Source Information Reveals TA Kazu’s TTPs for Targeting Organizations, including Government and LEAs

Summary

Cyble Research and Intelligence Labs (CRIL) recently observed a threat actor (TA) known as kazu on multiple English-language cybercrime forums, including DarkForums, persistently offering unauthorized access to, and data stolen from, multiple organizations, primarily government and law enforcement agencies.

This advisory describes the TA's probable tactics, techniques, and procedures (TTPs) based on information gathered by our source about an incident in which the TA stole data from a government organization and released it for sale. The advisory also highlights the general modus operandi (MO) the TA uses to target organizations.

Disclaimer: This advisory is intended only to describe the TTPs; therefore, the name of the targeted organization has been withheld to maintain confidentiality and operational security.

Information from Source

Information from our source revealed the following details about the TA's mode of operation (MO) for gaining initial access to a target:

  • The TA usually uses compromised login credentials obtained via information-stealer malware to gain an initial foothold in an organization, and selects targets for which such stealer logs are already available.

  • Information suggests that, to date, the TA has used user-level credentials to target most organizations.

  • Once they gain initial access to the target organization's environment, usually web portals and panels, they scan that web infrastructure for vulnerabilities and bugs.

  • The TA continues to check the logged-in portals or panels for weaknesses until they can escalate their privileges and extract sensitive databases.

  • The TA believes this method is effective because most organizations secure their external infrastructure better than their internal environment.

TTPs Involving Recent Attack on a Government Organization

  • Information from our source suggests that the TA identified a URL on the targeted government agency's website that used a base64-encoded value to refer to user profile IDs.

    The TA then exploited an IDOR (insecure direct object reference) vulnerability by decoding the value, manipulating the underlying ID, re-encoding it, and sending it back to the target server. The server apparently did not check whether the requester was authorized for the referenced resource, leading to unauthorized access.

    Subsequently, the TA wrote a Python script to automate batch downloading of PDF files from the targeted web server by iterating through a range of numeric profile IDs.

  • To substantiate their claims, the TA also shared a proof-of-concept script with our source. The script constructed a profile identifier (e.g., "a2628230"), encoded it in base64, and appended it to the download URL.

    The script used five concurrent threads to speed up the process, and a filtering mechanism to skip downloading files whose sizes fell between 43.0 and 43.9 KiB (44,032 to 45,055 bytes), likely to avoid irrelevant files that the TA had identified during the reconnaissance stage.
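As an added defensive illustration (not the TA's script and not part of the original advisory), the following Python snippet shows how a review of web access logs could spot the enumeration described above: it decodes the base64 "id" parameter, validates the decoded shape, and flags clients that walk consecutive profile IDs. The log format, URL path, parameter name, and ID shape are assumptions modelled on the advisory's example identifier "a2628230"; the log lines are constructed sample data.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (not from the advisory): one client walks
# consecutive profile IDs via the base64 "id" parameter; another fetches one.
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2025:10:00:01 +0000] "GET /profiles/download?id=YTI2MjgyMzA= HTTP/1.1" 200 45102
203.0.113.7 - - [07/May/2025:10:00:01 +0000] "GET /profiles/download?id=YTI2MjgyMzE= HTTP/1.1" 200 44100
203.0.113.7 - - [07/May/2025:10:00:02 +0000] "GET /profiles/download?id=YTI2MjgyMzI= HTTP/1.1" 200 91233
203.0.113.7 - - [07/May/2025:10:00:02 +0000] "GET /profiles/download?id=YTI2MjgyMzM= HTTP/1.1" 200 88210
198.51.100.4 - - [07/May/2025:10:00:03 +0000] "GET /profiles/download?id=YTI2MjgyMzA= HTTP/1.1" 200 45102
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \d+')
PROFILE_ID_RE = re.compile(r"^[a-z]\d{7}$")  # assumed shape, modelled on "a2628230"

def decode_profile_id(value):
    """Return the decoded profile ID if `value` is valid base64 of the expected shape, else None."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if PROFILE_ID_RE.match(decoded) else None

def find_enumerators(log_text, min_run=3):
    """Map client IP -> sorted numeric profile IDs for every client that
    requested at least `min_run` consecutive IDs (the IDOR-walk signature)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/profiles/download"):
            continue
        for raw in parse_qs(urlsplit(m["path"]).query).get("id", []):
            pid = decode_profile_id(raw)
            if pid:
                seen[m["ip"]].add(int(pid[1:]))  # numeric part after the letter prefix
    flagged = {}
    for ip, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = ordered
    return flagged
```

In production the same check belongs at the application layer: the download handler should verify that the decoded profile ID belongs to the authenticated user before serving the file, which is the missing control the advisory describes.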

Tactics, Techniques and Procedures – MITRE ATT&CK

Tactic                | Technique & Sub-Technique              | ID
Initial Access        | Valid Accounts                         | T1078
Initial Access        | Exploit Public-Facing Application      | T1190
Privilege Escalation  | Exploitation for Privilege Escalation  | T1068

Overview of the Actor’s Forum Activities

The TA kazu joined DarkForums in March 2025 and consistently offered data and illicit access to organizations; however, at the time of reporting, the TA's account on DarkForums was found to have been deleted.

Research revealed that the TA was also active on the now-inactive nuovo BreachForums and currently continues to operate on other cybercrime forums, namely CrackingX and Sinisterly, to offer their illicit goods.

A timeline of the TA's notable activities follows:

  • May 7, 2025: Offered CVs of individuals stolen from a Saudi government agency.

  • May 6, 2025: Offered 152 GB of data allegedly stolen from the Official HR portal of the Senegal Police.

  • April 29, 2025: Offered a database allegedly stolen from the National Tuberculosis Program Management Information System (NTPMIS) of the Government of Nepal.

  • April 23, 2025: Offered exploit code weaponizing a vulnerability allegedly impacting the official website of the Nepal Police.

  • April 18, 2025: Offered unauthorized access to the database of Vidal Health Insurance, an Indian third-party health services management company.

  • April 14, 2025: Offered a database allegedly stolen from the Office of the General Staff of the Bolivian Navy.

Assessment of the Actor & Information

Based on the TA's overall forum activities and feedback from our source, we assess the reliability of the threat actor as C - Fairly reliable.

Based on the artifacts shared by the TA with our source, we assess the overall credibility of the threat actor's claims as 2 - Probably true.


Written by

FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.