What Happened
On May 2, 2026, the Facebook account using the name Nullsec Philippines published a post addressed to a state university in the MIMAROPA region. The post named the institution and reported a defacement of multiple internal management information system (MIS) subdomains covering its assets, records, and library functions. Each named subdomain was claimed to serve a `nullsec.html` marker page.
Below those institutional URLs, a separator line and roughly twenty additional URLs were listed, all pointing to `nullsec.html` marker pages on unrelated third-party infrastructure — a Philippine business platform stack (AMS, audit-portal, CMS, CRMS, DMS, ERP, files, LMS, PLP, POS, QR-code, server, SIS subdomains) and one separate marketing-and-mail domain. The post closed with "mirror? done~" and was signed "Yasuo | Nullsec Philippines".
The literal institutional subdomain prefixes and hostnames are not reproduced here: each prefix on its own is distinctive enough to reverse-identify the institution via DNS or search, which would defeat the anonymization applied to the rest of this entry.
Attached Evidence: Screenshots Suggest More Than Defacement
The post included multiple attached images. Reviewed at the institutional level (specific identities, tables, and dashboard contents are not reproduced here), the attachments include:
- The defacement page itself, showing the Nullsec Philippines branding placed on at least one of the named MIS subdomains
- What appears to be an administrative view of an internal MIS, including list-of-records dashboards and configuration screens consistent with logged-in staff access rather than a public student-facing portal
- An apparent employee identity record (an ID-card style image of one individual)
- What appear to be data tables consistent with rows of MIS records, partially obscured
If the screenshots are authentic and depict the institution's own systems, the appropriate read is that the actor obtained more than the file-system access required to upload a marker page — they obtained at least browse-level visibility into the MIS itself, and very likely the credentials or session needed to reach that view. This is materially more serious than the marker-page defacement implied by the URL list alone, and is the basis for marking this entry severity: high rather than the low/medium typical of a pure defacement.
The individual identity visible in the ID-card screenshot is not reproduced or named anywhere on this site. Per our methodology, no employee personal details are published except for publicly identified spokespersons acting in their official capacity.
What Makes This Disclosure Different: Bundled Mass-Mirror
Most Nullsec Philippines defacement claims tracked on this site target a single institution at a time — see the Assumption College of Davao defacement (April 2), the Cebu City private university subdomain defacement (April 1), and the La Union colleges defacement (March 29). This post is structurally different: the university's three MIS subdomains appear at the top of a single mass-mirror dump that also touches an unrelated business platform stack.
Two readings are possible from the post structure alone:
1. Shared hosting or shared deployment infrastructure — the bundling implies the actor pivoted across multiple targets from a single foothold, similar to the shared hosting compromise that took down two La Union colleges in March
2. Independent compromises mirrored together for visibility — the actor may have separately defaced each target and grouped them in one post for reach
Neither reading has been independently confirmed. The implication for the university is the same either way: each named subdomain should be treated as having received attacker-controlled content until proven otherwise.
What Is and Isn't Confirmed
Confirmed from the post and its attached screenshots:
- The threat actor publicly named the institution and listed three of its MIS subdomains as affected
- The actor claims to have placed `nullsec.html` marker pages, consistent with prior Nullsec Philippines defacement methodology
- The post is part of a larger mirror dump that the actor ties to the same campaign
- The post includes screenshots that, taken at face value, depict an administrative view of an internal MIS — including dashboard interfaces and at least one apparent employee identity record. If authentic, this evidences access well beyond file-upload of a marker page
Not confirmed:
- Whether the named subdomains currently serve attacker content or have been restored
- The vulnerability class used (file upload bug, default credentials, exposed CMS endpoint, shared infrastructure compromise, etc.) — the actor did not describe the technical mechanism
- Whether write access to the web layer extended to the underlying student, records, or library databases — admin-tier visibility implied by the screenshots does not by itself prove bulk exfiltration, but it is consistent with the level of access required to read or modify records in the MIS
- Whether the screenshots are authentic captures from the institution's own systems rather than fabricated or sourced from a different deployment of the same software
- Whether the university has been notified, has notified the National Privacy Commission (NPC), or has begun remediation
This entry is sourced solely from the threat actor's social-media post and is therefore tracked as investigating pending independent verification. The institution name has been withheld in public display.
Attacker
The post was signed Yasuo with a co-attribution line of Nullsec Philippines. The same handle and broader Nullsec collective have been tied to the Assumption College of Davao defacement (April 2), the La Union colleges shared-hosting compromise (March 29), and the broader Nullsec / Fawkes Pilipinas / Crypt0nymz campaign documented elsewhere in this dataset, including the San Juan, Batangas Catholic K-12 claim (May 1), the Rosario, Batangas private school claim (April 28), and the Cebu City private university subdomain defacement (April 1).
Recommended Actions for the Institution
1. Take the affected MIS subdomains offline immediately — replacing them with a maintenance page is preferable to leaving subdomains capable of serving attacker-uploaded content reachable while the access vector is being scoped
2. Preserve web, application, file-system, and authentication logs for the three named subdomains and for any shared web server or CMS that hosts them — at minimum the past 30 days, before logs age out
3. Treat backend databases as in-scope until proven otherwise — the access required to upload a defacement page to an MIS subdomain often extends to the database that subdomain reads from. Audit the records, library, and assets databases for unauthorized reads, writes, or new accounts
4. Force credential and session resets on every administrative account that touches the affected subdomains, and rotate any shared service credentials they use
5. Assess whether other MIS subdomains share the same access vector — if all three named subdomains were reached via a single file-upload bug, default credential, or shared CMS instance, the rest of the institution's web estate likely has the same exposure
6. Notify the National Privacy Commission (NPC) within 72 hours under RA 10173 — defacement of subdomains explicitly named "records," "library," and "assets" creates reasonable suspicion that personal data was placed at risk. The notification threshold is risk to personal data, not the institution's certainty that exfiltration occurred
7. Issue a public statement acknowledging the incident and describing remediation — silence in the face of a public defacement claim creates space for misinformation and erodes community trust
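As an added example (not part of the original entry and not the institution's tooling), the sketch below shows one way to work through the preserved web logs from actions 2 and 5: for each subdomain it finds when `nullsec.html` was first served successfully, lists successful write requests in the preceding window, and flags clients that appear on more than one host. The log format (Common/Combined), the 24-hour window, the `POST`/`PUT` filter, and all hostnames, IPs and paths are assumptions or constructed placeholders.

```python
import re
from datetime import datetime, timedelta

MARKER = "nullsec.html"          # marker filename named in the actor's post
WRITE_METHODS = {"POST", "PUT"}  # assumption: uploads arrive via these methods
WINDOW = timedelta(hours=24)     # assumption: look-back before first marker hit
# Common/Combined Log Format: ip - user [time] "METHOD path proto" status size
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip malformed lines rather than abort the triage
    return {**m.groupdict(), "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def triage(logs_by_host):
    """Per host: when the marker was first served, and successful writes before it."""
    report = {}
    for host, lines in logs_by_host.items():
        recs = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
        hits = [r for r in recs if r["status"] == 200
                and r["path"].split("?")[0].rsplit("/", 1)[-1] == MARKER]
        if not hits:
            continue
        first = hits[0]["ts"]
        writes = [(r["ip"], r["path"]) for r in recs
                  if r["method"] in WRITE_METHODS and r["status"] < 400
                  and first - WINDOW <= r["ts"] <= first]
        report[host] = {"first_served": first, "candidate_writes": writes}
    return report

def shared_clients(report):
    """Client IPs with candidate writes on more than one host (single-foothold hint)."""
    seen = {}
    for host, info in report.items():
        for ip, _ in info["candidate_writes"]:
            seen.setdefault(ip, set()).add(host)
    return {ip: hosts for ip, hosts in seen.items() if len(hosts) > 1}

# Constructed sample lines; hostnames, IPs and paths are placeholders, not from the incident.
SAMPLE = {
    "mis-a.example.edu": ['198.51.100.7 - - [01/May/2026:22:10:03 +0800] "POST /files/upload HTTP/1.1" 200 512',
                          '198.51.100.7 - - [01/May/2026:22:10:09 +0800] "GET /nullsec.html HTTP/1.1" 200 1843'],
    "mis-b.example.edu": ['198.51.100.7 - - [01/May/2026:22:14:40 +0800] "POST /files/upload HTTP/1.1" 200 512',
                          '198.51.100.7 - - [01/May/2026:22:14:51 +0800] "GET /nullsec.html HTTP/1.1" 200 1843'],
    "mis-c.example.edu": ['192.0.2.44 - - [02/May/2026:09:00:00 +0800] "GET /nullsec.html HTTP/1.1" 404 0'],
}
```

A shared client across hosts is only a hint toward the single-foothold reading: source addresses can change between requests, so an empty `shared_clients` result does not establish independent compromises. A host missing from the report means only that its logs show no successful marker request, not that the host is clean.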