Hax.or Drives Indonesia-Focused Attacks; Squidbleed, OXLOADER Threats Emerge

Events tracked: 170
Critical exposure: 58

Summary

Today's threat landscape is defined by a sharp concentration of activity targeting Indonesian government and infrastructure entities, driven primarily by the actor Hax.or. Simultaneously, critical vulnerabilities and novel malware campaigns -- including the decades-old Squidbleed proxy flaw and the OXLOADER loader -- demand immediate defensive attention from security teams globally. The volume of alleged data breaches and leaks, particularly in healthcare and government sectors, underscores a persistent and opportunistic threat environment.

Today's developments

The most significant cluster of activity today centers on Indonesia, which recorded the highest number of victim events. Actor Hax.or is responsible for a substantial portion of these, with 12 events tracked. Specific alleged breaches include incidents against Badan Nasional Penanggulangan Bencana (the national disaster management agency), Kejaksaan Republik Indonesia (the Attorney General's Office), and multiple regional government administrations such as Pemerintah Provinsi Kalimantan Utara and Pemerintah Kabupaten Bantul. This pattern suggests a coordinated campaign against Indonesian public sector digital infrastructure.

Healthcare and government sectors globally remain prime targets. In the United States, an alleged breach affecting former Mayo Clinic patients was reported, alongside a breach claim against Dr. Jeffrey D. Reuben Practice. In Mexico, the Centro Nacional de Trasplantes (National Transplant Center) appears in two separate alleged incidents, one attributed to actor cenfecracked and another to MVP. French targets include Mairie de Paris (Paris City Hall) and the Fédération Sportive de la Police Nationale. A significant alleged breach of Korek Telecom in Iraq was also reported.

Military and defense sectors are under sustained pressure. Multiple alleged incidents target Bangladesh Military assets, attributed to actors Mosad Leaks and mossad, with claims of internal document leaks. The Nigerian Army also appears in an alleged breach by actor Stunxet. In the Philippines, claims involve the Tourism Infrastructure and Enterprise Zone Authority and Clark International Airport.

Industry context from external analysis highlights several urgent technical threats. Researchers disclosed Squidbleed, a 29-year-old heap over-read vulnerability in the Squid web proxy that can leak cleartext HTTP requests, including credentials and session tokens. This flaw, present in default configurations, is described as a Heartbleed-style risk. Separately, a new campaign uses malicious Google Ads to deliver the OXLOADER malware loader, which subsequently deploys the CastleStealer information stealer. The campaign is attributed to a likely Russian-speaking, financially motivated threat actor. A supply chain attack on the Mastra NPM ecosystem, blamed on North Korean hackers, added malicious dependencies to over 140 packages to target cryptocurrency extensions. Finally, a suspected cyberattack in Brazil triggered false emergency alerts through the Civil Defense Alert system, highlighting the potential for kinetic disruption from cyber operations.

Threat landscape signals

The data reveals a pronounced actor concentration, with Hax.or (12 events), Niles in Cyber Threat Intelligence Feeds (10 events), and The Gentlemen (9 events) leading activity. This suggests that a small number of groups are responsible for a disproportionate share of today's events, potentially indicating coordinated campaigns or the release of shared tooling or access. The victim geography is heavily skewed toward Asia-Pacific, with Indonesia (22), the United States (19), and Thailand (15) as the top three countries by event count.

The mix of incident types shows a near-even split between data breaches (40) and defacements (33), with ransomware (25) and DDoS (25) also prominent. The high number of defacements, often a lower-sophistication tactic, may be used by actors like Hax.or for visibility and reputation-building. Security teams should prioritize patching for the Squidbleed vulnerability, review defenses against ad-driven malware delivery (OXLOADER), and monitor for supply chain risks in development environments, particularly those using NPM packages. The persistent targeting of government and healthcare entities demands rigorous access controls and incident response readiness.
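The NPM supply chain recommendation above is the one that translates most directly into a routine check. The following is an added example written for this digest, not code from GrayscaleInsight or from the Mastra project: it diffs two snapshots of an npm `package-lock.json` (lockfile version 2 or 3) and flags newly introduced dependencies, version changes, packages that declare install scripts, and packages resolved from somewhere other than the expected registry. The two lockfile snapshots and every package name in them are constructed placeholders; the `hasInstallScript` and `resolved` fields are the ones npm itself writes into the lockfile.

```python
"""Flag newly introduced or changed dependencies between two npm lockfile snapshots.

Added example for this digest (not GrayscaleInsight's or Mastra's code). The two
lockfiles below are constructed samples; package names and URLs are placeholders.
"""
import json
from typing import Dict, List

TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed "before" snapshot: one direct dependency from the public registry.
BEFORE_LOCK = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"example-lib-a": "^1.0.0"}},
        "node_modules/example-lib-a": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/example-lib-a/-/example-lib-a-1.0.0.tgz",
        },
    },
}

# Constructed "after" snapshot: a patch bump pulled in a nested helper that runs an
# install script, and a scoped package resolved from a non-registry host appeared.
AFTER_LOCK = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"example-lib-a": "^1.0.0"}},
        "node_modules/example-lib-a": {
            "version": "1.0.1",
            "resolved": "https://registry.npmjs.org/example-lib-a/-/example-lib-a-1.0.1.tgz",
        },
        "node_modules/example-lib-a/node_modules/example-helper": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/example-helper/-/example-helper-0.0.1.tgz",
            "hasInstallScript": True,
        },
        "node_modules/@example/extra": {
            "version": "2.0.0",
            "resolved": "https://mirror.example.invalid/@example/extra-2.0.0.tgz",
        },
    },
}


def load_lockfile(path: str) -> dict:
    """Read a package-lock.json from disk (for real use; the samples above are in-memory)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def lockfile_packages(lock: dict) -> Dict[str, dict]:
    """Map install path -> metadata, skipping the root project entry ('')."""
    return {path: meta for path, meta in lock.get("packages", {}).items() if path != ""}


def diff_lockfiles(before: dict, after: dict) -> Dict[str, List[str]]:
    """Paths added, removed, or whose pinned version changed between the snapshots."""
    old, new = lockfile_packages(before), lockfile_packages(after)
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": sorted(
            p for p in new if p in old and new[p].get("version") != old[p].get("version")
        ),
    }


def review_findings(before: dict, after: dict,
                    trusted_registry: str = TRUSTED_REGISTRY) -> Dict[str, List[str]]:
    """Reasons a human should look at each added or changed package."""
    old, new = lockfile_packages(before), lockfile_packages(after)
    delta = diff_lockfiles(before, after)
    findings: Dict[str, List[str]] = {}
    for path in delta["added"]:
        meta = new[path]
        reasons = ["new dependency"]
        if meta.get("hasInstallScript"):
            reasons.append("runs install script")  # preinstall/install/postinstall hook
        if not meta.get("resolved", "").startswith(trusted_registry):
            reasons.append("resolved outside trusted registry")
        findings[path] = reasons
    for path in delta["changed"]:
        findings[path] = [
            f"version changed {old[path].get('version')} -> {new[path].get('version')}"
        ]
    return findings


if __name__ == "__main__":
    for path, reasons in review_findings(BEFORE_LOCK, AFTER_LOCK).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run against two committed copies of a real lockfile by replacing the sample dicts with `load_lockfile(...)` calls; the keying by install path (rather than bare package name) is deliberate, since a malicious version can be nested under another package while the top-level entry of the same name stays clean.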

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
