Author: DarkOwl Content Team

Difference Between Information Security and Cybersecurity

February 19, 2026

In an era of data breaches and constant headlines focused on “security” topics, “security” has become a catch-all term. While the terms cyber security and information security are often used interchangeably, it is important to acknowledge that they focus on different areas – they are related, but their scope differs. In this blog, we will explore how they differ in scope, focus, and application.

To start, information security (infosec) can be thought of as an umbrella term, while cybersecurity is a specialization underneath that umbrella. Using the terms interchangeably can lead to gaps in your defense strategy, as cybersecurity focuses on the digital realm while information security protects data in all forms.

Information Security

Information Security is the broad practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. This includes both data in the digital realm, as well as physical data (think of a file on your computer and a file in your filing cabinet). The goal of information security is to protect the CIA Triad (note that since cybersecurity is a subset of information security, these goals align to cybersecurity as well – the scope is just more specific). The CIA Triad stands for confidentiality, integrity, and availability:

  • Confidentiality: is your sensitive information only accessible to those authorized to see it?
    • Common Threats: phishing, man-in-the-middle attacks, human error
  • Integrity: is your data authentic, accurate, and reliable?
    • Common Threats: man-in-the-middle attacks, human error, malware, hardware/software glitches
  • Availability: are the systems, networks, and data up and running whenever authorized users need them?
    • Common Threats: distributed denial of service attacks, hardware failure, ransomware, natural disaster

Examples of information security would be the practice of shredding sensitive paper documents, office keycard systems, and encryption policies. Threats against strong information security include theft, natural disasters, and physical breaches.

Cybersecurity

Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious digital attacks. If it involves the internet or a digital network, it’s cybersecurity. In the example above, cybersecurity covers the data in the digital realm – a file on your computer (and the systems, networks, and hardware that house it). The goal of cybersecurity is to protect against cyber attacks – hacking, malware, and phishing, to name a few. Examples of cybersecurity would be firewalls, antivirus software, and securing “Internet of Things” (IoT) devices. Threats that cybersecurity defends against include cyber warfare, hacking, and data breaches.

Security is a holistic culture, not just a software update. Information security and cybersecurity work together to create overlapping layers of defense. You cannot have a robust security policy without incorporating both: physical and digital layers of defense, and policies that cover both.

For example, infosec would set the overall policy of protecting and encrypting data (business level decision based on risk), while the cybersecurity division would implement the tech to do so (firewalls, encryption, multi-factor authentication, etc). In a situation where a breach or attack does happen, the two have distinct roles but cannot be successful without the other:

  • Information Security
    • Determines the data that was stolen
    • Manages the legal and regulatory fallout (GDPR/HIPAA notifications)
    • Initiates the Business Continuity Plan to ensure the company stays operational during the cleanup
  • Cyber Security
    • Identifies the threat details
    • Isolates the issue and stops it from continuing
    • Patches the vulnerability that the hacker used

In short, cybersecurity handles the threats (hackers, viruses, bots) while information security handles the risks (legal compliance, physical safety, data integrity).

With so many of us working from home, it is important to practice good daily security hygiene to make sure that not only the digital data of your company is safe, but potential physical risks are minimized as well. Below is a checklist covering the digital and physical bases to ensure your data stays private and your hardware stays safe:

Digital Checklist (Cybersecurity):

Protect your devices and network from remote attacks.

  • Secure the Router:
    • Change the default admin password
    • Enable WPA3 (or WPA2-AES) encryption
    • Turn off WPS (Wi-Fi Protected Setup)
  • Segment Your Wi-Fi:
    • Set up a “Guest Network” specifically for your work laptop
      • This keeps your work data separate from “unsecure” items like an Amazon Alexa or gaming console
  • Enable MFA/2FA:
    • Use an authenticator app (like Google Authenticator or Authy) on every account
  • Automate Updates:
    • Set your OS (Operating System) and browser to “Auto-Update” so you get security patches immediately
  • VPN for Public Use:
    • Use a reputable VPN to create an encrypted “tunnel” for your data

InfoSec Checklist:

Protect the physical environment and the data itself.

  • Full Disk Encryption:
    • Ensure BitLocker (Windows) or FileVault (Mac) is on
  • The “Clear Desk” Policy:
    • Don’t leave passwords on sticky notes
    • Shred any documents containing client names, addresses, or account numbers before throwing them away
  • Visual Privacy:
    • Use a privacy screen filter on your monitor
  • Secure Backup (3-2-1 Rule):
    • Keep 3 copies of your data
    • On 2 different types of media (laptop and an external drive)
    • With 1 copy stored off-site (encrypted cloud storage like Backblaze or iCloud)
  • Webcam Cover:
    • A physical slide cover for your camera is the only 100% guarantee against “camfecting”
  • Lock your computer when you step away

Q4 2025: Product Updates and Highlights

February 04, 2026

As we have wrapped up Q4, we’re excited to share major updates to our DarkOwl Vision product suite. Below we highlight some of the most exciting feature updates and launches. These enhancements and net-new features reflect our commitment to providing continued value to our partners, clients, and the cybersecurity community. We look forward to what is in store in Q1 of 2026!

Understanding darknet marketplaces is critical for identifying emerging threats, monitoring illicit activity, and staying ahead of the evolving cyber‑risk landscape. DarkOwl’s Market Explore feature delivers an intuitive experience to dive deep into our enhanced darknet marketplace dataset. We now have 81 markets, with more than 387,651 listings and 16,225 vendors in our enhanced market listing DarkMart database.

At the top of the Market Explore page, you’ll find a set of visualizations that help you quickly understand: 

  • Overall listing volume and vendor activity 
  • Top shipping sources by listing count 
  • Darknet markets and vendors with the highest activity levels 

Selecting View Charts expands the charts into a full‑screen visualization experience, where you can explore trends like: 

  • Enhanced Markets by Topic 
  • New Listings Over Time 
  • Shipping Sources Across the Entire Dataset 

Each market’s Overview page provides a snapshot of marketplace activity: 

  • Total Listings: Unique listings available within our dataset 
  • Total & Top Vendors: Overall vendor count and top vendors ranked by listing volume 
  • Top Shipping Source: The region shipping the highest volume of listings 
  • New Listings Over Time: Daily/weekly/monthly visual trends 
  • Shipping Sources Map: Color‑coded visualization from highest volume to lowest 

Additional analyst‑curated information may include Market Descriptions, Currencies Accepted, Admin Handles, Contact Information (emails, Jabber servers, PGP keys). If a PGP key exists, users can reveal and copy it with a single click. You can also jump directly from the Overview into the Markets Research section to further investigate specific listings. 

Building on the launch of DarkOwl’s Enhanced Marketplace Research in Q3, the team added several Research features: support for Findings, Search Blocks, and Site Context. Additionally, we have completed currency normalization for prices in market listings, allowing for Sort by Price features. 

Search results from selected paste sources have a new look and improved searchability. Paste results (more than 40 million documents) are now eligible to be returned when you filter by Post Date or Username in both Vision UI and Vision API. If available, Paste Authors are shown at the top of a UI search result and include a pivot link, just like Forum Post Authors or Market Vendors.

We launched our Findings Export feature for Cases, allowing our users to bulk export important results out of Vision UI into Word, CSV, or JSON. It makes sharing reports and moving data out of Vision UI faster and easier. This was a top feature request from our customers and we are thrilled to have delivered on this ask! 

  • To more easily filter out noisy sites, or data leaks you’ve already seen, we’ve added an “Exclude this Source” option on the Vision UI search result table.
  • We added 9 new actors to our Actor database in Q4. Additionally, Actor Explore and Actor API now include associated Sites in the Darknet Fingerprint tab. 

Highlights 

Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products. Let’s highlight just some of that growth:

  • 6% increase in credit card numbers
  • 2.5% increase in IPs
  • 5% increase in data leak records

When your search results come from data leaks, you can review additional information curated by DarkOwl analysts, giving you enrichment on the leak. The descriptions below are all available in our Leak Explore UI feature or the Leak Context API endpoint.

Ryanair Internal Communications

Data purported to be from RYANAIR was posted on DarkForums, a hacking forum, on November 19, 2025. According to the post, the data breach includes email addresses, ticket bookings, travel details (departures, destinations), flight numbers, and ticket claimants. Data exposed includes names, email addresses, internal documents, company names, and internal emails.

IRAN IP NETWORK INFRASTRUCTURE

A post on DarkForums, a hacking forum, on August 22, 2025 linked to the file: iran-net-100k.json. According to the post, the “Caucasian Brotherhood” leaked a dataset of Iranian network information that included IP addresses, open ports, software versions, and DNS records. Data exposed includes countries, IP addresses, and locations.

Farm Credit Union Of Colorado Bank

Data purported to be from Farm Credit was posted on BreachForums, a hacking forum, on September 8, 2025. Data exposed includes names, customer information, physical addresses, online profiles and user identification number (UID).


Curious how these features and data can make your job easier? Get in touch!

Threat Intelligence RoundUp: January

February 02, 2026

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. ‘Bad actor’ hijacks Apex Legends characters in live matches – BleepingComputer

Over the weekend of January 09, players in Apex Legends, a battle royale shooter game, reported game disruptions caused by threat actors hijacking characters, disconnecting users, and changing nicknames. Respawn, the publisher of the game, confirmed the security incident, stating that a “bad actor is able to control the inputs of another player remotely in Apex Legends”. The company does not believe threat actors were able to deploy malware or execute code. Read full article.

2. 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials – The Hacker News

On December 23, 2025, the Socket Threat Research Team announced the discovery of a five-month-long spear-phishing operation that turned 27 npm packages “into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in”. The campaign targeted 25 organizations across the U.S. and allied nations, focusing on manufacturing, industrial automation, plastics, and healthcare. Concentrating on sales and commercial personnel, the operation repurposed npm and package CDNs “into durable hosting infrastructure, delivering client-side HTML and JavaScript lures that the threat actor embeds directly in phishing pages.” Following initial interaction, the script redirects the browser to threat-actor-controlled infrastructure. Article here.

ReliaQuest’s Threat Research team has discovered a new phishing campaign using private messages to deliver malicious payloads with the intent to deploy remote access trojan (RAT). The attack began with a message sent via LinkedIn that contained a “malicious WinRAR self-extracting archive”. Once opened, the archive extracts four components, mainly a PDF disguised with names that align with the victim’s industry. The final payload attempts to communicate with an external server that can grant persistent remote access. Read more here.

Recent activity shows the Chinese threat actor Silver Fox has begun using income-tax-themed lures to distribute ValleyRAT. The group has focused on Indian entities, using phishing emails containing decoy PDFs claiming to be from India’s Income Tax Department. Opening the attachment leads victims to download files that inject ValleyRAT into the system and communicate with external servers. Read here.

5. University of Hawaii Cancer Center hit by ransomware attack – BleepingComputer

In August 2025, the University of Hawaii’s (UH) Cancer Center was the victim of a ransomware breach that stole participants’ data, including documents from the 1990s containing Social Security numbers. UH reported to the state legislature that threat actors broke into Cancer Center servers, “encrypted files related to a cancer study and demanded payment for a program to decrypt the files”. The breach targeted a specific research project and had no effect on clinical operations or patient care. Learn more.

6. North Korea-Linked Hackers Target Developers via Malicious VS Code Projects – The Hacker News

The Contagious Interview campaign, which has been linked to North Korean threat actors, has been observed leveraging Microsoft Visual Studio Code (VS Code) projects to deploy a backdoor on compromised systems. First discovered in December 2025, the attack involves instructing targets to clone a repository “on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment.” The overall goal is for the payload to run every time a file in the folder is opened, which eventually leads to deployment of malware such as BeaverTail and InvisibleFerret. Read full article.

7. Hackers claim to hack Resecurity, firm says it was a honeypot – BleepingComputer

Scattered Lapsus$ Hunters (SLH) announced via Telegram that they had breached systems belonging to Resecurity and stole internal data. To prove their claims SLH posted screenshots of the data which revealed communications between employees and Pastebin personnel. Resecurity published a report in December 2025 disputing the claims and stated after identifying threat actor probing activity in November 2025, they deployed a “honeypot” account. The account was in an isolated environment that contained fake information and was being monitored. Read full article.

8. China-linked hackers exploited Sitecore zero-day for initial access – BleepingComputer

The China-linked threat actor UAT-8837 has been observed attempting to compromise North American infrastructure by exploiting both known and zero-day vulnerabilities. The attacks begin by leveraging compromised credentials or by exploiting server vulnerabilities. Recent attacks include a zero-day flaw in Sitecore products, CVE-2025-53690. Researchers claim UAT-8837 uses “open-source and living-off-the-land utilities, continually cycling variants to evade detection.” Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Content, Content, Content: Top Blogs from DarkOwl in 2025

January 13, 2026

Thanks to our analyst and content teams, DarkOwl published over 100 pieces of content last year. DarkOwl strives to provide value in every piece written, highlighting new darknet marketplaces and actors, trends observed across the darknet and adjacent platforms, exploring the role the darknet has in current events, and highlighting how DarkOwl’s product suite can benefit any security posture. Below you can find 10 of the top pieces published in 2025.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

1. Telegram’s Crackdown: Why Accounts Are Getting Banned and What You Need to Know

The founder and CEO of Telegram, Pavel Durov, was arrested on August 24, 2024, at Paris-Le Bourget Airport. French authorities detained him as part of an investigation into Telegram’s alleged insufficient moderation of illegal activities on its platform, including child exploitation and drug trafficking. Following his arrest, Durov was indicted on multiple charges on August 28, 2024. He was placed under judicial supervision, prohibited from leaving France, and required to post bail of €5 million. As of February 2025, Durov remains under judicial supervision in France, awaiting further legal proceedings, and must appear at a police station twice a week. Should he be found guilty, the most serious charge, complicity in the administration of an online platform to enable organized crime and illicit transactions, carries a maximum penalty of 10 years’ imprisonment and a €500,000 ($521,000) fine.

In response to their CEO’s arrest Telegram announced plans to enhance its moderation policies and has expressed a willingness to cooperate more closely with law enforcement. They have been seeking to ensure that they are co-operating with authorities while claiming to continue to prioritize users’ privacy.

In this blog, we will explore what changes Telegram have said they have made, what effect DarkOwl analysts are seeing in response to these changes and what impact we expect to see in the future. Read blog here.

The darknet is a hidden part of the internet that operates beyond the reach of traditional search engines and mainstream platforms. Within this space, darknet marketplaces have emerged as virtual bazaars where anonymous buyers and sellers trade goods and services, often illicit, using privacy-focused technologies like Tor and cryptocurrencies such as Monero and Bitcoin. These markets are structured much like legitimate e-commerce sites, featuring product listings, vendor ratings, customer reviews, and even dispute resolution systems.

DarkOwl collects data from a wide range of marketplaces, capturing the breadth of listings, vendor activity, and community interactions. In this blog, we explore the state of darknet markets in 2025, highlighting which platforms lead in listings and vendor count, how products are distributed across categories, the flow of shipments around the world, and patterns of user engagement through reviews.

By examining these factors, we aim to provide a window into the scale, structure, and dynamics of this hidden economy, revealing both the major players and the underlying trends shaping the market landscape. Full blog here.

3. Extra! Extra! Read all about it! Archetyp Marketplace Takedown! 

In a major blow to the online drug trade, law enforcement agencies across Europe and the U.S. have taken down Archetyp Market, one of the most active and profitable dark web drug markets of the past five years. 

Launched in 2020, Archetyp wasn’t just another black market; it was the market. With over ~600,000 users and ~3,200 vendors, the platform facilitated transactions involving cocaine, meth, MDMA, and other narcotics. By its final days, it had moved an estimated ~$250–290 million in illicit goods, making it a titan among darknet marketplaces. Read blog here.

4. BreachForums Disruption Sparks Copycat Domains and Darknet Chaos

BreachForums abruptly went offline, prompting a wave of opportunistic copycat domains and widespread confusion within the dark web community. The shutdown—now allegedly confirmed via a PGP-signed statement by former administrators—was attributed to a zero-day exploit targeting the MyBB forum software. This vulnerability was reportedly exploited either by law enforcement or rival threat actors. Read more.

5. Dark Web Pharmacy and Illegal PX Medication Sales 

Dark web “pharmacies” have become a global black market for prescription medications and counterfeit drugs. These underground vendors operate on hidden parts of the internet, accessible only with special software like Tor, and sell everything from opioid painkillers and anxiety meds to fake pills. Recent international crackdowns have led to hundreds of arrests across multiple continents, showing just how far-reaching and organized this trade has become. By using encryption and anonymous networks, dark web drug sellers connect with buyers around the world while evading traditional law enforcement. This blog looks at where these rogue pharmacies are found and the platforms they use to move drugs outside the law. Check it out.

6. Threat Actor Spotlight: The Terrorgram Network: Origins, Operations, and Downfall

In April 2024 the UK took the unprecedented step to sanction a group known as Terrorgram as a terrorist organization. The UK was the first country to take this step, proscribing the group which consists of various Telegram channels which have been used to share and encourage extremist ideologies and methodologies. This marked the first time a group that is primarily organized on a messaging app has been declared a terrorist organization.

In this blog we will explore the origins of the group, how they operated and the current status of the organization. Read more.

7. Whistleblower Sites 101

In this blog, DarkOwl analysts provide a summary of the digital whistleblower landscape, outlining the role of the dark web and examining some noteworthy whistleblower platforms. Read blog here.

8. What is Doxing?

This blog aims to provide a comprehensive overview of doxing, its implications, and strategies to safeguard against it. Learn more.

As we entered 2025, we predicted what would be the major trends of the year. The ever-shifting landscape of cybercrime continues to evolve, with the darknet remaining a significant hub for illicit activities. From emerging technologies to shifting criminal tactics, understanding these trends is critical for cybersecurity professionals, law enforcement agencies, and the general public alike. Drawing on industry expertise, this post identified seven major threats and trends expected to shape the darknet. Full blog here.

10. Is Your City on the Dark Web? What Local Agencies Need to Know 

In 2023, investigators in a midsize U.S. city were tipped off to a darknet marketplace vendor offering “same-day delivery” of fentanyl-laced pills within specific zip codes. The listing named street corners and used coded references to local schools. It was not discovered by routine patrols or a community tip. It was found in an online space most local agencies never check: the dark web. 

The dark web is not just a place for global cybercriminal networks. It is a sprawling ecosystem where local-level threats are planned, traded, and discussed. Understanding what is being said about your city, and acting on it, can mean stopping crime before it happens. Read blog here.

2025, That’s a Wrap!

Thank you to everyone who reads, shares and interacts with our content! Anything you would like to see more of, let us know by writing us at [email protected]. Can’t wait to see what 2026 brings! Don’t forget to subscribe to our newsletter below to get the latest research delivered straight to your inbox every Thursday.

Threat Intelligence RoundUp: December

January 06, 2026

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Bloody Wolf Threat Actor Expands Activity Across Central Asia – InfoSecurity Magazine

The threat actor group, Bloody Wolf, has been observed using remote-access software to infiltrate government targets throughout Central Asia. Cybersecurity researchers claim the group has shifted from traditional malware to “a streamlined Java-based delivery method”. Reports claim the group has been operating a sustained campaign in Kyrgyzstan since June 2025 and recently began targeting Uzbekistan. By using counterfeit PDF documents, spoofed web domains, and fraudulent emails to pose as the country’s Ministry of Justice, the group has manufactured an air of legitimacy that has facilitated their access. Once a victim opens the downloaded JAR file, the loader retrieves additional components and installs NetSupport RAT for remote control. Read full article.

2. Poland arrests Ukrainians utilizing ‘advanced’ hacking equipment – Bleeping Computer

Three Ukrainians, claiming to be IT specialists, were arrested by Polish police while traveling through Europe. During a routine traffic stop, officers conducted a search of the threat actors’ vehicle, discovering suspicious items that could be “used to interfere with the country’s strategic IT systems, breaking into IT and telecommunications networks”. The seized equipment included “spy device detector, advanced FLIPPER hacking equipment, antennas, laptops, a large number of SIM cards, routers, portable hard drives, and cameras.” The data seized was encrypted, but officers from Poland’s Central Bureau for Combating Cybercrime (CBZC) claim to have been able to collect evidence. Article here.

Hours after CVE-2025-55182 was made public, Amazon Web Services (AWS) observed two different Chinese hacking groups, Earth Lamia and Jackpot Panda, beginning to weaponize the vulnerability. CVE-2025-55182, aka React2Shell, allows unauthenticated remote code execution in React Server Components (RSC). Using automated scanning tools, these threat actors have been observed exploiting additional vulnerabilities including CVE-2025-1338. AWS attributed the activity to Earth Lamia because the group reused infrastructure it had used earlier in the year. This situation highlights threat actors’ systematic approach to abusing vulnerabilities quickly and scanning for common vulnerabilities. Read more here.

On November 26, the Federal Communications Commission (FCC) announced threat actors had been hijacking US radio transmission equipment and broadcasting fake emergency tones and offensive material. Several stations in Texas and Virginia were targeted, resulting in broadcasts being disrupted by emergency signals, alert tones, and obscene language. The threat actors targeted Barix network audio devices and reconfigured them to capture attacker-controlled streams. The FCC reports that the incidents stemmed from unsecured equipment, noting that some stations did not discover the compromise until after the attacks and were seemingly unaware as they unfolded. Read here.

5. CISA warns of Chinese “BrickStorm” malware attacks on VMware servers – Bleeping Computer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of Chinese hackers backdooring VMware vSphere servers with BrickStorm. Malware samples analyzed by the National Security Agency (NSA) and Canada’s Cyber Security Centre were found on victim networks in which the attackers had specifically targeted VMware vSphere environments. In one of the incidents, the threat actors compromised a web server in an organization’s demilitarized zone (DMZ) in April 2024, then moved laterally to an internal VMware vCenter server and deployed malware. Learn more.

6. Glassworm malware returns in third wave of malicious VS Code packages – Bleeping Computer

First emerging in October, the Glassworm campaign has released 24 new packages distributing malware to OpenVSX and Microsoft Visual Studio. According to Koi Security, Glassworm malware uses “invisible Unicode characters to hide its code”. Following previous detection, Glassworm evolved technically, using Rust-based implants packaged inside extensions as well as invisible Unicode. Once the malware is installed it attempts to steal GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from 49 extensions. Additionally, the malware deploys a SOCKS proxy to route malicious traffic and give operators stealthy remote access. Read full article.
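The invisible-Unicode trick described above suggests a simple defensive check: scan extension or package source for code points that render as nothing in an editor. The scanner below is an added example written for this post, not code from Koi Security, DarkOwl, or the Glassworm analysis; the list of code points is an assumption about which ones commonly render invisibly, and the sample strings are constructed.

```python
"""Flag runs of invisible Unicode code points in source text (defensive scanner)."""
import unicodedata

# Zero-width / invisible code points commonly abused to hide text (assumed list).
ZERO_WIDTH = {0x00AD, 0x200B, 0x200C, 0x200D, 0x2060, 0x2061, 0x2062, 0x2063, 0x2064,
              0xFEFF, 0x115F, 0x1160, 0x3164, 0xFFA0}
# Bidirectional controls, which can also reorder how code is displayed.
BIDI_CONTROLS = {0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x2066, 0x2067, 0x2068, 0x2069}


def is_invisible(cp: int) -> bool:
    """True if the code point normally renders as nothing in an editor."""
    if cp in ZERO_WIDTH or cp in BIDI_CONTROLS:
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors
        return True
    if 0xE0000 <= cp <= 0xE007F:  # Unicode "tag" characters
        return True
    return unicodedata.category(chr(cp)) == "Cf"  # any other format character


def scan_source(text: str, allow_leading_bom: bool = True) -> list[dict]:
    """Return one dict per run of consecutive invisible characters.

    Each dict has: line, col (1-based start column), length, first (code point label).
    A UTF-8 BOM (U+FEFF) at the very start of the file is treated as benign by default.
    """
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run = None
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if allow_leading_bom and lineno == 1 and col == 1 and cp == 0xFEFF:
                continue
            if is_invisible(cp):
                if run is not None and run["col"] + run["length"] == col:
                    run["length"] += 1  # extend the current run
                else:
                    run = {"line": lineno, "col": col, "length": 1, "first": f"U+{cp:04X}"}
                    findings.append(run)
            else:
                run = None
    return findings


def report(text: str) -> list[str]:
    """Human-readable summary lines, one per run of invisible characters."""
    return [f"line {f['line']} col {f['col']}: {f['length']} invisible char(s) "
            f"starting at {f['first']}" for f in scan_source(text)]


# Constructed samples for demonstration (not real Glassworm code).
CLEAN = 'const greeting = "café";\nconsole.log(greeting);\n'
# A visible statement followed by 40 variation-selector code points that an
# editor would not display, the kind of run a hidden payload would occupy.
HIDDEN = ("// extension setup\n"
          + "const x = 1;" + "".join(chr(0xFE00 + i % 16) for i in range(40)) + "\n")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("hidden", HIDDEN)):
        lines = report(sample) or ["no invisible characters"]
        print(f"{name}: " + "; ".join(lines))
```

Legitimate non-ASCII text such as `café` is not flagged, since only format, zero-width, bidi-control and variation-selector code points count as invisible.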

7. React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable – Bleeping Computer

On December 03, React disclosed the vulnerability, CVE-2025-55182 aka React2Shell, detailing “that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.” React2Shell is a security flaw that allows attackers to run code on a server without logging in. It can be triggered with just one HTTP request and affects any framework that uses React Server Components, including Next.js. Over 77K internet exposed IP addresses are vulnerable to React2Shell and researchers believe 30 organizations are already compromised. Read full article.

8. RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware – The Hacker News

The malware group RomCom has been observed using the JavaScript loader SocGholish to target a U.S.-based civil engineering company. By targeting poorly secured websites, the group injects fake Google Chrome or Mozilla Firefox update alerts into otherwise legitimate but compromised pages. These alerts trick users into downloading malicious JavaScript that installs a loader, which then retrieves additional malware. According to Arctic Wolf researchers, this allowed the threat actors to execute commands on the compromised host through a reverse shell connected to the command-and-control (C2) server, enabling activities such as system reconnaissance and deployment of a custom Python backdoor known as VIPERTUNNEL. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl 2025 Recap: A Quick Reflection & Updates

December 30, 2025

As 2025 draws to a close, as we do every year, our content and marketing teams are taking a moment to reflect on the exciting events, trends, and changes the DarkOwl team experienced throughout the year. From major product advancements to strategic partnerships and thought leadership in the darknet intelligence space, this year has been marked by progress and momentum. We’re grateful to our customers, partners, and community for your continued engagement and support — and we look forward to building on these successes in 2026!

We hope you continue to find the topics we explore valuable, enlightening, and engaging. One final marketing reminder for the year: be sure to sign up for our weekly newsletter to stay updated on the latest insights from our research and content teams!

Around the World & Across the Industry

In 2025, DarkOwl continued its commitment to engaging with the global cybersecurity community. The team was active at leading industry events, including the RSA Conference in San Francisco, where we showcased our platform capabilities and met with peers and customers to discuss the evolving threat landscape. Check out where we will be in 2026 and request time to meet here.

Beyond trade shows, DarkOwl shared insights through webinars and blog posts on cutting-edge topics — from artificial intelligence’s role in threat intelligence to emerging darknet trends — providing thought leadership to practitioners and analysts worldwide.

And don’t worry! The team also made time for some fun. This summer, at our annual company get-together, we got to meet our adopted owl. 3 years ago, we adopted an owl! He jumped early from his Michigan nest in 2015, fractured his right wing in two places, and was on the ground for about a week next to a barn before he was picked up by the landowners and brought to a rehabilitation center. He was sent to the Raptor Education Foundation in Denver in August 2016, where he now lives. You can learn more about him on his dedicated adoption page.

Photos: RSA Conference in San Francisco, CA; the team at HQ in Denver, CO; ISS World Europe in Prague, Czech Republic.

Gotta show some pet love as well from our Pets Slack Channel (the best channel).😻

Yearly reminder: DarkOwl analysts and their pets recommend you never use your pet’s name in any password combination, as pet names are a popular entry in the wordlists threat actors use for brute force attacks.

Throughout 2025, our Product Team rolled out significant updates designed to empower analysts and security teams with deeper, more actionable darknet intelligence:

  • Enhanced Case Management: Vision UI now supports improved team workflows and collaboration with enhanced Case Findings features that include inline annotation and visual summary dashboards.
  • Leak Visualizations & Timeline Analytics: New visualizations help users grasp leak compositions and alert trends over time — enabling richer analysis and faster decision making.
  • Marketplace Intelligence: A major expansion of darknet marketplace capabilities incorporates rich structured data across dozens of fields — from vendor info to pricing and shipping — directly in Vision UI and API.
  • Universal Phone Query Builder & Export Flexibility: We introduced a Universal Phone Number Builder and expanded reporting formats — including Word export — to support a variety of operational needs.

These enhancements reflect our ongoing commitment to refining workflows, increasing visibility into complex data, and enabling faster, smarter insights for our users. These are just a few of the product updates made throughout the year! You can check out more in our quarterly blogs, starting here.


DarkOwl’s blog continued to be a hub for expert analysis on darknet intelligence, cyber threats, and cybersecurity trends. Notable posts from late 2025 included practical guides on cyber hygiene, explorations of how threat actors operate, and even insights into unique aspects of darknet ecosystems like vendor shipping choices.

In addition, DarkOwl was selected as the darknet technology of choice for Channel 4’s series Hunted, offering real-world demonstrations of how darknet intelligence supports investigative work.

2025 saw DarkOwl strengthen its global reach through a series of partnerships aimed at bringing darknet intelligence to more organizations:

  • Strategic Alliance with Ticura: A collaboration to simplify dark web monitoring workflows and broaden operational accessibility for security teams and MSSPs alike.
  • 8com GmbH & Co. KG Partnership: 8com integrated DarkOwl’s Vision UI and Search API into its SOC workflows to enhance early detection of compromised data and proactive defense measures.
  • Global Reseller Partnerships: Authorized reseller agreements — including with Hottolink in Japan — expanded access to DarkOwl’s threat intelligence solutions across international markets.

These collaborations underline DarkOwl’s role as a trusted provider of darknet intelligence to enterprises, security practitioners, and service providers around the globe.

As we close out 2025, we are energized by the rapid evolution of both cybersecurity challenges and the tools needed to address them. DarkOwl is committed to pushing the frontier of darknet intelligence — delivering deeper insights, smarter workflows, and stronger partnerships that equip our customers to stay ahead of threats.

Thank you for being part of our 2025 journey. Stay connected by subscribing to our newsletter, engaging with our content, and joining us at events in the year ahead!


Don’t miss any updates from DarkOwl in 2026 and get weekly content delivered to your inbox every Thursday.

Threat Intelligence RoundUp: November

December 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks – The Hacker News

On November 03, three former employees of the cybersecurity companies DigitalMint and Sygnia were indicted in district court for “allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them.” The individuals, Kevin Tyler Martin of Roanoke, Texas, Ryan Clifford Goldberg of Watkinsville, Georgia, and an unnamed accomplice, are facing multiple charges including interference with interstate commerce by extortion and intentional damage to protected computers. During the aforementioned time period, BlackCat gained access to victims’ networks, stole data, employed malware, and demanded cryptocurrency in exchange for decryption keys and a promise not to leak the stolen data. Read full article.

2. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News

On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities that have impacted Dassault Systèmes DELMIA Apriso and XWiki. The vulnerabilities CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893 allow threat actors to execute arbitrary code and gain access to applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Chaining these two vulnerabilities allows the creation of accounts with elevated privileges and the deposit of executable files into a web-served directory, resulting in complete compromise of the application. Since March, CVE-2025-24893 has been used against XWiki in a two-stage attack chain that delivers a cryptocurrency miner. Article here.

On October 31, the University of Pennsylvania announced their information systems for development and alumni activities had been compromised. Using an employee’s PennKey SSO account the threat actor was able to gain access to “the university’s Salesforce instance, Qlik analytics platform, SAP business intelligence system, and SharePoint files.” This access provided the threat actors with 1.71 GB of internal documents as well as 1.2 million records of donor information. The hackers claim the attack was not politically motivated but posted on hacking forums that they targeted the university due to its “alleged DEI practices, admissions policies, and love of nepobabies.” Read more here.

Following a seven-year investigation by the Met’s Economic Crime team, 47-year-old Zhimin Qian (also known as Yadi Zhang) was found guilty of a large-scale fraud campaign that defrauded over 128,000 victims in China between 2014 and 2017. Qian earned the name “Bitcoin Queen” in China after promoting the currency as “digital gold”. After her scheme was uncovered in 2017, she converted the proceeds into Bitcoin and fled to the United Kingdom, where, with the help of an associate named Jian Wen, she attempted to launder the cryptocurrency through property purchases. Qian was arrested in 2024, and law enforcement seized assets worth $14.4 million, as well as cryptocurrency wallets, encrypted devices, cash, and gold. Read here.

5. Malicious NuGet packages drop disruptive ‘time bombs’ – The Bleeping Computer

NuGet, an open source package manager and software distribution system, identified several sabotaged payloads scheduled to activate in 2027 and 2028. The packages target three major database providers used in .NET applications, with the most dangerous targeting Sharp7Extend. Using a probabilistic trigger, the malicious code may or may not fire in August 2027 and November 2028. According to Socket researchers, the packages contain 99% legitimate code in an attempt to create a “false sense of security”. Learn more.

6. APT37 hackers abuse Google Find Hub in Android data-wiping attacks – Bleeping Computer

North Korean hackers, APT37, have been discovered abusing Google’s Find Hub Tool to target South Koreans. Victims are approached through KakaoTalk messenger, a popular instant messaging app. Spear-phishing messages transmitted through KakaoTalk impersonate South Korea’s National Tax Service, the police, and other agencies to deceive recipients into interacting. If someone opens the attached MSI file (or a ZIP that contains it), the program runs two hidden scripts: one to install the malicious code and one that pops up a fake “language pack error” to fool the user. Meanwhile the malware grabs the victim’s Google and Naver login details, signs into their email accounts, changes security settings, and deletes traces of the break-in. Read full article.

7. Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks – The Hacker News

Iranian threat actors, known for espionage-driven attacks, have been observed deploying the backdoors TWOSTROKE and DEEPROOT against Middle East industries. Mandiant attributes the activity to UNC1549 (aka Nimbus Manticore and Subtle Snail). According to Google, these infection chains blend phishing campaigns aimed at stealing credentials with malware delivery operations that exploit trusted relationships with third-party vendors. Although the primary targets maintain strong security defenses, some third-party partners remain vulnerable, creating a ‘weak link’ that groups like UNC1549 can exploit. Read full article.

8. Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters – Bleeping Computer

The threat actor group Scattered Lapsus$ Hunters has announced the development of a Ransomware-as-a-Service (RaaS) platform named ShinySp1d3r. The group announced on their Telegram channel that the ransomware was in development and will be led by ShinyHunters but operated under the “Scattered Lapsus$ Hunters” brand. Samples of the ransomware have been uploaded to VirusTotal and show a mix of common features and new features developed by the group. The encrypted files will contain “information on what happened to a victim’s files, how to negotiate the ransom, and a TOX address for communications”. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl Selected as the Darknet Technology of Choice for Channel 4’s ‘Hunted’

November 25, 2025

The eighth series of the popular, BAFTA-nominated TV show ‘Hunted’ came to a dramatic end this month.  

Hunted is a gripping reality series that pits volunteer civilian ‘fugitives’ against a professional team of ‘Hunters’ – comprising former intelligence officers, police detectives, and cyber analysts – who employ real-world investigative techniques to try to track them down within 28 days.

The TV show regularly attracts over 2 million viewers per episode. 

In this series, the Hunters were able to catch 13 out of the 14 original fugitives within the time frame. This is the most successful capture record in the history of the show.

In the programme, the ‘fugitives’ must try to evade simulated capture by Hunters who leverage an impressive arsenal of capabilities: CCTV networks, ANPR systems, mobile phone tracking, financial surveillance, OSINT and behavioural profiling.  

The Hunters establish pattern-of-life analysis, exploit OPSEC failures, conduct tactical ground operations, and demonstrate how modern surveillance infrastructure creates a near-inescapable digital dragnet.  

The show illustrates the investigative challenges of resource allocation, intelligence fusion, and the cat-and-mouse dynamics between human behaviour and technical collection, while exposing how difficult it truly is to disappear in a modern surveillance state. 

In this series, DarkOwl was selected as one of the handful of intelligence tools (and the sole Darknet technology) to assist the Hunters in their London HQ. 

Daisy Hickman – an OSINT specialist Hunter who holds an MSc in Forensic Investigation – commented on her experience with DarkOwl (in her capacity as a DarkOwl super-user during the show):

“DarkOwl proved critical to our time-sensitive fugitive operations, and the easy to use interface and comprehensive data was an invaluable part of our OSINT analysis.” 

By continuously indexing high-value darknet websites, fora, marketplaces, chans, leak databases, Telegram channels and beyond, DarkOwl reconciles underground activities and personas with real-world events and people for all levels of intelligence analyst. 

DarkOwl was pleased to support Hunted, not least as it provided a good opportunity to showcase the power of DARKINT techniques for fast paced criminal investigations. 


Watch the latest series of Shine TV/Channel 4’s Hunted, and find out more about DarkOwl Vision.

Beware: Black Friday Scams 

November 18, 2025

In anticipation of the year’s busiest shopping day, scammers employ a variety of deceptive tactics designed to exploit eager shoppers, continually adapting their schemes to stay ahead of detection. 

From fake online stores advertising bogus discounts to scammers sending fraudulent delivery notifications during the busy shopping season, consumers face plenty of risks to watch out for. The rise of deceptive scams during the holidays highlights the many tactics fraudsters use to exploit consumers and dampen the festive spirit. The following provides an overview of prevalent scams and guidance on how consumers can protect themselves during their shopping activities. 

One of the most common scams cybercriminals set up is the fake shopping site that mimics the real site of a well-known retailer. These deceptive websites often imitate legitimate domain names and lure unsuspecting shoppers with seemingly irresistible discounts. To enhance their credibility, they frequently run fake social media ads that direct victims to counterfeit pages, adding a false sense of legitimacy to the scam.

Once shoppers enter their personal information and check out, scammers receive the personal data, which usually involves banking details. These scams can lead to financial loss and identity theft, which can affect people more severely during the holiday season.  

How to Protect Yourself: 

  • Double check website URLs.
  • Visit retailers’ official websites, rather than clicking an unaffiliated link. 
  • If possible, use secure payment methods that offer fraud protection.  

With the rise in online shopping, promotional emails are utilized by most stores to promote their Black Friday sales. Darktrace’s global analyst team revealed that Christmas-themed phishing attacks for Black Friday and Cyber Monday “deals” soar throughout the month of November (over 600%!).  

To capitalize on this, one method used by cybercriminals is sending phishing emails promoting “exclusive offers” or “limited-time flash sales”. The emails typically contain links to malicious sites that steal personal information and can infect your device with malware. These emails can also lead to fake stores, as mentioned above.  An additional example includes emails claiming a user’s account is “locked or disabled”. 

How To Protect Yourself: 

  • Ensure the sender has a trusted email address, showing the correct domain. 
  • Trust your instincts if the message seems “off” and possibly written by AI. 
  • Do not give any personal information via email; the majority of retailers would not require this information via email correspondence.
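The two checks above (look closely at the website URL, and confirm the sender’s address really shows the retailer’s domain) can be turned into a small lookalike-domain screen. The following is an added example, not part of the original post or DarkOwl’s tooling: it takes a URL or a From address, pulls out the host, and flags the three tricks described above (a trusted brand pushed into a subdomain, digit-for-letter swaps, and a same-name domain on a different TLD). The allow-list, the retailer names and the confusable table are constructed placeholders, and the registrable-domain logic assumes simple two-label suffixes.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: the shops and carriers this user actually deals with (hypothetical names).
TRUSTED_DOMAINS = {"example-shop.com", "example-carrier.com"}

# Small constructed subset of characters scammers swap for look-alikes.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def extract_host(target: str) -> str:
    """Return the host from a URL or an e-mail address (e.g. a From header value)."""
    target = target.strip()
    if "@" in target:                      # e-mail: the domain is after the last '@'
        return target.rsplit("@", 1)[1].strip("<> ").lower()
    if "://" not in target:                # urlsplit only finds the netloc when a scheme is present
        target = "http://" + target
    return (urlsplit(target).hostname or "").lower()


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so look-alike characters are visible to the checks below."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'example-shop.com'. Assumption: no multi-label public
    suffixes (a real deployment would consult the Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(label: str) -> str:
    """Fold accents and digit/letter swaps so 'examp1e-sh0p' compares as 'example-shop'."""
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c)).lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from a known brand is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(target: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> dict:
    """Classify a URL or sender address as trusted, lookalike, or unknown."""
    host = to_unicode(extract_host(target))
    if not host:
        return {"host": host, "verdict": "unknown", "reason": "no host found"}
    reg = registrable_domain(host)
    if reg in trusted:
        return {"host": host, "verdict": "trusted", "reason": f"{reg} is on the allow-list"}
    sld = normalize(reg.split(".")[0])
    subdomains = host[: -len(reg)].rstrip(".")   # everything left of the registrable domain
    for t in trusted:
        t_sld = t.split(".")[0]
        if t_sld in subdomains:                  # e.g. example-shop.com.black-friday-deal.net
            return {"host": host, "verdict": "lookalike",
                    "reason": f"'{t_sld}' appears as a subdomain of {reg}"}
        d = levenshtein(sld, t_sld)
        if d <= max_distance:                    # same name on another TLD, or swapped characters
            reason = (f"{reg} mimics {t} (different TLD or look-alike characters)" if d == 0
                      else f"{reg} is {d} edit(s) away from {t}")
            return {"host": host, "verdict": "lookalike", "reason": reason}
    return {"host": host, "verdict": "unknown", "reason": f"{reg} is not a known retailer"}


if __name__ == "__main__":
    for sample in ["https://www.example-shop.com/deals", "Example Shop <promo@example-shop.co>",
                   "http://examp1e-sh0p.com/", "https://example-shop.com.black-friday-deal.net/login"]:
        r = assess(sample)
        print(f"{r['verdict']:9} {sample} -> {r['reason']}")
```

An "unknown" verdict is not a clean bill of health; it only means the domain resembles none of your trusted retailers, so the advice to go to the retailer's site directly still applies.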

In recent years scammers have begun sending fake text messages that claim to be from carriers like UPS, FedEx, and USPS stating there is an issue with deliveries. These messages include a fake tracking link that if clicked puts your data at risk. The links may prompt you to a site to enter your personal data or could install malware onto your phone or computer. 

With most holiday shopping being online, these types of scams may increase throughout the holiday season. According to the FCC “If you receive suspicious email, text or phone messages, go to the delivery carrier’s website directly or use the retailer’s tracking tools to verify”. Carriers also offer advice and protocols on their websites with things to look out for and ways they legitimately contact individuals.  

How To Protect Yourself: 

  • If there is any doubt about validity, contact the company directly.
  • Verify independently by going to the carrier’s website.
  • Do not reply or click on any links.

Fraudulent Charity Appeals 

Traditionally, the Tuesday following Black Friday is known as Giving Tuesday, when non-profits and charities intensify their outreach efforts to meet seasonal fundraising goals. When donating during the holiday season, it’s important to exercise caution before giving to any charity online. Just as scammers create fake online stores, they also design fraudulent charity websites that imitate legitimate organizations to steal money and collect personal information. 

Additionally, scammers may reach out through unsolicited phone calls, using high-pressure tactics to push victims into making quick donations. They often refuse to provide clear or detailed information and may insist on unconventional payment methods, such as gift cards or wire transfers. 

How To Protect Yourself: 

  • Prior to donating, research the charity.  
  • Donate directly through the charity’s or organization’s website.
  • Don’t let scammers rush you into donating.

According to the Federal Trade Commission (FTC), shopping fraud ranked as the second most prevalent form of fraud in 2024, with consumers losing more than $12.5 billion. Within this category, online shopping issues represented the second most commonly reported type of fraud. The report from the FTC claims the overall number of scams has remained relatively stable, but more individuals are becoming victims. This indicates that scams are evolving and becoming increasingly difficult to recognize. 

If you fall victim to a scam, remember to protect your finances, contact your bank or credit company, and monitor financial accounts for further suspicious activity. The most important thing for victims to remember is that scams can happen to anyone — and there’s no shame in taking extra precautions. The best defense against Black Friday scams is to stay alert and verify retailers before interacting or making a purchase. By following these steps and keeping this advice in mind, you’ll set yourself up for a safe and successful Black Friday, ensuring your holiday gifts bring only joy this season. 


Curious to learn how DarkOwl can help? Contact us.

What are IoAs?

November 13, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms, and sayings used by cybersecurity professionals and threat actors alike that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, and indicators of compromise. In this edition, we dive into indicators of attack.

An Indicator of Attack (IoA) is a behavioral pattern or activity that reveals a cyberattack is in progress or about to occur. IoAs focus on detecting an attacker’s intent and methods in real time, enabling organizations to identify and stop malicious actions before they cause major harm.

Rather than relying on evidence of past breaches, IoAs highlight the attacker’s tactics, techniques, and procedures (TTPs) as they unfold, providing early warning of active or emerging threats.

It’s important to distinguish IoAs from indicators of compromise (IoCs). IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur, while indicators of compromise tell you that a compromise has already happened. Both are crucial for a comprehensive cybersecurity strategy.

Examples of IoAs in the Darknet that DarkOwl Monitors

  • Malware and exploit kits: Advertisements for or discussion of high-quality malware designed to evade detection or exploits that can be used in an attack.
  • Tools for malicious activity: Evidence of groups using specific tools to disable security software, like an EDR (endpoint detection and response) killer, to facilitate an attack.
  • TTPs: Discussion and sharing of attack techniques on darknet forums, which indicates active development and use of new methods. 
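The IoA/IoC distinction above, and the “EDR killer” behaviour in the list, are easiest to see in detection logic. The following is an added example, not DarkOwl’s product code: it runs two detectors over a few constructed endpoint events. The IoC detector looks for exact matches against a known-bad hash or address (evidence of something already seen), while the IoA detector fires on a sequence as it unfolds (a security service is stopped and the same host then writes a file or opens a connection within a short window) even when nothing matches a feed. Hosts, service names, hashes and addresses are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    action: str   # "process_start" | "service_stop" | "net_connect" | "file_write"
    detail: str   # process name, service name, file path, or "ip:port"
    sha256: str = ""


# Constructed IoC feed: the hash and the address are placeholders, not real indicators.
IOC_HASHES = {"0" * 64: "constructed loader sample"}
IOC_IPS = {"203.0.113.42": "constructed C2 address"}

# Services the defender treats as security-critical (hypothetical names).
SECURITY_SERVICES = {"edr_agent_svc", "av_realtime_svc"}
FOLLOW_ON_ACTIONS = {"net_connect", "file_write"}


def match_iocs(events):
    """IoC logic: exact match against known-bad artefacts, i.e. a compromise seen before."""
    hits = []
    for e in events:
        if e.sha256 in IOC_HASHES:
            hits.append({"kind": "ioc", "host": e.host, "ts": e.ts,
                         "why": f"{e.detail} matches {IOC_HASHES[e.sha256]}"})
        if e.action == "net_connect":
            ip = e.detail.rsplit(":", 1)[0]
            if ip in IOC_IPS:
                hits.append({"kind": "ioc", "host": e.host, "ts": e.ts,
                             "why": f"connection to {IOC_IPS[ip]} ({ip})"})
    return hits


def detect_ioas(events, window=timedelta(minutes=15)):
    """IoA logic: a behaviour sequence judged as it happens. Pattern used here:
    a security service is stopped, then within `window` the same host writes a
    file or opens an outbound connection. No indicator feed is consulted."""
    hits = []
    by_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e.action != "service_stop" or e.detail not in SECURITY_SERVICES:
                continue
            follow = [f for f in evs[i + 1:]
                      if f.action in FOLLOW_ON_ACTIONS and f.ts - e.ts <= window]
            if follow:
                mins = int((follow[0].ts - e.ts).total_seconds() // 60)
                hits.append({"kind": "ioa", "host": host, "ts": e.ts,
                             "why": f"{e.detail} stopped, then {follow[0].action} "
                                    f"{follow[0].detail} {mins} min later"})
    return hits


def sample_events():
    """Constructed telemetry; hosts, hashes and addresses are placeholders."""
    t0 = datetime(2025, 11, 13, 9, 0)
    return [
        # ws-01: nothing here is on the IoC feed, but the behaviour is an attack in progress
        Event(t0, "ws-01", "process_start", "updater.exe", "f" * 64),
        Event(t0 + timedelta(minutes=1), "ws-01", "service_stop", "edr_agent_svc"),
        Event(t0 + timedelta(minutes=3), "ws-01", "net_connect", "198.51.100.7:443"),
        # ws-02: a known-bad hash lands on disk (IoC hit, no behavioural sequence)
        Event(t0 + timedelta(minutes=5), "ws-02", "file_write", r"C:\Temp\x.exe", "0" * 64),
        # ws-03: service stopped for maintenance; follow-on activity is outside the window
        Event(t0 + timedelta(minutes=10), "ws-03", "service_stop", "edr_agent_svc"),
        Event(t0 + timedelta(minutes=40), "ws-03", "net_connect", "192.0.2.10:443"),
    ]


if __name__ == "__main__":
    evs = sample_events()
    for hit in match_iocs(evs) + detect_ioas(evs):
        print(hit["kind"].upper(), hit["host"], hit["ts"].time(), hit["why"])
```

The window is the tuning knob: widening it to an hour would also flag the maintenance stop on ws-03, which is the usual precision trade-off with behavioural detections.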

How DarkOwl Helps Identify IoAs

  • Entity API: This tool helps identify and contextualize entities like IP addresses and domains within the collected darknet data, which is crucial for correlating indicators and assessing threats in real-time. With Entity API, users can quickly and efficiently identify, monitor, and target particular threats in the darknet that are relevant to their particular needs and use-cases.
  • Vision platform: This platform collects and indexes vast amounts of darknet data, allowing for the identification of potential attacks in progress by searching for relevant keywords and patterns. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search darknet data.
  • Threat intelligence: By monitoring forums, marketplaces, and other sources, DarkOwl can identify the latest threats and attack methods being discussed and sold on the darknet. With 227,500 pages of darknet content scraped and indexed every hour, DarkOwl’s collection database is continuously expanding.

DarkOwl helps detect both IoAs and IoCs through its darknet intelligence by identifying attacker tactics, techniques, and procedures (TTPs). Examples include advertisements for malware or exploit kits, discussions of attacks on darknet forums, or the use of tools, all of which indicate a potential or ongoing attack.

In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical.  

One effective approach to enhancing cybersecurity is to track and monitor cyber threat actors: the actors responsible for conducting attacks, individuals or groups with malicious intent, often targeting organizations, governments, or individuals. Understanding why they are operating, what they hope to achieve, and what methodologies they are using can assist analysts in protecting infrastructure and predicting future activities. Identifying and monitoring the tactics, techniques, and procedures (TTPs) of cyber threat actors is also an important step in gaining insight into the actors’ strategies. This information can be invaluable in understanding how attacks are executed and identifying potential vulnerabilities in an organization’s defense.

With DarkOwl’s Actor Explore, users can review analyst-curated insights into active threat actor groups on the darknet and beyond. We explore the motivations behind the groups, the tools they have used, and searchable attributes to pivot on within DarkOwl Vision. Tracking available information about threat actors, such as their motivations, TTPs, victims, and activities, can provide valuable intelligence that allows analysts to predict behavior and take proactive steps to protect their organizations.

Product Highlight: DarkSonar API

With cyberattacks increasingly on the rise, organizations need better intelligence to safeguard themselves, employees and customers from incidents such as data breaches and ransomware attacks. This rise in illicit cyber activity only increases the need to protect against and determine the likelihood of these attacks. The darknet contains data critical to understanding criminal behavior and security risk, and companies need an understanding of their exposure on the darknet to determine risk and take mitigating actions.

DarkSonar, a relative risk rating based on darknet intelligence, measures an organization’s credential exposure on the darknet. DarkSonar enables companies to model risk, understand their weaknesses and anticipate potential cyber incidents. In turn, organizations are able to take mitigating actions to protect themselves from loss of data, profits, and brand reputation.

General Motors

In April 2022, General Motors disclosed that it suffered a credential stuffing attack. The attackers accessed customers’ personally identifiable information (PII) and redeemed reward points for gift cards.

Takeaway: DarkSonar’s email exposure signal detected an abnormal increase in plaintext and hashed credentials in the months leading up to the attack.

Colonial Pipeline

In late April 2021, hackers gained entry into the networks of Colonial Pipeline Co. The hack, which took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast, was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. The virtual private network account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.

Takeaway: DarkSonar detects plain text credentials available on the darknet.

FujiFilm

In early June 2021, Fujifilm’s company servers were infected by ransomware. While they have never released the specific details, it is believed to be the Qbot ransomware. Qbot is typically initiated by phishing.

Takeaway: DarkSonar detected an increase in email exposure, which can be used as part of a phishing attack.


Contact us to learn more.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.