Executive Summary
KliknKlik, a consumer services company based in Indonesia, has been listed as a victim on the APT73 threat group’s dark web portal, published on June 23, 2026. The listing was identified through SOCRadar’s Dark Web Monitoring service. The company operates in the consumer services space, a model that typically involves large volumes of customer-facing accounts and online transactions. Its appearance adds a Southeast Asian consumer-facing brand to the group’s recent listing population.
Technical Analysis
Initial-access correlation against SOCRadar’s stealer-log telemetry surfaced a notable exposure for the kliknklik.com domain. The sample contained one corporate credential on a target-owned system and three more @kliknklik.com credentials captured on third-party services, alongside a larger volume, around twenty-one records, of consumer or generic accounts on the company’s own domain, consistent with its consumer-facing model. Notably, a hosting or admin control-panel endpoint appeared among the captured credentials, and an identity/SSO aggregator login was tied to a corporate user. The dominant profile was mixed, and all log dates fell within a tight window in mid-to-late June 2026, indicating recent, active harvesting rather than long-tail persistence. The control-panel exposure is the highest-priority item, as such access can carry infrastructure-level consequences.

For threat groups such as APT73, infostealer-harvested credentials are a well-documented initial access vector: operators or initial access brokers source fresh logs from underground marketplaces, validate corporate credentials, and use them to log into administrative panels, SSO, or remote-access portals before further intrusion activity. While the stealer-log evidence here does not confirm that these specific credentials were used by APT73, the recent and concentrated harvesting of corporate and control-panel credentials is consistent with the kill chain typically observed for this class of incident.

CTI teams should prioritize resetting the corporate and hosting credentials, enforcing MFA, and auditing control-panel access logs for unauthorized changes.
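The triage described above (sorting stealer-log records into corporate-on-target, corporate-on-third-party and consumer buckets, flagging control-panel and SSO endpoints, and checking how tightly the capture dates cluster) can be scripted. The example below is added here and is not SOCRadar's tooling; the log records, the endpoint markers and the 14-day recency threshold are constructed assumptions.

```python
from datetime import date
from urllib.parse import urlparse

# Constructed sample stealer-log records (login URL, username, capture date).
SAMPLE_LOGS = [
    ("https://cpanel.kliknklik.com:2083/login", "admin@kliknklik.com", date(2026, 6, 18)),
    ("https://sso.example-idp.net/login", "ops@kliknklik.com", date(2026, 6, 20)),
    ("https://mail.example-saas.com/", "hr@kliknklik.com", date(2026, 6, 21)),
    ("https://www.kliknklik.com/account/login", "user1@gmail.com", date(2026, 6, 19)),
    ("https://www.kliknklik.com/account/login", "user2@yahoo.com", date(2026, 6, 22)),
]

CORP_DOMAIN = "kliknklik.com"
# Markers treated as hosting/admin control panels or identity providers (assumption).
ADMIN_MARKERS = ("cpanel", "plesk", "whm", "/admin", "/wp-admin")
ADMIN_PORTS = (2083, 2087, 8443)
SSO_MARKERS = ("sso", "okta", "idp")
RECENT_WINDOW_DAYS = 14

def is_corp_host(host):
    return host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN)

def classify(record):
    """Return (bucket, priority) for one stealer-log record."""
    url, user, _ = record
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    corp_user = user.lower().endswith("@" + CORP_DOMAIN)
    on_target = is_corp_host(host)
    if corp_user and on_target:
        bucket = "corporate_on_target"
    elif corp_user:
        bucket = "corporate_on_third_party"
    elif on_target:
        bucket = "consumer_on_target"
    else:
        bucket = "unrelated"
    if any(m in url.lower() for m in ADMIN_MARKERS) or parsed.port in ADMIN_PORTS:
        priority = "critical"  # control panel: infrastructure-level consequences
    elif corp_user and any(m in host for m in SSO_MARKERS):
        priority = "high"      # SSO login tied to a corporate identity
    elif corp_user:
        priority = "medium"
    else:
        priority = "low"
    return bucket, priority

def triage(records):
    """Summarise buckets, list critical endpoints and measure capture-date spread."""
    counts, critical = {}, []
    for rec in records:
        bucket, prio = classify(rec)
        counts[bucket] = counts.get(bucket, 0) + 1
        if prio == "critical":
            critical.append(rec[0])
    dates = [r[2] for r in records]
    span = (max(dates) - min(dates)).days
    return {"counts": counts, "critical": critical, "span_days": span,
            "recent_harvesting": span <= RECENT_WINDOW_DAYS}
```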