# Threat Actor Profile: KryptonSec_My

## **Background**

Threat actor (TA) KryptonSec\_My has been a member of BreachForums since June 18, 2024. The TA has created 32 posts, 17 of which are newly created threads. The TA does not have any reputation score on the forum. In fact, the TA was banned from the forum after posting a sales advertisement disguised as a data leak (likely sensitive or unauthorized information), with the intention of promoting or selling something, which is against the forum’s rules.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1741918749568/d1b176ed-d173-47dd-856a-a3f72ec42154.png align="center")

**Summary of the Activities and Overall Presence.** 

TA KryptonSec\_My has been active on cybercrime forums and is primarily observed sharing databases, documents and government IDs of individuals. The TA has mainly been observed targeting Indonesian government entities and individuals from Indonesia.

**The activities of the TA on the nuovo BreachForums are as follows:**  

| **Activity Date** | **Post Type** | **Comments** |
| --- | --- | --- |
| Feb 25, 2025 | Data | TA shared sensitive documents from the Indonesian Ministry of Religious Affairs |
| Feb 21, 2025 | Database | TA shared a database purported to be from the Integrated Operations System of the Indonesian National Police |
| Feb 19, 2025 | Database | TA shared multiple documents of individuals from the Boyolali Regency of Indonesia |
| Feb 19, 2025 | Data | TA shared data from Badan Pengawasan Keuangan dan Pembangunan (BPKP), a government body responsible for auditing and supervising financial and development affairs |
| Feb 12, 2025 | Data | TA shared data pertaining to the High Religious Court of Mataram in Indonesia |
| Feb 08, 2025 | Database | TA shared a database containing users of Mojokerto City, Indonesia |
| Feb 07, 2025 | Data | TA shared documents from the Government Agency for the Development of Pancasila Ideology |
| Feb 06, 2025 | Data | TA shared documents from the Bandung City Government, Indonesia |
| Feb 06, 2025 | Data | TA shared documents from the Indonesian National Narcotics Agency, BNN (Badan Narkotika Nasional) |
| Feb 06, 2025 | Data | TA shared multiple documents and files from KOMINFO CLOUD (Kementerian Komunikasi dan Informatika), Indonesia’s Ministry of Communication and Informatics |
| Feb 01, 2025 | Data | TA shared ID cards of employees working for Telkomsel, a major telecom provider in Indonesia |
| Jan 28, 2025 | Data | TA shared documents from GoKUPS, Indonesia's Integrated Social Forestry Information System |
| Jan 28, 2025 | Database | TA shared a database from Fort De Kock University, based in Indonesia |
| Jan 24, 2025 | Database | TA shared a database from SMK 3 Perguruan Cikini, an Indonesian vocational high school |
| Nov 29, 2024 | Database | TA shared a database from Dana Pensiun BPK Penabur, a pension fund for the employees of Yayasan BPK Penabur, an educational institution in Indonesia |

The TA was also observed to be involved in website defacements, mainly targeting Indonesian government organizations. Open-source research revealed that the web pages defaced by the threat actor/group usually displayed the banner “hacked by TheSweetNight”, as shown in the screenshots below (Figures 2 and 3).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1741918801862/2535251b-ff7f-4179-b350-48bf64a4b203.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1741918819885/b6bf0844-ecb5-46e0-8b23-aeed70aa37c1.png align="center")

The TA also referenced ‘TheSweetNight’ in multiple posts on the nuovo BreachForums. One of the posts in which the TA mentions ‘TheSweetNight’ is shown below.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1741918860970/2e0273ca-bd4e-49f4-a328-76d509ed6cbd.png align="center")

One of the posts suggests that the TA’s banner handle is related to the “TheSweetNight Malware” referenced by the TA in multiple posts. The malware kit provides the TA with a dashboard to distribute malware, gain initial access to systems/servers and exfiltrate data.

The dashboard (Figure 5) provides the following capabilities:

* File Explorer
* Data/File Encryption
* Camera and Mic Access
* Network Scan
* Devices List

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1741918900728/119ab925-ae3d-4d12-8a05-a4d4c74c2c96.png align="center")

After a successful scan, the dashboard also provides details of the infected system/server, including its system information (specifications).

The TA was apparently involved in conducting a phishing campaign to disseminate the malware. Their method involved using a mass-emailing script to send out malicious PDF files disguised as resumes; these files contained the malicious payload. As the screenshot (Figure 6) shows, the script appears to target multiple government officials with these fraudulent emails.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1741918920241/e265a65d-a39a-4336-a5f4-d96f23440fdf.png align="center")

Other instances revealed that the TA also used “Malware Has Been remove by KryptonSec\_My, The Website Is going to be saved” as the defacement banner text.

## **Information from Open Source** 

Open-source research also found a HackerOne profile with a similar username, ‘KryptonSec\_My’. The profile was created in May 2024 but has been completely inactive.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1741918991220/638bc2a1-2ff5-42ba-b50b-40cd996eac71.png align="center")
