
Intelligence Bulletin – MinionGhost Reemerges

March 22, 2018

At approximately 9:30am EDT on 20 March 2018, the hacktivist collective MinionGhost announced planned cyber attacks against unspecified Asian entities. Additionally, MinionGhost and other hacktivist groups announced their intent to target Israeli websites and interests as part of the annual global hacktivist campaign, #OpIsrael. Optiv’s Global Threat Intelligence Center (gTIC) assesses with high confidence that MinionGhost and affiliated groups intend to carry out high-level attacks against various websites and entities; however, the capabilities of these groups are limited to simple distributed denial-of-service (DDoS), cross-site scripting (XSS), and SQL injection (SQLi) attempts. Organizations are advised to implement security practices and countermeasures focused on limiting and mitigating slow-HTTP attacks, which include limiting connections from single sources, setting appropriate session timeouts, using strong passwords and login credentials for web applications, and monitoring for and blocking any activity from known proxy (i.e. Tor, commercial VPN) IP ranges.

MinionGhost is a politically and religiously motivated hacktivist group with a pattern of participating in campaigns against targets globally with the intent of leaking sensitive information (i.e. email credentials, PII), defacing web pages, and disrupting the availability of websites and services through DDoS attacks. In addition to personal and vigilante motives, MinionGhost has also been observed seeking attention and validation from media outlets catering to hacker and security news by posting results and findings from attacks directly to these outlets.

Key Judgments

  • gTIC assesses with high confidence that MinionGhost and affiliated actors will carry out DDoS, defacement, and data-leak attempts against a range of targets internationally, despite their announced threat being against Asian entities
  • gTIC assesses with high confidence that a majority of attempts and claims of attacks will be unsuccessful, unsubstantiated, or of limited impact, especially against large corporations and national government organizations
  • MinionGhost’s targeting of Asian entities overlaps with the ongoing #OpIsrael campaign (scheduled for 7 April; however, attacks and effects were ongoing as of March 2018), and attacks/attempts against organizations in Europe, the Middle East and North America are deemed probable over the next 30 days

Technical Information

MinionGhost is an Indonesian hacktivist group responsible for participating in several hacktivist operations between 2016 and 2018, targeting multiple governments and top-level domains (TLDs) based on various political events, as well as participating in other ongoing hacktivist operations against the finance industry. MinionGhost is assessed to be a single threat actor with several key associates using multiple social media accounts and personas. MinionGhost has been observed communicating their activities over several outlets including Facebook, Twitter, GitHub, and Pastebin. In 2017, the original social media accounts for MinionGhost, @minionghost302 and @Scode404, were confirmed to be the same actor hiding behind another user handle, @AnonGhost7.

Tools and tactics attributed to the group include vulnerability scans, manual SQLi attacks, and DoS tools scripted in Python. Targets range from government websites to banking and financial entities as a part of larger global hacktivist operations.

MinionGhost is known to announce their intentions and campaigns over social media and recruit the support of other hacktivist groups with similar agendas. MinionGhost’s tools primarily consist of Python-scripted DoS tools. Tools used during #OpCatalunya in 2017 were identified to be the same as those identified to be used during #OpIcarus. Several of these are assessed to be derivatives of older DDoS tools including Slowloris, Low Orbit Ion Cannon (LOIC), and R-U-Dead-Yet.

Outlook

Optiv’s gTIC assesses with high confidence that a majority of MinionGhost’s attacks will have minimal impact against large organizations with adequate security and defense postures. The most vulnerable targets are local government and small business entities with few or no security procedures.

MinionGhost and affiliates will continue high-level global hacktivist campaigns, primarily focused on targeting government and financial services and US and Israeli interests. Annual campaigns like #OpIsrael and #OpIcarus will continue to garner large vigilante followings, and organizations are encouraged to maintain a proper security and defense posture, as described below.

Remediation Recommendations

To mitigate threats from MinionGhost and other hacktivist operations, gTIC advises organizations to ensure web applications are up to date and secured with strong passwords, limit connections from single sources, set appropriate session timeouts and incoming data rates, identify and block known VPN and proxy IP addresses, and write database queries using prepared statements. These countermeasures can prevent basic and high-level XSS, SQLi, and DDoS attempts.
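As an added example (not part of the Optiv bulletin), the following nginx configuration fragment applies the slow-HTTP countermeasures the bulletin recommends, showing the weak settings commented out beside the hardened ones; the timeouts, limits, server name, upstream address and denied IP range are placeholders to be tuned from your own traffic profile and threat-intelligence feeds.

```nginx
# Added example, not from the Optiv bulletin: nginx settings implementing
# per-source connection limits, short timeouts and proxy-range blocking.
# All numeric values, names and addresses are illustrative placeholders.

http {
    # --- Weak settings (default-like) that leave workers tied up by slow clients ---
    # client_header_timeout 60s;   # a trickling client holds a worker for a minute
    # client_body_timeout   60s;
    # keepalive_timeout     75s;
    # (no per-source connection or request limits configured at all)

    # --- Hardened settings ---
    # Give up quickly on clients that trickle headers or bodies
    # (Slowloris / R-U-Dead-Yet style slow-HTTP behaviour)
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    reset_timedout_connection on;   # release the socket immediately on timeout
    client_max_body_size  1m;       # bound how much a slow POST can trickle in

    # Shared-memory zones keyed on the client address:
    # one for concurrent connections, one for request rate
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;        # placeholder

        # Limit concurrent connections and request rate from a single source
        limit_conn perip_conn 20;
        limit_conn_status 429;
        limit_req zone=perip_req burst=20 nodelay;
        limit_req_status 429;

        # Block known proxy/VPN egress ranges. 192.0.2.0/24 is a documentation
        # range used here as a placeholder; populate from your own feed.
        deny 192.0.2.0/24;
        allow all;

        location / {
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream web application
        }
    }
}
```

Requests that exceed the per-source limits receive HTTP 429, which is also a convenient signal to alert on in the access log.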
