security incident. Our experts\r\narm your team with fast detection, investigation, containment, and return to safe operation.\r\nIOCs\r\nThese threat actors are using multiple techniques to achieve their goals. The known exploits being used include\r\nthe following recently publicized exploits. 
However, organizations are cautioned that this list is expected to grow.\r\nAtlassian Confluence vulnerability CVE-2022-26134 (Outbreak Alert)\r\nJava/Websh.D!tr\r\nHTML/Agent.D71B!tr\r\nW32/Filecoder.1104!tr.ransom\r\nELF/BitCoinMiner.HF!tr\r\nELF/Mirai.A!tr\r\nLinux/Agent.PZ!tr\r\nLinux/CVE_2021_4034.G!tr\r\nRiskware/CoinMiner\r\nAdware/Miner\r\nMSDT Follina CVE-2022-30190 (Outbreak Alert)\r\nWSO2 vulnerability (CVE-2022-29464)\r\nW64/Agent.CY!tr\r\nELF/Agent.AR!tr\r\nELF/BitCoinMiner.HF!tr\r\nJava/Agent.AUJ!tr\r\nJava/Webshell.E!tr\r\nJava/Webshell.0CC4!tr\r\nRiskware/Generic.H2\r\nMalicious_Behavior.SB\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/guidance-on-hacktivist-operation-opspatuk-by-dragonforce",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/guidance-on-hacktivist-operation-opspatuk-by-dragonforce"
	],
	"report_names": [
		"guidance-on-hacktivist-operation-opspatuk-by-dragonforce"
	],
	"threat_actors": [
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775791596,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16bc2fe561ab786a478b50b6b064277f9f0aa7ae.pdf",
		"text": "https://archive.orkl.eu/16bc2fe561ab786a478b50b6b064277f9f0aa7ae.txt",
		"img": "https://archive.orkl.eu/16bc2fe561ab786a478b50b6b064277f9f0aa7ae.jpg"
	}
}