Executive Summary
The 2025 Cambodia–Thailand border conflict represents a significant escalation in hybrid warfare, combining traditional military operations with sophisticated cyber campaigns. The physical conflict, which began with a fatal skirmish on 28 May 2025 and escalated to full military engagement on 24 July 2025, was accompanied by an unprecedented surge in cyberattacks targeting government infrastructure and critical systems. This investigation reveals systematic cyber operations involving multiple threat actors, significant data breaches, and allegations of foreign state involvement, establishing a concerning precedent for cyber-physical hybrid conflicts in regional disputes.
Key Findings:
- Physical Conflict: At least 38 confirmed fatalities and over 300,000 displaced civilians
- Cyber Operations: 438 Thai systems compromised by 59 hacker groups; over 500 Cambodian systems breached by 20 groups
- Data Exfiltration: 800GB of government data stolen from 47 Cambodian agencies
- Continued Operations: Cyber attacks persisted despite the ceasefire agreement on 28 July 2025
Background and Physical Conflict Timeline
Historical Context
The conflict stems from century-old territorial disputes rooted in the Franco-Siamese Treaty of 1904 and subsequent 1907 modifications, which established ambiguous border demarcations between Thailand and French Indochina (including Cambodia). The International Court of Justice (ICJ) ruling in 1962 awarded the Preah Vihear Temple to Cambodia but left the surrounding territorial sovereignty unresolved. (https://www.britannica.com/event/Thailand-Cambodia-Conflict)

Immediate Triggers and Escalation
Evidence Source: Wikipedia article “2025 Cambodia–Thailand border conflict”
28 May 2025: Initial skirmish in the Emerald Triangle area resulted in the death of Cambodian Second Lieutenant Suon Roun. Both sides claimed the other fired first.
Key Escalatory Events:
- 17 June 2025: Cambodia banned imports of Thai fruits and soap operas
- 21-23 June 2025: Systematic border checkpoint closures by both countries
- 23 July 2025: Thai soldier injured by landmine in Ubon Ratchathani; diplomatic relations downgraded
24 July 2025: Full military confrontation commenced at Ta Muen Thom Temple with both sides claiming self-defense.
Military Operations Scale
Evidence Source: Britannica Encyclopedia entry
- F-16 airstrikes by the Thai Air Force targeting Cambodian positions
- BM-21 Grad rocket attacks by Cambodian forces hit civilian targets, including gas stations and hospitals
- Thailand’s Second Army Region launched Operation Yuttha Bodin
Confirmed Casualties (as of 28 July 2025):
- Thailand: 6 soldiers killed, 13 civilians killed (including an 8-year-old boy), 14 soldiers injured, 32 civilians injured
- Cambodia: 5 soldiers killed, 8 civilians killed, 21 soldiers wounded, 50+ civilians injured
- Displaced Civilians: Over 300,000 total (138,000 in Thailand, 134,707 in Cambodia)
Cyber Operations in Conflict
In mid-2025, Cambodia-based hacktivist groups executed a highly coordinated campaign of cyberattacks against key Thai government institutions and critical infrastructure. Evidence from Telegram channel data, cyber intelligence, and independent articles shows actors such as BL4CK CYB3R, ANONSEC-KH, H3C4KEDZ, NXBBSEC, KolzSec, and NullSec Philippines (and alliances with others) were responsible for substantial service disruptions, data exfiltration, and strategic data destruction. These attacks were portrayed as digital retaliation following a border incident and political disputes.

Major Cyber Incidents and Attacks
Key Threat Actors and Attack Methods from Cambodia
| Date | Attack Type | Target | Actor(s) | Impact | Source Channel | Attacker Country | Victim Country |
|---|---|---|---|---|---|---|---|
| 2025-06-22 14:06:29 | DDoS | Office of the Education Council, Thailand | BL4CK CYB3R | Service Disruption | BL4CK CYB3R Telegram Channel | Cambodia | Thailand |
| 2025-06-22–27 | DDoS | Consumer Protection Board, King Power, AUCT | BL4CK CYB3R | Disruption to operations | BL4CK CYB3R Telegram Channel | Cambodia | Thailand |
| 2025-06-23 | DDoS | Mahidol University, Siam Kosit Bank, etc. | BL4CK CYB3R | Service Disruption | BL4CK CYB3R Telegram Channel | Cambodia | Thailand |
| 2025-06-26 | Website Breach/Breach | Royal Thai Police (police.go.th) | BL4CK CYB3R | System Compromise, Data Leak | BL4CK CYB3R Telegram Channel | Cambodia | Thailand |
| 2025-06-26 | Data Breach | Rayong City CCTVs | BL4CK CYB3R | 300+ Cameras Leaked Access | BL4CK CYB3R Telegram Channel | Cambodia | Thailand |
| 2025-06-26 | Credential Leak | Department of Land Development, Police Road Safety | BL4CK CYB3R | Account Passwords Public | BL4CK CYB3R Telegram Channel | Cambodia | Thailand |
| 2025-06-26 | DDoS & Defacement | Chulalongkorn University, PTT, Quality Express | BL4CK CYB3R | Sites Offline | BL4CK CYB3R Telegram Channel | Cambodia | Thailand |
| 2025-06-27 | DDoS, Data Deletion | Royal Thai Embassy Phnom Penh, Budget Site | NXBBSEC, BL4CK CYB3R | Data Loss, Service Disruption | BL4CK CYB3R Telegram Channel, nxbbsec | Cambodia | Thailand |
| 2025-07-05–07 | Data Breach | Mahidol University, Mahidol Student Records | H3C4KEDZ | 1.5 TB Data Exfiltrated | H3c4kedz Telegram Channel | Cambodia | Thailand |
| 2025-07-11 | System Breach, Deletion | Customs, Senate, Mahidol, DITP, ONWR sites | H3C4KEDZ | TBs Data Deleted/Leaked | H3c4kedz Telegram Channel | Cambodia | Thailand |
| 2025-07-21 | Defacement | Multiple .go.th Sites | H3C4KEDZ, NXBBSEC, KolzSec | Psychological Operations | H3c4kedz Telegram Channel, nxbbsec, KolzStoree | Cambodia | Thailand |
| 2025-07-24 | Data Breach/Deletion | Office of Prime Minister (opm.go.th) | H3C4KEDZ | 5.9 TB Data Deleted | H3c4kedz Telegram Channel | Cambodia | Thailand |
| 2025-07-26–08-03 | Credential Theft | Various Thai government portals | KolzSec, NXBBSEC | Credentials and Admin Logins | KolzStoree, nxbbsec | Cambodia | Thailand |
| 2025-08-01–08-07 | DDoS/Depletion | Ministry of Defense, Navy, Parliament | NullSecPH, K0lzSec | Sites Down, Data Lost | KolzStoree | Cambodia/Philippines | Thailand |
Key Indicators and Trends
1. Types of Attacks
- DDoS: Sustained disruptive attacks to take down government portals, embassies, universities, and critical infrastructure like police, customs, health ministry ([BL4CK CYB3R Telegram Channel][nxbbsec Telegram Channel][H3c4kedz Telegram Channel]).
- Data Breaches & Theft: Massive exfiltration and deletion of terabytes of government, military, health, education, and police data ([H3c4kedz Telegram Channel][KolzStoree]).
- Website Defacement: Psychological warfare via prominent defacement of dozens to over 100 official .go.th and .ac.th websites ([KolzStoree][H3c4kedz Telegram Channel][nxbbsec]).
- Credential Theft/Leak: Administrative credentials for police, government, university systems, and webmail publicly disclosed ([BL4CK CYB3R Telegram Channel][KolzStoree][nxbbsec]).
- CCTV Breach & Surveillance: Citywide CCTVs and police camera logins leaked, highlighting operational compromise ([BL4CK CYB3R Telegram Channel][nxbbsec][KolzStoree]).
2. Targets
- Government Ministries: Defense, Interior, Education, Health, Customs, Police, Finance, Agriculture, Culture, Environment, and others.
- Military & Police: Royal Thai Army, Navy, Police checkpoint system, military regional commands, and intelligence agency.
- Critical Infrastructure: Airports (AOT), expressways, hospitals, universities (Mahidol), customs, archives.
- Provincial & Local Sites: Downings and defacement of local authority portals, provincial admin, and city data centers.
3. Cambodian Threat Actors (Groups)
H3C4KEDZ:
OSINT Report: Threat Actor Profile - H3C4KEDZ
OSINT Report: Threat Actor Profile - H3C4KEDZ
OSINT Report: Threat Actor Profile - KOLzSec Cyber Activities
OSINT Report: Threat Actor Profile - AnonSecKh / BL4CK CYB3R
H3C4KEDZ, also referenced as “H3c4kedz Telegram Channel” in Telegram data, is a Cambodian hacktivist group with a strong presence in the cyber conflict against Thailand. The group’s activities are centered around retaliatory operations tied to the Cambodia-Thailand border dispute, with a focus on high-impact breaches and data exfiltration. Stealth mole tool graphs highlight connections to Thai police URLs (e.g., s*******ing.bop.police.go.th), GitHub repositories (github.com/H3*****), and the Thailand flag (TH), indicating targeted attacks. The Telegram channel “H3c4kedz Telegram Channel” (sender_id: -1002888167044) serves as a primary communication hub, with posts dating from July 5, 2025, to August 13, 2025.

Methodology
- Data Sources: Network graphs from the stealth mole tool, Telegram channel data from “H3c4kedz Telegram Channel,” and additional evidence provided on August 13, 2025. Analysis includes user IDs, message IDs, media paths, URLs, and geopolitical tags.
- Timeframe: Data is current as of 09:31 PM IST, August 13, 2025.
- Tools: Stealth mole tool for entity mapping; manual review of Telegram metadata and text content.
- Limitations: Media files (e.g., photos) are inaccessible; reliance on metadata and text for analysis.
Social Media and Online Presence
- X Accounts:
@H3*****Z(ID: 1901499198333390848), bio: “we are anonymous Cambodia ~ ./H3C4KEDZ,” with 2 followers.

@h3*****zsec(1 follower).

@h******d(bio: “WE ARE H3C4KEDZ,” 7 followers).

- These accounts reinforce the group’s Anonymous Cambodia affiliation and focus on Thai targets.
- Telegram: The “H3c4kedz” channel shows a history of bans, with a new channel established after the old one was banned on July 5, 2025 (message_id: 3). Recent posts include operational updates and a mention of a TikTok ban on August 13, 2025 (message_id: 673).


-
GitHub:
github.com/H3*****hosts repositories with DDoS tools (Ddos, DDOSV1, GhostDDOSV2), dirsearch (directory enumeration), and SQL-INJECTION scripts, indicating technical capabilities.

Activities and Operations
H3C4KEDZ employs a range of cyber tactics, as evidenced by both stealth mole tool data and Telegram posts:
- Major Breach - Mahidol University:

- Date: July 7, 2025 (message_id: 40).
- Details: The group breached Mahidol University, a prestigious Thai institution, exfiltrating over 1.5 TB of critical data. This included student records, internal emails, research documents, financial data, and server configurations. The Telegram post described the university as a “leading institution in research, medicine, and education,” highlighting the breach’s significance. Evidence was shared via a Photos.zip file.
- Impact: Exposure of sensitive academic and administrative data, potentially affecting thousands of students and staff.
- Ongoing Operations:
- Date: August 12, 2025 (message_id: 670-672).
- Details: Multiple photo posts (e.g., photo_2025-08-12_23-55-54.jpg) suggest continued activity, possibly documenting new attacks or proofs. A post on August 12, 2025 (message_id: 670) states “Start…!”, indicating an ongoing or planned operation.
- Additional Evidence: The stealth mole tool links H3C4KEDZ to awgateasean.doae.go.th (July 11, 2025), a Thai agricultural site, suggesting additional targeting of governmental systems.

- Platform Bans:
- Date: August 13, 2025 (message_id: 673).
- Details: A post notes “My TikTok Banned 🚫,” replying to message_id 666 (not fully visible), indicating potential account takedowns due to their activities.
- Historical Context:
- Stealth mole data connects H3C4KEDZ to prior attacks on Thai police sites (e.g., wp-login.php exploits) and leaks (e.g., bd.0510), with media timestamps (e.g., 2025-01-17 20:54.35) showing long-term engagement.


Tools and Techniques
- DDoS Tools: GitHub repositories (DDoS, DDOSV1, GhostDDOSV2) suggest the use of distributed denial-of-service attacks to overwhelm Thai targets.
- Exploitation Scripts: SQL-INJECTION and dirsearch indicate capabilities for database probing and directory enumeration, used in breaches like Mahidol.
- Data Exfiltration: Photos.zip and similar media files imply structured leak campaigns, with 1.5 TB exfiltrated from Mahidol.
Motivation
H3C4KEDZ’s actions are driven by the Cambodia-Thailand border conflict, with a clear intent to humiliate and destabilize Thai institutions. The group’s Anonymous Cambodia branding and use of #OpThailand align with a broader nationalist and retaliatory agenda, persisting despite the July 28, 2025, ceasefire.
Indicators of Compromise (IOCs)
- URLs:
github.com/H3*****,s*******ing.bop.police.go.th,~~awgateasean.doae.go.th~~,~~h3c***dz.com~~. - Emails:
~~non****family@gmail.com~~(from stealth mole data). - Hashtags:
#OpThailand#Op_thailand2025etc - User IDs: -1002888167044 (Telegram channel).
Connections and Affiliations
- AnonSec-KH: The group’s bio and Telegram posts link it to Anonymous Cambodia, sharing tactics and goals with groups like NXBBSEC and BL4CK CYB3R.
- Collaborative Networks: Stealth mole graphs show overlaps with other Cambodian actors via shared media hashes and user IDs, suggesting a coordinated effort.
- External Ties: The TikTok ban hint may indicate international platform monitoring, though no direct foreign collaboration is confirmed yet.
Impact Assessment
- Targeted Sectors: Education (Mahidol University), government (police, agriculture), and potentially social media platforms.
- Data Exposure: 1.5 TB of sensitive data at risk, including personal and research information.
- Operational Resilience: Continued activity post-ban suggests adaptability and a robust support network.
Conclusion and Recommendations
H3C4KEDZ represents a sophisticated threat within the Cambodian hacktivist ecosystem, leveraging breaches and DDoS to target Thai institutions amid geopolitical tensions. The Mahidol University attack underscores their capability to inflict significant damage. Recommendations include:
Attack Methods & Techniques
Primary Attack Vectors
- DDoS Attacks (31 incidents) - Most frequent attack method
- Data Breaches (30 incidents) - High-value target exploitation
- Data Deletion (13 incidents) - Destructive capabilities
- Website Defacements (11 incidents) - Psychological warfare
Technical Capabilities
- Admin Panel Exploitation - Systematic targeting of weak authentication
- Advanced DDoS Tools - “FoxC2-network” with claimed 30,000 RPS capability
- Data Exfiltration - Terabyte-scale data theft operations
- Credential Harvesting - Multiple compromised admin accounts
- System Wiping - “No backup, no recovery” destruction tactics
Target Analysis
High-Value Targets Compromised
| Sector | Count | Notable Targets |
|---|---|---|
| Government | 15 | Office of Prime Minister (5.9TB claimed), Ministry of Public Health (1.2TB), National Cyber Security Committee (397.8GB) |
| Military/Security | 5 | Royal Thai Army 2nd Region (5.1TB claimed), Police systems, Defense networks |
| Educational | 4 | Mahidol University (1.5TB claimed), Various .ac.th domains |
| Infrastructure | 4 | Airports Authority, Banking systems (K-Bank), Transportation networks |
Data Volume Claims
Total claimed data exfiltration: 20.8 TB across major breaches, indicating either:
- Significant technical capabilities, or
- Substantial exaggeration for psychological impact
BL4CK CYB3R:
AnonSecKH, operating under aliases such as ANON-KH and Bl4ckCyb3r, is a politically motivated Cambodian hacktivist group. The group has intensified its activities following a border incident between Thailand and Cambodia in 2025, targeting Thai governmental, military, financial, and other sectors. They communicate and claim responsibility for attacks via Telegram channels under the Bl4ckCyb3r moniker, reflecting a coordinated effort driven by regional political disputes.
Types of Attacks
- Distributed Denial of Service (DDoS) Attacks:
- AnonSecKH has conducted DDoS attacks to disrupt the services of Thai entities, including the Office of the Education Council, Consumer Protection Board, King Power International Group, AUCT Corporation, and various ministries (e.g., Health, Interior, Agriculture, Higher Education, Tourism, and Sports). Links to check-host.net downtime reports (e.g.,
https://check-host.net/check-report/2ba*******670Confirm service unavailability.

- AnonSecKH has conducted DDoS attacks to disrupt the services of Thai entities, including the Office of the Education Council, Consumer Protection Board, King Power International Group, AUCT Corporation, and various ministries (e.g., Health, Interior, Agriculture, Higher Education, Tourism, and Sports). Links to check-host.net downtime reports (e.g.,
- Data Leaks and Exposure:
- The group has leaked sensitive data, such as lists of eligible countries/territories for Thailand’s Annual International Training Course (AITC) 2023–2025 and military-related documents (e.g., Thai army ranks in vocab_soldier.pdf). This includes PDFs and CSV files (e.g., db6d6cc2-6a34-4aa5-b0e4-c7f7afe54f7b.csv), indicating access to administrative and military databases.

- Defacement and Propaganda:
- Website defacements and propaganda dissemination are key tactics, with messages urging supporters to share attack claims (e.g.,
https://t.me/addlist/ig*********jk9). Hashtags like#OpThailand2025highlight their political motivation.
- Website defacements and propaganda dissemination are key tactics, with messages urging supporters to share attack claims (e.g.,
Compromised Systems and Data


- Thai Government and Military Targets:
- Attacks focus on Thai ministries and military infrastructure, with leaked data suggesting breaches into official systems managing training programs and ranks.
- Financial and Corporate Entities:
- Targets like King Power International Group and AUCT Corporation indicate an expansion beyond government to financial and commercial sectors.
- Email and Contact Lists:
- The
658a**************************************4dbabf76c71656.txtfile contains a large dataset of email addresses and IPs, likely harvested through phishing or system compromises, supporting their reconnaissance efforts.

- The
Methods of Intrusion
- DDoS and Service Disruption:
- Utilization of DDoS techniques to overwhelm Thai government and corporate websites, as evidenced by downtime reports.
- Data Exfiltration:
- Extraction of structured data of the 👿National Intelligence Agency (NIA) - Thailand.

- Social Media and Telegram Coordination:
- The group leverages Telegram and Twitter for real-time updates, alliance building, and propaganda, using handles like anon_kh89.

Network and Affiliations
- Alliances:
- AnonSecKH has formed a cyber alliance with groups like CyberWarriors Team and Anonymous Cyber Error System, as announced in the BLACK CYB3R channel, enhancing their operational capacity.
- Stealth Mole Analysis:
- Network maps show connections to Telegram messages, media, and external links (e.g.,
https://twitter.com/****2), indicating a decentralized yet interconnected structure.

- Network maps show connections to Telegram messages, media, and external links (e.g.,
Timeline of Activities
- 2025 Border Incident: Triggered heightened activity targeting Thailand.
- June 2025: Rebirth announcement and initial Thai entity attacks.
- August 2025: Escalation with data leaks (August 11–12) and ministry-targeted DDoS, aligning with
#OpThailand2025.
Motivation
- The group’s actions are politically driven, stemming from the 2025 Thailand-Cambodia border incident. Their attacks aim to disrupt Thai infrastructure and publicize their stance on regional disputes.
Conclusion
AnonSecKH (Bl4ckCyb3r) is a Cambodian hacktivist group executing politically motivated cyberattacks against Thailand, focusing on DDoS, data leaks, and defacement. Their sophisticated methods, alliance network, and use of Telegram for coordination suggest a well-organized entity with potential for further escalation. Continuous monitoring of their Telegram channel and affiliated sites (e.g., h3*****dz.com) is advised for threat mitigation.
NXBBSEC:
NXBBSEC appears to be a hacking group or collective with a significant presence on Telegram and X, focusing on cyber operations targeting various entities, primarily in Thailand and Cambodia. The group claims affiliations with entities like AnonSecKH and Black CYB3R, though they assert independence. Their activities include Distributed Denial of Service (DDoS) attacks, data leaks, and system exploitation, often publicized through social media and Telegram channels.
Types of Attacks
- DDoS Attacks:
- NXBBSEC has conducted massive DDoS attacks, targeting Thai infrastructure such as the Electronic Resources and E-Resource Centre at Chulalongkorn University, PTT Public Company, and Quality Express Company. These attacks aim to disrupt online services, as evidenced by links to check-host.net reports showing site downtimes.

- Example: Messages from June 26, 2025, detail DDoS operations under hashtags like
#OpGarudaAshesand#OpThailand.
- Data Leaks:
- The group has leaked sensitive data, including a ZIP file named
763caa550916cdce55c8dfd172c9791d67997b242039bb6f880cadb2fcacontaining compromised data, leaked on August 13, 2025.

- Another leak includes login credentials for the Police Road Safety - Thailand system, with a username (3501900481464) and password (1464) shared publicly.
- The group has leaked sensitive data, including a ZIP file named
- System Exploitation:
- NXBBSEC claims to have compromised various systems, with evidence of targeting Thai governmental and institutional entities. Specific instances include the leakage of login credentials for the Police Road Safety - Thailand system on June 26, 2025, suggesting unauthorized access. Additionally, a document leak from
k*s.p**g-obec.go.thon August 6, 2025, indicates potential exploitation of educational or governmental systems in Thailand.

- NXBBSEC claims to have compromised various systems, with evidence of targeting Thai governmental and institutional entities. Specific instances include the leakage of login credentials for the Police Road Safety - Thailand system on June 26, 2025, suggesting unauthorized access. Additionally, a document leak from
- The group also mentions ongoing operations against Cambodian systems, as seen in a Khmer-language message on August 13, 2025, (“❗️ចោសៀមពទ្ធ័លួស ដាក់កង់ឡានយកផ្ទះ ពលរដ្ឋខ្មែរ 13/8/2025”), which translates to “Siam police are putting car tires to take the house of Khmer citizens 13/8/2025,” hinting at cyber activities tied to border tensions.

- Methods likely involve credential harvesting and exploitation of system vulnerabilities, though specific success rates remain unverified in the provided data.
Compromised Systems and Data
- Thailand Targets:
- Chulalongkorn University: Electronic Resources and E-Resource Centre affected by DDoS.
- PTT Public Company: Targeted in DDoS operations.
- Quality Express Company: Subject to DDoS attacks.
- Police Road Safety System: Credentials leaked, indicating potential unauthorized access.
- Thailand Immigration System: Exploited, with data potentially compromised.
- krs.psdg-obec.go.th: A document leak with extensive content (truncated 652986 characters), suggesting a significant data breach.
- Cambodia Targets:
- Mentions of operations against Cambodian systems, including the Ministry, under
#OpThailandand#AnonSecKHhashtags.

- A message from August 13, 2025, describes a border incident involving Cambodian citizens, possibly linked to cyber activities.
- Mentions of operations against Cambodian systems, including the Ministry, under
- Data Types:
- Excel files, photos, and text documents are among the leaked media, with a total of 184 files and 5649 photos noted in the Telegram channel metadata.
- Specific leaks include system credentials and large datasets (e.g., the truncated krs.psdg-obec.go.th file).
Methods of Intrusion
- DDoS Campaigns: Utilized to overwhelm and take down target websites, as seen with the check-host.net downtime reports.
- Credential Sharing: Public dissemination of stolen login details (e.g., Police Road Safety) to enable further unauthorized access.
- Social Engineering: Messages suggest misinformation campaigns, with the group claiming to correct false narratives about their affiliations (e.g., with Black CYB3R).
- Exploitation Tools: References to exploitation systems and success rates (70% for Thailand) imply the use of sophisticated hacking tools or zero-day vulnerabilities.
- Media Propagation: Use of photos and documents on Telegram to showcase exploits, enhancing their visibility and impact.
Timeline of Activities
- June 12, 2025: Initial message in the dataset, marking the start of monitored activity.
- June 25, 2025: Announcement of “NXBBSEC BACK SOON!”.
- June 26, 2025: Multiple DDoS attacks and credential leaks targeting Thai entities.
- August 6, 2025: Claim of 70% exploitation of the Thailand system.
- August 12-13, 2025: Recent activities, including data leaks (ZIP file) and border-related messages, indicate ongoing operations.
Group Structure and Claims
-
Leadership: A member named SAZZ claims to be the true owner and operator, as per an announcement on August 13, 2025.

- Affiliations: Denies being part of Black CYB3R but acknowledges an alliance with AnonSecKH/NXBBSEC. The group operates independently but collaborates with allied teams.
- Membership: The Telegram channel has 790 members, with active engagement from users like “JACKTHERIPPER” and “Bak1s”.
- X Presence: Accounts like
@NXBBSECHACKERand@NXBBSECshow suspension or leadership claims, with posts detailing operations and announcements.


Observations
- The group uses a mix of offensive cyber tactics (DDoS, exploitation) and propaganda (misinformation correction, public shaming).

- Their operations are well-documented on Telegram and X, suggesting a strategy to gain notoriety.
- The focus on Thailand and Cambodia may be geopolitically motivated.
- Frequently overlaps in targeting, involved in both disruption and information extraction.
KolzSec:
KOLzSec, identified as a hacktivist group, appears to be actively engaged in cyber operations targeting governmental and institutional websites, primarily in Thailand. The group operates under the handle “@KOLzSec” and is associated with other hacking collectives such as #NXBBSEC, #AnonSecKH, #blackcyber, and #NullSec Philippines. The data suggests a coordinated effort to conduct defacements, Distributed Denial of Service (#DDoS) attacks, and possibly data breaches, with a focus on promoting justice-related narratives, particularly concerning Cambodia.

Key Findings
Types of Attacks

- Website Defacement (
Lei$): Multiple instances of website defacement are reported, where the group alters the content of targeted sites to display their messages or logos. Examples include the Chiang Mai Provincial Administrative Organization site and over 100 Thai government sites.

- DDoS Attacks: Evidence of DDoS attacks is present, notably the takedown of the National Broadcasting and Telecommunications Commission (NBTC) of Thailand has been down, with check-host.net reports confirming downtime.

- Potential Data Breaches: References to “proofs” and “check” links suggest that the group may have accessed and exfiltrated data, though specific details on breached data are not fully disclosed in the provided messages.
Compromised Systems
- Governmental Websites:
- https://gpa.obec.go.th/ (Targeted for 50 hours)
- https://krungthai.com/ (Top 2 Thailand bank)
- http://chiangmaipao.go.th/ (Chiang Mai Provincial Administrative Organization)
- https://www.mod.go.th/ (Ministry of Defense Thailand)
- https://www.navy.mi.th/ (Navy of Thailand)
- Over 100 Thai government sites (archived defacements)
- The group claims to have targeted these systems as part of operations like #OpThailand, indicating a strategic focus on Thai infrastructure.
Methods of Intrusion
- Exploitation and Defacement: The group likely exploits vulnerabilities in web applications or servers to gain unauthorized access, followed by defacing the sites with their branding (e.g., the KOLzSec logo featuring a suit and question mark).
- DDoS Campaigns: Utilization of botnets or coordinated traffic to overwhelm target servers, as seen with the Ministry of Defense and official Thailand site takedowns.
- Proof of Concept: Links to check-host.net reports (e.g., https://check-host.net/check-report/2b9e3f11k45b) are provided to verify downtime or defacement, suggesting a methodical approach to document their attacks.

- Collaboration: Mentions of #NullSec Philippines and #JusticeforCambodia indicate possible collaboration with other hacktivist groups, potentially sharing tools or resources.
Timeline of Activities
- 2023-10-30: Initial channel activity recorded.
- 2025-06-26: Active messaging begins with a challenge (“If u wanna fight let’s fight bro”) and initial target (
https://check-host.net/check-report/287*********d4).

- 2025-06-27 to 2025-06-28: Escalation with multiple targets, including banks and provincial organizations, accompanied by photo evidence.
- 2025-08-08 to 2025-08-12: Peak activity with claims of defacing 100+ sites, targeting high-profile entities like the Ministry of Defense, and DDoS attacks, with a member “Lei$” taking credit.
Motives and Narratives
- The group’s actions are framed around retaliatory or justice-driven motives, with hashtags like #JusticeforCambodia,
#ThailandStartedTheWar, and#OpThailandsuggesting a geopolitical conflict, possibly related to Cambodia-Thailand relations. - Poetic messages (e.g.,
"Tides of Justice") and calls for action indicate a propagandistic element to their operations.

Tools and Techniques
- Stealth Mole Tool: Snapshots show network mapping and link analysis, indicating the use of reconnaissance tools to identify and target systems.
- Check-Host.net: Used for real-time verification of site availability, aiding in attack validation.
- Media Evidence: Photos and documents shared via Telegram channels serve as proof of compromise, though specific exploitation methods are not detailed.
Affiliations and Membership
- Key Individuals: “Lei$” is highlighted as a prominent member, claiming responsibility for significant defacements.
- Affiliated Groups: Links to #AnonSecKH, #NXBBSEC, and #NullSec Philippines suggest a broader network of hacktivists.
-
Social Media Presence: Active on X under @KOLzSec

Recommendations
- Monitor KOLzSec’s Telegram and X activities for real-time threat intelligence.
- Enhance security measures for Thai governmental websites, focusing on web application firewalls and DDoS mitigation.
- Investigate potential data breaches via the provided check-host links for forensic analysis.
Conclusion
KOLzSec is a sophisticated hacktivist group with a clear focus on defacing and disrupting Thai governmental websites, likely as part of a broader geopolitical agenda. Their methods include defacement, DDoS attacks, and potential data breaches, supported by reconnaissance tools and collaborative efforts with other groups. The group’s activities have escalated significantly by August 2025, with claims of impacting over 100 sites, positioning them as a notable entity in the defacement community.
NRSTSEC:
Overview
- Group Name: NRSTSEC
- Associated Email: mneng676@gmail.com with password NRSTSEC1285
- Activity Period: Breaches and leaks span from 2023 to 2025, with recent activity noted in August 2025.
- Communication Channels: Primarily via Telegram (nrstsec_official), with additional context from leaked combo files linked to private cloud services.
Types of Attacks
- DDOS Attack:
- Downed https://www.tnnthailand.com/ on August 4, 2025, with a report at https://check-host.net/check-report/2b0f9647k12f.

- Zone-XSEC records 11 total defacements, including homepages.

- Data Breaches and Credential Leaks:
- The email mneng676@gmail.com appears across multiple compromised data sets (CDS, CB, UB), with passwords like NRSTSEC1285. This suggests a targeted or opportunistic harvesting of credentials.
- Leaked documents (redcloud.txt, MIXED.txt, 100K CELESTIAL PRIVATE UP FROM LOGS 1.txt, etc.) contain over 100,000 credential pairs, indicating a large-scale data breach operation, potentially involving NRSTSEC or affiliated groups.
- 93 compromised entries for mneng676@gmail.com, with passwords like nengzin1285, leaked since February 20, 2023.

- Social Engineering:
-
Targeted login pages (e.g., Google, GitHub) and Android URLs suggest phishing campaigns.


-
Compromised Systems
- Victims: TNN Thailand, personal accounts (Amazon, Roblox), IPs in Cambodia and Southeast Asia.
- Systems: Windows machines (e.g., Administrator, CH-202211021849).
Methods of Intrusion
- Weak Credentials: Exploits reused passwords via brute force or stuffing.
- Social Engineering: Channel invites as potential phishing vectors.
- Malware/Stealers: Use of “Stealc” infostealer for credential extraction.
- Defacement Tools: Likely SQL injection or file inclusion vulnerabilities.
Motivations and Affiliations
- Hacktivism: Hashtags (#Joaland, #OPTHAILAND) suggest Cambodia-Thailand conflict motives.
- Reputation: Rank 1366 on Zone-XSEC, public claims for notoriety.
- Financial Gain: Possible dark web sales or ransomware.
- Allies: Greetings to #NXBBSEC, #BL4ACKCYBER.
Timeline of Key Events
- 2023-02-20: Initial compromise of mneng676@gmail.com credentials.
- 2024-07-16 to 2025-08-05: Increased activity, peaking in August 2025.
- 2024-06-14 to 2025-02-20: Escalating credential leaks, with UB data showing recent activity.
- 2025-08-04: TNN Thailand defacement, a public milestone.
- 2025-08-14: Current date, with ongoing analysis of leaked data
Recommendations
- For Victims: Enforce strong passwords, enable 2FA, monitor IPs.
-
For Researchers: Map ANONSEC-CAMBODIA and allied groups.
4. Methods of Intrusion
- Exploitation of Vulnerabilities: Web applications and CMS, public portals, and weak authentication were observed.
- Credential Theft: Use of discovered admin logins, credential stuffing, and brute-forcing.
- Web Defacement: Uploading mirrors to defacer sites, mass shell drops on .go.th domains.
- DDoS: Heavy usage of botnets and script-based traffic floods, often coordinated for visibility.
- Surveillance System Breach: Use of default/admin credentials, direct access to CCTV endpoints.


Impact Assessment
- Data Loss: Cumulative data exfiltration and deletion regularly totaled multiple terabytes; The Office of the Prime Minister alone lost nearly 6TB, ONWR over 11TB, Mahidol 1.5TB, and the Health Ministry 6TB.

- Operational Disruption: Major ministries, police, embassies, and customs sites are offline for hours or days, disrupting routine government functions.
- Psychological & Strategic Effects: Defacement of national icons, police and military portals (“Rest in Hell Thai Police”), mass credential dumps, and direct messages challenging sovereignty.
- Erosion of Public Trust: Repeated claims and public messages undermine confidence in the Thai government’s cybersecurity.
- Geopolitical Escalation: Many attacks are directly referenced as retaliation for physical border tensions, explicitly leveraging cyber as a ‘second front’ in the broader conflict.
Broader Geopolitical & National Security Implications
- Escalation to Cyber Warfare: The scale, coordination, and messaging indicate a shift from isolated hacktivism to organized, strategic cyberwarfare, paralleling military hostilities.
- Regional Destabilization: Inclusion of threat actors from allied or sympathizing boundaries (Philippines, Vietnam) increases complexity.
- Sensitive Data Exposure: TBs of government, security, health, and intelligence files released or destroyed — long-term ramifications for law enforcement, diplomatic relations, and military readiness.
- Civic Impact: Police surveillance breach, public record leaks, and continuous disruption of critical public services risk internal security and population safety.
- International Attention: Public exposure of the scale and success of these operations via Telegram aims both to damage Thailand’s international reputation and rally sympathizers.
Conclusion and Attribution Confidence
The investigation into the cyber dimension of the 2025 Cambodia–Thailand border conflict reveals a sustained and coordinated campaign of politically motivated attacks, executed by multiple Cambodian hacktivist groups, notably H3C4KEDZ, BL4CK CYB3R / AnonSecKH, and NXBBSEC. These actors collectively conducted a diverse range of operations—including large-scale data breaches, disruptive DDoS attacks, defacements, and targeted credential theft—against Thai governmental, military, educational, and critical infrastructure systems.
Evidence collected from #StealthMole network mapping, Telegram channel monitoring, and breach dataset correlation shows recurring overlaps in infrastructure, media hashes, and operational timelines, strongly suggesting inter-group coordination despite public claims of independence. The volume and persistence of these attacks, including high-impact incidents such as the 1.5TB Mahidol University breach and the 5.9TB Prime Minister’s Office data deletion, underscore both the technical capability and the ideological drive behind the operations.
The observed activities align with nationalist and retaliatory narratives surrounding the border dispute, amplified through social media propaganda (#OpThailand2025, #Op_thailand) and Anonymous Cambodia branding. While the groups have shown tactical sophistication—leveraging custom DDoS tools, exploitation scripts, and structured leak campaigns—their operations also demonstrate clear intent to psychologically and politically pressure Thailand in parallel with physical hostilities.
Disclaimer
While every effort has been made to ensure the accuracy and integrity of the findings presented in this report, it is important to emphasize that cyber attribution remains inherently challenging. The identification of H3C4KEDZ, BL4CK CYB3R / AnonSecKH, and NXBBSEC as primary actors in the Cambodia–Thailand cyber conflict is based on open-source intelligence (OSINT), digital footprint analysis, and correlation via the StealthMole platform.
These attributions are assessed as probable, derived from observed alias reuse, operational patterns, infrastructure overlaps, and coordinated release of stolen data across Telegram, breach forums, and GitHub repositories. However, definitive attribution would require closed-source intelligence, legal investigative access, or cooperation from platform providers.
The purpose of this report is not solely to attribute with absolute certainty, but to highlight how StealthMole’s Dark Web Tracker, Telegram Tracker, ULP Binder, and Leaked Dataset Correlation can rapidly expose cross-platform linkages, threat actor ecosystems, and operational infrastructure—enabling defenders, policymakers, and law enforcement to take informed countermeasures.
The findings herein are intended to support ongoing defensive strategies, inform geopolitical risk assessments, and guide further targeted investigation into the evolving threat landscape of cyber-physical hybrid conflicts in Southeast Asia.