Threat Intelligence Tarot
Vol. II · 143
Hacktivist + Criminal (mixed)
risk 3/5
The Painted Wall
KillSec
KillSec3 · Kill Security
Indian government portalsTelecommunicationsSmall businessesPublic services
Active since ~2023 · Notoriety, Anti-India and anti-government messaging, Financial gain via RaaS pivot
The Painted Wall starts as graffiti and ends as a ransom note. Ideology is the entry pose; recurring revenue is the strategy. The slogans on the leak site stay the same; the prices update weekly.
Tactics & Techniques
RCN
RDV
INI
EXC
PRS
PRV
EVA
CRD
DSC
LAT
COL
C2
EXF
IMP
T1190
Exploit Public-Facing Application
Initial Access
T1486
Data Encrypted for Impact
Impact
T1567.002
Exfiltration to Cloud Storage
Exfiltration
T1491
Defacement
Impact
T1078
Valid Accounts
Persistence
T1490
Inhibit System Recovery
Impact
Notable Operations
  • Indian government portal defacement campaigns
  • Telecom intrusion claims against South Asian operators
  • Transition to ransomware-as-a-service operations (late 2024)
  • KillSec affiliate program advertising on dark-web forums
Defenses
  • Government portal CDN protection and rate limiting
    OWASP ASVS
  • Continuous CVE patching for public-facing applications
    CISA KEV Catalog
  • RaaS affiliate program monitoring on dark-web forums
    NIST CSF: ID.RA
  • Immutable backups tested against ransomware playbooks
    CIS Control 11
Reversed: Their Weakness
Hacktivist-to-RaaS conversions are detectable in messaging tone shifts and infrastructure overlap with established criminal hosters. Threat intelligence teams that track tone, not just IOCs, often see the pivot first.

Share this adversary profile

Compare →

swipe to browse

← PreviousThe Pride Banner
Related Adversaries
The Watching Child
Handala
5 shared TTPs
The Incorporated Hunger
INC Ransom
5 shared TTPs
The Loud Shame
8Base
5 shared TTPs
Data sourced from MITRE ATT&CK. For educational purposes.