Check Point Software Technologies has identified a rapidly expanding hacktivist collective known as Hezi Rash, a Kurdish nationalist group conducting ideological DDoS attacks across multiple regions. Founded in 2023, the group has significantly increased its operational activity and formed partnerships with other threat actors in the global hacktivist landscape.
Origins and Ideology
The name Hezi Rash translates to “Black Force” in Kurdish. The group portrays itself as a digital defender of Kurdish and Muslim communities, often reacting to symbolic provocations. One recent campaign followed a Japanese anime scene depicting a burning Kurdish flag, which led to a wave of DDoS attacks against anime-related websites in Japan.
Targets have included Japan, Türkiye, Israel, Iran, Iraq, and Germany, with no focus on specific sectors. Hezi Rash’s actions are motivated by ideology rather than profit, seeking to disrupt and draw attention rather than exfiltrate data.
Scale and Impact
Between August and October 2025, Check Point’s External Risk Management team attributed approximately 350 DDoS attacks to Hezi Rash. This represents a significant increase compared with similar hacktivist groups, suggesting a deliberate campaign to expand visibility and influence.
Most of the attacks caused temporary website outages and short-term service interruptions. While not technically sophisticated, their growing operational tempo and alliances indicate that the group is increasing in both coordination and capability.
“Hezi Rash illustrates how ideologically motivated groups can quickly evolve through shared infrastructure and open collaboration across hacktivist networks,” noted Check Point Research.
Tools and Collaborative Networks
Although Hezi Rash conceals much of its infrastructure, open-source intelligence suggests that it leverages tools and services from other established actors, including:
- EliteStress – a DDoS-as-a-Service platform linked to Keymous+, identified as an ally.
- Killnet – a pro-Russian collective known for providing botnet resources to partner campaigns.
- Project DDoSia and Abyssal DDoS v3 – associated with NoName057(16) and Mr. Hamza.
These collaborations appear pragmatic, with shared infrastructure and mutual convenience rather than unified ideology driving cooperation.
Digital Footprint and Attack Distribution
The group maintains an active digital presence on Telegram, TikTok, YouTube, and X (formerly Twitter), which are used to distribute propaganda, communicate operational updates, and recruit new participants. Attack telemetry indicates a particularly high number of incidents targeting Japan, underscoring the symbolic nature of its actions.
Defensive Recommendations
Check Point Research recommends the following measures to mitigate the risks posed by Hezi Rash and similar hacktivist collectives:
- Use DDoS mitigation services such as AWS Shield or Cloudflare Magic Transit.
- Limit HTTP requests to critical endpoints and apply WAF validation pages for automated traffic filtering.
- Reduce connection durations and enforce strict rate limits per IP.
- Block traffic originating from non-legitimate browsers or scripts.
- Apply geoblocking for regions unrelated to business operations.
- Monitor spikes in traffic from residential IPs, often linked to volunteer-driven DDoS activity.
Hezi Rash represents the modern evolution of hacktivism — ideologically motivated, decentralised, and increasingly capable through global cooperation. While its campaigns remain relatively unsophisticated, the group’s rapid development and alliances highlight the need for continued monitoring by enterprises and national cyber defence centres.