Cyber Threat Actor: KuroiSH
| Actor Type | Location | Known Incidents |
|---|---|---|
| Activist | France | 1 incident |
Profile
The threat actor known as KuroiSH and Amar^SHG operates primarily under these aliases, with public reporting indicating activity originating from France. Their operations span multiple years, with documented incidents between 2015 and 2018 demonstrating a pattern of high-profile website defacements and unauthorized access. The actor’s activities consistently involve replacing legitimate web content with political or ideological messages, though they have also engaged in credential leaks and content deletion. Their targets include government entities, multinational corporations, media organizations, and critical infrastructure providers, with operations affecting France’s national weather service (Météo France), Google’s country-specific domains in Brazil and Paraguay, South Korea’s Asiana Airlines, the Uniformed Services University of the U.S. military, and entertainment platforms like Vevo’s YouTube channels.
Strategic objectives center on disruption and message propagation rather than financial gain or data exfiltration. The actor explicitly cited goals such as promoting anti-war sentiments, supporting Palestinian causes, and advocating for Serbian geopolitical interests during various campaigns. Their techniques include exploiting SQL injection vulnerabilities in third-party service providers—as seen in the Météo France compromise via registrar OXYD’s extranet—and DNS hijacking attacks against Asiana Airlines and Google Brazil domains. The actor referenced tooling or capabilities termed “INVULP” and “VRTMS” during the Vevo intrusion but provided no technical specifics. Public statements emphasize demonstrating security vulnerabilities in high-value targets, with claims of prior access to NASA systems and U.S. military networks.

No verifiable affiliations with state actors or criminal groups have been established in available reporting, though some operations involved collaboration with another individual using the alias Prosox. Significant incidents include the 2015 breach of Uniformed Services University, which resulted in leaking military credentials in plain text, and the 2018 coordinated takeover of Vevo’s YouTube channels that disrupted content for multiple artists. The actor’s operations typically conclude with rapid restoration by affected organizations, with no observed escalation to destructive attacks or persistent network access.
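Both techniques attributed to this actor above, DNS hijacking through a registrar or third-party provider and replacement of legitimate web content, leave the same observable trace for a defender: authoritative records or page content no longer match a known-good baseline. The following is an added example of that baseline comparison; it is not code from the original profile or from any of the organizations named. All domain names, IP addresses and page contents are constructed placeholders, and a real deployment would feed `check_site` with live DNS answers and a fetched page instead of the inline samples.

```python
import hashlib
import re

# Constructed baseline captured while the site was known-good (illustrative values only).
BASELINE = {
    "ns": {"ns1.example-registrar.net", "ns2.example-registrar.net"},
    "a": {"203.0.113.10"},
    "mx": {"mail.example-weather.gov"},
}
BASELINE_PAGE = "<html><body><h1>Weather Service</h1><p>Forecast</p></body></html>"


def page_fingerprint(html: str) -> str:
    """Hash the page with whitespace collapsed and case folded, so trivial
    reformatting does not alert but replaced content does."""
    normalised = re.sub(r"\s+", " ", html).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def dns_drift(baseline: dict, observed: dict) -> dict:
    """Compare observed record sets against the baseline per record type.
    Returns {rtype: {"unexpected": [...], "missing": [...]}} for types that
    differ. An unexpected NS or A value is the signature of a hijack at the
    registrar, authoritative server or resolver level."""
    report = {}
    for rtype, expected in baseline.items():
        seen = set(observed.get(rtype, ()))
        unexpected = seen - expected
        missing = expected - seen
        if unexpected or missing:
            report[rtype] = {"unexpected": sorted(unexpected), "missing": sorted(missing)}
    return report


def check_site(baseline: dict, baseline_hash: str, observed: dict, html: str) -> list:
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    for rtype, diff in dns_drift(baseline, observed).items():
        findings.append(
            f"DNS {rtype.upper()} drift: unexpected={diff['unexpected']} missing={diff['missing']}"
        )
    if page_fingerprint(html) != baseline_hash:
        findings.append("page content differs from baseline (possible defacement)")
    return findings


# Constructed observation simulating a registrar-side NS/A change plus replaced content.
OBSERVED_HIJACKED = {
    "ns": {"ns1.attacker-controlled.example", "ns2.example-registrar.net"},
    "a": {"198.51.100.77"},
    "mx": {"mail.example-weather.gov"},
}
REPLACED_PAGE = "<html><body><h1>Replaced content</h1></body></html>"

if __name__ == "__main__":
    for finding in check_site(BASELINE, page_fingerprint(BASELINE_PAGE), OBSERVED_HIJACKED, REPLACED_PAGE):
        print(finding)
```

The check deliberately treats a missing expected value and an unexpected new value as separate findings: a hijack that adds a rogue nameserver alongside the legitimate one still resolves most of the time and is easy to miss if only a full mismatch is alerted on. Because the actor's registrar-level intrusions bypassed the target's own servers entirely, the DNS side of this check should be run from an independent vantage point rather than from hosts inside the affected zone.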
