Author: DarkOwl Content Team

What are IoAs?

November 13, 2025

Cybersecurity might as well have its own language. Cybersecurity professionals and threat actors alike use so many acronyms, terms and sayings that, unless you are deeply knowledgeable, have experience in the security field or have a keen interest, you may not know what they mean. Understanding these acronyms and terms is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, and indicators of compromise. In this edition, we dive into indicators of attack.

An Indicator of Attack (IoA) is a behavioral pattern or activity that reveals a cyberattack is in progress or about to occur. IoAs focus on detecting an attacker’s intent and methods in real time, enabling organizations to identify and stop malicious actions before they cause major harm.

Rather than relying on evidence of past breaches, IoAs highlight the attacker’s tactics, techniques, and procedures (TTPs) as they unfold, providing early warning of active or emerging threats.

It’s important to distinguish IoAs from indicators of compromise (IoCs). IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur, while indicators of compromise tell you that a compromise has already happened. Both are crucial for a comprehensive cybersecurity strategy.

Examples of IoAs in the Darknet that DarkOwl Monitors

  • Malware and exploit kits: Advertisements for or discussion of high-quality malware designed to evade detection or exploits that can be used in an attack.
  • Tools for malicious activity: Evidence of groups using specific tools to disable security software, like an EDR (endpoint detection and response) killer, to facilitate an attack.
  • TTPs: Discussion and sharing of attack techniques on darknet forums, which indicates active development and use of new methods. 

How DarkOwl Helps Identify IoAs

  • Entity API: This tool helps identify and contextualize entities like IP addresses and domains within the collected darknet data, which is crucial for correlating indicators and assessing threats in real time. With Entity API, users can quickly and efficiently identify, monitor, and target particular threats in the darknet that are relevant to their particular needs and use cases.
  • Vision platform: This platform collects and indexes vast amounts of darknet data, allowing for the identification of potential attacks in progress by searching for relevant keywords and patterns. Vision UI is the industry-leading platform for analysts to simply, safely, and comprehensively search darknet data.
  • Threat intelligence: By monitoring forums, marketplaces, and other sources, DarkOwl can identify the latest threats and attack methods being discussed and sold on the darknet. With 227,500 pages of darknet content scraped and indexed every hour, DarkOwl’s collection database is continuously expanding.

DarkOwl helps detect both IoAs and IoCs through its darknet intelligence by identifying attacker tactics, techniques, and procedures (TTPs). Examples include advertisements for malware or exploit kits, discussions of attacks on darknet forums, or the use of specific tools, all of which indicate a potential or ongoing attack.

In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical.  

One effective approach to enhancing cybersecurity is to track and monitor cyber threat actors: the individuals or groups with malicious intent who conduct attacks, often targeting organizations, governments, or individuals. Understanding why they operate, what they hope to achieve and what methodologies they use can assist analysts in protecting infrastructure and predicting future activity. Identifying and monitoring the tactics, techniques, and procedures (TTPs) of cyber threat actors is also an important step in gaining insight into their strategies. This information can be invaluable in understanding how attacks are executed and identifying potential vulnerabilities in an organization’s defenses.

With DarkOwl’s Actor Explore, users can review analyst-curated insights into threat actor groups active on the darknet and beyond. We explore the motivations behind the groups, the tools they have used and searchable attributes to pivot on within DarkOwl Vision. Tracking available information about threat actors, such as their motivations, TTPs, victims and activities, provides valuable intelligence that allows analysts to predict behavior and take proactive steps to protect their organizations.

Product Highlight: DarkSonar API

With cyberattacks increasingly on the rise, organizations need better intelligence to safeguard themselves, employees and customers from incidents such as data breaches and ransomware attacks. This rise in illicit cyber activity only increases the need to protect against and determine the likelihood of these attacks. The darknet contains data critical to understanding criminal behavior and security risk, and companies need an understanding of their exposure on the darknet to determine risk and take mitigating actions.

DarkSonar, a relative risk rating based on darknet intelligence, measures an organization’s credential exposure on the darknet. DarkSonar enables companies to model risk, understand their weaknesses and anticipate potential cyber incidents. In turn, organizations are able to take mitigating actions to protect themselves from loss of data, profits, and brand reputation.

General Motors

In April 2022, General Motors disclosed that it suffered a credential stuffing attack. The attackers accessed customers’ personally identifiable information (PII) and redeemed reward points for gift cards.

Takeaway: DarkSonar’s email exposure signal detected an abnormal increase in plaintext and hashed credentials in the months leading up to the attack.

Colonial Pipeline

In late April 2021, hackers gained entry into the networks of Colonial Pipeline Co. The hack, which took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast, was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. The virtual private network account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.

Takeaway: DarkSonar detects plain text credentials available on the darknet.

FujiFilm

In early June 2021, Fujifilm’s company servers were infected by ransomware. While the company has never released specific details, it is believed to have been the Qbot ransomware. Qbot is typically initiated by phishing.

Takeaway: DarkSonar detected an increase in email exposure, which can be used as part of a phishing attack.



What is Discord and is it Dangerous? 

November 11, 2025

With recent global events, you’ve likely come across articles, conversations, or opinion pieces about Discord. As of 2024, the instant messaging platform boasts over 150 million monthly users. Once known primarily as a communication tool for gamers, Discord has evolved into a hub for a wide range of communities—from book clubs and fandoms to casual chat groups with friends and family. 

What sets Discord apart from traditional social media is its unique structure: no public feeds, no traditional advertising, and a focus on private, curated spaces. 

As more attention turns to corners of the internet that might be unfamiliar to the mainstream, this blog aims to shed light on Discord’s ecosystem and answer some of the questions you may be asking yourself. 

Discord was established in 2015 as a social platform for people with similar interests to share voice notes, videos, and texts with one another. The app originally targeted gamers, offering superior voice chats and customizable server options. Individuals were able to live chat with other Discord users while playing their favorite games and build communities solely focused on their hobbies. 

The app received an influx of users not connected to the gaming community in the late 2010s and during COVID-19. The pandemic led many people to Discord, where they built virtual communities for a myriad of topics ranging from musician fan groups to book clubs. The features that originally appealed to the gaming community were also applicable for establishing virtual classrooms and information sharing among groups.

Discord offers both private and public servers. Public servers work similarly to other social platforms: users can join and chat in any public server they like. Most public servers are monitored by moderators who have the power to remove or edit information shared in the server. Private servers offer users more privacy, are typically invite-only, and give members an exclusive forum for group chats. Whoever sets up the server has admin rights, which allow them to add or remove members, ban content or words, and add additional admins.

Discord can be used safely but as with any social media app, there are bad actors and users can be susceptible to harmful behavior.  

Cybercriminals employ a range of tactics to deceive Discord users into installing malware—often referred to as a Discord virus—which can have serious consequences for their devices and data. Beyond technical threats, users may also encounter harmful behavior such as the sharing of explicit content or experiences of bullying and harassment within the platform. The platform has also been used in the past to share classified information as well as manifestos related to violent extremism.  

The major concerns with Discord are: 

  • Discord Scams & Viruses – A majority of Discord scams involve deceiving users into “clicking links, scanning QR codes, or logging in to off-site locations” so bad actors can spread malicious software. Research indicates that the most common type of malware on Discord is the Remote Access Trojan (RAT), which attackers distribute via malicious links. Discord’s security team does have tools to filter malicious files, but these can miss some files when they first hit the platform.
  • Risk to Children/Teens – To protect children, the app has an age requirement of 13, though many believe its verification process is easy to bypass. The risk of exposure to NSFW (not suitable for work) content is hard to mitigate when children have their own accounts, as users may post sexually explicit imagery or videos in public servers without warning.
  • Cyberbullying/Harassment – Because many individuals use Discord to connect with communities, conversations between strangers are frequent. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. In its 2024 transparency report, Discord claimed to have taken some form of action against 92K accounts, including disabling over 19K for some form of harassment or bullying.

Some risks on Discord are similar to those found across the open web. However, both cybersecurity experts and Discord itself offer practical steps that users can take to stay safe and protect their accounts from malicious activity. 

Key safety tips: 

  • Always enable two-factor authentication (2FA) to add an extra layer of security to your account. 
  • Block and report suspicious users to help keep the community safe. 
  • Stay alert for scams: Discord recommends avoiding links from unknown senders and never downloading code or files you don’t recognize. 
  • Control who can message you: Adjust your privacy settings to limit direct messages to friends or members of shared servers. You can also enable filters to reduce spam and unwanted messages. 

While Discord offers a fun and dynamic way to connect with friends, communities, and shared interests, it’s important to stay mindful of your safety online. By taking a few simple precautions like managing your privacy settings and being cautious with unknown links or users, you can enjoy everything the platform has to offer without putting yourself at risk. Staying aware of potential threats ensures you can make the most of your experience without compromising your safety. 



Threat Intelligence RoundUp: October

November 03, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M – HackRead

On September 26, Medusa’s dark web site claimed to have exfiltrated 834.4 gigabytes of data and demanded $1.2 million from interested buyers to download it. To support the claim, the group uploaded 20 screenshots showing alleged internal data. In one exposed directory, the information appeared to be connected to HR folders containing personnel records. Medusa is a known aggressive ransomware group that compromised over 300 organizations between 2021 and 2024. The group typically gains access through social engineering such as phishing emails, exploiting vulnerabilities, or purchasing stolen credentials. Once the group acquires data, it uses a double extortion method to obtain a ransom. Read full article.

2. US seizes $15 billion in crypto from ‘pig butchering’ kingpin – Bleeping Computer

The Department of Justice (DOJ) has seized $15 billion worth of Bitcoin from the Cambodian Prince Group, a criminal organization known for orchestrating large-scale cryptocurrency scams, primarily involving romance baiting and ‘pig butchering’ schemes. Unsealed court documents revealed that the group operates over 100 shell and holding companies across 30 countries, which have been extorting countless victims since 2015. Additionally, the group runs automated call centers staffed by employees who were allegedly forced to work under threat of violence. The DOJ called the centers “violent forced labor camps”. Article here.

A Discord user, chaos_00019, has used the malware ChaosBot to gain access to other users’ systems and networks. According to researchers, “ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2)”. The malware was observed being delivered via phishing messages containing a malicious Windows shortcut file; after the file is opened, a PowerShell command is executed to download and execute ChaosBot. A decoy PDF disguised as legitimate correspondence from the State Bank of Vietnam is displayed as a distraction. Read more here.

“Scattered Lapsus$ Hunters” has launched a new data leak site extorting 39 companies that were impacted by the Salesforce breaches. The companies extorted on the site include Disney/Hulu, FedEx, Google, McDonald’s and more. A separate entry on the site demanded that Salesforce pay a ransom to prevent impacted customer data (approximately 1 billion records containing personal information) from being released. Salesforce has released a statement claiming, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.” Read here.

5. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News

On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities that have impacted Dassault Systèmes DELMIA Apriso and XWiki. The vulnerabilities CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893 allow threat actors to execute arbitrary code and gain access to the applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Chaining these vulnerabilities allows the creation of accounts with elevated privileges and the placement of executable files in a web-served directory, resulting in complete compromise of the application. Since March, CVE-2025-24893 has been exploited against XWiki in a two-stage attack chain that delivers a cryptocurrency miner. Learn more.

6. Have I Been Pwned: Prosper data breach impacts 17.6 million accounts – Bleeping Computer

In September, Prosper, a peer-to-peer lending marketplace, announced that a breach had been detected in which hackers gained access to customer accounts and funds. Have I Been Pwned announced that 17.6 million unique email addresses had been affected by the incident. The company’s statement said that “confidential, proprietary, and personal information, including Social Security Numbers, was obtained”. The company will also offer free credit monitoring while it determines what data was affected. Information on how the data was obtained and how the company is combating future leaks has not been disclosed. Read full article.

7. Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware – The Hacker News

The malware campaign dubbed PassiveNeuron was first flagged, using different methods, in November 2024 for targeting government, financial, and industrial organizations located in Asia, Africa, and Latin America. In one incident, the threat actors gained initial access by executing a remote command on a compromised machine running Windows Server, via Microsoft SQL. The exact method is unknown, but it is possible the attackers were either brute-forcing the administrator account password or leveraging a SQL injection flaw in an application running on the server. Read full article.

8. BatShadow Group Uses New Go-Based ‘Vampire Bot’ Malware to Hunt Job Seekers – The Hacker News

BatShadow, a Vietnamese threat actor, has leveraged a new social engineering tactic that delivers malware called Vampire Bot to job seekers and digital marketing professionals. Posing as recruiters, the attackers distribute malicious files disguised as job descriptions and corporate documents. Victims who click the link in the lure PDF to “preview” the job description are taken to a landing page that displays a fake error saying the browser is unsupported; after multiple attempts, the error message eventually triggers an automatic ZIP download containing the supposed job description and a malicious executable named Marriott_Marketing_Job_Description.pdf.exe (the file mimics a PDF by inserting extra spaces between “.pdf” and “.exe”). Learn more.
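The space-padded double extension used by the Vampire Bot lure is easy to catch on the defender's side by inspecting attachment filenames before they reach a user. The following is an added example, not code from this article or from any of the reporting it cites: the extension lists and the sample attachment names are constructed, and the check generalises the trick to any run of whitespace (spaces, tabs, non-breaking spaces) between the decoy extension and the real one.

```python
import re
from dataclasses import dataclass
from typing import List

# Extensions a recipient would expect to open as a harmless document or image.
# Constructed list for this example; extend it to match your environment.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                    "jpg", "png", "txt"}

# Extensions Windows treats as executable when double-clicked (constructed list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js",
                         "vbs", "lnk", "ps1", "msi", "hta"}

# Matches ".<decoy><optional whitespace>.<real>" at the very end of a name.
# Accepting any run of whitespace generalises the space padding seen in
# "Job_Description.pdf          .exe"; \s in a str pattern also covers NBSP.
_DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]+)(?P<pad>\s*)\.(?P<real>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def inspect_filename(name: str) -> Verdict:
    """Flag names whose visible 'document' extension hides a trailing executable one."""
    m = _DOUBLE_EXT.search(name)
    if m is None:
        return Verdict(name, False, "no double extension")
    decoy = m.group("decoy").lower()
    real = m.group("real").lower()
    pad = m.group("pad")
    if real in EXECUTABLE_EXTENSIONS and decoy in DECOY_EXTENSIONS:
        how = f"padded with {len(pad)} whitespace char(s)" if pad else "adjacent"
        return Verdict(name, True,
                       f"decoy .{decoy} before executable .{real} ({how})")
    if real in EXECUTABLE_EXTENSIONS:
        # e.g. setup.msi.exe: odd, but not pretending to be a document.
        return Verdict(name, False,
                       f"executable .{real}, but .{decoy} is not a known decoy")
    return Verdict(name, False, "double extension, real extension not executable")


def flag_attachments(filenames: List[str]) -> List[Verdict]:
    """Return only the suspicious verdicts, preserving input order."""
    return [v for v in (inspect_filename(n) for n in filenames) if v.suspicious]


# Constructed sample attachment names, modelled on the Vampire Bot lure.
SAMPLE_ATTACHMENTS = [
    "Marriott_Marketing_Job_Description.pdf" + " " * 40 + ".exe",
    "Job_Description.pdf",        # genuine single extension
    "archive.tar.gz",             # double extension, but harmless
    "photo.jpg.scr",              # classic adjacent double extension
    "invoice.PDF\t.Exe",          # tab padding and mixed case
]

if __name__ == "__main__":
    for v in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"{v.filename!r}: {v.reason}")
```

A bare `.exe` with no decoy extension is deliberately out of scope here; that case belongs to ordinary attachment-type policy rather than to this lookalike check.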


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Tricks, Not Treats: Phishing, Social Engineering & the Dark Web

October 31, 2025

This Halloween, the scariest thing might be what’s tucked inside the candy bar, a lure that looks harmless but hands an attacker the keys to your digital life.  

Phishing and social-engineering attacks are the “tricks” that become catastrophic when the dark web supplies ready-made toolkits and AI-generated messages to amplify them. The result: low-effort, high-impact scams that can ruin reputations and drain bank accounts. 

This Halloween we explore the “scary tricks” cyber criminals are using to successfully trick you into clicking on phishing emails and other attack types, and what you can do to avoid this activity.  

Phishing and the wider family of social-engineering attacks (spear-phishing, smishing, vishing, “quishing” via QR codes, and voicemail impersonation) remain one of the simplest ways to get real access to real systems. For that reason, they remain one of the top cyber-attack vectors in 2025. Phishing and social engineering attacks have been responsible for some of the largest breaches so far this year, such as Salesforce and Allianz.  

Researchers have highlighted that the large majority of successful cyber-attacks usually involve a human element rather than purely technical vulnerabilities.

But two trends are supercharging phishing today: 

  • Automation and commoditization — phishing kits and “phishing-as-a-service” lower the technical bar for attackers. This is readily available software that people can purchase to conduct attacks, meaning they do not need the technical skills to carry out the attack themselves.
  • AI-augmented social engineering — generative models craft extremely convincing lures at scale. That combination turns the old “spray-and-pray” email into a professional, targeted, and scalable crime machine, not to mention the creation of believable videos, images and voices that can be used to conduct vishing and other attacks.

The dark web and underground communities are where the tools, templates and services live: both marketplaces and forums offer software for sale as well as how-to tutorials on conducting these attacks. Telegram marketplace channels also share this material. Below are some of the things being sold.

Security researchers have indicated that the availability of ready-to-use phishing kits on the dark web rose by ~50% from 2021 to 2025, highlighting that this is a trend that is only increasing.  

Phishing Kits  

Pre-built fake pages, sending scripts and hosting/configuration guides. Research and reporting show that fully fledged kits are routinely sold for pocket change; some reports find kits advertised for as little as ~$25, while others are open source, making it trivial for novices to impersonate banks, delivery services, or SaaS providers. The image below, from a dark web forum, shows users sharing a list of openly available phishing kits claimed to be the best kits to use in 2025.

Phishing-as-a-Service & Automation Platforms  

Another offering on dark web sites is conducting the attack on an actor’s behalf. This means the actor does not need to take any action but can pay someone else to carry out the attack. The image below, from Telegram, shows a threat actor offering hacking services including phishing kits.

More advanced offerings include campaign dashboards, SMTP pools, deliverability testing and analytics (some newer tools even pair generative AI with mailing infrastructure). The images below show an advertisement for a phishing-related AI model as well as the site where the software is sold: the “SpamGPT” toolkit, an AI-powered spam-as-a-service sold on underground forums for around US $5,000.

Stolen Contact Lists & Harvested Credentials  

While we have previously written about the sale of human organs, this Halloween the harvesting of credentials can be even scarier, with wide-ranging ramifications. Harvested credentials and victim lists, often sold in bulk, let attackers skip reconnaissance and target previously compromised users.

These data leaks, containing credentials and sometimes much more, can be very useful to threat actors conducting social engineering attacks. They make phishing attacks seem far more believable because the messages contain accurate, real information.

These tools lower the barrier to entry, enabling less-skilled attackers to launch large campaigns. They are readily available on the dark web and adjacent sites like Telegram. This means that the number of attacks can and will increase as less skill is needed to conduct them. And as AI develops, it is likely that the attacks themselves will become more sophisticated and complex. A scary thought!

Figure 5: Phishing Campaign Cycle 

Attackers start with the reconnaissance phase, researching the intended targets, usually through open channels or stolen data. Then they create the bait: using a phishing kit or AI, they craft a message they think will hook the target and bypass spam filters, drawing on the information gathered during reconnaissance to make it as believable as possible.

Next comes the delivery phase. Depending on what they are trying to achieve, there are multiple delivery methods that can be used, such as email, SMS, QR codes and even phone calls. In some cases, actors will use multiple channels as part of their attacks to increase the success rate.

The exploit phase requires input from the victim to succeed: the victim clicks a link, provides credentials to a phishing site or inadvertently installs malware on their computer. The attackers then use these credentials to conduct further attacks, or monetize the information further by selling the stolen data or access to other actors on the dark web, continuing the cycle of phishing attacks.

Generative AI has already begun to improve the quality, personalization, and scale of phishing. Platforms and toolkits that combine text generation with campaign automation create highly convincing lures that are difficult for users (and sometimes filters) to distinguish from real messages.  

A new class of underground offerings — some reported under names like “SpamGPT” — pair natural language generation with mailing infrastructure and analytics, effectively giving attackers a polished marketing stack for phishing.  

The net effect: phishing no longer requires good writing skills or deep technical know-how. It requires money (often small) and an account on an underground marketplace. That democratization of attack capabilities is why credential theft and phishing success rates have jumped in recent reporting.  

For Organizations  

  • Multi-factor authentication (MFA) everywhere — reduces the value of stolen passwords even if credentials leak. (Use phishing-resistant MFA like hardware keys where possible.)  
  • Email protections + DMARC/DKIM/SPF + advanced detection — deploy and tune anti-phishing gateways, URL detonation, and link rewriting. Train filters to use behavior signals (login geography, device fingerprinting).  
  • Phishing simulations + continuous user training — recurring, contextual training that adapts to current phishing themes reduces click rates. Combine simulated attacks with coaching, not just shame.  
  • Dark-web monitoring & rapid credential-remediation — monitor for leaked credentials or company data; have a playbook to force resets and contain exposed accounts.  
  • Least privilege + segmentation + strong logging — limit how far a single compromised account can go; log and monitor anomalous account activity for fast detection.  

For Individuals (Easy Wins) 

  • Use a password manager and unique passwords for every site. 
  • Turn on MFA (preferably an authenticator app or hardware key). 
  • Hover before you click — inspect links, check sender addresses for subtle typos, and don’t enter credentials after arriving at a link from an email. 
  • Treat SMS and phone callbacks as suspicious for requests about credentials or money; verify independently. 
  • If you click or think you’re compromised — change passwords from a known-good device, enable MFA, run a full malware scan, and notify your employer or bank. 

Phishing and social engineering are the silent spooks in the house: they don’t break doors in—they get invited. And when the dark-web toolkit makes it easy, the threats multiply. This Halloween, treat your security like locking the door and checking the candy. 

Phishing is deceptively simple, but the underground economy and fast-moving AI technology have turned it into an industrialized threat. The good news: many countermeasures are straightforward and inexpensive (MFA, password hygiene, basic email controls). Don’t take a bite of the candy unless you’re sure it’s your friend handing it. Treat yourself to security hygiene; don’t let the attacker trick you with something sweet. 



DarkOwl and the MITRE ATT&CK Framework: Strategic Defence Against Cyber Threats 

October 28, 2025

In an increasingly hostile cyber landscape, organizations need visibility into the tactics and techniques used by threat actors. The MITRE ATT&CK Framework has become the gold standard for understanding adversary behavior, providing a structured taxonomy of real-world attack patterns.  

As showcased by Crowdstrike’s Threat Hunting report 2025, attackers are logging in rather than hacking.  

While no single platform can address every category within this comprehensive framework, DarkOwl delivers exceptional coverage of critical, high-impact darknet sources, empowering organizations worldwide to anticipate, prevent, and respond to cyber attacks with greater confidence. 

The MITRE ATT&CK Framework encompasses hundreds of techniques across dozens of categories. The Darknet is establishing itself as a critical early-warning system for reconnaissance, credential compromise, and data exfiltration threats. By providing transparent and flexible navigation of darknet data, DarkOwl maximizes detection capabilities across its core categories, offering organizations unprecedented insight into emerging threats before they impact their systems. 

Gather Victim Host Information 

DarkOwl continuously scans stealerlogs, breaches, and darknet channels and fora to identify corporate IPs, credentials, and sensitive host exposures targeting your organization or those in your supply chain. This reconnaissance capability allows you to understand what information about your infrastructure is circulating in criminal marketplaces. Early visibility into compromised host data enables rapid remediation before attackers launch exploitation attempts. 

Gather Victim Network Information 

Threat actors extensively target networks before striking. DarkOwl monitors high-fidelity darknet sources for corporate network exposures, including IP leaks, asset names, trade secrets, tools, and databases. By surfacing these exposures early, your organization gains the critical advantage of knowing what network vulnerabilities and assets have been discovered by adversaries. 

Gather Victim Identity Information 

Personal and corporate identity information is among the most valuable commodities in underground marketplaces. DarkOwl detects when your employees’ and contractors’ emails, passwords, sessions, and devices appear in stealerlogs and breach databases. Reset credentials and block fraudulent access before it materializes. 

Search Closed Sources 

DarkOwl maintains a proprietary database of historic darknet content spanning years of darknet forum posts, marketplace listings and ransomware site chatter. This institutional knowledge allows your organization to understand not just current threats, but historical patterns that may indicate ongoing targeting. Access to this closed-source intelligence significantly accelerates threat investigation and attribution.

Search Open Websites and Domains 

Criminal and terrorist activity thrives across Telegram, Discord, and dark web list sites where threat actors openly advertise services and share stolen data. DarkOwl scans high-fidelity OSINT sources to identify when your organization is being discussed, targeted, or compromised. This open-source monitoring complements traditional security tools by capturing threats in spaces where defenders traditionally have limited visibility. 

Compromise Accounts 

Credential theft is the foundation of modern cyber attacks, and DarkOwl detects compromised social media, email, cloud, and personal accounts from your staff and supply chain partners.  

Compromise Infrastructure 

Infrastructure compromise—including domains, servers, and networks—represents a severe threat to organizational continuity. DarkOwl detects when your infrastructure appears in leaked files and darknet chatter, while also maintaining actor profiles highlighting the hardware, software, and CVEs commonly exploited by specific threat groups. This combination of compromise detection and threat actor intelligence enables targeted defensive hardening. 

Supply Chain Compromise 

Third-party relationships create indirect attack surfaces that many organizations overlook. DarkOwl identifies when contractors, suppliers, and vendors have compromised accounts and infrastructure, providing visibility into supply chain vulnerabilities that could be leveraged to reach your organization. Understanding these indirect exposures allows you to assess risk and implement compensating controls across your extended ecosystem. 

Account Manipulation 

Account takeover (ATO) represents a critical threat vector that DarkOwl actively monitors across all cloud and system accounts, including those from former contractors or suppliers. By collecting stealer logs and highlighting device and OS exposures, DarkOwl alerts your team to anomalous account activity before it escalates into a full-scale compromise. Rapid detection of account manipulation enables swift incident response and evidence preservation. 

Modify Authentication Process 

Multi-factor authentication is a cornerstone of modern security, yet DarkOwl discovers MFA redirect URLs in stealerlogs that expose authentication mechanisms. By publishing comprehensive stealer data organized by device, DarkOwl provides your security team with concrete evidence of authentication modifications and potential bypass techniques used by attackers. 

Persistent Account Manipulation 

Sophisticated attackers maintain long-term persistence through continuous account manipulation, particularly targeting supply chain vendors. DarkOwl monitors stealerlogs to identify ongoing account misuse within your supply chain, alerting to persistent threats that might otherwise remain hidden. Early detection of persistent manipulation prevents attackers from establishing a sustainable foothold within your ecosystem. 

Access Token Manipulation: Token Impersonation and Theft 

Modern applications rely on tokens for authentication, making token theft an attractive target for adversaries. DarkOwl monitors darknet Initial Access Broker advertisements and sales activity to detect when tokens from your organization enter criminal circulation. This intelligence on token compromise allows your team to invalidate affected tokens and audit token-based access before unauthorized actions occur. 

Brute Force: Password Guessing 

While brute force attacks are blunt instruments, they remain effective when attackers possess compromised password lists. DarkOwl detects compromised passwords of staff and supply chain partners circulating on darknet breach sites, indicating that your organization faces elevated risk of password-guessing attacks. Proactive password resets based on DarkOwl’s compromise intelligence significantly reduce the success rate of these attacks. 

Reversible Encryption 

Weak password hashing algorithms create reversible encryption risks, allowing attackers to crack stored passwords at scale. DarkOwl automatically surfaces hashed passwords from corporate domain exposures in historic breach files, highlighting those with weak algorithms subject to reversal by threat actors. This capability allows your team to identify and remediate weak hashing implementations before attackers exploit them. 
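As an added example (not DarkOwl's code or product logic), the following triage script classifies the hash format of each entry in a constructed breach dump and flags accounts whose stored password used an unsalted fast hash or no hash at all. The format table is a heuristic assumption: 32 hex characters could be MD5 or NTLM, and unrecognized values are left for manual review rather than assumed plaintext.

```python
import hashlib
import re

# Heuristic format table (assumption for this example): name, pattern, strength.
# Slow, salted KDFs are "strong"; unsalted fast digests are "weak" because they
# can be brute forced at scale with commodity GPUs.
HASH_FORMATS = [
    ("argon2",      re.compile(r"^\$argon2(id|i|d)\$"),                  "strong"),
    ("bcrypt",      re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),  "strong"),
    ("scrypt",      re.compile(r"^\$scrypt\$|^\$7\$"),                    "strong"),
    ("pbkdf2",      re.compile(r"^\$pbkdf2(-sha\d+)?\$"),                 "strong"),
    ("sha512crypt", re.compile(r"^\$6\$"),                                "strong"),
    ("sha256crypt", re.compile(r"^\$5\$"),                                "strong"),
    ("md5crypt",    re.compile(r"^\$1\$"),                                "weak"),
    ("md5/ntlm",    re.compile(r"^[0-9a-f]{32}$", re.I),                  "weak"),
    ("sha1",        re.compile(r"^[0-9a-f]{40}$", re.I),                  "weak"),
    ("sha256",      re.compile(r"^[0-9a-f]{64}$", re.I),                  "weak"),
    ("sha512",      re.compile(r"^[0-9a-f]{128}$", re.I),                 "weak"),
]

# Constructed sample dump in "email:stored_value" form; the digests are computed
# here from made-up passwords and the bcrypt/argon2 strings are illustrative.
SAMPLE_DUMP = "\n".join([
    "alice@example.com:" + hashlib.md5(b"Summer2024!").hexdigest(),
    "bob@example.com:" + hashlib.sha1(b"letmein").hexdigest(),
    "carol@example.com:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "dave@example.com:$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNo",
    "erin@example.com:Winter2023",
])


def classify(value):
    """Return (format_name, strength) for one stored credential value."""
    for name, pattern, strength in HASH_FORMATS:
        if pattern.match(value):
            return name, strength
    # Could be plaintext or an unknown scheme; a human should look at it.
    return "unrecognized", "review"


def triage(dump_text):
    """Summarize a breach dump: counts per strength and the accounts to reset first."""
    summary = {"total": 0, "by_strength": {}, "by_format": {}, "weak_accounts": []}
    for line in dump_text.splitlines():
        if ":" not in line:
            continue
        account, value = line.split(":", 1)
        fmt, strength = classify(value.strip())
        summary["total"] += 1
        summary["by_strength"][strength] = summary["by_strength"].get(strength, 0) + 1
        summary["by_format"][fmt] = summary["by_format"].get(fmt, 0) + 1
        # Weak hashes are effectively recoverable; treat those accounts like plaintext leaks.
        if strength in ("weak", "review"):
            summary["weak_accounts"].append(account)
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    print(result["by_strength"], result["by_format"])
    print("reset first:", result["weak_accounts"])
```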

Unsecured Credentials 

Credentials often leak beyond your network perimeter, appearing in messenger apps and across distributed networks like TOR, I2P, and Zeronet. DarkOwl collects these widely scattered credential exposures to demonstrate the full scope of your credential compromise landscape. Understanding where your credentials have been exposed enables comprehensive remediation across all affected platforms and services. 

Internal Spearphishing 

Executive and supplier credentials are prized targets for internal phishing campaigns. DarkOwl continuously monitors darknet sources to detect when your executives’ and partners’ credentials are newly shared by threat actors.  

Browser Session Hijacking 

Stealer logs inherently capture browser sessions, creating direct risks of session hijacking attacks. DarkOwl actively monitors and collects stealer log data containing compromised corporate and personal browser sessions, providing visibility into hijacking risks before attackers exploit them. This intelligence enables your team to invalidate compromised sessions and investigate the scope of browser-based compromise. 

Exfiltration Over Web Service 

Data exfiltration frequently occurs across web services where attackers blend malicious activity with legitimate traffic. DarkOwl detects when your corporate data appears on darknet services including Telegram, TOR sites, ransomware platforms, and underground forums. Rapid detection of exfiltration allows your incident response team to contain the breach, quantify the exposure, and implement targeted notifications. 

External Defacement 

Attackers often publicize breaches through external defacement to maximize damage and reputation impact. DarkOwl monitors for keyword/signpost mentions of your company and alleged stolen data across TOR, I2P, file repositories, and paste sites throughout the darknet. This continuous monitoring ensures your security team detects external defacement threats before they escalate into widespread public disclosure or regulatory complications. 

Financial Theft 

Cryptocurrency plays an increasingly central role in attacks, making financial theft tracking essential for investigation and attribution. DarkOwl allows your organization to validate illicit activity by linking it to specific crypto wallet IDs involved in attacks. This capability supports forensic analysis, law enforcement cooperation, and the tracking and tracing of cryptocurrency flows used to fund future attacks. 

DarkOwl doesn’t attempt to be a universal MITRE ATT&CK solution. Instead, it excels at what matters most: providing transparent, flexible navigation of darknet data to deliver unprecedented visibility into how adversaries gather intelligence, compromise credentials, and exfiltrate data. By mastering these critical categories, DarkOwl gives organizations the early warning and actionable intelligence needed to transform defense from reactive to proactive. 

In today’s threat landscape, organizations need platforms that go deep rather than wide. DarkOwl’s specialized focus on darknet reconnaissance and threat actor activity provides exactly this—strategic depth where it matters most. For security teams committed to staying ahead of emerging threats, DarkOwl represents the specialized intelligence layer that bridges the gap between your internal detection systems and the criminal activity planning your compromise. 

Prepare for attacks before they begin. Detect compromise before it escalates. Respond with confidence backed by darknet intelligence. That’s the DarkOwl advantage in the MITRE ATT&CK era.  


For specific details on how DarkOwl maps to the MITRE ATT&CK framework, contact us.

Q3 2025: Product Updates and Highlights

October 23, 2025

As we wrap up Q3, we’re excited to share a major expansion to our investigative capabilities within Vision UI—introducing a powerful new module designed specifically for darknet marketplace research. This release reflects our continued commitment to delivering actionable intelligence with precision and depth. 

DarkOwl has made substantial updates to the way we capture and store data collected from product listings on darknet marketplaces. Darknet marketplace listings now include up to 26 content fields—including listing titles, categories, vendors, shipping information, prices and payment options, reviews, refund policies, and many more. Access our full listing collection through our new Markets module in Vision UI, or Markets endpoint options in Vision API.  

Figure 1: An example of a market listing collected from Abacus market, prior to its shutdown in July 2025

Search by product name, vendor, or even a market name—and see aggregated information and visualizations about your result set. This view provides: 

  • A timeline of new listings 
  • A map of Shipping Sources by volume 
  • Metrics of total and top markets  
  • Metrics of total and top vendors

Figure 2: Aggregated information for a product search ‘Xanax’. 

Additional Features in our Markets module 

  • Specialized search operators/filters: Search listings by Keyword, Vendor, Market, Category, Price, or other market-specific option. 
  • Additional date options: Search listings or sort results by when the listing was First Seen or Last Changed on the market. 

Figure 3: The Markets module provides customized searching and retrieval for product listings. Listings are also available in the All Sources general search, which provides a uniform experience across all data types within DarkOwl Vision. 

Figure 4: Additional filtering options in this module include Price, Shipping Source, and Shipping Destination.

Marketplace Research in Vision API 

We’ve launched three new endpoints for programmatic access to our enhanced darknet marketplace data. These endpoints provide optimized searching, filtering, and formatting specific to market listing content: 

  • The Markets Search endpoint for an optimized experience and market-specific parameters. 
  • The Markets Summary endpoint provides aggregate information about your search result set. 
  • The Listing Detail endpoint retrieves all information from a single market listing. 

You can continue to find market listing results using our Search API endpoint, which has been enhanced with vendor, price, and shipping information, as well as a reference to pull the full listing content from the Listing Detail endpoint if desired. 

We’ve made several search experience upgrades, which streamline and improve search workflows in Vision UI. 

  • Source Domains Filter: The input field has been redesigned for a cleaner, more intuitive experience, making it easier to include or exclude source domains in your searches. 
  • Chat Channel Filters: Our chat filters now support exclusion, allowing you to refine result sets by removing specific channels. 
  • Search Block Expansion: Chat types are now available as search block types—ideal for monitoring high-interest sources. 

Figure 5: The new Source Domains filter provides easier ways to filter to or exclude specific domain sources. 

When your search results are from data leaks, users can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature, or Leak Context API endpoint. 

USA fullz info cc x200

A post on LeakBase, a hacking forum, on January 28, 2025, linked to the file: ggjtv.txt. According to the post, there are 200 lines of full USA credit cards. Data exposed includes names, email addresses, CVV, physical addresses, expiration dates, dates of birth, Social Security Numbers, phone numbers, passwords, mobile numbers, and credit card numbers.

etsy.com

Data purported to be from Etsy was posted on BreachForums, a hacking forum, on December 5, 2024. According to the post, the leak consists of 3,600 rows of data, containing 3,535 unique Social Security numbers, 1,915 email addresses, and 32 email domains. Data exposed includes customer information, email addresses, physical addresses, genders, dates of birth, SSNs, phone numbers, mobile numbers, user identification number (UID), company names, and product data. The threat actor noted the leak contained additional files of parsed and deduplicated SSN, emails and email domains from the raw leak data, noting the files that contained emails and email domains had free email services removed from them. While the victim data is listed as Etsy, the post indicates the company exploited by the MOVEit vulnerability was Delta Dental.

3.9M Allianz Life 2025.19.08 Sample

Data purported to be from Allianz Life, obtained via Salesforce, was posted on scattered lapsus$ hunters, a Telegram channel, on August 19, 2025. According to the post, the leaked data includes Salesforce’s “Accounts” and “Contacts” tables and contains a total of 3.9 million sensitive records, though only 2.8 million were publicly posted. Data exposed includes customer and partner data, names, addresses, dates of birth, and professional information. The Threat Actor indicated that the full leaked database was posted for sale for $10,000 US, with a final sale of $9,000 for the complete database completed on August 21, 2025 by Season via a Bitcoin transaction. According to media reports, Allianz Life confirmed a third-party CRM platform was accessed by a threat actor on July 16, 2025. The Threat Actor group is a combination of Scattered Spider, ShinyHunters and Lapsus$. Telegram channels associated with the group are quickly banned, with backup channels being regularly created to repost content associated with their recent activities.

Serasa Experian 2.9 GB

Data purported to be from Serasa Experian was posted on LeakBase, a hacking forum, on September 10, 2022. According to the post, a hacker known as JBR initially posted the file that affected 223 million users. Data exposed includes names, genders, dates of birth, and CPF (Cadastro de Pessoas Físicas) numbers. The dataset includes static identifiers such as CPF numbers and dates of birth. Consequently, the age of the leak does not lessen the potential impact of the exposed data. A February 2023 post on BreachForums from a user named “TheBlob” explained that the original breach was carried out by a Brazilian hacker known as “JustBr” (or “JBR”), who initially advertised the data on the now-defunct forum, RaidForums. The complete database was reportedly sold for $30,000, while portions, which consisted of 40 parts, were available for $755 each.


Curious how these features and data can make your job easier? Get in touch!

Command-and-Control Frameworks: Post Exploitation in Plain Sight

October 21, 2025

Command-and-control (C2) frameworks are used by both red teams and cybercriminals. They provide a wide range of functionality and capabilities that make post-exploitation tactics easier and more effective. In simple terms, a C2 acts as a central server that connects to, communicates with, and manages compromised systems. It establishes persistence and allows the operator to control dozens of infected machines from one central environment. 

There are many reasons why C2 frameworks are popular among attackers and red teams. Most frameworks offer operators powerful capabilities such as privilege escalation, network pivoting, scanning, and data exfiltration. They are so useful, in fact, that cybersecurity companies have developed their own commercial C2 products for ethical red-team engagements. Cobalt Strike is often regarded as the industry leader for production-grade post-exploitation operations due to its broad set of easy-to-use features, making engagements accessible even to less technically skilled operators. Open-source options are also widely available, with frameworks like Covenant, Sliver, Metasploit, and many others freely downloadable from GitHub. 

Regardless of the framework, stealth is the most critical factor for both ethical red teams and cybercriminals. Security Operations Centers (SOCs) constantly monitor traffic and look for suspicious packets moving through the network. No matter how polished a C2 product may appear, it is useless if detected and blocked. In addition to internal monitoring, dedicated threat-hunting teams at Microsoft, Google, Meta, Cisco, CrowdStrike, IBM, and others search for malicious infrastructure outside their own networks as well. 

Offensive security operators understand the importance of obfuscating traffic and minimizing detection. Great effort is made to ensure payloads are covertly delivered, network traffic is routed inconspicuously, and C2 frameworks are hidden behind innocent-looking websites. This constant need for concealment has led to several tactics, techniques, and procedures (TTPs) that blue teams, SOCs, and organizational leaders should be aware of. 

“Small Sieve,” for example, uses the Telegram bot API to communicate over HTTPS and relay commands to and from malicious C2 servers. To defenders, this HTTPS-encrypted traffic moving through the organization’s network may appear normal. Since Telegram is not considered a malicious service, such traffic could easily be overlooked by blue teams and SOC analysts. 

Throughout 2021, a suspected Iranian-backed threat group known as “Oil Rig” conducted an operation called “Outer Space” targeting Israeli organizations. To conceal their malicious traffic, they compromised an Israeli human resources server and repurposed it as a dedicated C2. Subsequent operations appeared to originate from this trusted source. 

This technique is not limited to concealing C2 servers. When a stage-one payload needs to download additional malware, threat actors often host stage-two payloads on trusted platforms that are less likely to raise alarms. Saint Bear, a Russian threat actor active against Ukraine and Georgia as early as 2021, frequently used Discord’s content delivery network for hosting malicious files. To defenders, this traffic appeared to come from Discord, making it harder for intrusion detection systems to flag as suspicious. 
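The two patterns above (Telegram Bot API used as a C2 channel, and Discord's CDN used to host a second-stage payload) leave a recognizable trace in proxy logs. As an added example, not from the original post and not DarkOwl's detection logic, the script below runs two defender-side checks over constructed sample log lines in a simplified, made-up "timestamp client host path" format: it flags a client polling a bot token on a fixed schedule (the beaconing signature) and any Discord attachment download whose filename carries an executable extension.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines, one request per line:
# "<ISO timestamp> <client_ip> <host> <path>"  (a simplified, made-up format)
SAMPLE_LOG = """\
2025-10-21T09:00:00 10.0.0.5 api.telegram.org /bot123456:ABCDEFghijkl/getUpdates
2025-10-21T09:00:30 10.0.0.5 api.telegram.org /bot123456:ABCDEFghijkl/getUpdates
2025-10-21T09:01:00 10.0.0.5 api.telegram.org /bot123456:ABCDEFghijkl/getUpdates
2025-10-21T09:01:30 10.0.0.5 api.telegram.org /bot123456:ABCDEFghijkl/getUpdates
2025-10-21T09:02:00 10.0.0.5 api.telegram.org /bot123456:ABCDEFghijkl/sendDocument
2025-10-21T09:00:12 10.0.0.7 web.telegram.org /k/
2025-10-21T09:03:41 10.0.0.7 web.telegram.org /k/
2025-10-21T09:05:00 10.0.0.9 cdn.discordapp.com /attachments/1111/2222/update.exe
2025-10-21T09:06:00 10.0.0.9 cdn.discordapp.com /attachments/1111/2222/holiday.png
"""

# Bot API paths embed the bot token, followed by the method name.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")
# Discord CDN attachment whose filename has an executable extension.
DISCORD_EXEC_ATTACHMENT = re.compile(
    r"^/attachments/\d+/\d+/[^/]+\.(exe|dll|ps1|vbs|js|bat|scr|msi)$", re.I)


def parse_log(text):
    """Turn the sample format into (timestamp, client, host, path) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, path))
    return rows


def find_trusted_service_c2(rows, min_requests=4, max_jitter=0.25):
    """Return findings for (a) regular Telegram Bot API polling from one client
    and (b) executable downloads from Discord's CDN."""
    findings = []
    bot_calls = defaultdict(list)          # (client, bot token) -> [(ts, method)]
    for ts, client, host, path in rows:
        if host == "api.telegram.org":
            m = TELEGRAM_BOT_PATH.match(path)
            if m:
                bot_calls[(client, m.group(1))].append((ts, m.group(2)))
        elif host == "cdn.discordapp.com" and DISCORD_EXEC_ATTACHMENT.match(path):
            findings.append({"type": "discord_cdn_executable",
                             "client": client, "path": path})

    for (client, token), calls in bot_calls.items():
        if len(calls) < min_requests:
            continue
        calls.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(calls, calls[1:])]
        avg = mean(gaps)
        # An implant polls on a fixed schedule, so the gaps between requests
        # show little spread; a human using a bot does not behave this way.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"type": "telegram_bot_beacon",
                             "client": client,
                             "token": token[:6] + "...",   # never log the full token
                             "requests": len(calls),
                             "interval_s": avg,
                             "methods": sorted({method for _, method in calls})})
    return findings


if __name__ == "__main__":
    for finding in find_trusted_service_c2(parse_log(SAMPLE_LOG)):
        print(finding)
```

Legitimate automation also uses bot tokens, so in practice the beacon finding should be compared against an allow-list of known bots before it pages anyone.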

The popularity and awareness of these C2 techniques have expanded beyond nation-state actors and advanced attackers. Using the DarkOwl Vision platform, we can observe multiple discussions emphasizing the importance of stealth in C2 operations. 

Source: DarkOwl Vision

One user highlights the software’s ability to “function covertly, employing stealthy techniques to avoid detection… and [avoid detection from] network security monitoring tools”. 

The following example describes another piece of malware that uses Telegram as its command-and-control platform for communication with infected machines. Again, the author boasts of the software’s “low detection rates due to its advanced obfuscation techniques”. 

Source: DarkOwl Vision

For cyber defenders and blue teams, it is critical to understand these TTPs. In some cases, a SOC analyst may identify something suspicious within an otherwise benign Telegram packet. In others, endpoint detection and response platforms can be tuned to better recognize this malicious traffic. More importantly, the cybersecurity community must accept that these TTPs will continue to evolve into more sophisticated methods. Just as blue teams grow comfortable detecting one technique, red teams adopt the next lesser-known approach that has yet to be widely publicized. 

Resources such as attack.mitre.org are invaluable for fingerprinting and understanding the TTPs that a company, organization, or industry might face during an incident. After an attack, investigators and cyber experts often publish their findings, which can help future targets prepare to identify and thwart similar threats. 

In this blog, we explained how powerful C2 frameworks can be in maintaining stealthy operations for both red teams and cybercriminals. We highlighted examples where advanced persistent threats (APTs) leverage trusted applications and networks to conceal post-exploitation activity. The dark web remains a rich source of intelligence, where forums and discussion boards provide valuable insight into evolving trends and shared techniques. Ultimately, staying ahead in this cyber cat-and-mouse game requires defenders to remain adaptive, vigilant, and continuously informed.


Curious how DarkOwl can help you? Contact us.

Cyber Hygiene at Work & Home 

October 16, 2025

Since the COVID-19 pandemic in 2020, it’s been proven time and again that the boundary between work and home is thin. Your “office” might be a kitchen table. Your “help desk” might be your teenager asking for the Wi-Fi password. And while we like to think that security is something handled by IT or left to our antivirus, the truth is simpler: your daily habits, at work and at home, decide whether attackers get a foothold. 

Below is a field-tested guide to cyber hygiene that treats all aspects of your life with the reality that they are all connected. Use it to harden the places you click, type, scan, and share, no matter where you are. 

Step 1: Start with the “Big Four” (everywhere you log in) 

Turn on MFA for every important account. It adds a second proof (app prompt, code, or security key) so a stolen password alone won’t grant access. 

Use a password manager to generate and store long, unique passwords for each site. This prevents one breach from unlocking multiple accounts. 

Keep everything current—laptops, phones, browsers, and even routers/IoT. Updates patch known flaws attackers actively exploit. 

Slow down on links and attachments. Verify unusual requests on a separate channel and report suspicious emails/messages to IT. 

Not all MFA is equal. SMS codes and push prompts can be bypassed (push fatigue, SIM swaps). Where available, use FIDO2/WebAuthn security keys or passkeys for phishing-resistant authentication (CISA). 

Passkeys use public-key cryptography, so there’s nothing reusable for criminals to steal or phish—and they’re now supported across major platforms. If a site offers passkeys, turn them on (FIDO Alliance). 

Step 2: Treat your home like a branch office 

Attackers don’t care if they land on a CFO’s laptop or a teenager’s tablet, both act as launchpads to your data. 

Create separate networks for primary devices, guests, and IoT (cameras, TVs, smart speakers). This limits blast radius if one thing gets infected. At minimum: Primary, Guest, and IoT SSIDs (U.S. Department of War). 

Change default passwords, disable WPS, enable WPA3/WPA2, update firmware, and hide/rename default SSIDs that leak your router model (CISA). 

Firewalls, routers, VPN gateways, and internet-facing boxes need regular patching—treat them like crown jewels, not appliances (CISA). 

Kids and elders are prime targets because they’re helpful and curious. Set up non-admin accounts, turn on automatic updates, and require approval for new installs. Teach a simple rule: no scanning random QR codes. EVER! QR-based phishing (“quishing”) is rising—from stickers on parking meters to QR codes sent in the mail. 

Step 3: Close the “human gaps” at work 

Technology can’t save us from workflows that reward speed over safety. 

Clicking a link, approving an MFA prompt, or running an attachment is a risk decision. If something feels rushed or emotional, pause and verify on a separate channel. 

Never approve a push you didn’t initiate; report repeated prompts to IT. Ask your org to move critical apps to phishing-resistant MFA (CISA). 

People use unsanctioned tools to get work done. Offer safe, approved alternatives—and make them easier than the workaround. 

Use different browser profiles (or separate browsers) for corporate vs. personal accounts to avoid cross-contamination of cookies, extensions, and autofill. 

Step 4: Five Pillars of Cyber Hygiene (with “Work” and “Home” plays) 

Think of these as your daily vitamins—boring, effective, non-negotiable. 

  • Work: Require MFA everywhere; prefer FIDO2 keys or platform passkeys for high-risk roles. Review admin privileges quarterly (CISA). 
  • Home: Use a password manager for everyone in the house. Turn on passkeys where offered. Store account recovery codes securely (not in your email) (CISA). 
  • Work: Enforce OS/browser/driver updates. Block unsigned macros; restrict USB media. 
  • Home: Auto-update everything. On kids’ devices, require approval for new apps and in-app installs. Back up photos/docs to a service or external drive (3-2-1 rule). 
  • Work: Patch edge devices; audit remote access and VPN portals; disable unused services (CISA). 
  • Home: Separate SSIDs: Primary | Guest | IoT. Change router defaults; update firmware; prefer WPA3 (U.S. Department of War). 
  • Work: Maintain an allow-list of approved software and browser extensions. Monitor OAuth app grants to corporate accounts. 
  • Home: Delete apps you don’t use. In browsers, keep extensions minimal and reputable; disable third-party cookies; use separate profiles for kids. 
  • Work: Run short, contextual training (60–90 seconds) tied to real incidents: “Why this phish worked,” “How that MFA prompt slipped through,” etc. 
  • Home: Have a five-minute family drill: “If a pop-up says we’re infected, what do we do?” (Answer: close the browser, don’t call numbers, tell an adult.) 

Step 5: A 15-Minute Monthly Tune-Up 

Set a recurring reminder synced to all your devices, then knock these out: 

  1. Update all devices (phones, laptops, tablets, routers, smart TVs). 
  2. Review your password manager for weak/reused passwords; rotate any shared family passwords (CISA). 
  3. Check bank and email alerts (sign-ins, transfers, forwarding rules). 
  4. Audit browser extensions and remove anything you don’t use. 
  5. Test backups by restoring a file (don’t wait for an emergency). 

Step 6: If you slip (because we all do) 

  • At work: Unplug from the network if malware is suspected; call IT; do not try to “clean it” yourself; preserve evidence (timestamps, screenshots). 
  • At home: Power down the affected device; change important account passwords from a different device; call your bank if credentials were exposed; reset router and update firmware; reinstall OS if necessary. 
  • If you scanned a suspicious QR code or clicked a fake login: reset any password you entered and revoke OAuth sessions for the affected app. Watch for new MFA prompts you didn’t initiate. 

Cyber hygiene isn’t a fancy toolkit; it’s a set of small, repeatable habits your whole circle can manage. Enable MFA that resists phishing. Use passkeys when available. Update relentlessly. Segment the home network. Slow down on links, attachments, QR codes, and MFA prompts. These are the same moves that security teams recommend, because they meaningfully cut risk at work and at home (IT Services). 

Do this now, and when Clean Out Your Computer Day rolls around next February, you’ll be cruising through a short, satisfying tune-up instead of tackling a backlog. 

Finally, the next time a child asks for your phone at dinner or a relative forwards a “too-good-to-be-true” link, remember: YOU may be the gateway (for better or worse).  

Make the safer choice first. 


Keep up with all tips shared by DarkOwl. Subscribe to email.

What is a DDoS Attack?

October 09, 2025

Cybersecurity might as well have its own language. There are so many acronyms, terms and sayings used by both cybersecurity professionals and threat actors that, unless you are deeply knowledgeable, have experience in the security field or have a keen interest, you may not know them. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees. 

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, IoCs, and credential stuffing. In this edition, we dive into DDoS attacks.

DDoS is an acronym for Distributed Denial of Service Attack – a malicious attack on a network that is executed by flooding a server with useless network traffic, which exploits the limits of TCP/IP protocols and renders the network inaccessible. This excessive traffic prevents legitimate users from accessing the service, effectively causing a “denial of service.”

The frequency of DDoS attacks is constantly on the rise. Some reports estimate that there were approximately 2,200 DDoS attacks every hour in the first three quarters of 2024 – a staggering 49% QoQ increase in DDoS attacks and a 55% increase YoY. The United States absorbed more than 40% of DDoS attacks, followed by Germany, then Brazil, Singapore, Russia, South Korea, Hong Kong, United Kingdom, Netherlands, and Japan.

While the average length of a DDoS attack is under 10 minutes, the financial damage it can cause to the target can be severe – the average cost per minute of downtime is $22,000. On the flip side, attackers can rent tools online to launch an attack for as little as $5 an hour.

How Does a DDoS Attack Work?

A DDoS attack leverages a botnet: an army of compromised computers or Internet of Things (IoT) devices that are collectively used for a malicious purpose. The flood of traffic they generate leaves the target unable to serve legitimate users. Motivations for committing a DDoS attack vary:

  • Extortion: Attackers demand a ransom from the target to stop the attack.
  • Hacktivism: Attackers use hacking techniques to achieve a political or social agenda, such as protesting against organizations, governments, or ideologies they disagree with, raising awareness on a political agenda, or exposing corruption.
  • Business Competition: A business might launch an attack on a competitor to disrupt their services and gain a competitive edge.
  • Cyber Warfare: Nation-states damage another nation’s digital infrastructure, information systems, or critical services for military or political objectives.
  • Distraction: A DDoS attack can be a smokescreen to distract security teams while attackers conduct a more sophisticated breach, such as stealing data.
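What makes the attack "distributed" is the source count, and that is also what separates it from a single-host flood in telemetry. As an added example (not DarkOwl's code), the script below builds constructed flow records for a target in a documentation address range, learns the normal request rate from a baseline window, and raises an alert for each second whose rate is far above normal, labelling it DDoS when the traffic comes from many distinct sources and DoS when it comes from one; the baseline window length and source threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

TARGET = "198.51.100.10"   # constructed victim address (documentation range)


def build_sample_flows():
    """Constructed flow records as (second, src_ip, dst_ip) tuples."""
    flows = []
    # Seconds 0-59: normal load, 20 requests/s from 10 regular clients
    for sec in range(60):
        for i in range(20):
            flows.append((sec, f"203.0.113.{i % 10 + 1}", TARGET))
    # Seconds 60-69: botnet flood, 600 requests/s from 600 distinct sources
    for sec in range(60, 70):
        for i in range(600):
            flows.append((sec, f"100.64.{i // 250}.{i % 250}", TARGET))
    # Second 70: 300 requests/s from a single source (plain DoS, not distributed)
    for _ in range(300):
        flows.append((70, "203.0.113.200", TARGET))
    return flows


def detect_flood(flows, dst, baseline_secs=60, factor=5.0, min_sources=100):
    """Learn the normal per-second rate to `dst` from the first `baseline_secs`
    seconds, then alert on later seconds that exceed the learned threshold."""
    per_sec = defaultdict(list)
    for sec, src, d in flows:
        if d == dst:
            per_sec[sec].append(src)
    baseline = [len(per_sec.get(s, [])) for s in range(baseline_secs)]
    base_rate = mean(baseline)
    # Alert when the rate is far above normal: at least `factor` x the mean,
    # or three standard deviations above it, whichever is larger.
    threshold = max(factor * base_rate, base_rate + 3 * pstdev(baseline))
    alerts = []
    for sec in sorted(per_sec):
        if sec < baseline_secs:
            continue
        srcs = per_sec[sec]
        rate, distinct = len(srcs), len(set(srcs))
        if rate > threshold:
            # Many distinct sources means a botnet; one source can be rate-limited.
            alerts.append({"second": sec, "rate": rate, "distinct_sources": distinct,
                           "kind": "DDoS" if distinct >= min_sources else "DoS",
                           "threshold": threshold})
    return alerts


if __name__ == "__main__":
    for alert in detect_flood(build_sample_flows(), TARGET):
        print(alert)
```

Knowing the baseline is the whole trick: without the quiet first minute the detector has nothing to compare the flood against, which is why the response-plan advice to learn what is normal for your network matters.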

Esports and Gaming

Esports platforms, streamers, and tournaments have become prime targets for cyberattacks. The reasons are simple: high visibility, massive online audiences, and often, poorly secured infrastructure. 

A report from Control Risks explains that “the sheer popularity of esports, combined with lax security protocols in some areas, makes them an ideal target for DDoS attacks, credential theft, and extortion.” In fact, the report states that over 37% of all DDoS attacks are directed at online gaming and esports platforms. This makes gaming and gambling the industry most targeted by DDoS attacks.

These aren’t hypothetical threats. In recent years, major tournaments have been halted mid-stream due to attacks, players have been forced offline during crucial matches, and attackers have used ransomware to hold tournament servers hostage.

UK Councils

One group of organizations that has been increasingly targeted by ransomware groups and other threat actors is UK councils, the local level of government in the UK. Recently, hacktivist groups associated with countries involved in conflict, such as Russia, Ukraine, Palestine, Iran and Israel, have been known to conduct DDoS attacks targeting council websites. The image to the left shows proof of a DDoS attack against the London Borough of Harrow from a Palestinian-affiliated hacktivist group, which caused temporary website outages and service disruptions across multiple local councils including Blackburn with Darwen, Exeter, and Arun District Council. These attacks were politically motivated in response to the UK’s support for Ukraine and carried out by the hacktivist group NoName057(16). 

Hacktivist Group: Dark Storm

Earlier this year, X suffered multiple worldwide outages. The hacktivist group Dark Storm has claimed responsibility for the DDoS attacks which caused the outages. Specifically, the group made posts on their Telegram channel the same day the attacks took place and shared screenshots from check-host.net as proof of the attack. Tens of thousands of users were impacted by the outages. 

A month after Dark Storm caused the outages of X, the notorious hacking forum BreachForums went offline, this time possibly as a result of a Distributed Denial-of-Service (DDoS) attack. Dark Storm, once again, claimed that it was behind a DDoS attack against BreachForums. The group shared a Check-Host.net link in its Telegram channel which showed that the hacking forum was down in over two dozen countries.

As always, DarkOwl recommends practicing good cyber hygiene in order to prevent an attack before it happens wherever possible. Because attackers are constantly changing their TTPs (tactics, techniques, and procedures), there is no single foolproof way to prevent a DDoS attack; a multi-layered approach to protection is recommended. Every organization should have a DDoS Response Plan and keep it up to date (who to contact, what systems to check, etc.), know what normal looks like on your network so you can tell when patterns or activities look off, maintain good cyber hygiene by keeping all systems, software, and applications updated with the latest security patches, and increase your system bandwidth so that if an attack does happen, you have more capacity to handle the flood of traffic and stay online.
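One way to put the "know what normal looks like on your network" advice into practice, as an added example that is not DarkOwl's code: a per-minute request-rate check that compares access-log lines against a baseline learned from a quiet period and flags minutes exceeding the mean plus three standard deviations, also reporting how many distinct sources drove the spike. The log lines, baseline counts and IP addresses below are all constructed for illustration.

```python
"""Added example (not from the DarkOwl post): request-rate baseline check for a
DDoS response plan. All log lines and baseline values are constructed test data."""
import re
import statistics
from collections import Counter

# Common Log Format: ip ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed baseline: requests per minute observed during a quiet period.
BASELINE_PER_MINUTE = [48, 52, 50, 47, 55, 49, 51]

def make_lines(minute: str, count: int, ips: list) -> list:
    """Build constructed CLF lines for one minute of traffic (test data only)."""
    return [f'{ips[i % len(ips)]} - - [13/Nov/2025:10:{minute}:{i % 60:02d} +0000] '
            f'"GET / HTTP/1.1" 200' for i in range(count)]

def requests_per_minute(lines):
    """Map 'HH:MM' -> (request count, distinct source IP count) from log lines."""
    counts, sources = Counter(), {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole check
        parts = m.group("ts").split(":")  # ['13/Nov/2025', 'HH', 'MM', 'SS +0000']
        minute = f"{parts[1]}:{parts[2]}"
        counts[minute] += 1
        sources.setdefault(minute, set()).add(m.group("ip"))
    return {k: (counts[k], len(sources[k])) for k in counts}

def flag_anomalies(baseline_counts, current, k=3.0):
    """Return [(minute, count, distinct_ips)] for minutes above mean + k*stdev.
    A flat baseline would give a zero stdev, so floor it at 1.0."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0
    threshold = mean + k * stdev
    return [(minute, n, ips) for minute, (n, ips) in sorted(current.items()) if n > threshold]

if __name__ == "__main__":
    # Minute 10:00 is normal; minute 10:01 is a constructed flood from three sources.
    sample = make_lines("00", 50, [f"198.51.100.{i}" for i in range(10)]) \
        + make_lines("01", 500, ["203.0.113.7", "203.0.113.8", "203.0.113.9"])
    for minute, n, ips in flag_anomalies(BASELINE_PER_MINUTE, requests_per_minute(sample)):
        print(f"{minute}: {n} requests from {ips} sources "
              f"(baseline ~{statistics.mean(BASELINE_PER_MINUTE):.0f}/min)")
```

A low distinct-source count on a flagged minute points at a few noisy hosts that rate limiting can handle; a high one suggests a distributed flood that needs upstream scrubbing.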



Threat Intelligence RoundUp: September

October 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Hackers breach fintech firm in attempted $130M bank heist – Bleeping Computer

Sinqia, Evertec’s Brazilian subsidiary, disclosed to the U.S. Securities and Exchange Commission (SEC) that its systems were breached by hackers on August 29, with the intent to conduct unauthorized transactions. The hackers specifically targeted their Brazilian Central Bank real-time payment system, Pix. Access to Pix was gained by the use of stolen credentials belonging to an IT vendor. Evertec has reported that an undisclosed portion of the $130 million has been recovered. No specific hacker group has been linked to the attack. Read full article.

2. Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats – The Hacker News

Dream, the Israeli cybersecurity company, claims an Iranian-nexus group targeted embassies and consulates in Europe via a spear phishing campaign. The emails contained information regarding geopolitical tensions between Iran and Israel, and prompted individuals to open a Word document that “urges recipients to ‘Enable Content’ in order to execute an embedded Visual Basic for Applications (VBA) macro, which is responsible for deploying the malware payload.” The hackers sent emails to organizations located in the Middle East, Africa, Europe, Asia, and the Americas, casting a wide net in an attempt to successfully gain access and harvest information. Article here.

Following extradition from Kosovo in May, Liridon Masurica has pled guilty in a Florida Federal Court. Masurica was the lead administrator of the online criminal marketplace BlackDB.cc from 2018 to 2025. Records show he pled guilty to leading the organization and has also been charged with five counts of fraudulent use of unauthorized access devices and one count of conspiracy to commit access device fraud. Read more here.

On September 12, the FBI released a FLASH “to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395”. The alert follows the tracking of UNC6395, which targeted companies’ support case information in Salesforce from August 8th – 18th. The exfiltrated data was analyzed to extract secrets, credentials, and authentication tokens shared in support cases. After discovery, Salesforce was able to revoke all Drift tokens and required customers to reauthenticate to the platform. Mandiant disclosed information regarding UNC6040 in June, warning of social engineering and vishing attacks connected to Salesforce accounts. Read here.

5. Airport disruptions in Europe caused by a ransomware attack – Bleeping Computer

Several European airports experienced a ransomware attack that affected the check-in and boarding systems. The attack targeted Collins Aerospace, the external provider for both systems. Beginning Friday evening, hackers targeted the MUSE (Multi-User System Environment) system, causing over 100 delayed and cancelled flights throughout the weekend. The attack was confirmed by the European Union Agency for Cybersecurity (ENISA) and the agency claimed the hackers were attempting to lock up data and systems in “an attempt to score a ransom”. All reports claim that the incident was resolved by Monday. Learn more.

6. AI-powered malware hit 2,180 GitHub accounts in “s1ngularity” attack – Bleeping Computer

On August 26, threat actors exploited a flaw in a GitHub Actions workflow in the Nx repository, resulting in the exposure of 2,180 accounts. The telemetry.js malware is a credential stealer that targets Linux and macOS systems. The malware attempted to steal “GitHub tokens, npm tokens, SSH keys, .env files, crypto wallets”. Three separate phases were completed during the attack, which led to 7,200 repositories being exposed. Read full article.

7. Massive anti-cybercrime operation leads to over 1,200 arrests in Africa – Bleeping Computer

In an August 22 press release, INTERPOL announced the arrest of 1,209 cybercriminals who targeted nearly 88,000 victims as part of an INTERPOL-coordinated operation dubbed “Operation Serengeti 2.0.” As noted in the statement, the operation took place between June and August 2025 and involved investigators from 18 countries across Africa as well as from the U.K. Nine private sector partners also assisted with the investigation. The operation resulted in the recovery of $97.4 million and the dismantling of 11,432 malicious infrastructures. Read full article.

8. Google nukes 224 Android malware apps behind massive ad fraud campaign – Bleeping Computer

An Android ad fraud operation, “SlopAds”, was disrupted after 224 malicious applications on Google Play were found to have generated 2.3 billion ad requests per day. The operation was discovered by HUMAN’s Satori Threat Intelligence team. The applications were downloaded over 30 million times and used obfuscation and steganography to avoid detection. Once detection was avoided, the “FatModule” malware would be activated. One evasion tactic used by the apps was tied to how they were installed: if installed through the Play Store, an app acted as a normal app; if installed by clicking through an ad, “it downloads four PNG images that utilize steganography to conceal pieces of a malicious APK.” Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
