Cyber Threat Actor: The Exploit3rs
| Actor Type | Location | Known Incidents |
Sensationalist
|
Morocco
|
3 incidents |
|---|
Profile
The Exploit3rs isa hacking group identified by the alias The Exploit3rs and is known to operate from Morocco. The actors have been observed targeting technology and financial sectors, focusing on multinational corporations such as Google, Microsoft, Kaspersky Labs, Yahoo, HSBC, Twitter, Vodafone, Dell, Samsung, VISA, Norton, Nike and others. Their activities have included compromising country‑code top‑level domain registries to gain control over .ma domains, which they then used to deface the websites of major firms. The primary objective demonstrated in their operations appears to be disruption, as they replaced legitimate content with messages asserting control over the affected domains and claimed the ability to own any .ma website. No explicit evidence of financial gain or espionage motives is provided in the source material.
The group's tactics, techniques and procedures involve gaining unauthorized access to the ccTLD infrastructure, enabling DNS hijacking that redirects traffic to attacker‑controlled servers where defacement pages are hosted. They rely on defacement as their main tooling style, leaving a consistent message that highlights their control over the domain namespace. No specific malware families, exploit kits, or initial access vectors beyond the registry compromise are described in the available reports. Attribution to a state sponsor or a larger criminal consortium is not established in the public sources; the actors are presented solely as a Moroccan hacker collective. Their most notable campaign occurred on July 25, 2015, when they simultaneously defaced the Moroccan domains of Google, Microsoft, Kaspersky Labs and the NIC Morocco registry, an incident that was quickly remedied after the hijacking was discovered. This event mirrors earlier DNS hijacking attempts, such as the February 2015 disruption of Google’s Vietnam homepage, indicating a recurring focus on domain‑level attacks to achieve visibility and disruption.
