What Happened
On May 2, 2026, the Facebook account using the name Nullsec Philippines publicly posted a one-line claim addressed to a technical institute in Laguna. The post text read:
"another one [school name] NWYAHAHHAA"
The post linked to two URLs:
- A single HTML file hosted on a third-party Philippine content platform (the host's identity and the file's path are withheld here because the URL itself names the school)
- A public archive snapshot of that HTML file (URL withheld for the same reason)
The post was signed "- Nostra", a handle that recurs across Nullsec Philippines attribution lines.
What Makes This Disclosure Different: Off-Domain Defacement
Most Nullsec Philippines defacements tracked on this site place the marker page on the target's own infrastructure — see the Assumption College of Davao defacement (April 2), where the school's homepage itself was overwritten, or the MIMAROPA state university MIS defacement (May 2), where three of the school's MIS subdomains were named. This post is structurally different in three ways:
1. The defacement page is hosted on a third-party platform that the school may or may not have any relationship with, not on a domain controlled by or affiliated with the school
2. No school subdomain or URL is named as defaced — the actor did not point at any `*.[school].edu.ph` resource
3. No specific access vector, sample data, or technical detail is provided — the post is a one-line caption plus two links
Three readings are possible from the post structure alone:
- The school uses the third-party platform as part of its web presence (a community portal, an LMS-adjacent page, or a hosted content area) and the file was uploaded via that platform's file-upload functionality
- The defacement targets a page maintained by or about the school on a community platform the school does not directly control
- The link is not a "site defacement" against the school in any meaningful sense — rather, the actor uploaded a marker page to a vulnerable third-party host and named the school in the page contents
The third reading is materially different in impact from the first two: it would mean the institution has no security incident to remediate, and the appropriate response is to ask the third-party host to remove the page and to monitor for further misuse of the institution's name.
What Is and Isn't Confirmed
Confirmed from the post itself:
- The threat actor publicly named the institution
- A single HTML file on a third-party Philippine content platform was created and references the institution
- A public archive snapshot of that file exists
Not confirmed:
- Whether the institution operates, owns, contracts with, or is otherwise affiliated with the third-party platform in any capacity
- Whether the defacement page is reachable from any official institutional channel (school homepage, social account, email, document)
- Whether the actor accessed any institutional system at all — the public footprint of the claim is consistent with an unauthenticated file upload to the third-party host alone, with no involvement of the school's own systems
- Whether the school has been notified, is aware, or considers the post to constitute an incident affecting its systems
This entry is sourced solely from the threat actor's social-media post and is therefore tracked with the status "investigating", pending independent verification of the relationship between the institution and the third-party host. The institution name, the third-party platform's identity, and the URLs of both the defacement page and its archive snapshot have been withheld in public display.
Attacker
The post was signed Nostra under the Nullsec Philippines banner. The same handle and broader Nullsec collective have been tied to the Assumption College of Davao defacement (April 2), the La Union colleges shared-hosting compromise (March 29), and the broader Nullsec / Fawkes Pilipinas / Crypt0nymz campaign documented elsewhere in this dataset, including the MIMAROPA state university MIS defacement (May 2), the San Juan, Batangas Catholic K-12 claim (May 1), the Rosario, Batangas private school claim (April 28), and the Cebu City private university subdomain defacement (April 1).
Recommended Actions for the Institution
1. Determine whether the institution has any relationship with the third-party platform — review vendor records, IT inventories, and faculty / student-org accounts to establish whether the platform is officially or unofficially used in connection with the institution. (The platform's identity is recorded internally and can be shared with the institution on request.)
2. Request takedown from the third-party host — the platform should be asked to remove the uploaded file and to confirm whether the upload was made via an authenticated account (and if so, whose) or via an unauthenticated file-upload bug
3. Preserve evidence — save the public archive snapshot and the original defacement URL (and any audit logs the platform can provide) before they are deleted
4. Issue a short factual statement if asked by the community — even if the institution had no involvement, a public defacement page bearing the school's name materially affects reputation; a one-paragraph clarification is preferable to silence
5. Audit official institutional URLs — confirm that no `*.[school].edu.ph` page or institutional Facebook / LMS account is currently serving attacker content, even though the actor did not name any
6. Monitor for follow-up posts — Nullsec Philippines has historically returned to a target with additional disclosure or data sample posts when a first claim was thin; absence of follow-up after several days is a signal that the original post may have been opportunistic rather than evidence of deeper access
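Steps 3 and 5 above, as an added example that is not part of the original report: it hashes each already-fetched page body for an evidence manifest and flags bodies that carry the actor names listed in the Attacker section. The function names, the `school.example` hostnames and the sample bodies are constructed for illustration, and fetching the pages is assumed to be done by the caller.

```python
import hashlib
import html
import re
from datetime import datetime, timezone

# Names taken from this report's attribution section.
GROUP_MARKERS = ("nullsec", "fawkes pilipinas", "crypt0nymz")
# "Nostra" is also an ordinary Latin/Italian word, so alone it is a weak signal.
WEAK_MARKERS = ("nostra",)

def normalize(body: str) -> str:
    """Drop tags, decode entities, collapse whitespace, lower-case."""
    text = html.unescape(re.sub(r"<[^>]*>", " ", body))
    return re.sub(r"\s+", " ", text).strip().lower()

def hits(markers, text):
    """Return the markers that occur in text as whole words."""
    return [m for m in markers if re.search(rf"\b{re.escape(m)}\b", text)]

def audit(pages: dict) -> list:
    """pages maps URL -> raw response bytes already fetched by the caller."""
    manifest = []
    for url, raw in sorted(pages.items()):
        text = normalize(raw.decode("utf-8", errors="replace"))
        strong, weak = hits(GROUP_MARKERS, text), hits(WEAK_MARKERS, text)
        verdict = "review-now" if strong else "weak-signal" if weak else "clean"
        manifest.append({
            "url": url,
            "sha256": hashlib.sha256(raw).hexdigest(),  # hash of the exact bytes served
            "size": len(raw),
            "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "verdict": verdict,
            "markers": strong + weak,
        })
    return manifest

# Constructed sample bodies; the hostnames are placeholders, not real sites.
SAMPLE_PAGES = {
    "https://www.school.example/": b"<html><title>Institute</title><p>Enrollment is open.</p></html>",
    "https://chapel.school.example/": b"<p>Ave Maria, Domina  nostra</p>",
    "https://portal.school.example/index.html":
        b"<title>another one</title><h1>Nullsec<br>Philippines</h1><p>- Nostra</p>",
}

if __name__ == "__main__":
    for row in audit(SAMPLE_PAGES):
        print(row["verdict"], row["url"], row["sha256"][:16], row["markers"])
```

A `weak-signal` row calls for a manual look rather than an alert; keep the manifest with the saved archive snapshot so the hashes can later be matched against whatever the host or platform hands over.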