
Threat Actor Profile: KryptonSec_My


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Background

Threat actor (TA) KryptonSec_My has been a member of BreachForums since June 18, 2024. The TA has created 32 posts, of which 17 are newly created threads. The TA does not have any reputation score on the forum. In fact, the TA was banned from the forum after posting an advertisement disguised as a data leak (likely sensitive or unauthorized information) with the intention of promoting or selling something, which is against the forum’s rules.

Summary of the Activities and Overall Presence

TA KryptonSec_My has been active on cybercrime forums and is primarily observed sharing databases, documents and government IDs of individuals. The TA has mainly been observed targeting Indonesian government entities and individuals from Indonesia.

The TA’s activities on the nuovo BreachForums are as follows:

| Activity Date | Post Type | Comments |
| --- | --- | --- |
| Feb 25, 2025 | Data | TA shared sensitive documents from the Indonesian Ministry of Religious Affairs |
| Feb 21, 2025 | Database | TA shared a database purporting to be from the Integrated Operations System of the Indonesian National Police |
| Feb 19, 2025 | Database | TA shared multiple documents of individuals from the Boyolali Regency of Indonesia |
| Feb 19, 2025 | Data | TA shared data from Badan Pengawasan Keuangan dan Pembangunan (BPKP), a government body responsible for auditing and supervising financial and development affairs |
| Feb 12, 2025 | Data | TA shared data pertaining to the High Religious Court of Mataram in Indonesia |
| Feb 08, 2025 | Database | TA shared a database containing users of Mojokerto City, Indonesia |
| Feb 07, 2025 | Data | TA shared documents from the Government Agency for the Development of Pancasila Ideology |
| Feb 06, 2025 | Data | TA shared documents from the Bandung City Government, Indonesia |
| Feb 06, 2025 | Data | TA shared documents from the Indonesian National Narcotics Agency BNN (Badan Narkotika Nasional) |
| Feb 06, 2025 | Data | TA shared multiple documents and files from KOMINFO CLOUD (Kementerian Komunikasi dan Informatika), Indonesia’s Ministry of Communication and Informatics |
| Feb 01, 2025 | Data | TA shared ID cards of employees working for Telkomsel, a major telecom provider in Indonesia |
| Jan 28, 2025 | Data | TA shared documents from GoKUPS, Indonesia's Integrated Social Forestry Information System |
| Jan 28, 2025 | Database | TA shared a database from Fort De Kock University, based in Indonesia |
| Jan 24, 2025 | Database | TA shared a database from SMK 3 Perguruan Cikini, an Indonesian vocational high school |
| Nov 29, 2024 | Database | TA shared a database from Dana Pensiun BPK Penabur, a pension fund for the employees of Yayasan BPK Penabur, an educational institution in Indonesia |

The TA was also observed to be involved in website defacements, mainly targeting Indonesian government organizations. Open-source research revealed that the web pages defaced by the threat actor/group usually displayed the banner “hacked by TheSweetNight”, as shown in the screenshots below (Figures 2 and 3).

The TA also referenced ‘TheSweetNight’ in multiple posts on the nuovo BreachForums. One of the posts in which the TA mentioned ‘TheSweetNight’ is shown below.

One of the posts suggests that the TA’s banner handle is related to the “TheSweetNight Malware” referenced by the TA in multiple posts. The malware kit provides the TA with a dashboard to distribute malware, gain initial access to systems/servers, and exfiltrate data.

The dashboard (Figure 5) provided the following abilities:

  • File Explorer

  • Data/File Encryption

  • Camera and Mic Access

  • Network scan

  • Devices List

After a successful scan, the dashboard also provides details of the infected system/server, including its system information (specifications).

The TA was apparently involved in conducting a phishing campaign to disseminate the malware. Their method involved using a mass emailing script to send out malicious PDF files disguised as resumes; these files contained the malicious payload. As demonstrated by the screenshot (Figure 6), the script appears to target multiple government officials with these fraudulent emails.

Other instances revealed that the TA also used “Malware Has Been remove by KryptonSec_My, The Website Is going to be saved” as the banner description.

Information from Open Source

Open-source research also found a HackerOne profile with a similar username, ‘KryptonSec_My’. The profile was created in May 2024. However, the profile has been completely inactive.
