Cyber Threat Actor: Dr.MwNs
| Actor Type | Location | Known Incidents |
|---|---|---|
| Activist | Sri Lanka | 2 incidents |
Profile
The threat actor known by the alias Dr.MwNs has been identified as operating from Sri Lanka, according to publicly available sources. This individual describes themselves as a hacktivist and has been linked to activities supporting the #ForSyria cause. Targeting patterns show a focus on governmental websites, exemplified by the defacement of the Sri Lankan Prime Minister’s Office portal, and on telecommunications infrastructure, as evidenced by intrusions into Bhutan Telecom’s servers that subsequently provided access to the Google Bhutan domain. Additionally, the actor has claimed responsibility for compromising hundreds of Turkish websites, indicating a broader regional scope that includes South Asia and the Middle East. The stated objective of these actions appears to be disruption and the promotion of a geopolitical message rather than financial gain or espionage.
Technical details from the reported incidents reveal that Dr.MwNs employs website defacement as a primary technique, replacing legitimate content with a “Hacked by Dr.MwNs” notice and embedding an audio track of the Islamic devotional song “Thank You Allah” by Maher Zain. The actor’s activity is documented on zone‑h, a mirror site that archives defacement pages, where numerous submissions link to the Turkish website compromises. Social media posts, particularly on Twitter under the handle @DrMwNs, have been used to announce intrusions, demonstrate Arabic language proficiency, and claim access to the Bhutan Telecom server and consequently the Google Bhutan domain. No specific malware families or custom tooling are mentioned in the available reports; the observed tooling consists of web‑based exploitation methods aimed at gaining unauthorized access to web servers for the purpose of defacement and audio insertion.
Among the publicly reported operations, the August 5, 2015 defacement of the Sri Lankan Prime Minister’s Office website stands out as a representative example of the actor’s modus operandi, combining a political message with multimedia elements. Reporting from the same timeframe also references the actor’s earlier intrusions into Turkish web properties and the Bhutan Telecom incident, which together illustrate a pattern of targeting both governmental and telecommunications entities across multiple countries. Attribution to a specific state sponsor or criminal consortium has not been established in the sources; the actor is presented as an independent hacktivist motivated by the #ForSyria affiliation. These incidents collectively define the known footprint of Dr.MwNs within the threat landscape.
