
A newly identified and still largely unknown threat actor, operating under the name JANDAMUDA, has recently surfaced on the Australian cyber threat landscape. Within the past 48 hours, two educational institutions appear to have been compromised, signalling a potentially dangerous trend targeting a very specific sector in Australia. Both victims are private religious schools, one in Victoria and one in New South Wales, which points to a potential pattern of targeted attacks on this industry.
Glenroy Private, a religious private school in Victoria.
Salamah, a religious private school in New South Wales.
From the text left on the compromised sites, we currently assume Jandamuda is an Indonesian threat actor. The text roughly translates to:
"Once we heard the melody that you dedicated to him/her
But it all felt like it collapsed, burning all our memories
Truly, my life means nothing without you
So become my saviour, fulfil my longing."
There is currently no indication that the text has any specific meaning or message.
The exact motive behind these attacks remains unclear. What makes this campaign particularly concerning is that the affected websites remain fully operational, likely leaving many of their users unaware of the breach. Instead of defacing the main site, the attackers have quietly injected a new HTML file under a hidden path within the domain, allowing their presence to go undetected.
Although information is currently limited, early indicators suggest Jandamuda may be a ransomware or infostealer group. Given the nature of the breach, it’s highly plausible that sensitive student data has been accessed or exfiltrated.
This stealthy approach, avoiding visible defacements in favour of obscured file placement, suggests a deliberate effort to evade detection and prolong the breach.
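Because the main pages stay intact, this kind of file placement is found by comparing the web root against a known-good baseline, not by looking at the site. The following is an added example, not code from the affected sites or from this article's authors: it hashes every file under a web root and reports anything added, modified or removed since the baseline. The function names, the extension list and the dot-directory heuristic are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

WEB_EXTS = {".html", ".htm", ".php", ".js"}  # assumption: content types to surface first

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(webroot):
    """Map every file path (relative to webroot, dot-directories included) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result

def diff_against_baseline(baseline, current):
    """List changes since the baseline; newly added web content sorts to the top."""
    findings = []
    for rel, digest in current.items():
        if baseline.get(rel) == digest:
            continue  # unchanged since the baseline was taken
        kind = "modified" if rel in baseline else "added"
        # Heuristic (assumption): a dot-prefixed path component counts as a hidden path.
        hidden = any(part.startswith(".") for part in rel.split("/"))
        web = os.path.splitext(rel)[1].lower() in WEB_EXTS
        findings.append({"path": rel, "kind": kind, "hidden_path": hidden, "web_content": web})
    for rel in baseline.keys() - current.keys():
        findings.append({"path": rel, "kind": "removed", "hidden_path": False, "web_content": False})
    findings.sort(key=lambda f: (not (f["kind"] == "added" and f["web_content"]), not f["hidden_path"], f["path"]))
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample web root
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>home</h1>")
        baseline = snapshot(root)  # in practice, taken at deploy time and stored off-host
        os.makedirs(os.path.join(root, ".cache", "x"))
        with open(os.path.join(root, ".cache", "x", "note.html"), "w") as f:
            f.write("constructed unexpected file")
        for finding in diff_against_baseline(baseline, snapshot(root)):
            print(finding)
```

Every added file is reported regardless of where it sits; the hidden-path flag only affects ordering, since an obscure path need not be dot-prefixed.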
Disclaimer: This is all the information available at this time. We will continue to monitor the situation and update this article as further details emerge. Subscribe to the newsletter below to receive further updates on this threat actor.
If you are one of the affected institutions, feel free to reach out for comment at contact@rivanorth.com