A new ideologically motivated threat actor has emerged with growing technical capabilities: Hezi Rash. This Kurdish nationalist hacktivist group, founded in 2023, has rapidly escalated its presence through a series of distributed denial-of-service (DDoS) attacks targeting countries perceived as hostile to Kurdish or Muslim communities.
Who Is Hezi Rash?

Figure 1: Hezi Rash logo
Hezi Rash, meaning “Black Force” in Kurdish, describes itself as a digital collective defending Kurdish society against cyber threats. Their messaging blends nationalism, religion, and activism, often reacting to symbolic provocations. For instance, a Japanese anime scene depicting a burning Kurdish flag triggered a wave of retaliatory DDoS attacks on anime-related platforms in Japan.

Figure 2: Burning of Kurdish flag
Their targets span Japan, Turkey, Israel, Iran, Iraq, and Germany, with no specific industry focus. Instead, their campaigns are ideologically driven, responding to perceived offenses against Kurdish identity or Muslim dignity.
Scale and Impact of Attacks
Between August and October 2025, Check Point’s External Risk Management team attributed approximately 350 DDoS attacks to Hezi Rash. This surge is significant compared to similarly sized hacktivist groups and suggests a strategic push for visibility and influence.
While the technical impact of these attacks, such as temporary website outages, is evident, the broader business consequences remain unclear. The attacks appear to be of the “usual variety,” focusing on disruption rather than sophisticated exploitation.
Tools and Alliances
Hezi Rash does not publicly disclose its attack infrastructure. However, open-source intelligence and observed affiliations suggest they may be leveraging tools and services from more established threat actors:
- EliteStress: A DDoS-as-a-service (DaaS) platform linked to Keymous+, a known ally.

Figure 3: EliteStress promotion through Keymous+ Twitter account
- Killnet: A pro-Russian collective offering botnet infrastructure.
- Project DDoSia and Abyssal DDoS v3: Toolkits associated with NoName057(16) and Mr. Hamza, respectively.
These alliances indicate that Hezi Rash operates within a broader ecosystem of hacktivist collaboration, often driven by mutual benefit rather than shared ideology.
Indicators of Compromise (IOCs)
Hezi Rash maintains a visible online presence across platforms like Telegram, TikTok, YouTube, and X (formerly Twitter). Their main website and social media accounts serve as hubs for propaganda and coordination.
Geographic Distribution of Attacks
A breakdown of attack data reveals the following top targets:

Figure 4: Distribution of DDoS attacks by country
The prominence of Japan as a target is particularly notable, given the lack of clear geopolitical tension with Kurdish communities. This anomaly underscores the symbolic nature of Hezi Rash’s campaigns.
Recommendations
To mitigate threats from Hezi Rash and similar actors, organizations should:
- Use DDoS mitigation services (e.g. AWS Shield).
- Rate-limit HTTP requests to sensitive endpoints.
- Deploy WAF challenge pages to filter bot traffic.
- Set short connection timeouts and limit concurrent IP connections.
- Block outdated or spoofed user agents.
- Geo-block traffic from non-business regions.
- Monitor for spikes from residential IPs, which may indicate volunteer-based attacks.
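One way to act on the last recommendation, as an added example that is not from the original report: count distinct residential client IPs per minute on a sensitive endpoint and flag minutes far above the median. The residential CIDR list, the `/login` path, the thresholds and the log lines are all constructed assumptions; in the sample burst each source sends a single request, so a per-IP rate limit alone would not trip.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Assumption: the operator supplies CIDR ranges classified as residential,
# e.g. from an IP-intelligence feed. These are documentation ranges (constructed).
RESIDENTIAL_NETS = [ipaddress.ip_network(n)
                    for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Combined log format: client IP, timestamp truncated to the minute, request path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+?):\d\d [^\]]+\] "\S+ (\S+)')

def is_residential(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed field
        return False
    return any(addr in net for net in RESIDENTIAL_NETS)

def per_minute_sources(lines, path):
    """Map minute -> set of residential client IPs that requested `path`."""
    buckets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == path and is_residential(m.group(1)):
            buckets[m.group(2)].add(m.group(1))
    return buckets

def find_spikes(lines, path, factor=5, floor=10):
    """Minutes whose distinct residential sources reach max(floor, factor * median)."""
    buckets = per_minute_sources(lines, path)
    if not buckets:
        return []
    baseline = median(len(s) for s in buckets.values())
    return sorted(m for m, s in buckets.items()
                  if len(s) >= max(floor, factor * baseline))

def sample_log():
    """Constructed log lines: three quiet minutes, then a distributed burst."""
    fmt = '{ip} - - [12/Oct/2025:10:{m:02d}:{s:02d} +0000] "GET /login HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"198.51.100.{i}", m=m, s=i)
             for m in range(3) for i in (1, 2)]
    lines += [fmt.format(ip=f"203.0.113.{i}", m=3, s=i) for i in range(1, 31)]
    lines += [fmt.format(ip="192.0.2.9", m=3, s=40)] * 50  # not residential: ignored
    return lines

if __name__ == "__main__":
    print(find_spikes(sample_log(), "/login"))
```

The median keeps the baseline stable even when the burst minute is part of the window being analysed.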
Hezi Rash exemplifies the modern hacktivist threat: ideologically motivated, technically capable, and increasingly networked. While their attacks may not yet rival those of major cyber crime syndicates, their rapid growth and strategic alliances warrant close monitoring. Organizations must stay vigilant and proactive in defending against this rising force in the DDoS landscape.
About Check Point External Risk Management
Check Point External Risk Management reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact. The Check Point External Risk Management solution provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web.
A team of global cyber security experts work alongside customers to rapidly detect, investigate, and disrupt relevant threats – before they have the chance to develop into major incidents. Global customers, including Fortune 500 leaders across all major market verticals, rely on Check Point External Risk Management to protect themselves from an array of external risks, including vulnerabilities, misconfigurations, phishing, impersonation attacks, malware infections, exposed credentials, data leaks, fraud, and 3rd party risks.
Together with Check Point’s prevention and detection technologies, External Risk Management gives organizations a clearer, more proactive stance against modern ransomware campaigns — helping them spot threats early, manage exposure, and respond before damage escalates.
For a deep dive into this research, read the full report here.



