Menu
Browse

Cyber Threat Actor: The Horsemen Of Lulz

Actor Type Location Known Incidents
 Icon
Activist
United Arab Emirates
1 incident
Profile

The Horsemen Of Lulz, also known as TheHorsemenLulz, is a threat actor group that has been linked to the United Arab Emirates in open source reporting. The group operates under an alias that references a collective moniker and has been observed collaborating with the hacker collective NullCrew, specifically with its NullCrew FTS faction. Public attributions note the alliance between these entities during coordinated intrusions against targeted organizations.

The actor’s observed targeting focuses on media and telecommunications entities, with confirmed incidents involving a Middle Eastern media organization and a major United States‑based cable and broadcasting company. Their public statements indicate that the intrusions are intended to expose unpatched security flaws and to criticize the victims’ perceived negligence, thereby aiming to cause embarrassment and draw attention to inadequate patch management. No explicit financial or espionage motives are documented in the available sources; the group's messaging centers on highlighting security shortcomings rather than pursuing monetary gain or state‑directed intelligence.

In terms of tactics, the Horsemen Of Lulz have repeatedly exploited the CVE‑2013-7091 vulnerability in Zimbra mail servers as an initial access vector, leveraging the unpatched flaw to obtain credential information from local configuration files such as localconfig.xml. Their tooling appears limited to the use of this known exploit and subsequent manual extraction of usernames and passwords, without reference to custom malware families or advanced persistence mechanisms. Notable operations include the February 2014 breach of Comcast’s servers and the April 2014 compromise of Al Arabiya’s mail infrastructure, both of which were jointly claimed with NullCrew and publicized via Pastebin posts detailing the extracted data and the exploit used. These incidents demonstrate a pattern of targeting organizations that have failed to apply available security patches, using the resulting access to disclose internal credentials and underscore the victims’ security lapses.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source