Cyber Threat Actor: Kuroi'SH
| Actor Type | Location | Known Incidents |
|---|---|---|
| Activist | Brazil | 4 incidents |
Profile
Kuroi’SH is a threat actor operating under that alias, with an indicated association to Brazil. The actor has appeared in multiple public incidents targeting a range of sectors, including multinational video services, commercial airlines, major technology firms, and educational institutions. In these operations the actor has stated ideological aims, such as raising awareness of geopolitical tensions, demonstrating the universal vulnerability of online services, highlighting perceived security shortcomings, and expressing support for the Palestinian cause. No explicit financial or espionage objectives have been reported in the available sources.
Observed tactics, techniques, and procedures include DNS hijacking to redirect traffic and display defaced messages, as seen in the compromises of a South Korean airline’s website and Google Brazil’s domain. Web defacement is a recurring theme, with alterations to YouTube video titles, airline homepages, Google Brazil’s homepage, university domains, and, earlier, NASA subdomains. The actor has also claimed administrative control over connected servers and has leaked plain‑text login credentials, including military email addresses, obtained from a university breach. Social media account compromise, specifically the takeover of Twitter accounts belonging to major news outlets, was referenced in relation to the Vevo YouTube incident. No specific malware families or custom tooling are described in the public reports.
Public attribution does not link Kuroi’SH to any state sponsor or criminal consortium; the actor operates independently as far as disclosed information shows. Representative campaigns cited in open sources include the 2018 hijacking of Vevo’s YouTube account where high‑profile music videos were retitled and deleted, the 2017 DNS hijacking of Google Brazil that displayed a defaced homepage and claimed additional compromises, and the 2015 breach of the Uniformed Services University that resulted in the defacement of eight domains and the leakage of military‑related credentials. These examples illustrate the actor’s focus on ideological messaging through service disruption and data exposure rather than profit‑driven motives.
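The two techniques this profile names most often, DNS hijacking and web defacement, both show up to a defender as drift from a known-good baseline: the zone's NS delegation or A records change, or the homepage title and body no longer match the verified copy. The following baseline-drift check is an added example written for this page; it is not code from the page or from any source it cites, and the domain names, addresses and page contents in it are constructed sample data, not records from any real incident.

```python
"""Baseline-drift checks for DNS hijacking and web defacement (added example).

All baseline values and observed snapshots below are constructed sample data.
A real deployment would feed this function the results of periodic DNS lookups
(A and NS records from an independent resolver) and an HTTP fetch of the page.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Alert = Tuple[str, str]  # (severity, message)


@dataclass(frozen=True)
class Baseline:
    """Known-good state for one zone/site, recorded when it was verified clean."""
    a_records: frozenset
    ns_records: frozenset
    homepage_title: str
    homepage_sha256: str


def sha256_hex(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def extract_title(html: str) -> str:
    """Return the <title> text, or an empty string if the page has none."""
    match = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return match.group(1).strip() if match else ""


def check_snapshot(baseline: Baseline, observed_a: Iterable[str],
                   observed_ns: Iterable[str], homepage_html: str) -> List[Alert]:
    """Compare an observed snapshot against the baseline; return a list of alerts.

    An empty list means no drift was detected.
    """
    alerts: List[Alert] = []
    obs_a, obs_ns = frozenset(observed_a), frozenset(observed_ns)

    # A swapped delegation (different authoritative servers) is the classic
    # signature of a registrar-level DNS hijack.
    if obs_ns != baseline.ns_records:
        alerts.append(("critical", "NS delegation changed: expected %s, got %s"
                       % (sorted(baseline.ns_records), sorted(obs_ns))))

    # Traffic now resolving to hosts outside the baseline set.
    unexpected = obs_a - baseline.a_records
    if unexpected:
        alerts.append(("critical", "A records point to unexpected hosts: %s"
                       % sorted(unexpected)))
    missing = baseline.a_records - obs_a
    if missing and not unexpected:
        # Records disappearing without new ones is more likely an ops change
        # than a hijack, so it is only a warning.
        alerts.append(("warning", "Baseline A records no longer returned: %s"
                       % sorted(missing)))

    # Content drift: a changed title is the cheapest defacement indicator;
    # a changed body hash with the same title catches quieter edits.
    title = extract_title(homepage_html)
    if title != baseline.homepage_title:
        alerts.append(("high", "Homepage title changed: %r" % title))
    elif sha256_hex(homepage_html) != baseline.homepage_sha256:
        alerts.append(("medium", "Homepage body changed while title unchanged"))
    return alerts


# Constructed baseline (reserved documentation addresses and .invalid names).
CLEAN_HTML = ("<html><head><title>Example Airline - Book flights</title></head>"
              "<body>Welcome aboard</body></html>")
BASELINE = Baseline(
    a_records=frozenset({"198.51.100.10", "198.51.100.11"}),
    ns_records=frozenset({"ns1.example-dns.invalid", "ns2.example-dns.invalid"}),
    homepage_title="Example Airline - Book flights",
    homepage_sha256=sha256_hex(CLEAN_HTML),
)


def demo_hijack() -> List[Alert]:
    """Constructed snapshot of a hijacked zone: new NS, new A, defaced title."""
    defaced = ("<html><head><title>Defaced page (constructed sample)</title></head>"
               "<body>message</body></html>")
    return check_snapshot(
        BASELINE,
        observed_a=["203.0.113.5"],
        observed_ns=["ns1.other-dns.invalid", "ns2.other-dns.invalid"],
        homepage_html=defaced,
    )


if __name__ == "__main__":
    for severity, message in demo_hijack():
        print(severity.upper(), message)
```

The check deliberately treats NS and A drift differently from content drift: a delegation change can only be legitimate if the operator made it, so it is always critical, whereas a body-hash change with an intact title is often a routine deploy and is reported at lower severity for triage rather than paging.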
