Executive Summary

Boss Ranzen is one of the world’s most prolific web defacers, with more than 13,000+ confirmed website defacements and a longstanding top rank on Zone-Xsec. Operating predominantly under aliases such as Boss Ranzen, RanzenDotID, Ranzenskyi, and possibly Ranzendoll, this actor is strongly tied to Indonesia, as evidenced by a significant focus on regional government and educational targets. Affiliated with the hacking group D704T and possibly EXECUTOR TEAM CYBER, and frequently seen collaborating with other prominent hackers, including XRyukz and N4STAR_1D, Boss Ranzen leverages customized tools (such as the signature “Mini Shell By Boss Ranzen”) alongside social engineering tactics to compromise vulnerable systems. While technically adept, Boss Ranzen’s operations reveal weak OPSEC—persistent use of the same handles and branding aids straightforward attribution. The scale and consistency of their campaigns have resulted in widespread reputational harm and service disruption for institutions across the region.

Ranzen1.png

Total Victims: 29,076

Untitled design (4).png.png)

1. Identity Profile & Digital Footprint

  • Primary Alias: Boss Ranzen
  • Alternative Aliases: RanzenDotID, Ranzenskyi, Ranzendoll
  • Associated Email: 6Hos**px*73@gmail.com
  • Associated Handles:
    • @RanzenDotID
    • @zeni (linked to identifier 670695584)
  • Social Media:
    • Potential Facebook profile under “Renzenskyi” or similar, though not publicly accessible (Facebook Search)
  • Group Affiliations:
    • D704T: Primary hacking group
    • EXECUTOR TEAM CYBER: Potential affiliation based on social media interactions
  • Collaborators: XRyukz, N4STAR_1D, Desktop77N3T, Zipers404, Barbarking, Mantoed, CyberPunks, Syntax7, ShuzuID, and others
  • Consistent Avatar: Blue power button icon/identicon hash

    Boss Ranzen-6.1.png

Online Presence

Boss Ranzen maintains a significant digital footprint, primarily through defacement archives and potential social media activity:

  • Defacement Archives:
    • Zone-Xsec: Reports 12,656 defacements, with 1,522 homepage defacements and 1,147 special defacements, ranking Boss Ranzen as the top attacker.
    • DefacerID: Lists numerous defacements, including mass and special defacements.
    • HaxorID: Additional archive of defacement activities.
  • Social Media:
    • A network diagram indicates a connection to a Facebook profile “Renzenskyi” and interactions within the “EXECUTOR TEAM CYBER” group, with messages dated November 6, 2023, welcoming “RanzendollDtd” to the telegram group.

      Boss Ranzen-8.2.png

  • Tools:
    • Mini Shell By Boss Ranzen: A web-based file management tool observed in a compromised server directory (/var/www/html/v103), allowing file uploads, deletions, and edits. Files like “index.php” and “composer.json” suggest targeting PHP-based web applications.

      FB-2.jpg

  • GitHub:
    • Potential association with the “teamcyber-glitch” account (GitHub), which hosts repositories like “EXECUTOR-DDOS” and “SCANNER-WP,” indicating involvement in broader cyber activities.

Team Affiliations

  • D704T - Primary operational team (2023-2024)
  • Ghost Exploiter Team - Tool development and technical focus (2024-2025)
  • Banyumas Cyber Team - Regional Indonesian affiliation
  • facebook.com/Renzaskyi - Personal brand integration

2. Target Analysis & Geographic Scope

Using a custom script, I have scraped the data from https://zone-xsec.com/archive/attacker/Boss%2BRanzen. Based on the data you provided below this section, I’ve analyzed and visualized the defacement activities of “Boss Ranzen.” Since the scraped data includes detailed incident logs and the additional target analysis, I’ll integrate both to provide a comprehensive view.

The following table summarizes key defacement incidents:

image.png

  • “Other Defacements” dominate with 10,101 instances, significantly outnumbering the other types.
  • “Special Defacements” (1,546) and “Homepage Defacements” (1,533) are relatively close in count, with “Special Defacements” slightly higher.
  • The total defacement count (12,180) aligns with the aggregated data from earlier sources, indicating consistency.

chart.png

  • The data shows a significant spike in June 2025 (93 defacements), likely due to the extensive activity on June 22, 2025, targeting multiple subdomains.
  • Other notable activities include May 2025 (15 defacements) and July 2025 (19 defacements).
  • Earlier months (June 2024 to April 2025) show sporadic activity, with peaks in July 2024 (8 defacements) and August 2024 (5 defacements).
  • No defacements are recorded for March 2025 or April 2025 based on the provided list.

Target Institution Types

  • Educational Institutions (45%): Universities, schools, academic portals
  • Government Entities (23%): Municipal, state, and federal government sites
  • Mail Servers (15%): Corporate and institutional email systems
  • Commercial Sites (17%): Various business and corporate websites

High-Value Target Categories

  1. Indonesian Academic Networks (.ac.id) - Primary focus
  2. Mexican Educational System (.edu.mx) - Secondary priority
  3. Government Open Data Portals - Strategic targeting
  4. GIS/Mapping Systems - Specialized technical interest

3. Methodology of the Investigation

The investigation into Boss Ranzen was conducted using a combination of open-source intelligence (OSINT) techniques and targeted searches. Below is a detailed account of the steps taken to gather and analyze the information:

Untitled design (1).png.png)

Step 1: Initial Discovery via Google Dorks

  • Action: Utilized Google dorks to search for hacked websites and related information.
  • Findings:
    • Identified multiple websites with defacement pages attributed to Boss Ranzen.
    • Discovered a Facebook URL linking to Boss Ranzen’s activities.
  • Details:
    • The Facebook URL directed to the “Jakarta Blackhat” group, where posts by “Renzaskyi” contained URLs of compromised domains and mirror links to hacking archives.

      Boss Ranzen-8.2.png

    • A post dated December 30, 2023, listed URLs such as https://rityyari.co.id/ghoul.php and mirror links to Zone-Xsec (https://zone-xsec.com/archive/attacker/boss-ranzen), HaxorID (https://haxor.id/archive/attacker/Boss-Ranzen), and Zone-H (https://www.zone-h.org/archive/notifier=Boss%20Ranzen).

      Boss Ranzen-4.png

    • Another post on December 27, 2023, included URLs ending in /readme.html (e.g., http://centralgroup.id/readme.html) and similar mirror links, indicating defaced pages.

      Boss Ranzen-8.1.png

Step 2: Searching for Text Files

  • Action: Conducted a search using the query “Boss Ranzen” filetype: txt.

    Boss Ranzen-3.2.png

  • Findings:
    • Likely uncovered text files or documents containing defacement messages or hacking logs related to Boss Ranzen’s activities.

      Boss Ranzen-10.png

  • Details:
    • This step aimed to find raw data or logs not indexed in standard web searches, a common OSINT technique for uncovering hacker artifacts. Specific results were not detailed in the provided evidence but are assumed to have contributed to the investigation.

Step 3: Alias Search and GeoNode Discovery

  • Action: Searched for the alias “Renzaskyi,” identified from the Facebook posts.

    Boss Ranzen-10.2.png

    Boss Ranzen-3.png

  • Findings:
    • Located a GeoNode profile for “Renzaskyi” at https://mapas.mnstate.edu/geonode/people/profile/Renzaskyi/?limit=50&offset=0.

      Boss Ranzen-5.png

    • The profile showed no created content but included a username “@” and a profile picture hash.

      Boss Ranzen-6.1.png

  • Details:

    Boss Ranzen-9.png

    • The profile picture hash (1106d505c6383ddea2adde1c91b33c50) was identified as an MD5 hash of an email address, likely used to generate the identicon.
    • This profile provided a key link between the alias “Renzaskyi” and Boss Ranzen’s broader digital footprint.

Step 4: Email Hash Confirmation

  • Action: Used the profile picture hash from the GeoNode profile to search for other profiles.
  • Findings:

    Boss Ranzen-6.png

    Boss Ranzen-7.png

    • Identified another profile with the same hash, confirming that the same email ID was used across different platforms.
  • Details:
    • The hash 1106d505c6383ddea2adde1c91b33c50 was consistent across profiles, strongly suggesting that “Renzaskyi” and Boss Ranzen are the same individual or closely associated.

Additional Steps

  • Social Media Analysis:
    • Analyzed posts and interactions within the “Jakarta Blackhat” group to understand Boss Ranzen’s context and collaborators.
    • A post on March 31, 2024, detailed a hacking process involving Elfinder, symlinking, and penetrating a main domain (veracruzmuniciplio.gob.mx/dj0at.php), with a mirror link to Boss Ranzen’s archive on Zone-Xsec.

      Boss Ranzen-8.png

    • A July 6 post included instructions for using the “Mini Shell By Boss Ranzen,” detailing file uploads via a virtual private server (VPS) and browser access, accompanied by terminal outputs and file names like xkit-shell.php.

      FB-2.jpg

  • Technical Analysis:
    • Examined the “Mini Shell By Boss Ranzen,” a web-based file management tool used for exploiting compromised servers, as seen in posts and terminal screenshots.
    • Reviewed terminal commands and file manipulations to understand Boss Ranzen’s technical capabilities.

4. Technology Targets & Attack Vectors

Boss Ranzen demonstrates expertise in exploiting specific technology stacks, with WordPress/CMS platforms representing 25% of targets, followed by educational platforms and government portals.

Primary Attack Vectors

Web Application Exploitation: Boss Ranzen primarily targets web applications through various attack methods, including:

  • Remote File Inclusion (RFI) vulnerabilities
  • Cross-Site Scripting (XSS) for code injection
  • Mass defacement techniques targeting multiple sites simultaneously

Primary Technology Targets

  1. WordPress & CMS Platforms (25%)
    • Vulnerable plugins and themes
    • Weak authentication systems
    • File upload vulnerabilities
  2. Educational Management Systems (20%)
    • Student information systems
    • Learning management platforms
    • Academic administration portals
  3. Government Digital Infrastructure (18%)
    • Open data platforms (CKAN)
    • GIS and mapping systems
    • Municipal service portals
  4. CKAN/Open Data Platforms (12%)
    • Metadata manipulation
    • User profile exploitation
    • File upload abuse

Exploitation Techniques

  • File Upload Vulnerabilities - Primary attack vector
  • CKFinder Exploitation - Specialized file manager attacks
  • xmlrpc.php Abuse - WordPress-specific techniques
  • Symlink Attacks - Directory traversal and file access
  • Weak Authentication - Credential stuffing and brute force

5. Activity Timeline & Campaign Analysis

The timeline analysis shows peak activity in mid-2024 with over 2,800 defacements per month, followed by a strategic shift toward the Ghost Exploiter Team affiliation in 2025.

Key Campaign Periods

  • Early 2023: Initial D704T affiliation, establishing reputation
  • Mid-2024: Peak operational tempo with international expansion
  • Late 2024-2025: Transition to Ghost Exploiter Team, tool development focus

Evolution of Tactics

  1. 2023: Mass defacement campaigns for reputation building
  2. 2024: Sophisticated persistent access and strategic targeting
  3. 2025: Tool development and community leadership role

6. Technical Capabilities & Tool Development

Custom Tools & Scripts

  • Mini Shell PHP - Web-based file management system
  • Bypass 403 Scripts - Security control circumvention
  • Mass Defacement Tools - Automated targeting systems
  • File Upload Exploits - Custom payload delivery systems

GitHub Repository Analysis

The associated GitHub account “ghost-exploiter” hosts:

GH05T666.png

GH05T666-1.png

Boss Ranzen-7.2.png

  • Shell bypass tools for 403 forbidden errors
  • PHP-based file management systems
  • Brute force and enumeration scripts
  • Educational hacking tutorials

Signature Files

  • readme.html - Standard defacement page
  • djoat.php - Advanced web shell
  • Xaverious.pHP56 - Custom backdoor implementation
  • stressed.html - Psychological warfare component

7. Operational Security Analysis

OPSEC Failures

Boss Ranzen demonstrates critically poor operational security:

  1. Identity Linkage: Real social media profiles connected to attack infrastructure
  2. Public Bragging: Detailed attack documentation on Facebook
  3. Consistent Handles: Same usernames across all platforms and attacks
  4. Persistent Signatures: Identical defacement patterns enabling easy attribution

Attribution Confidence: HIGH

  • Consistent digital fingerprints across all operations
  • Public acknowledgment of attacks on social media
  • Identical technical artifacts in all defacements
  • Cross-platform identity correlation

8. Psychological Profile & Motivations

Primary Motivations

  • Reputation Building - Status within the hacker community
  • Technical Demonstration - Showcasing capabilities
  • Community Leadership - Mentoring other hackers
  • Nationalist Pride - Focus on Indonesian targets suggests regional pride

Behavioral Patterns

  • Highly public and attention-seeking
  • Collaborative approach with team affiliations
  • Educational mindset toward sharing techniques
  • Persistent and methodical in targeting

9. Impact Assessment

Scale of Operations

  • 13,000+ Confirmed Defacements (Zone-Xsec archives)
  • Multi-year Campaign (2023-2025 ongoing)
  • International Scope (6+ countries targeted)
  • High-Value Targets (Government and educational institutions)

Victim Impact

  • Reputation damage to targeted institutions
  • Potential data exposure and manipulation
  • Service disruption and downtime costs
  • Security remediation expenses

10. Defensive Recommendations

Immediate Actions

  1. Audit File Upload Points - Primary attack vector
  2. Strengthen Authentication - Multi-factor implementation
  3. Monitor User Profiles - Detect unauthorized account creation
  4. Update CMS Components - Patch vulnerable plugins/themes

Long-term Security Measures

  1. Web Application Firewalls - Block common attack patterns
  2. Regular Security Assessments - Proactive vulnerability identification
  3. Incident Response Plans - Rapid defacement recovery procedures
  4. Threat Intelligence Integration - Monitor Zone-Xsec and similar archives

Specific Technical Controls

  • Block file extensions: .php, .php56, .phtml in upload directories
  • Implement strict file type validation
  • Monitor for “Boss Ranzen” signatures in uploaded content
  • Alert on user account creation with suspicious naming patterns

12. Intelligence Collection Opportunities

Monitoring Sources

  • Zone-Xsec Archives - Real-time defacement notifications
  • Facebook Groups - “Jakarta Blackhat” and similar communities
  • GitHub Repositories - Tool development activities
  • Telegram Channels - Indonesian hacker community communications

Indicators of Compromise (IOCs)

  • Usernames: RanzenDotID, ranzendotid, ranzendotid
  • File Signatures: ”Mini Shell By Boss Ranzen”
  • Avatar Hash: Blue power button identicon
  • Email Patterns: gh05texp[.]@gmail.com,

Conclusion:

The investigation into Boss Ranzen reveals a highly prolific and persistent threat actor responsible for over 13,000 documented web defacements, primarily targeting educational and governmental institutions in Indonesia and Mexico. Through comprehensive open-source intelligence (OSINT) analysis, including Zone-Xsec archives, social media monitoring, GitHub repository assessments, and defacement pattern correlation, Boss Ranzen has been confidently linked to aliases such as RanzenDotID, Ranzenskyi, and potentially Ranzendoll, alongside affiliations with hacking groups like D704T and Ghost Exploiter Team.

Boss Ranzen’s activities demonstrate a blend of technical sophistication and poor operational security (OPSEC). Their use of custom tools like the Mini Shell By Boss Ranzen, exploitation of file upload vulnerabilities, and public bragging on platforms like the Jakarta Blackhat Facebook group provide clear digital footprints. These artifacts, combined with consistent alias usage and signature files (e.g., readme.html, djoat.php), enable high-confidence attribution. The actor’s motivations appear rooted in reputation building, technical demonstration, and nationalist pride, with a strategic shift toward tool development and community leadership in 2025.

Disclaimer

Every effort has been made to ensure the accuracy and integrity of the information presented in this report. However, cyber attribution remains inherently uncertain. The identification of Boss Ranzen and their connections to D704T, Ghost Exploiter Team, and potentially EXECUTOR TEAM CYBER are based on OSINT, including Zone-Xsec and HaxorID archives, social media analysis, and GitHub repository correlations.

These connections are assessed as highly probable but not definitive. Attribution relies on observable patterns such as alias reuse, consistent defacement signatures, and infrastructure overlaps across platforms like Facebook, Telegram, and GitHub. Definitive confirmation would require closed-source intelligence or legal investigative access, which is beyond the scope of this analysis.

The primary purpose of this report is to demonstrate how OSINT tools and techniques can empower cybersecurity researchers to uncover threat actor infrastructure, map digital footprints, and inform defensive strategies. By leveraging resources like Zone-Xsec, social media monitoring, and GitHub analysis, this report provides actionable insights for tracking Boss Ranzen’s activities, mitigating their impact, and supporting further investigation by cybersecurity professionals or law enforcement agencies.