KELA Cybercrime Update: September 2025 Snapshot
KELA tracks September 2025 dark web trends—hacktivist attacks, data leaks, and new Android and macOS cybercrime tools.
Updated October 21, 2025

This month’s activity reveals coordinated DDoS waves, large-scale data leaks, and new Malware-as-a-Service offerings targeting Android and macOS users alike. We’re diving into the evolving landscape of hacktivism, cybercrime services, and underground innovation — here’s what you need to know.
Hacktivist Activity
In September, the most active hacktivist groups claiming attacks in their Telegram channels were Malaysia Hacktivist, Tengkorak Cyber Crew, Laskar Pembebasan Palestina, Hezi Rash, and Mr. Hamza. These groups posted the most domains in their messages (presumably victims’ domains), a pattern associated with claimed DDoS and defacement, data theft, and other attacks. The following groups specifically claimed DDoS attacks, offering the attacked websites’ accessibility reports as proof: NoName057(16), Keymous, AnonXF34rl3ss, Hezi Rash, Team Fearless, and DieNet.
KELA also observed hacktivist activity worldwide. The pro-Russian group TwoNet claimed to have leaked attendee data from Spain’s C1b3rWall 2025 cyber conference, exposing over 700 records tied to law enforcement and corporate domains. Concurrently, Enlace Hacktivista published a massive 600 GB leak from China’s Great Firewall project, while Hezi Rash launched #OpJapan DDoS attacks on Japanese sites. Additional activity included claimed DDoS attacks in France by Keymous+ and allies, anti-China operations by Nullsec Philippines, and CyberVolk’s announced campaign against Western and Japanese targets. Finally, Handala Hacktivists claimed a data breach of an Israeli space firm, alleging insider access and data exfiltration.
Cybercrime Services
KELA has been monitoring new cybercrime services being advertised in September 2025. The types of new services identified included an Elite Malicious Software Suite, a HOOK Android Botnet Rental, and a MacSync macOS Stealer. Here’s the overview:
Elite Malicious Software Suite: a new, sophisticated malicious software suite being advertised, which combines the functionalities of a RAT, cracker, stealer, loader, VNC, FTP, SOCKS5, native HVNC, and seed finder. The software is offered on a subscription model priced at $5,000 per month and is designed for heavy use, featuring stable connections and a customizable design. Key advertised features include Auto Wallet Cracking, which attempts to crack wallets automatically on arrival using variations of the user’s passwords, and full HVNC support, notably bypassing anti-HVNC protections in the latest Chrome-based browsers. The system lets clients add new wallet or browser definitions without waiting for updates, and, importantly, the provider notes that logs are stored locally on the client’s server, meaning the vendor has no access to them. The suite also offers extensive remote control features, including a VNC reverse server, an FTP reverse server, and a file searcher designed to locate seed phrases and 2FA codes. KELA observed a few positive feedback comments on this post from users who claimed to have tested the suite.
HOOK Android Botnet Rental: the threat actor "derotei" advertised the HOOK Android Botnet Rental on the ExploitIn forum on September 24, 2025. The vendor emphasized that this is the completely original software, purchased on XSS, and that it has been fully updated to work with the newest versions of Android. Renting the service grants the client a panel and a builder, allowing them to create custom application injectors, although the software already ships with over 1,000 injectors. The monthly rental cost for the botnet is $5,000, with an optional additional fee of $1,000 per month for a crypter with a loader and Zombinder (a binder for attaching the payload to legitimate apps). The service also features protection for the client’s server IP address against blocklisting, effectively providing "free fastflux" for customers. KELA identified no engagements with this post.
MacSync macOS Stealer rental: a post by "macsync" advertised the MacSync macOS Stealer rental on the ExploitIn forum on September 1, 2025. MacSync is a stealer designed specifically for devices running macOS, supporting both x86_64 and ARM architectures on versions from macOS Sierra (>10.12.6) onward. The build is written in C and is lightweight, with a current size of about 50 KB; logs are decrypted server-side to avoid delays on the victim’s device. The stealer focuses on collecting sensitive information such as passwords, cookies, and autofill data from Chromium-based browsers, desktop crypto wallets, and browser crypto extensions, and it decrypts the macOS keychain. A monthly subscription costs $1,500, while an optional module that replaces the legitimate Ledger application in order to phish seed phrases is sold separately. Notably, the vendor enforces a geopolitical restriction, stating that the builds do not work in CIS countries. KELA identified no notable engagements with this post.
Stay tuned for next month’s update, where we’ll continue to track and analyze the newest cybercrime threats and trends. If you want a deeper dive into the latest threats and services that KELA is tracking, contact us today.