Security researchers have identified a Kurdish nationalist hacktivist collective named Hezi Rash, said to have emerged in 2023 and to be mounting distributed denial-of-service (DDoS) campaigns against countries it perceives as hostile to Kurdish or Muslim communities. Check Point’s External Risk Management team attributed roughly 350 DDoS incidents to the group between August and October 2025.
Hezi Rash, which is described in open reporting as meaning “Black Force” in Kurdish, mixes nationalist and religious messaging and appears to react to symbolic provocations. One cited example is a Japanese anime scene showing a burning Kurdish flag that preceded a wave of attacks on anime-related platforms in Japan.
The group’s targets have included organisations in Japan, Turkey, Israel, Iran, Iraq and Germany. Observers say Hezi Rash shows no consistent industry focus; its campaigns are portrayed as ideologically driven and aimed at disruption rather than data theft or long-term intrusion.
Hezi Rash does not publicly disclose its attack infrastructure, but open-source reporting and observed affiliations suggest possible use of DDoS-as-a-service offerings and botnet toolkits. Named services and allies include EliteStress (a DaaS platform linked to Keymous+), Killnet, Project DDoSia and Abyssal DDoS v3, indicating operation within a wider hacktivist ecosystem.
The technical effects reported so far have typically been temporary website outages and service disruption. Recommended mitigations for organisations cited by analysts include using DDoS mitigation services (for example AWS Shield), rate-limiting, WAF challenge pages, short connection timeouts, limits on concurrent IP connections, blocking outdated or spoofed user agents, geo-blocking non-business regions and monitoring spikes from residential IP addresses.
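Two of the mitigations listed above, per-IP rate-limiting and blocking outdated user agents, are shown below as triage logic run over request events. This is an added example, not code from Check Point's report or from the original article; the thresholds, the user-agent patterns, the treatment of a missing user agent and the sample events are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

WINDOW_S = 10            # sliding window length in seconds (assumed value)
MAX_REQ_PER_WINDOW = 5   # per-IP request budget inside one window (assumed value)
# Assumed signatures of long-retired browsers; tune against your own traffic.
OUTDATED_UA = re.compile(r"MSIE [1-9]\.|Chrome/[1-4]\d\.|Firefox/[1-3]\d\.")

def triage(events):
    """events: time-ordered (epoch_seconds, client_ip, user_agent) tuples.
    Returns {ip: reason} for clients that should get a challenge page or a block."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip, ua in events:
        if ip in flagged:
            continue              # already decided; no need to keep counting
        # A missing user agent is treated like an outdated one (assumption).
        if not ua or OUTDATED_UA.search(ua):
            flagged[ip] = "outdated-or-missing-user-agent"
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW_S:
            window.popleft()      # drop requests that aged out of the window
        if len(window) > MAX_REQ_PER_WINDOW:
            flagged[ip] = "rate-limit"
    return flagged

# Constructed sample events using documentation address ranges (RFC 5737).
MODERN = "Mozilla/5.0 (X11; Linux x86_64) Chrome/126.0.0.0 Safari/537.36"
LEGACY = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE = sorted(
    [(100 + i, "203.0.113.7", MODERN) for i in range(8)]        # burst: 8 req in 8 s
    + [(101, "198.51.100.9", LEGACY)]                           # retired browser
    + [(100 + 20 * i, "192.0.2.20", MODERN) for i in range(3)]  # normal pacing
)

if __name__ == "__main__":
    for ip, reason in triage(SAMPLE).items():
        print(ip, reason)
```

In production the same decisions normally live in the WAF or reverse proxy; the function is useful for replaying access logs to choose thresholds before enforcing them.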
Check Point’s external risk management capabilities are described as combining continuous attack-surface discovery with intelligence gathering from across the open, deep and dark web; the vendor has also published a full report on the activity. Analysts say the group’s rapid growth and alliances merit ongoing monitoring, even if its operations currently appear less sophisticated than major cybercrime syndicates.

