Author: DarkOwl Content Team

Threat Intelligence RoundUp: November

December 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks – The Hacker News

On November 03, three former employees of the cybersecurity companies DigitalMint and Sygnia were indicted in district court for “allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them.” The individuals, Kevin Tyler Martin of Roanoke, Texas, and Ryan Clifford Goldberg of Watkinsville, Georgia, and an unnamed accomplice are facing multiple charges, including interference with interstate commerce by extortion and intentional damage to protected computers. During the aforementioned time period, BlackCat gained access to victims’ networks, stole data, deployed malware, and demanded cryptocurrency in exchange for decryption keys and a promise not to leak the stolen data. Read full article.

2. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News

On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities that have impacted Dassault Systèmes DELMIA Apriso and XWiki. The vulnerabilities CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893 allow threat actors to execute arbitrary code and gain access to applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Combining these vulnerabilities allows the creation of accounts with elevated privileges and the placement of executable files into a web-served directory, resulting in complete compromise of the application. Since March, CVE-2025-24893 has been exploited against XWiki in a two-stage attack chain that delivers a cryptocurrency miner. Article here.

On October 31, the University of Pennsylvania announced that its information systems for development and alumni activities had been compromised. Using an employee’s PennKey SSO account, the threat actor was able to gain access to “the university’s Salesforce instance, Qlik analytics platform, SAP business intelligence system, and SharePoint files.” This access provided the threat actors with 1.71 GB of internal documents as well as 1.2 million records of donor information. The hackers claim the attack was not politically motivated but posted on hacking forums that they targeted the university due to its “alleged DEI practices, admissions policies, and love of nepobabies.” Read more here.

Following a seven-year investigation by the Met’s Economic Crime team, a 47-year-old woman, Zhimin Qian (also known as Yadi Zhang), was found guilty of a large-scale fraud campaign that defrauded over 128,000 victims in China between 2014 and 2017. Qian earned the name “Bitcoin Queen” in China after promoting the currency as “digital gold”. After her scheme was uncovered in 2017, she converted the proceeds into Bitcoin and fled to the United Kingdom, where, with the help of an associate named Jian Wen, she attempted to launder the cryptocurrency through property purchases. Qian was arrested in 2024, and law enforcement seized assets worth $14.4 million, as well as cryptocurrency wallets, encrypted devices, cash, and gold. Read here.

5. Malicious NuGet packages drop disruptive ‘time bombs’ – The Bleeping Computer

NuGet, an open source package manager and software distribution system, identified several sabotaged payloads scheduled to activate in 2027 and 2028. The packages target three major database providers used in .NET applications, with the most dangerous targeting Sharp7Extend. Using a probabilistic trigger, the malicious code may or may not fire in August 2027 and November 2028. According to Socket researchers, the packages contain 99% legitimate code in an attempt to create a “false sense of security”. Learn more.

6. APT37 hackers abuse Google Find Hub in Android data-wiping attacks – Bleeping Computer

North Korean hackers, APT37, have been discovered abusing Google’s Find Hub tool to target South Koreans. Victims are approached through KakaoTalk messenger, a popular instant messaging app. Spear-phishing messages transmitted through KakaoTalk impersonate South Korea’s National Tax Service, the police, and other agencies to deceive recipients into interacting. If someone opens the attached MSI file (or a ZIP that contains it), the program runs two hidden scripts: one to install the malicious code and one that pops up a fake “language pack error” to fool the user. Meanwhile, the malware grabs the victim’s Google and Naver login details, signs into their email accounts, changes security settings, and deletes traces of the break-in. Read full article.

7. Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks – The Hacker News

Iranian threat actors, known for espionage-driven attacks, have been observed deploying the backdoors TWOSTROKE and DEEPROOT against Middle East industries. Mandiant attributes the activity to UNC1549 (aka Nimbus Manticore and Subtle Snail). According to Google, these infection chains blend phishing campaigns aimed at stealing credentials with malware delivery operations that exploit trusted relationships with third-party vendors. Although the primary targets maintain strong security defenses, some third-party partners remain vulnerable, creating a ‘weak link’ that groups like UNC1549 can exploit. Read full article.

8. Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters – Bleeping Computer

The threat actor group Scattered Lapsus$ Hunters has announced the development of a Ransomware-as-a-Service (RaaS) platform named ShinySp1d3r. The group announced on its Telegram channel that the ransomware was in development and would be led by ShinyHunters but operated under the “Scattered Lapsus$ Hunters” brand. Samples of the ransomware have been uploaded to VirusTotal and show a mix of common features and new features developed by the group. The encrypted files will contain “information on what happened to a victim’s files, how to negotiate the ransom, and a TOX address for communications”. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

DarkOwl Selected as the Darknet Technology of Choice for Channel 4’s ‘Hunted’

November 25, 2025

The eighth series of the popular, BAFTA-nominated TV show ‘Hunted’ came to a dramatic end this month.  

Hunted is a gripping reality series that pits volunteer civilian ‘fugitives’ against a professional team of ‘Hunters’ – comprising former intelligence officers, police detectives, and cyber analysts – who employ real-world investigative techniques to try to track them down within 28 days.

The TV show regularly attracts over 2 million viewers per episode. 

In this series, the Hunters were able to catch 13 out of the 14 original fugitives within the time frame. This is the most successful capture record in the history of the show.

In the programme, the ‘fugitives’ must try to evade simulated capture by Hunters who leverage an impressive arsenal of capabilities: CCTV networks, ANPR systems, mobile phone tracking, financial surveillance, OSINT and behavioural profiling.  

The Hunters establish pattern-of-life analysis, exploit OPSEC failures, conduct tactical ground operations, and demonstrate how modern surveillance infrastructure creates a near-inescapable digital dragnet.  

The show illustrates the investigative challenges of resource allocation, intelligence fusion, and the cat-and-mouse dynamics between human behaviour and technical collection, while exposing how difficult it truly is to disappear in a modern surveillance state. 

In this series, DarkOwl was selected as one of the handful of intelligence tools (and the sole Darknet technology) to assist the Hunters in their London HQ. 

Daisy Hickman – an OSINT specialist Hunter who holds an MSc in Forensic Investigation – commented on her experience with DarkOwl (in her capacity as a DarkOwl super-user during the show):

“DarkOwl proved critical to our time-sensitive fugitive operations, and the easy to use interface and comprehensive data was an invaluable part of our OSINT analysis.” 

By continuously indexing high-value darknet websites, fora, marketplaces, chans, leak databases, Telegram channels and beyond, DarkOwl reconciles underground activities and personas with real-world events and people for all levels of intelligence analyst. 

DarkOwl was pleased to support Hunted, not least as it provided a good opportunity to showcase the power of DARKINT techniques for fast-paced criminal investigations.


Watch the latest series of Shine TV/Channel 4’s Hunted, and find out more about DarkOwl Vision.

Beware: Black Friday Scams 

November 18, 2025

In anticipation of the year’s busiest shopping day, scammers employ a variety of deceptive tactics designed to exploit eager shoppers, continually adapting their schemes to stay ahead of detection. 

From fake online stores advertising bogus discounts to scammers sending fraudulent delivery notifications during the busy shopping season, consumers face plenty of risks to watch out for. The rise of deceptive scams during the holidays highlights the many tactics fraudsters use to exploit consumers and dampen the festive spirit. The following provides an overview of prevalent scams and guidance on how consumers can protect themselves during their shopping activities. 

One of the most common scams cybercriminals set up is the fake shopping site that mimics the real site of a well-known retailer. These deceptive websites often imitate legitimate domain names and lure unsuspecting shoppers with seemingly irresistible discounts. To enhance their credibility, they frequently run fake social media ads that direct victims to the counterfeit pages, adding a false sense of legitimacy to the scam.

Once shoppers enter their personal information and check out, scammers receive the personal data, which usually involves banking details. These scams can lead to financial loss and identity theft, which can affect people more severely during the holiday season.  

How to Protect Yourself: 

  • Double check website URLs.
  • Visit retailers’ official websites, rather than clicking an unaffiliated link. 
  • If possible, use secure payment methods that offer fraud protection.  

With the rise in online shopping, promotional emails are utilized by most stores to promote their Black Friday sales. Darktrace’s global analyst team revealed that Christmas-themed phishing attacks for Black Friday and Cyber Monday “deals” soar throughout the month of November (over 600%!).  

To capitalize on this, one method used by cybercriminals is sending phishing emails promoting “exclusive offers” or “limited-time flash sales”. The emails typically contain links to malicious sites that steal personal information and can infect your device with malware. These emails can also lead to fake stores, as mentioned above.  An additional example includes emails claiming a user’s account is “locked or disabled”. 

How To Protect Yourself: 

  • Ensure the sender has a trusted email address, showing the correct domain. 
  • Trust your instincts if the message seems “off” and possibly written by AI. 
  • Do not give any personal information via email; the majority of retailers would not request this information through email correspondence.

In recent years, scammers have begun sending fake text messages that claim to be from carriers like UPS, FedEx, and USPS, stating there is an issue with a delivery. These messages include a fake tracking link that, if clicked, puts your data at risk. The links may direct you to a site that asks for your personal data or could install malware onto your phone or computer.

With most holiday shopping being online, these types of scams may increase throughout the holiday season. According to the FCC “If you receive suspicious email, text or phone messages, go to the delivery carrier’s website directly or use the retailer’s tracking tools to verify”. Carriers also offer advice and protocols on their websites with things to look out for and ways they legitimately contact individuals.  

How To Protect Yourself: 

  • If there is any doubt about validity, contact the company directly.
  • Verify independently by going to the carrier’s website.
  • Do not reply or click on any links. 

Fraudulent Charity Appeals 

Traditionally, the Tuesday following Black Friday is known as Giving Tuesday, when non-profits and charities intensify their outreach efforts to meet seasonal fundraising goals. When donating during the holiday season, it’s important to exercise caution before giving to any charity online. Just as scammers create fake online stores, they also design fraudulent charity websites that imitate legitimate organizations to steal money and collect personal information. 

Additionally, scammers may reach out through unsolicited phone calls, using high-pressure tactics to push victims into making quick donations. They often refuse to provide clear or detailed information and may insist on unconventional payment methods, such as gift cards or wire transfers. 

How To Protect Yourself: 

  • Prior to donating, research the charity.  
  • Donate directly through the charity or organization’s website.
  • Don’t let scammers rush you into donating.

According to the Federal Trade Commission (FTC), shopping fraud ranked as the second most prevalent form of fraud in 2024, with consumers losing more than $12.5 billion. Within this category, online shopping issues represented the second most commonly reported type of fraud. The report from the FTC claims the overall number of scams has remained relatively stable, but more individuals are becoming victims. This indicates that scams are evolving and becoming increasingly difficult to recognize. 

If you fall victim to a scam, remember to protect your finances, contact your bank or credit company, and monitor financial accounts for further suspicious activity. The most important thing for victims to remember is that scams can happen to anyone — and there’s no shame in taking extra precautions. The best defense against Black Friday scams is to stay alert and verify retailers before interacting or making a purchase. By following these steps and keeping this advice in mind, you’ll set yourself up for a safe and successful Black Friday, ensuring your holiday gifts bring only joy this season. 


Curious to learn how DarkOwl can help? Contact us.

What are IoAs?

November 13, 2025

Cybersecurity might as well have its own language. Cybersecurity professionals and threat actors alike use so many acronyms, terms, and sayings that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know what they mean. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, and indicators of compromise. In this edition, we dive into indicators of attack.

An Indicator of Attack (IoA) is a behavioral pattern or activity that reveals a cyberattack is in progress or about to occur. IoAs focus on detecting an attacker’s intent and methods in real time, enabling organizations to identify and stop malicious actions before they cause major harm.

Rather than relying on evidence of past breaches, IoAs highlight the attacker’s tactics, techniques, and procedures (TTPs) as they unfold, providing early warning of active or emerging threats.

It’s important to distinguish IoAs from indicators of compromise (IoCs). IoAs focus on the behaviors and tactics that suggest an attack is currently in progress or about to occur, while indicators of compromise tell you that a compromise has already happened. Both are crucial for a comprehensive cybersecurity strategy.

Examples of IoAs in the Darknet that DarkOwl Monitors

  • Malware and exploit kits: Advertisements for or discussion of high-quality malware designed to evade detection or exploits that can be used in an attack.
  • Tools for malicious activity: Evidence of groups using specific tools to disable security software, like an EDR (endpoint detection and response) killer, to facilitate an attack.
  • TTPs: Discussion and sharing of attack techniques on darknet forums, which indicates active development and use of new methods. 

How DarkOwl Helps Identify IoAs

  • Entity API: This tool helps identify and contextualize entities like IP addresses and domains within the collected darknet data, which is crucial for correlating indicators and assessing threats in real-time. With Entity API, users can quickly and efficiently identify, monitor, and target particular threats in the darknet that are relevant to their particular needs and use-cases.
  • Vision platform: This platform collects and indexes vast amounts of darknet data, allowing for the identification of potential attacks in progress by searching for relevant keywords and patterns. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search darknet data.
  • Threat intelligence: By monitoring forums, marketplaces, and other sources, DarkOwl can identify the latest threats and attack methods being discussed and sold on the darknet. With 227,500 pages of darknet content scraped and indexed every hour, DarkOwl’s collection database is continuously expanding.

DarkOwl helps detect both IoAs and IoCs through its darknet intelligence by identifying attacker tactics, techniques, and procedures (TTPs). Examples include advertisements for malware or exploit kits, discussions of attacks on darknet forums, or the use of specific tools, all of which indicate a potential or ongoing attack.

In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical.  

One effective approach to enhancing cybersecurity is to track and monitor cyber threat actors: the individuals or groups with malicious intent who conduct attacks, often targeting organizations, governments, or individuals. Understanding why they operate, what they hope to achieve, and what methodologies they use can assist analysts in protecting infrastructure and predicting future activity. Identifying and monitoring the tactics, techniques, and procedures (TTPs) of cyber threat actors is also an important step in gaining insight into actors’ strategies. This information can be invaluable in understanding how attacks are executed and identifying potential vulnerabilities in an organization’s defenses.

With DarkOwl’s Actor Explore, users can review analyst-curated insights into active threat actor groups on the darknet and beyond. We explore the motivations behind the groups, the tools they have used, and searchable attributes to pivot on within DarkOwl Vision. Tracking available information about threat actors, such as their motivations, TTPs, victims, and activities, can provide valuable intelligence that allows analysts to predict behavior and take proactive steps to protect their organizations.

Product Highlight: DarkSonar API

With cyberattacks increasingly on the rise, organizations need better intelligence to safeguard themselves, employees and customers from incidents such as data breaches and ransomware attacks. This rise in illicit cyber activity only increases the need to protect against and determine the likelihood of these attacks. The darknet contains data critical to understanding criminal behavior and security risk, and companies need an understanding of their exposure on the darknet to determine risk and take mitigating actions.

DarkSonar, a relative risk rating based on darknet intelligence, measures an organization’s credential exposure on the darknet. DarkSonar enables companies to model risk, understand their weaknesses and anticipate potential cyber incidents. In turn, organizations are able to take mitigating actions to protect themselves from loss of data, profits, and brand reputation.

General Motors

In April 2022, General Motors disclosed that it suffered a credential stuffing attack. The attackers accessed customers’ personally identifiable information (PII) and redeemed reward points for gift cards.

Takeaway: DarkSonar’s email exposure signal detected an abnormal increase in plaintext and hashed credentials in the months leading up to the attack.

Colonial Pipeline

In late April 2021, hackers gained entry into the networks of Colonial Pipeline Co. The hack, which took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast, was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. The virtual private network account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.

Takeaway: DarkSonar detects plain text credentials available on the darknet.

FujiFilm

In early June 2021, Fujifilm’s company servers were infected by ransomware. While the company has never released the specific details, it is believed to be the Qbot ransomware. Qbot is typically initiated by phishing.

Takeaway: DarkSonar detected an increase in email exposure, which can be used as part of a phishing attack.


Contact us to learn more.

What is Discord and is it Dangerous? 

November 11, 2025

With recent global events, you’ve likely come across articles, conversations, or opinion pieces about Discord. As of 2024, the instant messaging platform boasts over 150 million monthly users. Once known primarily as a communication tool for gamers, Discord has evolved into a hub for a wide range of communities—from book clubs and fandoms to casual chat groups with friends and family. 

What sets Discord apart from traditional social media is its unique structure: no public feeds, no traditional advertising, and a focus on private, curated spaces. 

As more attention turns to corners of the internet that might be unfamiliar to the mainstream, this blog aims to shed light on Discord’s ecosystem and answer some of the questions you may be asking yourself. 

Discord was established in 2015 as a social platform for people with similar interests to share voice notes, videos, and texts with one another. The app originally targeted gamers, offering superior voice chats and customizable server options. Individuals were able to live chat with other Discord users while playing their favorite games and build communities solely focused on their hobbies. 

The app received an influx of users not connected to the gaming community in the late 2010’s and during COVID-19. The pandemic led many people to Discord, where they built virtual communities for a myriad of topics ranging from musician fan groups to book clubs. The features that originally appealed to the gaming community were also applicable for establishing virtual classrooms and information sharing among groups.  

Discord offers both private and public servers. Public servers work similarly to other social platforms; they allow users to join and chat in any public server they like. Most public servers are monitored by moderators who have the power to remove or edit information shared in the server. Private servers offer users more secrecy, are typically invite-only, and offer users an exclusive forum for group chats. Whoever sets up the server has admin rights, which allow them to add/remove members, ban content/words, and add additional admin members.

Discord can be used safely but as with any social media app, there are bad actors and users can be susceptible to harmful behavior.  

Cybercriminals employ a range of tactics to deceive Discord users into installing malware—often referred to as a Discord virus—which can have serious consequences for their devices and data. Beyond technical threats, users may also encounter harmful behavior such as the sharing of explicit content or experiences of bullying and harassment within the platform. The platform has also been used in the past to share classified information as well as manifestos related to violent extremism.  

The major concerns with Discord are: 

  • Discord Scams & Viruses – A majority of Discord scams involve deceiving users into “clicking links, scanning QR codes, or logging in to off-site locations” so bad actors can spread malicious software. Research states that the most common type of malware on Discord is the Remote Access Trojan (RAT), which hackers distribute using malicious links. Discord’s security team does have tools to filter malicious files but can sometimes miss them when they first hit the platform.
  • Risk to Children/Teens – To protect children, the app has an age requirement of 13, though people believe it is easy to bypass the verification process. The risk of exposure to NSFW (not suitable for work) content is hard to mitigate when children have their own accounts. Users may post sexually explicit imagery or videos in public servers without warning.
  • Cyberbullying/Harassment – Because many individuals use Discord to connect with communities, conversations between strangers are frequent. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. In a 2024 transparency report released by Discord, the company claims to have taken some form of action against 92K accounts, which included disabling over 19k for some form of harassment and bullying.

Some risks on Discord are similar to those found across the open web. However, both cybersecurity experts and Discord itself offer practical steps that users can take to stay safe and protect their accounts from malicious activity. 

Key safety tips: 

  • Always enable two-factor authentication (2FA) to add an extra layer of security to your account. 
  • Block and report suspicious users to help keep the community safe. 
  • Stay alert for scams: Discord recommends avoiding links from unknown senders and never downloading code or files you don’t recognize. 
  • Control who can message you: Adjust your privacy settings to limit direct messages to friends or members of shared servers. You can also enable filters to reduce spam and unwanted messages. 

While Discord offers a fun and dynamic way to connect with friends, communities, and shared interests, it’s important to stay mindful of your safety online. By taking a few simple precautions like managing your privacy settings and being cautious with unknown links or users, you can enjoy everything the platform has to offer without putting yourself at risk. Staying aware of potential threats ensures you can make the most of your experience without compromising your safety. 


Check out our field-tested guide to cyber hygiene here.

Threat Intelligence RoundUp: October

November 03, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M – HackRead

On September 26, the Medusa group claimed on its dark web site to have exfiltrated 834.4 gigabytes of data and is demanding $1.2 million from interested buyers to download it. To support its claims, the group uploaded 20 screenshots showing alleged internal data. In one exposed directory, the information appeared to be connected to HR folders that contained personnel records. Medusa ransomware is a known aggressive group that has compromised over 300 organizations between 2021 and 2024. The group typically gains access through social engineering such as phishing emails, exploiting vulnerabilities, or purchasing stolen credentials. Once the group acquires data, it uses a double extortion method to obtain a ransom. Read full article.

2. US seizes $15 billion in crypto from ‘pig butchering’ kingpin – Bleeping Computer

The Department of Justice (DOJ) has seized $15 billion worth of Bitcoin from the Cambodian Prince Group, a criminal organization known for orchestrating large-scale cryptocurrency scams, primarily involving romance baiting and ‘pig butchering’ schemes. Unsealed court documents revealed the group operates over 100 shell and holding companies across 30 countries, which have been extorting countless victims since 2015. Additionally, the group ran call centers staffed by employees who were allegedly forced to work under the threat of violence. The DOJ called the centers “violent forced labor camps”. Article here.

A Discord user, chaos_00019, has deployed the malware ChaosBot to gain access to other users’ systems and networks. According to researchers, “ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2)”. The malware was observed being delivered through phishing messages that contained a malicious Windows shortcut file; after the file is opened, a PowerShell command is executed to download and execute ChaosBot. A decoy PDF disguised as legitimate correspondence from the State Bank of Vietnam is displayed as a distraction. Read more here.

“Scattered Lapsus$ Hunters” has launched a new data leak site extorting 39 companies that were impacted by the Salesforce breaches. The companies listed on the site include Disney/Hulu, FedEx, Google, McDonald’s, and more. A separate entry on the site demanded that Salesforce pay a ransom to prevent the data of impacted customers (approximately 1 billion records containing personal information) from being released. Salesforce has released a statement claiming, “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.” Read here.

5. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News

On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities that have impacted Dassault Systèmes DELMIA Apriso and XWiki. The vulnerabilities CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893 allow threat actors to execute arbitrary code and gain access to applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Combining these vulnerabilities allows the creation of accounts with elevated privileges and the placement of executable files into a web-served directory, resulting in complete compromise of the application. Since March, CVE-2025-24893 has been exploited against XWiki in a two-stage attack chain that delivers a cryptocurrency miner. Learn more.

6. Have I Been Pwned: Prosper data breach impacts 17.6 million accounts – Bleeping Computer

In September, Prosper, a peer-to-peer lending marketplace, announced that a breach had been detected, with hackers gaining access to customer accounts and funds. Have I Been Pwned announced that 17.6 million unique email addresses had been affected by the incident. The company’s statement claimed that “confidential, proprietary, and personal information, including Social Security Numbers, was obtained”. The company is also going to offer free credit monitoring while it determines what data was affected. Information on how the data was obtained and the ways the company is combating future leaks has not been discussed. Read full article.

7. Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware – The Hacker News

The malware campaign dubbed PassiveNeuron was first flagged in November 2024 for targeting government, financial, and industrial organizations in Asia, Africa, and Latin America using a variety of methods. In one incident, the threat actors gained initial access by executing remote commands through Microsoft SQL Server on a compromised machine running Windows Server. The exact method is unknown, but the attackers may either be brute-forcing the administrator account password or exploiting an SQL injection flaw in an application running on the server. Read full article.

8. BatShadow Group Uses New Go-Based ‘Vampire Bot’ Malware to Hunt Job Seekers – The Hacker News

BatShadow, a Vietnamese threat actor, has adopted a new social engineering tactic that delivers malware called Vampire Bot to job seekers and digital marketing professionals. Posing as recruiters, the attackers distribute malicious files disguised as job descriptions and corporate documents. Victims who click the link in the lure PDF to “preview” the job description are taken to a landing page that displays a fake error saying the browser is unsupported; after several attempts the error page triggers an automatic ZIP download containing the supposed job description and a malicious executable named Marriott_Marketing_Job_Description.pdf.exe (the file mimics a PDF by inserting extra spaces between “.pdf” and “.exe”). Learn more.
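As an added defender-side example (not from the article or the researchers it cites), the check below flags archive entry names that hide an executable extension behind a whitespace-padded document extension, as in the lure above; it generalizes the trick to other padding and other document/executable pairs. The sample names, including the number of spaces, are constructed.

```python
"""Flag archive entries whose name hides an executable extension behind a padded
document extension, the ".pdf          .exe" trick used in the lure above."""
import re
import zipfile
from typing import Optional

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs", "hta"}
# Extensions a lure typically impersonates.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# A decoy extension, optional whitespace padding, then the real extension at the very end.
DOUBLE_EXT_RE = re.compile(r"\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s*)\.(?P<real>[A-Za-z0-9]{1,4})$")


def check_filename(name: str) -> Optional[dict]:
    """Return a finding for a suspicious double extension, or None if the name looks benign."""
    base = name.rsplit("/", 1)[-1]          # archive entries may carry a directory prefix
    m = DOUBLE_EXT_RE.search(base)
    if not m:
        return None
    decoy, pad, real = m.group("decoy").lower(), m.group("pad"), m.group("real").lower()
    if real not in EXECUTABLE_EXTENSIONS:
        return None                         # e.g. backup.tar.gz: harmless double extension
    if not pad and decoy not in DOCUMENT_EXTENSIONS:
        return None                         # e.g. setup.v2.exe: version-style naming
    return {
        "name": name,
        "decoy": decoy,
        "real": real,
        "padding_length": len(pad),
        # Whitespace padding pushes the real extension out of view in file dialogs,
        # so it is a stronger signal than a bare double extension.
        "severity": "high" if pad else "medium",
    }


def scan_names(names) -> list:
    """Run check_filename over every entry name and keep the findings."""
    return [f for f in (check_filename(n) for n in names) if f]


def scan_zip(path: str) -> list:
    """Check the entry names of a ZIP on disk without extracting anything."""
    with zipfile.ZipFile(path) as zf:
        return scan_names(zf.namelist())


# Constructed sample mirroring the lure; the exact number of spaces is an assumption.
SAMPLE_NAMES = [
    "Marriott_Marketing_Job_Description.pdf",
    "Marriott_Marketing_Job_Description.pdf" + " " * 12 + ".exe",
    "assets/logo.png.scr",
    "backup.tar.gz",
    "setup.v2.exe",
]

if __name__ == "__main__":
    for f in scan_names(SAMPLE_NAMES):
        print(f"{f['severity']:<6} {f['name']!r}: .{f['decoy']} hides .{f['real']}")
```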


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Tricks, Not Treats: Phishing, Social Engineering & the Dark Web

October 31, 2025

This Halloween, the scariest thing might be what’s tucked inside the candy bar, a lure that looks harmless but hands an attacker the keys to your digital life.  

Phishing and social-engineering attacks are the “tricks” that become catastrophic when the dark web supplies ready-made toolkits and AI-generated messages to amplify them. The result: low-effort, high-impact scams that can ruin reputations and drain bank accounts. 

This Halloween we explore the “scary tricks” cyber criminals are using to get you to click on phishing emails and fall for other attacks, and what you can do to avoid them.

Phishing and the wider family of social-engineering attacks (spear-phishing, smishing, vishing, “quishing” via QR codes, and voicemail impersonation) remain one of the simplest ways to get real access to real systems, which is why they are still among the top cyber-attack vectors in 2025. Phishing and social engineering attacks have been responsible for some of the largest breaches so far this year, such as Salesforce and Allianz.

Researchers have highlighted that the large majority of successful cyber-attacks involve a human element rather than purely technical vulnerabilities.

But two trends are supercharging phishing today: 

  • Automation and commoditization — phishing kits and “phishing-as-a-service” lower the technical bar for attackers. These are ready-made packages anyone can buy to run a campaign, so the buyer no longer needs the technical skills to conduct the attack.
  • AI-augmented social engineering — generative models craft extremely convincing lures at scale, and can also produce believable videos, images and voices for vishing and other attacks. That combination turns the old “spray-and-pray” email into a professional, targeted, and scalable crime machine.

The dark web and underground communities are where the tools, templates and services live: marketplaces and forums offer the software for sale along with how-to tutorials on conducting these attacks, and Telegram marketplace channels share the same material. Below are some of the things being sold.

Security researchers have indicated that the availability of ready-to-use phishing kits on the dark web rose by ~50% from 2021 to 2025, highlighting that this is a trend that is only increasing.  

Phishing Kits  

Pre-built fake pages, sending scripts and hosting/configuration guides. Research and reporting show fully fledged kits are routinely sold for pocket change, some reports find kits advertised for as little as ~$25 while others are open source, making it trivial for novices to impersonate banks, delivery services, or SaaS providers. The below image from a dark web forum shows users sharing a list of openly available phishing kits claiming they are the best kits to use in 2025.  

Phishing-as-a-Service & Automation Platforms  

Another offering found on dark web sites is running the campaign on an actor’s behalf. The actor does not need to take any action themselves; they can pay someone else to conduct the attack. The below image from Telegram shows a threat actor offering hacking services including phishing kits.

More advanced offerings include campaign dashboards, SMTP pools, deliverability testing and analytics (some newer tools even pair generative AI with mailing infrastructure). The below images show an advertisement for a phishing-related AI model as well as the site to purchase the software: the “SpamGPT” toolkit, an AI-powered spam-as-a-service sold on underground forums for around US $5,000.

Stolen Contact Lists & Harvested Credentials  

While we have previously written about the sale of human organs, this Halloween the harvesting of credentials may be even scarier, with wide-ranging ramifications. Harvested credentials and victim lists, often sold in bulk, let attackers skip reconnaissance and target previously compromised users.

These data leaks, containing credentials and sometimes much more, are very useful to threat actors conducting social engineering attacks: a phishing message becomes far more believable when it includes accurate, real information about the target.

These tools lower the barrier to entry, enabling less-skilled attackers to launch large campaigns. They are readily available on the dark web and adjacent sites like Telegram. This means the number of attacks being conducted can and will increase as less skill is needed to conduct them, and as AI develops it is likely that the attacks themselves will become more sophisticated and complex. A scary thought!

Figure 5: Phishing Campaign Cycle 

Attackers will start with the reconnaissance phase, conducting research usually through open channels or stolen data to find information about the intended targets. Then they create the bait – using a phishing kit or AI they will create a message that they think will hook the target and bypass spam filters. They use the information they found during the reconnaissance phase to make it as believable as possible.  

Next comes the delivery phase. Depending on what they are trying to achieve there are multiple delivery methods that can be used such as email, SMS, QR codes and even phone calls. In some cases, actors will use multiple channels as part of their attacks to increase the success rate.  

The Exploit phase requires input from the victim to be successful. A victim will click on a link or provide credentials to a phishing site or inadvertently install malware on their computer. These credentials are then used by the attackers to conduct further attacks. But the information can be monetized further by selling the stolen information or access to other actors on the dark web – continuing the cycle of phishing attacks.  

Generative AI has already begun to improve the quality, personalization, and scale of phishing. Platforms and toolkits that combine text generation with campaign automation create highly convincing lures that are difficult for users (and sometimes filters) to distinguish from real messages.  

A new class of underground offerings — some reported under names like “SpamGPT” — pair natural language generation with mailing infrastructure and analytics, effectively giving attackers a polished marketing stack for phishing.  

The net effect: phishing no longer requires good writing skills or deep technical know-how. It requires money (often small) and an account on an underground marketplace. That democratization of attack capabilities is why credential theft and phishing success rates have jumped in recent reporting.  

For Organizations  

  • Multi-factor authentication (MFA) everywhere — reduces the value of stolen passwords even if credentials leak. (Use phishing-resistant MFA like hardware keys where possible.)  
  • Email protections + DMARC/DKIM/SPF + advanced detection — deploy and tune anti-phishing gateways, URL detonation, and link rewriting. Train filters to use behavior signals (login geography, device fingerprinting).  
  • Phishing simulations + continuous user training — recurring, contextual training that adapts to current phishing themes reduces click rates. Combine simulated attacks with coaching, not just shame.  
  • Dark-web monitoring & rapid credential-remediation — monitor for leaked credentials or company data; have a playbook to force resets and contain exposed accounts.  
  • Least privilege + segmentation + strong logging — limit how far a single compromised account can go; log and monitor anomalous account activity for fast detection.  

For Individuals (Easy Wins) 

  • Use a password manager and unique passwords for every site. 
  • Turn on MFA (preferably an authenticator app or hardware key). 
  • Hover before you click — inspect links, check sender addresses for subtle typos, and don’t enter credentials after arriving at a link from an email. 
  • Treat SMS and phone callbacks as suspicious for requests about credentials or money; verify independently. 
  • If you click or think you’re compromised — change passwords from a known-good device, enable MFA, run a full malware scan, and notify your employer or bank. 

Phishing and social engineering are the silent spooks in the house: they don’t break doors in—they get invited. And when the dark-web toolkit makes it easy, the threats multiply. This Halloween, treat your security like locking the door and checking the candy. 

Phishing is deceptively simple, but the underground economy and fast-moving AI technology have turned it into an industrialized threat. The good news: many countermeasures are straightforward and inexpensive (MFA, password hygiene, basic email controls). Don’t take a bite of the candy unless you’re sure it’s your friend handing it. Treat yourself to security hygiene; don’t let the attacker trick you with something sweet. 


Keep up with us! Follow us on LinkedIn!

DarkOwl and the MITRE ATT&CK Framework: Strategic Defence Against Cyber Threats 

October 28, 2025

In an increasingly hostile cyber landscape, organizations need visibility into the tactics and techniques used by threat actors. The MITRE ATT&CK Framework has become the gold standard for understanding adversary behavior, providing a structured taxonomy of real-world attack patterns.  

As showcased by CrowdStrike’s 2025 Threat Hunting Report, attackers are logging in rather than hacking.

While no single platform can address every category within this comprehensive framework, DarkOwl delivers exceptional coverage of critical, high-impact darknet sources, empowering organizations worldwide to anticipate, prevent, and respond to cyber attacks with greater confidence. 

The MITRE ATT&CK Framework encompasses hundreds of techniques across dozens of categories. The Darknet is establishing itself as a critical early-warning system for reconnaissance, credential compromise, and data exfiltration threats. By providing transparent and flexible navigation of darknet data, DarkOwl maximizes detection capabilities across its core categories, offering organizations unprecedented insight into emerging threats before they impact their systems. 

Gather Victim Host Information 

DarkOwl continuously scans stealerlogs, breaches, and darknet channels and fora to identify corporate IPs, credentials, and sensitive host exposures targeting your organization or those in your supply chain. This reconnaissance capability allows you to understand what information about your infrastructure is circulating in criminal marketplaces. Early visibility into compromised host data enables rapid remediation before attackers launch exploitation attempts. 

Gather Victim Network Information 

Threat actors extensively target networks before striking. DarkOwl monitors high-fidelity darknet sources for corporate network exposures, including IP leaks, asset names, trade secrets, tools, and databases. By surfacing these exposures early, your organization gains the critical advantage of knowing what network vulnerabilities and assets have been discovered by adversaries. 

Gather Victim Identity Information 

Personal and corporate identity information is among the most valuable commodities in underground marketplaces. DarkOwl detects when your employees’ and contractors’ emails, passwords, sessions, and devices appear in stealerlogs and breach databases. Reset credentials and block fraudulent access before it materializes. 

Search Closed Sources 

DarkOwl maintains a proprietary database of historic darknet content spanning years of darknet forum posts, marketplace listings and ransomware site chatter. This institutional knowledge allows your organization to understand not just current threats, but historical patterns that may indicate ongoing targeting. Access to this closed-source intelligence significantly accelerates threat investigation and attribution.

Search Open Websites and Domains 

Criminal and terrorist activity thrives across Telegram, Discord, and dark web list sites where threat actors openly advertise services and share stolen data. DarkOwl scans high-fidelity OSINT sources to identify when your organization is being discussed, targeted, or compromised. This open-source monitoring complements traditional security tools by capturing threats in spaces where defenders traditionally have limited visibility. 

Compromise Accounts 

Credential theft is the foundation of modern cyber attacks, and DarkOwl detects compromised social media, email, cloud, and personal accounts from your staff and supply chain partners.  

Compromise Infrastructure 

Infrastructure compromise—including domains, servers, and networks—represents a severe threat to organizational continuity. DarkOwl detects when your infrastructure appears in leaked files and darknet chatter, while also maintaining actor profiles highlighting the hardware, software, and CVEs commonly exploited by specific threat groups. This combination of compromise detection and threat actor intelligence enables targeted defensive hardening. 

Supply Chain Compromise 

Third-party relationships create indirect attack surfaces that many organizations overlook. DarkOwl identifies when contractors, suppliers, and vendors have compromised accounts and infrastructure, providing visibility into supply chain vulnerabilities that could be leveraged to reach your organization. Understanding these indirect exposures allows you to assess risk and implement compensating controls across your extended ecosystem. 

Account Manipulation 

Account takeover (ATO) represents a critical threat vector that DarkOwl actively monitors across all cloud and system accounts, including those from former contractors or suppliers. By collecting stealer logs and highlighting device and OS exposures, DarkOwl alerts your team to anomalous account activity before it escalates into a full-scale compromise. Rapid detection of account manipulation enables swift incident response and evidence preservation. 

Modify Authentication Process 

Multi-factor authentication is a cornerstone of modern security, yet DarkOwl discovers MFA redirect URLs in stealerlogs exposing authentication mechanisms. By publishing comprehensive stealer data organized by device, DarkOwl provides your security team with concrete evidence of authentication modifications and potential bypass techniques used by attackers.  

Persistent Account Manipulation 

Sophisticated attackers maintain long-term persistence through continuous account manipulation, particularly targeting supply chain vendors. DarkOwl monitors stealerlogs to identify ongoing account misuse within your supply chain, alerting to persistent threats that might otherwise remain hidden. Early detection of persistent manipulation prevents attackers from establishing a sustainable foothold within your ecosystem. 

Access Token Manipulation: Token Impersonation and Theft 

Modern applications rely on tokens for authentication, making token theft an attractive target for adversaries. DarkOwl monitors darknet Initial Access Broker advertisements and sales activity to detect when tokens from your organization enter criminal circulation. This intelligence on token compromise allows your team to invalidate affected tokens and audit token-based access before unauthorized actions occur. 

Brute Force: Password Guessing 

While brute force attacks are blunt instruments, they remain effective when attackers possess compromised password lists. DarkOwl detects compromised passwords of staff and supply chain partners circulating on darknet breach sites, indicating that your organization faces elevated risk of password-guessing attacks. Proactive password resets based on DarkOwl’s compromise intelligence significantly reduces the success rate of these attacks. 

Reversible Encryption 

Weak password hashing algorithms create reversible encryption risks, allowing attackers to crack stored passwords at scale. DarkOwl automatically surfaces hashed passwords from corporate domain exposures in historic breach files, highlighting those with weak algorithms subject to reversal by threat actors. This capability allows your team to identify and remediate weak hashing implementations before attackers exploit them. 

Unsecured Credentials 

Credentials often leak beyond your network perimeter, appearing in messenger apps and across distributed networks like TOR, I2P, and Zeronet. DarkOwl collects these widely-scattered credential exposures to demonstrate the full scope of your credential compromise landscape. Understanding where your credentials have been exposed enables comprehensive remediation across all affected platforms and services. 

Internal Spearphishing

Executive and supplier credentials are prized targets for internal phishing campaigns. DarkOwl continuously monitors darknet sources to detect when your executives’ and partners’ credentials are newly shared by threat actors.  

Browser Session Hijacking 

Stealer logs inherently capture browser sessions, creating direct risks of session hijacking attacks. DarkOwl actively monitors and collects stealer log data containing compromised corporate and personal browser sessions, providing visibility into hijacking risks before attackers exploit them. This intelligence enables your team to invalidate compromised sessions and investigate the scope of browser-based compromise. 

Exfiltration Over Web Service 

Data exfiltration frequently occurs across web services where attackers blend malicious activity with legitimate traffic. DarkOwl detects when your corporate data appears on darknet services including Telegram, TOR sites, ransomware platforms, and underground forums. Rapid detection of exfiltration allows your incident response team to contain the breach, quantify the exposure, and implement targeted notifications. 

External Defacement 

Attackers often publicize breaches through external defacement to maximize damage and reputation impact. DarkOwl monitors for keyword/signpost mentions of your company and alleged stolen data across TOR, I2P, file repositories, and paste sites throughout the darknet. This continuous monitoring ensures your security team detects external defacement threats before they escalate into widespread public disclosure or regulatory complications. 

Financial Theft 

Cryptocurrency plays an increasingly central role in attacks, making financial theft tracking essential for investigation and attribution. DarkOwl allows your organization to validate illicit activity by linking it to specific crypto wallet IDs involved in attacks. This capability supports forensic analysis, law enforcement cooperation, and the tracking and tracing of cryptocurrency flows used to fund future attacks. 

DarkOwl doesn’t attempt to be a universal MITRE ATT&CK solution. Instead, it excels at what matters most: providing transparent, flexible navigation of darknet data to deliver unprecedented visibility into how adversaries gather intelligence, compromise credentials, and exfiltrate data. By mastering these critical categories, DarkOwl gives organizations the early warning and actionable intelligence needed to transform defense from reactive to proactive. 

In today’s threat landscape, organizations need platforms that go deep rather than wide. DarkOwl’s specialized focus on darknet reconnaissance and threat actor activity provides exactly this—strategic depth where it matters most. For security teams committed to staying ahead of emerging threats, DarkOwl represents the specialized intelligence layer that bridges the gap between your internal detection systems and the criminal activity planning your compromise. 

Prepare for attacks before they begin. Detect compromise before it escalates. Respond with confidence backed by darknet intelligence. That’s the DarkOwl advantage in the MITRE ATT&CK era.  


For specific details on how DarkOwl meets MITRE ATT&CK framework, contact us.

Q3 2025: Product Updates and Highlights

October 23, 2025

As we wrap up Q3, we’re excited to share a major expansion to our investigative capabilities within Vision UI—introducing a powerful new module designed specifically for darknet marketplace research. This release reflects our continued commitment to delivering actionable intelligence with precision and depth. 

DarkOwl has made substantial updates to the way we capture and store data collected from product listings on darknet marketplaces. Darknet marketplace listings now include up to 26 content fields—including listing titles, categories, vendors, shipping information, prices and payment options, reviews, refund policies, and many more. Access our full listing collection through our new Markets module in Vision UI, or Markets endpoint options in Vision API.  

Figure 1: An example of a market listing collected from Abacus market, prior to its shutdown in July 2025

Search by product name, vendor, or even a market name—and see aggregated information and visualizations about your result set. This view provides: 

  • A timeline of new listings 
  • A map of Shipping Sources by volume 
  • Metrics of total and top markets  
  • Metrics of total and top vendors

Figure 2: Aggregated information for a product search ‘Xanax’.

Additional Features in our Markets module 

  • Specialized search operators/filters: Search listings by Keyword, Vendor, Market, Category, Price, or other market-specific option. 
  • Additional date options: Search listings or sort results by when the listing was First Seen or Last Changed on the market.

Figure 3: The Markets module provides customized searching and retrieval for product listings. Listings are also available in the All Sources general search, which provides a uniform experience across all data types within DarkOwl Vision.

Figure 4: Additional filtering options in this module include Price, Shipping Source, and Shipping Destination.

Marketplace Research in Vision API 

We’ve launched three new endpoints for programmatic access to our enhanced darknet marketplace data. These endpoints provide optimized searching, filtering, and formatting specific to market listing content: 

  • The Markets Search endpoint for an optimized experience and market-specific parameters. 
  • The Markets Summary endpoint provides aggregate information about your search result set. 
  • The Listing Detail endpoint retrieves all information from a single market listing. 

You can continue to find market listing results using our Search API endpoint, which has been enhanced with vendor, price and shipping information, as well as a reference to pull the full listing content from the Listing Detail endpoint if desired.

We’ve made several search experience upgrades, which streamline and improve search workflows in Vision UI:

  • Source Domains Filter: The input field has been redesigned for a cleaner, more intuitive experience, making it easier to include or exclude source domains in your searches. 
  • Chat Channel Filters: Our chat filters now support exclusion, allowing you to refine result sets by removing specific channels. 
  • Search Block Expansion: Chat types are now available as search block types—ideal for monitoring high-interest sources.

Figure 5: The new Source Domains filter provides easier ways to filter to or exclude specific domain sources.

When your search results come from data leaks, you can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature, or via the Leak Context API endpoint.

USA fullz info cc x200

A post on LeakBase, a hacking forum, on January 28, 2025, linked to the file: ggjtv.txt. According to the post, there are 200 lines of full USA credit cards. Data exposed includes names, email addresses, CVV, physical addresses, expiration dates, dates of birth, Social Security Numbers, phone numbers, passwords, mobile numbers, and credit card numbers.

etsy.com

Data purported to be from Etsy was posted on BreachForums, a hacking forum, on December 5, 2024. According to the post, the leak consists of 3,600 rows of data, containing 3,535 unique Social Security numbers, 1,915 email addresses, and 32 email domains. Data exposed includes customer information, email addresses, physical addresses, genders, dates of birth, SSNs, phone numbers, mobile numbers, user identification number (UID), company names, and product data. The threat actor noted the leak contained additional files of parsed and deduplicated SSN, emails and email domains from the raw leak data, noting the files that contained emails and email domains had free email services removed from them. While the victim data is listed as Etsy, the post indicates the company exploited by the MOVEit vulnerability was Delta Dental.

3.9M Allianz Life 2025.19.08 Sample

Data purported to be from Allianz Life, obtained via Salesforce, was posted on scattered lapsus$ hunters, a Telegram channel, on August 19, 2025. According to the post, the leaked data includes Salesforce’s “Accounts” and “Contacts” tables and contains a total of 3.9 million sensitive records, though only 2.8 million were publicly posted. Data exposed includes customer and partner data, names, addresses, dates of birth, and professional information. The threat actor indicated that the full leaked database was posted for sale for $10,000 US, with a final sale of $9,000 for the complete database completed on August 21, 2025 by Season via a Bitcoin transaction. According to media reports, Allianz Life confirmed a third-party CRM platform was accessed by a threat actor on July 16, 2025. The threat actor group is a combination of Scattered Spider, ShinyHunters and Lapsus$. Telegram channels associated with the group are quickly banned, with backup channels regularly created to repost content associated with their recent activities.

Serasa Experian 2.9 GB

Data purported to be from Serasa Experian was posted on LeakBase, a hacking forum, on September 10, 2022. According to the post, a hacker known as JBR initially posted the file, which affected 223 million users. Data exposed includes names, genders, dates of birth, and CPF (Cadastro de Pessoas Físicas) numbers. Because the dataset consists of static identifiers such as CPF numbers and dates of birth, the age of the leak does not lessen the potential impact of the exposed data. A February 2023 post on BreachForums from a user named “TheBlob” explained that the original breach was carried out by a Brazilian hacker known as “JustBr” (or “JBR”), who initially advertised the data on the now-defunct forum RaidForums. The complete database was reportedly sold for $30,000, while portions, split into 40 parts, were available for $755 each.


Curious how these features and data can make your job easier? Get in touch!

Command-and-Control Frameworks: Post Exploitation in Plain Sight

October 21, 2025

Command-and-control (C2) frameworks are used by both red teams and cybercriminals. They provide a wide range of functionality and capabilities that make post-exploitation tactics easier and more effective. In simple terms, a C2 acts as a central server that connects to, communicates with, and manages compromised systems. It establishes persistence and allows the operator to control dozens of infected machines from one central environment. 

There are many reasons why C2 frameworks are popular among attackers and red teams. Most frameworks offer operators powerful capabilities such as privilege escalation, network pivoting, scanning, and data exfiltration. They are so useful, in fact, that cybersecurity companies have developed their own commercial C2 products for ethical red-team engagements. Cobalt Strike is often regarded as the industry leader for production-grade post-exploitation operations due to its broad set of easy-to-use features, making engagements accessible even to less technically skilled operators. Open-source options are also widely available, with frameworks like Covenant, Sliver, Metasploit, and many others freely downloadable from GitHub. 

Regardless of the framework, stealth is the most critical factor for both ethical red teams and cybercriminals. Security Operations Centers (SOCs) constantly monitor traffic and look for suspicious packets moving through the network. No matter how polished a C2 product may appear, it is useless if detected and blocked. In addition to internal monitoring, dedicated threat-hunting teams at Microsoft, Google, Meta, Cisco, CrowdStrike, IBM, and others search for malicious infrastructure outside their own networks as well. 

Offensive security operators understand the importance of obfuscating traffic and minimizing detection. Great effort is made to ensure payloads are covertly delivered, network traffic is routed inconspicuously, and C2 frameworks are hidden behind innocent-looking websites. This constant need for concealment has led to several tactics, techniques, and procedures (TTPs) that blue teams, SOCs, and organizational leaders should be aware of. 

“Small Sieve,” for example, uses the Telegram bot API to communicate over HTTPS and relay commands to and from malicious C2 servers. To defenders, this HTTPS-encrypted traffic moving through the organization’s network may appear normal. Since Telegram is not considered a malicious service, such traffic could easily be overlooked by blue teams and SOC analysts.

Throughout 2021, a suspected Iranian-backed threat group known as “Oil Rig” conducted an operation called “Outer Space” targeting Israeli organizations. To conceal their malicious traffic, they compromised an Israeli human resources server and repurposed it as a dedicated C2. Subsequent operations appeared to originate from this trusted source. 

This technique is not limited to concealing C2 servers. When a stage-one payload needs to download additional malware, threat actors often host stage-two payloads on trusted platforms that are less likely to raise alarms. Saint Bear, a Russian threat actor active against Ukraine and Georgia as early as 2021, frequently used Discord’s content delivery network for hosting malicious files. To defenders, this traffic appeared to come from Discord, making it harder for intrusion detection systems to flag as suspicious. 

The popularity and awareness of these C2 techniques have expanded beyond nation-state actors and advanced attackers. Using the DarkOwl Vision platform, we can observe multiple discussions emphasizing the importance of stealth in C2 operations. 

Source: DarkOwl Vision

One user highlights the software’s ability to “function covertly, employing stealthy techniques to avoid detection… and [avoid detection from] network security monitoring tools”. 

The following example describes another piece of malware that uses Telegram as its command-and-control platform for communication with infected machines. Again, the author boasts of the software’s “low detection rates due to its advanced obfuscation techniques”. 

Source: DarkOwl Vision

For cyber defenders and blue teams, it is critical to understand these TTPs. In some cases, an SOC analyst may identify something suspicious within an otherwise benign Telegram packet. In others, endpoint detection and response platforms can be tuned to better recognize this malicious traffic. More importantly, the cybersecurity community must accept that these TTPs will continue to evolve into more sophisticated methods. Just as blue teams grow comfortable detecting one technique, red teams adopt the next lesser-known approach that has yet to be widely publicized. 
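As an added illustration, not code from the blog or from DarkOwl’s tooling, the following Python script applies two of the observations above (Telegram bot API polling as in Small Sieve, and Discord CDN hosting of second-stage files as with Saint Bear) to constructed proxy-log lines. The log format, hostnames, bot token and executable-extension list are assumptions; the Bot API path shape `https://api.telegram.org/bot<token>/<method>` is Telegram’s public one.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed proxy-log lines (not real traffic): timestamp, source host, URL, User-Agent.
SAMPLE_LOGS = """\
2025-11-03T10:00:00 WS-17 https://api.telegram.org/bot123456:EXAMPLETOKEN/getUpdates python-requests/2.31
2025-11-03T10:01:00 WS-17 https://api.telegram.org/bot123456:EXAMPLETOKEN/getUpdates python-requests/2.31
2025-11-03T10:02:01 WS-17 https://api.telegram.org/bot123456:EXAMPLETOKEN/getUpdates python-requests/2.31
2025-11-03T10:03:00 WS-17 https://api.telegram.org/bot123456:EXAMPLETOKEN/getUpdates python-requests/2.31
2025-11-03T10:03:30 WS-17 https://cdn.discordapp.com/attachments/1/2/update.exe python-requests/2.31
2025-11-03T10:05:12 WS-02 https://web.telegram.org/a/ Mozilla/5.0
2025-11-03T10:07:45 WS-02 https://cdn.discordapp.com/attachments/3/4/photo.png Mozilla/5.0
"""
# Bot API calls look like https://api.telegram.org/bot<token>/<method>; a person chatting uses the web/desktop client instead.
BOT_API = re.compile(r"^https://api\.telegram\.org/bot[^/]+/(\w+)")
# Executable-looking files pulled from Discord's CDN (the extension list is an assumption).
CDN_EXEC = re.compile(r"^https://cdn\.discordapp\.com/attachments/.+\.(exe|dll|ps1|bat|scr)$", re.I)

def parse(lines):
    events = []
    for line in lines.strip().splitlines():
        ts, host, url, ua = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, url, ua))
    return events

def beacon_score(timestamps):
    """Mean gap in seconds and jitter ratio; >= 3 hits with low jitter suggests automated polling."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps) if gaps else 0.0
    if len(gaps) < 2 or mean == 0:
        return None
    return mean, pstdev(gaps) / mean

def detect(lines, max_jitter=0.25):
    # Returns (host, rule, detail) tuples; max_jitter bounds how regular the polling must be to count.
    findings, bot_hits = [], defaultdict(list)
    for ts, host, url, _ua in parse(lines):
        m = BOT_API.match(url)
        if m:
            bot_hits[(host, m.group(1))].append(ts)
        if CDN_EXEC.match(url):
            findings.append((host, "discord_cdn_executable", url.rsplit("/", 1)[-1]))
    for (host, method), times in bot_hits.items():
        score = beacon_score(times)
        if score and score[1] <= max_jitter:
            findings.append((host, "telegram_bot_beacon", f"{method} every ~{score[0]:.0f}s"))
    return findings
```

On the constructed sample, WS-17 is flagged for both rules while WS-02’s ordinary browser use of Telegram and Discord produces no finding.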

Resources such as attack.mitre.org are invaluable for fingerprinting and understanding the TTPs that a company, organization, or industry might face during an incident. After an attack, investigators and cyber experts often publish their findings, which can help future targets prepare to identify and thwart similar threats. 

In this blog, we explained how powerful C2 frameworks can be in maintaining stealthy operations for both red teams and cybercriminals. We highlighted examples where advanced persistent threats (APTs) leverage trusted applications and networks to conceal post-exploitation activity. The dark web remains a rich source of intelligence, where forums and discussion boards provide valuable insight into evolving trends and shared techniques. Ultimately, staying ahead in this cyber cat-and-mouse game requires defenders to remain adaptive, vigilant, and continuously informed.

