A newly emerged hacktivist collective calling itself Hezi Rash (‘Black Force’) has sharply increased DDoS activity across multiple countries. Between August and October 2025, researchers observed around 350 attacks — a remarkable volume for a group that had only surfaced recently.
Unlike more traditional hacktivist campaigns, Hezi Rash does not limit its focus to one region or sector. Targets have included government services, news outlets, financial portals and entertainment platforms. The operations are ideologically motivated and often triggered by perceived cultural or political provocations. One recent trigger was the online spread of content showing Kurdish symbols being defaced, which prompted a series of retaliatory attacks.
Japan, Turkey, Israel, Germany and Iran were among the most frequently hit countries, with Japan alone recording more than 60 incidents in just a few months. Rather than building custom attack tools, the group has taken advantage of rental infrastructure and shared botnets, allowing fast scaling and instant visibility without requiring significant technical expertise.
Researchers say this pace of activity is unusual for an ideologically driven actor. The volume of attacks in such a short period indicates coordinated logistics and access to powerful infrastructure. The group’s targeting also breaks expected patterns: symbolic triggers and media flashpoints are increasingly driving operations against non-regional targets, which makes defensive prioritisation more complex for organisations that might not consider themselves likely victims.
Attribution is another challenge. Because the attacks rely on publicly accessible DDoS-as-a-Service platforms such as EliteStress and Abyssal DDoS v3, the same infrastructure can be reused by other actors. This overlap makes it difficult to distinguish between different hacktivist operations and limits the effectiveness of simple IP-based filtering. The attacks are not always exceptionally large in terms of bandwidth, but their frequency and unpredictability place a continuous burden on network defenders.
Hezi Rash emerged in 2023, framing itself as a digital defender of Kurdish communities and blending nationalist and religious messaging. Its online presence spans Telegram, TikTok, YouTube and X, where the group shares announcements and screenshots of claimed downtime. Public evidence indicates links to other well-known collectives including NoName057(16), Killnet and Keymous+, which provide access to wider attack infrastructure.
Most of the observed attacks run for minutes or hours before moving on to new targets. Traffic patterns suggest semi-automated workflows rather than manual control, and the group frequently combines HTTP floods with TCP SYN floods or other vectors to maximise disruption of availability.
Although motivation may be political, the reliance on rental DDoS tooling highlights a broader shift in hacktivism. Organised alliances and readily available attack services enable rapid mobilisation and make it far easier to launch global campaigns with minimal effort. Security teams are encouraged to maintain layered DDoS defences and actively watch for unusual residential or proxy traffic patterns, which often signal the use of DDoS-as-a-Service platforms.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com