Author: DarkOwl Content Team

Command-and-Control Frameworks: Post Exploitation in Plain Sight

October 21, 2025

Command-and-control (C2) frameworks are used by both red teams and cybercriminals. They provide a wide range of functionality and capabilities that make post-exploitation tactics easier and more effective. In simple terms, a C2 acts as a central server that connects to, communicates with, and manages compromised systems. The implant it drops on each victim maintains persistence, and the operator controls dozens of infected machines from one central console.

There are many reasons why C2 frameworks are popular among attackers and red teams. Most frameworks offer operators powerful capabilities such as privilege escalation, network pivoting, scanning, and data exfiltration. They are so useful, in fact, that cybersecurity companies have developed their own commercial C2 products for ethical red-team engagements. Cobalt Strike is often regarded as the industry leader for production-grade post-exploitation operations due to its broad set of easy-to-use features, making engagements accessible even to less technically skilled operators. Open-source options are also widely available, with frameworks like Covenant, Sliver, Metasploit, and many others freely downloadable from GitHub. 

Regardless of the framework, stealth is the most critical factor for both ethical red teams and cybercriminals. Security Operations Centers (SOCs) constantly monitor traffic and look for suspicious packets moving through the network. No matter how polished a C2 product may appear, it is useless if detected and blocked. In addition to internal monitoring, dedicated threat-hunting teams at Microsoft, Google, Meta, Cisco, CrowdStrike, IBM, and others search for malicious infrastructure outside their own networks as well. 

Offensive security operators understand the importance of obfuscating traffic and minimizing detection. Great effort is made to ensure payloads are covertly delivered, network traffic is routed inconspicuously, and C2 frameworks are hidden behind innocent-looking websites. This constant need for concealment has led to several tactics, techniques, and procedures (TTPs) that blue teams, SOCs, and organizational leaders should be aware of. 

“Small Sieve,” for example, uses the Telegram Bot API to communicate over HTTPS and relay commands to and from malicious C2 servers. To defenders, this HTTPS-encrypted traffic moving through the organization’s network may appear normal. Since Telegram is not considered a malicious service, such traffic could easily be overlooked by blue teams and SOC analysts, and without TLS inspection all they see is a connection to api.telegram.org rather than the bot token and method in the request path.

Throughout 2021, a suspected Iranian-backed threat group known as “Oil Rig” conducted an operation called “Outer Space” targeting Israeli organizations. To conceal their malicious traffic, they compromised an Israeli human resources server and repurposed it as a dedicated C2. Subsequent operations appeared to originate from this trusted source. 

This technique is not limited to concealing C2 servers. When a stage-one payload needs to download additional malware, threat actors often host stage-two payloads on trusted platforms that are less likely to raise alarms. Saint Bear, a Russian threat actor active against Ukraine and Georgia as early as 2021, frequently used Discord’s content delivery network for hosting malicious files. To defenders, this traffic appeared to come from Discord, making it harder for intrusion detection systems to flag as suspicious. 

The popularity and awareness of these C2 techniques have expanded beyond nation-state actors and advanced attackers. Using the DarkOwl Vision platform, we can observe multiple discussions emphasizing the importance of stealth in C2 operations. 

Source: DarkOwl Vision

One user highlights the software’s ability to “function covertly, employing stealthy techniques to avoid detection… and [avoid detection from] network security monitoring tools”. 

The following example describes another piece of malware that uses Telegram as its command-and-control platform for communication with infected machines. Again, the author boasts of the software’s “low detection rates due to its advanced obfuscation techniques”. 

Source: DarkOwl Vision

For cyber defenders and blue teams, it is critical to understand these TTPs. In some cases a SOC analyst may spot something suspicious within otherwise benign Telegram traffic, such as a workstation polling the Bot API on a fixed interval; in others, endpoint and network detection platforms can be tuned to recognize the pattern. More importantly, the cybersecurity community must accept that these TTPs will continue to evolve into more sophisticated methods. Just as blue teams grow comfortable detecting one technique, red teams adopt the next lesser-known approach that has yet to be widely publicized.
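As an added illustration (example code written for this page, not DarkOwl’s tooling and not code from any of the malware described above), the following Python script runs three simple checks over a handful of constructed web-proxy log lines: Telegram Bot API calls, whose URL path embeds a bot token (the Small Sieve pattern); near-constant polling intervals from one host to one destination, which is what a beacon looks like at the network layer; and executable downloads from Discord’s CDN (the Saint Bear staging pattern). The log format, the hostnames to watch, the sample IPs and the thresholds are assumptions for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log (not real telemetry): timestamp, client IP, method, URL, status, bytes.
SAMPLE_LOG = """\
2025-10-20T09:00:00Z 10.0.0.12 GET https://api.telegram.org/bot123456:ABCDEF/getUpdates 200 412
2025-10-20T09:01:00Z 10.0.0.12 GET https://api.telegram.org/bot123456:ABCDEF/getUpdates 200 410
2025-10-20T09:02:01Z 10.0.0.12 GET https://api.telegram.org/bot123456:ABCDEF/getUpdates 200 415
2025-10-20T09:03:00Z 10.0.0.12 POST https://api.telegram.org/bot123456:ABCDEF/sendDocument 200 52300
2025-10-20T09:04:00Z 10.0.0.12 GET https://api.telegram.org/bot123456:ABCDEF/getUpdates 200 409
2025-10-20T09:00:12Z 10.0.0.33 GET https://web.telegram.org/a/ 200 18800
2025-10-20T09:17:45Z 10.0.0.33 GET https://web.telegram.org/a/ 200 18802
2025-10-20T11:02:09Z 10.0.0.33 GET https://web.telegram.org/a/ 200 18790
2025-10-20T09:30:00Z 10.0.0.45 GET https://cdn.discordapp.com/attachments/1/2/update.exe 200 913408
2025-10-20T09:31:00Z 10.0.0.45 GET https://cdn.discordapp.com/attachments/1/3/photo.png 200 20480
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
# Telegram Bot API calls carry the bot token in the path: /bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)$")
EXEC_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".js", ".hta", ".msi")
FILE_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}  # assumed consumer CDN hosts to watch


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        u = urlparse(rec["url"])
        rec["host"], rec["path"] = u.netloc.lower(), u.path
        yield rec


def bot_api_hits(records):
    """Rule 1: direct use of the Telegram Bot API from an endpoint; the token groups infected hosts."""
    hits = []
    for r in records:
        if r["host"] != "api.telegram.org":
            continue
        m = BOT_API_RE.match(r["path"])
        if m:
            hits.append({"rule": "telegram_bot_api", "src": r["src"],
                         "token": m["token"], "method": m["method"]})
    return hits


def beacons(records, min_hits=4, max_cv=0.1):
    """Rule 2: near-constant polling interval from one source to one host (low jitter)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    out = []
    for (src, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean  # coefficient of variation: 0 means perfectly regular
        if cv <= max_cv:
            out.append({"rule": "beacon", "src": src, "host": host,
                        "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return out


def cdn_payloads(records):
    """Rule 3: executable content pulled from a consumer file-sharing CDN."""
    return [{"rule": "cdn_executable", "src": r["src"], "url": r["url"]}
            for r in records
            if r["host"] in FILE_HOSTS and r["path"].lower().endswith(EXEC_EXT)]


def analyze(log_text):
    records = list(parse(log_text))
    return bot_api_hits(records) + beacons(records) + cdn_payloads(records)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Rule 1 depends on seeing the URL path, which means TLS inspection at the proxy; without it, only the host (from the SNI or the CONNECT request) and the timing behaviour of rule 2 are visible. Legitimate server-side integrations also call api.telegram.org, so scope rule 1 to workstation ranges, and treat the bot token as the pivot that ties every infected host talking to the same bot together.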

Resources such as attack.mitre.org are invaluable for fingerprinting and understanding the TTPs that a company, organization, or industry might face during an incident. After an attack, investigators and cyber experts often publish their findings, which can help future targets prepare to identify and thwart similar threats. 

In this blog, we explained how powerful C2 frameworks can be in maintaining stealthy operations for both red teams and cybercriminals. We highlighted examples where advanced persistent threats (APTs) leverage trusted applications and networks to conceal post-exploitation activity. The dark web remains a rich source of intelligence, where forums and discussion boards provide valuable insight into evolving trends and shared techniques. Ultimately, staying ahead in this cyber cat-and-mouse game requires defenders to remain adaptive, vigilant, and continuously informed.


Curious how DarkOwl can help you? Contact us.

Cyber Hygiene at Work & Home 

October 16, 2025

Since the Covid pandemic in 2020, it has been proven time and again that the boundary between work and home is thin. Your “office” might be a kitchen table. Your “help desk” might be your teenager asking for the Wi-Fi password. And while we like to think that security is something handled by IT or left to our antivirus, the truth is simpler: it is your daily habits, at work and at home, that decide whether attackers get a foothold.

Below is a field-tested guide to cyber hygiene that treats all aspects of your life with the reality that they are all connected. Use it to harden the places you click, type, scan, and share, no matter where you are. 

  • Turn on MFA for every important account. It adds a second proof (app prompt, code, or security key) so a stolen password alone won’t grant access.
  • Use a password manager to generate and store long, unique passwords for each site. This prevents one breach from unlocking multiple accounts.
  • Keep everything current—laptops, phones, browsers, and even routers/IoT. Updates patch known flaws attackers actively exploit.
  • Slow down on links and attachments. Verify unusual requests on a separate channel and report suspicious emails/messages to IT.

Not all MFA is equal. SMS codes and push prompts can be bypassed (push fatigue, SIM swaps). Where available, use FIDO2/WebAuthn security keys or passkeys for phishing-resistant authentication (CISA). 

Passkeys use public-key cryptography: the private key stays on your device and the site stores only the matching public key, so there is no shared secret for criminals to steal or phish. They are now supported across major platforms. If a site offers passkeys, turn them on (FIDO Alliance).

Step 2: Treat your home like a branch office 

Attackers don’t care whether they land on a CFO’s laptop or a teenager’s tablet; both act as launchpads to your data.

Create separate networks for primary devices, guests, and IoT (cameras, TVs, smart speakers). This limits blast radius if one thing gets infected. At minimum: Primary, Guest, and IoT SSIDs (U.S. Department of War). 

Change default passwords, disable WPS, use WPA3 (or WPA2-AES where WPA3 is not available), update firmware, and hide or rename default SSIDs that leak your router model (CISA).

Firewalls, routers, VPN gateways, and internet-facing boxes need regular patching—treat them like crown jewels, not appliances (CISA). 

Kids and elders are prime targets because they’re helpful and curious. Set up non-admin accounts, turn on automatic updates, and require approval for new installs. Teach a simple rule: no scanning random QR codes. EVER! QR-based phishing (“quishing”) is rising—from stickers on parking meters to QR codes sent in the mail. 

Step 3: Close the “human gaps” at work 

Technology can’t save us from workflows that reward speed over safety. 

Clicking a link, approving an MFA prompt, or running an attachment is a risk decision. If something feels rushed or emotional, pause and verify on a separate channel. 

Never approve a push you didn’t initiate; report repeated prompts to IT. Ask your org to move critical apps to phishing-resistant MFA (CISA). 

People use unsanctioned tools to get work done. Offer safe, approved alternatives—and make them easier than the workaround. 

Use different browser profiles (or separate browsers) for corporate vs. personal accounts to avoid cross-contamination of cookies, extensions, and autofill. 

Step 4: Five Pillars of Cyber Hygiene (with “Work” and “Home” plays) 

Think of these as your daily vitamins—boring, effective, non-negotiable. 

  • Work: Require MFA everywhere; prefer FIDO2 keys or platform passkeys for high-risk roles. Review admin privileges quarterly (CISA). 
  • Home: Use a password manager for everyone in the house. Turn on passkeys where offered. Store account recovery codes securely (not in your email) (CISA). 

  • Work: Enforce OS/browser/driver updates. Block unsigned macros; restrict USB media. 
  • Home: Auto-update everything. On kids’ devices, require approval for new apps and in-app installs. Back up photos/docs to a service or external drive (3-2-1 rule). 

  • Work: Patch edge devices; audit remote access and VPN portals; disable unused services (CISA). 
  • Home: Separate SSIDs: Primary | Guest | IoT. Change router defaults; update firmware; prefer WPA3 (U.S. Department of War). 

  • Work: Maintain an allow-list of approved software and browser extensions. Monitor OAuth app grants to corporate accounts. 
  • Home: Delete apps you don’t use. In browsers, keep extensions minimal and reputable; disable third-party cookies; use separate profiles for kids. 

  • Work: Run short, contextual training (60–90 seconds) tied to real incidents: “Why this phish worked,” “How that MFA prompt slipped through,” etc. 
  • Home: Have a five-minute family drill: “If a pop-up says we’re infected, what do we do?” (Answer: close the browser, don’t call numbers, tell an adult.) 

Step 5: A 15-Minute Monthly Tune-Up 

Set a recurring reminder, synced to all your devices, and knock these out:

  1. Review your password manager for weak/reused passwords; rotate any shared family passwords (CISA). 
  2. Check bank and email alerts (sign-ins, transfers, forwarding rules). 
  3. Audit browser extensions and remove anything you don’t use. 
  4. Test backups by restoring a file (don’t wait for an emergency). 

Step 6: If you slip (because we all do) 

  • At work: Unplug from the network if malware is suspected; call IT; do not try to “clean it” yourself; preserve evidence (timestamps, screenshots). 
  • At home: Power down the affected device; change important account passwords from a different device; call your bank if credentials were exposed; reset router and update firmware; reinstall OS if necessary. 
  • If you scanned a suspicious QR code or clicked a fake login: reset any password you entered, sign out of all sessions and revoke OAuth grants for the affected app, and watch for new MFA prompts you didn’t initiate. 

Cyber hygiene isn’t a fancy toolkit; it’s a set of small, repeatable habits your whole circle can manage. Enable MFA that resists phishing. Use passkeys when available. Update relentlessly. Segment the home network. Slow down on links, attachments, QR codes, and MFA prompts. These are the same moves that security teams recommend, because they meaningfully cut risk at work and at home (IT Services). 

Do this now, and when Clean Out Your Computer Day rolls around next February, you’ll be cruising through a short, satisfying tune-up instead of tackling a backlog. 

Finally, the next time a child asks for your phone at dinner or a relative forwards a “too-good-to-be-true” link, remember: YOU may be the gateway (for better or worse).  

Make the safer choice first. 


Keep up with all tips shared by DarkOwl. Subscribe to email.

What is a DDoS Attack?

October 09, 2025

Cybersecurity might as well have its own language. Professionals and threat actors alike use so many acronyms, terms, and sayings that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know what they mean. Understanding these acronyms and terms is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees. 

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, IoCs, and credential stuffing. In this edition, we dive into DDoS attacks.

DDoS is an acronym for Distributed Denial of Service attack: a malicious attack that floods a server or network with useless traffic from many sources at once, exhausting bandwidth, connection state, or application resources and rendering the service inaccessible. This excessive traffic prevents legitimate users from accessing the service, effectively causing a “denial of service.”

The frequency of DDoS attacks is constantly on the rise. Some reports estimate approximately 2,200 DDoS attacks every hour in the first three quarters of 2024, a staggering 49% quarter-over-quarter increase and a 55% increase year-over-year. The United States absorbed more than 40% of DDoS attacks, followed by Germany, Brazil, Singapore, Russia, South Korea, Hong Kong, the United Kingdom, the Netherlands, and Japan.

While the average DDoS attack lasts under 10 minutes, the financial damage to the target can be severe: the average cost per minute of downtime is $22,000. On the flip side, attackers can rent tools online to launch an attack for as little as $5 an hour.

How Does a DDoS Attack Work?

A DDoS attack is typically launched from a botnet: an army of compromised computers or internet of things (IoT) devices that are collectively directed at a single target. Each bot contributes a share of the traffic, and the combined flood leaves the target unable to serve legitimate users. Motivations for committing a DDoS attack vary:

  • Extortion: Attackers demand a ransom from the target to stop the attack.
  • Hacktivism: Attackers use hacking techniques to achieve a political or social agenda, such as protesting against organizations, governments, or ideologies they disagree with, raising awareness on a political agenda, or exposing corruption.
  • Business Competition: A business might launch an attack on a competitor to disrupt their services and gain a competitive edge.
  • Cyber Warfare: Nation-states damage another nation’s digital infrastructure, information systems, or critical services for military or political objectives.
  • Distraction: A DDoS attack can be a smokescreen to distract security teams while attackers conduct a more sophisticated breach, such as stealing data.

Esports and Gaming

Esports platforms, streamers, and tournaments have become prime targets for cyberattacks. The reasons are simple: high visibility, massive online audiences, and often, poorly secured infrastructure. 

A report from Control Risks explains that “the sheer popularity of esports, combined with lax security protocols in some areas, makes them an ideal target for DDoS attacks, credential theft, and extortion.” In fact, the report states that over 37% of all DDoS attacks are directed at online gaming and esports platforms, making gaming and gambling the industry most targeted by DDoS attacks.

These aren’t hypothetical threats. In recent years, major tournaments have been halted mid-stream due to attacks, players have been forced offline during crucial matches, and attackers have used ransomware to hold tournament servers hostage.

UK Councils

One group of organizations increasingly targeted by ransomware groups and other threat actors is UK councils, the local level of government in the UK. Recently, hacktivist groups aligned with countries involved in conflict, such as Russia, Ukraine, Palestine, Iran and Israel, have conducted DDoS attacks against council websites. The image shows a Palestinian-affiliated hacktivist group posting proof of a DDoS attack against the London Borough of Harrow. Separately, the pro-Russian hacktivist group NoName057(16) caused temporary website outages and service disruptions across multiple local councils, including Blackburn with Darwen, Exeter, and Arun District Council; those attacks were politically motivated, in response to the UK’s support for Ukraine. 

Hacktivist Group: Dark Storm

Earlier this year, X suffered multiple worldwide outages. The hacktivist group Dark Storm has claimed responsibility for the DDoS attacks which caused the outages. Specifically, the group made posts on their Telegram channel the same day the attacks took place and shared screenshots from check-host.net as proof of the attack. Tens of thousands of users were impacted by the outages. 

A month after Dark Storm caused the outages of X, the notorious hacking forum BreachForums went offline, this time possibly as a result of a Distributed Denial-of-Service (DDoS) attack. Dark Storm, once again, claimed that it was behind a DDoS attack against BreachForums. The group shared a Check-Host.net link in its Telegram channel which showed that the hacking forum was down in over two dozen countries.

As always, DarkOwl recommends practicing good cyber hygiene to prevent an attack before it happens wherever possible. Attackers constantly change their TTPs (tactics, techniques, and procedures), and there is no single foolproof way to prevent a DDoS attack, so a multi-layered approach is recommended. Every organization should have a DDoS response plan and keep it up to date (who to contact, which systems to check, etc.); know the normalities of its network so that patterns or activity that look off stand out; maintain good cyber hygiene by keeping all systems, software, and applications updated with the latest security patches; and increase capacity so that if an attack does happen there is more headroom to handle the flood of traffic and stay online. Over-provisioning alone rarely outlasts a large volumetric attack, so the plan should also cover upstream filtering or scrubbing through the ISP or a DDoS mitigation provider.
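The advice to “know the normalities of your network” can be made concrete. The following Python example, added here and not DarkOwl’s code, builds a requests-per-second baseline from a known-good window of a constructed request log, flags seconds that exceed the mean plus three standard deviations, and then labels each spike as distributed (many sources, few requests each, the botnet pattern described above) or single-source. The traffic, the training window, the threshold and the classification cut-offs are assumptions for illustration.

```python
import statistics
from collections import Counter, defaultdict


def constructed_traffic():
    """Constructed request log as (second, source IP) pairs; not real telemetry."""
    events = []
    for sec in range(30):                       # normal: 8-12 req/s from 5 returning clients
        for i in range(8 + sec % 5):
            events.append((sec, f"192.0.2.{i % 5 + 1}"))
    for sec in range(30, 35):                   # distributed flood: 400 req/s, 400 distinct sources
        for i in range(400):
            src = f"198.51.100.{i + 1}" if i < 250 else f"203.0.113.{i - 249}"
            events.append((sec, src))
    for sec in range(35, 37):                   # single-source burst: 100 req/s from one host
        for _ in range(100):
            events.append((sec, "192.0.2.99"))
    return events


def per_second(events):
    """Bucket the source IPs of all requests by second."""
    buckets = defaultdict(list)
    for sec, src in events:
        buckets[sec].append(src)
    return buckets


def baseline(buckets, train_until):
    """Mean and sample stdev of requests/s over the known-good window [0, train_until)."""
    rates = [len(buckets.get(s, [])) for s in range(train_until)]
    return statistics.mean(rates), statistics.stdev(rates)


def classify(sources):
    """Label a spike by how its requests are spread across source addresses."""
    n = len(sources)
    top_share = Counter(sources).most_common(1)[0][1] / n
    if len(set(sources)) / n >= 0.5:            # most requests come from a different address
        return "distributed"
    if top_share >= 0.5:                        # one address dominates the burst
        return "single-source"
    return "mixed"


def detect(events, train_until=30, k=3.0):
    """Flag seconds whose request rate exceeds mean + k*stdev of the training window."""
    buckets = per_second(events)
    mean, sd = baseline(buckets, train_until)
    threshold = mean + k * sd
    findings = []
    for sec in sorted(s for s in buckets if s >= train_until):
        srcs = buckets[sec]
        if len(srcs) > threshold:
            findings.append({"sec": sec, "rps": len(srcs), "unique_sources": len(set(srcs)),
                             "kind": classify(srcs), "threshold": round(threshold, 1)})
    return findings


if __name__ == "__main__":
    for f in detect(constructed_traffic()):
        print(f)
```

The distinction matters for response: a single-source burst can be handled with a per-IP rate limit or block, while the distributed spike, in which no single address stands out, needs upstream filtering, scrubbing or CDN absorption. Real baselines should be kept per hour of day and per endpoint, since “normal” varies.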


Keep up with DarkOwl. Follow us on LinkedIn.

Threat Intelligence RoundUp: September

October 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Hackers breach fintech firm in attempted $130M bank heist – Bleeping Computer

Sinqia, Evertec’s Brazilian subsidiary, disclosed to the U.S. Securities and Exchange Commission (SEC) that its systems were breached on August 29 by attackers intending to conduct unauthorized transactions. The attackers specifically targeted its connection to Pix, the Brazilian Central Bank’s real-time payment system, gaining access with stolen credentials belonging to an IT vendor. Evertec has reported that an undisclosed portion of the $130 million has been recovered. No specific hacker group has been linked to the attack. Read full article.

2. Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats – The Hacker News

Dream, the Israeli cybersecurity company, claims an Iranian-nexus group targeted embassies and consulates in Europe via a spear-phishing campaign. The emails contained information regarding geopolitical tensions between Iran and Israel and prompted individuals to open a Word document that “urges recipients to ‘Enable Content’ in order to execute an embedded Visual Basic for Applications (VBA) macro, which is responsible for deploying the malware payload.” The hackers sent emails to organizations located in the Middle East, Africa, Europe, Asia, and the Americas, casting a wide net in an attempt to gain access and harvest information. Article here.

Following extradition from Kosovo in May, Liridon Masurica has pled guilty in a Florida Federal Court. Masurica was the lead administrator of the online criminal marketplace BlackDB.cc from 2018 to 2025. Records show he pled guilty to leading the organization and has also been charged with five counts of fraudulent use of unauthorized access devices and one count of conspiracy to commit access device fraud. Read more here.

On September 12, the FBI issued a FLASH alert “to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395”. The alert follows the tracking of UNC6395, which targeted companies’ support case information in Salesforce between August 8 and 18. The exfiltrated data was analyzed to extract secrets, credentials, and authentication tokens shared in support cases. After discovery, Salesforce revoked all Drift tokens and required customers to reauthenticate the integration. Mandiant disclosed information regarding UNC6040 in June, warning of social engineering and vishing attacks connected to Salesforce accounts. Read here.

5. Airport disruptions in Europe caused by a ransomware attack – Bleeping Computer

Several European airports experienced a ransomware attack that affected the check-in and boarding systems. The attack targeted Collins Aerospace, the external provider for both systems. Beginning Friday evening, hackers targeted the MUSE (Multi-User System Environment) system, causing over 100 delayed and cancelled flights throughout the weekend. The attack was confirmed by the European Union Agency for Cybersecurity (ENISA) and the agency claimed the hackers were attempting to lock up data and systems in “an attempt to score a ransom”. All reports claim that the incident was resolved by Monday. Learn more.

6. AI-powered malware hit 2,180 GitHub accounts in “s1ngularity” attack – Bleeping Computer

On August 26, threat actors exploited a flawed GitHub Actions workflow in the Nx repository, resulting in the exposure of 2,180 accounts. The telemetry.js malware is a credential stealer that targets Linux and macOS systems and attempted to steal “GitHub tokens, npm tokens, SSH keys, .env files, crypto wallets”. The attack unfolded in three separate phases, which led to 7,200 repositories being exposed. Read full article.

7. Massive anti-cybercrime operation leads to over 1,200 arrests in Africa – Bleeping Computer

In an August 22 press release, INTERPOL announced the arrest of 1,209 cybercriminals who targeted nearly 88,000 victims as part of an INTERPOL-coordinated operation dubbed “Operation Serengeti 2.0.” As noted in the statement, the operation took place between June and August 2025 and involved investigators from 18 countries across Africa as well as from the U.K. Nine private sector partners also assisted with the investigation. The operation resulted in the recovery of $97.4 million and the dismantling of 11,432 malicious infrastructures. Read full article.

8. Google nukes 224 Android malware apps behind massive ad fraud campaign – Bleeping Computer

The Android ad fraud operation “SlopAds” was disrupted after 224 malicious applications on Google Play were found generating 2.3 billion ad requests per day. The operation was discovered by HUMAN’s Satori Threat Intelligence team. The applications were downloaded over 30 million times and used obfuscation and steganography to avoid detection; once past detection, the “FatModule” malware would be activated. One evasion tactic was tied to how the app was installed: if installed through the Play Store it acted as a normal app, but if installed by clicking through an ad “it downloads four PNG images that utilize steganography to conceal pieces of a malicious APK.” Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Cyber Security Awareness Month: Upcoming Content

October 01, 2025

In light of Cybersecurity Awareness month, DarkOwl is committed to sharing research, trends and industry news from our analysts.

Be the first to know as we release new research by entering your email below!

Upcoming Content This Month

BLOG

Threat Intel Round Up: September

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence. Check it out.

it-sa Expo & Congress

We will be at it-sa 365, Europe’s largest trade fair for IT security and one of the most important dialogue platforms for IT security solutions. The trade fair covers the entire range of products and services in the field of cybersecurity: hardware, software, training and consulting services as well as Security as a Service. Stop by and meet with us at Booth 9 – 349. Meet us!

New Regulations & What They Mean for Your Supply Chain

This fireside chat explores challenges and opportunities of incoming regulations impacting cybersecurity in the UK and EU.

Greater digitalization brings with it an avalanche of Third Party integrations and supplier exposure. Rich Hanstock (pwn.legal) and Lindsay Whyte (DarkOwl) explore what new regulations mean for cybersecurity teams, and the change in attitudes required to reassure regulators and customers alike.

Discover how DarkOwl’s DarkSonar helps organizations build a resilient, responsive supply chain security strategy that aligns with Europe’s regulatory future. Transcription and recording here.

What is a DDoS Attack?

Cybersecurity might as well have its own language. Professionals and threat actors alike use so many acronyms, terms, and sayings that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know what they mean. Understanding these acronyms and terms is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees. 

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, brute force attacks, zero-day exploits, doxing, data harvesting, IoCs, and credential stuffing. In this edition, we dive into DDoS attacks. Read it here!

AI vs AI: How Threat Actors and Investigators are Racing for Advantage

AI is transforming investigations, but also transforming adversarial tradecraft. How do we keep pace? From Telegram channels to dark web marketplaces, threat actors are using AI to accelerate crime, propaganda and deception. OSINT Combine and DarkOwl break down what’s happening behind the scenes and how investigators can keep up. Topics of discussion:

  • Exploration of how cybercriminals and terrorist groups are experimenting with AI technologies
  • Emerging dark web trends
  • Overview of AI-augmented investigation techniques
  • How investigators use AI for data collection
  • Detecting Disinformation and Synthetic Content
  • Live collaborative analysis by DarkOwl and OSINT Combine

Register here. Transcription to follow.

Stay tuned for our quarterly update blog highlighting new product features and collection stats updates. There is always something exciting coming from our Product and Collections teams and the team is excited to share this round of updates!

Cyber Hygiene at Work & Home

In this blog, we will highlight best practices for a safer digital life.

Command-and-Control Frameworks – Post Exploitation in Plain Sight

Command-and-control (C2) frameworks are used by both red teams and cybercriminals. They provide a wide range of functionality and capabilities that make post-exploitation tactics easier and more effective. In simple terms, a C2 acts as a central server that connects to, communicates with, and manages compromised systems. It establishes persistence and allows the operator to control dozens of infected machines from one central environment.

Indicator of Attack 101

The blog “Indicator of Attack 101” introduces the concept of Indicators of Attack (IoAs), explaining how they differ from Indicators of Compromise (IoCs) and why IoAs are crucial for proactive cyber defense.

How Cybercriminals Build Trust in Darknet Marketplaces

Halloween: Spooky Finds on the Dark Web

The darknet can be a scary place. 👻 For Halloween, we will highlight some spooky findings from our analyst team that they have come across this past year. In the meantime, check out our previous edition where the team uncovered human organs for sale, human meat for sale, and hitmen for hire! Check out last years’ blog here.


Curious to see how darknet data can improve your cybersecurity situational awareness? Contact us.

Dark Web Pharmacy and Illegal Rx Medication Sales 

September 23, 2025

Dark web “pharmacies” have become a global black market for prescription medications and counterfeit drugs. These underground vendors operate on hidden parts of the internet, accessible only with special software like Tor, and sell everything from opioid painkillers and anxiety meds to fake pills. Recent international crackdowns have led to hundreds of arrests across multiple continents, showing just how far-reaching and organized this trade has become. By using encryption and anonymous networks, dark web drug sellers connect with buyers around the world while evading traditional law enforcement. This blog looks at where these rogue pharmacies are found and the platforms they use to move drugs outside the law. 

Darknet Marketplaces

The majority of dark web pharmacy operations take place on multi-vendor marketplaces – hidden websites (with “.onion” addresses) that function like illicit versions of eBay or Amazon. Vendors set up listings for drugs, and buyers browse and purchase through the marketplace. These sites provide built-in escrow payment systems and customer review ratings, which help establish trust between anonymous buyers and sellers. Well-known examples from the past include Silk Road and AlphaBay, and new marketplaces continually arise to replace those shut down by police. 

Independent Vendor Sites

Some drug sellers also run their own standalone websites on the dark web. Instead of using a shared marketplace, they maintain a dedicated “storefront” hidden service. For example, one U.S. vendor continued operating a personal darknet website offering several types of illicit pills even after facing initial charges. These independent sites let a vendor control their platform, though attracting customers can be harder without the built-in traffic of a large market. They also lack the escrow protections of major marketplaces, meaning buyers have to trust the vendor directly. 

Encrypted Chats and Forums

In addition to Tor websites, a portion of illegal drug trade is arranged in private forums or encrypted messaging apps. Recent threat intelligence reports note a shift toward dealers making direct deals via platforms like Telegram, Signal, or Discord. Vendors advertise in chat groups or forums and then accept orders one-to-one, often taking payment in cryptocurrency. This method helps them reach less tech-savvy buyers (who may not navigate Tor) and avoid the fees or exit scams associated with big darknet markets. However, like independent sites, these direct transactions usually forego escrow – increasing the risk of scams or non-delivery if the buyer isn’t careful. 

Sourcing & Production 

  • Diverted prescription (Rx) stock, bulk active pharmaceutical ingredients (APIs) from overseas brokers, or outright counterfeit precursors; opioids and benzodiazepines are common targets.  
  • Pill-pressing with dies/logos to mimic pharma tablets (e.g., “Xanax” bars); dosage is inconsistent and unregulated.  

Platform & Presence 

  • Multi-vendor marketplaces (escrow, ratings), independent Tor shops, and encrypted chat/closed forums; vendors diversify IDs to hedge takedowns.  
  • Leverage market feedback systems; promote “stealth,” shipping success rates, and refunds to drive buyer trust. (Observed repeatedly in takedown summaries and market analyses.)  

Security & Comms 

  • Tor access; PGP for messages; crypto payments (BTC; privacy coins like XMR increasingly preferred per EU assessments).  
  • Rotate handles, swap P.O. boxes/mailing points, segment roles (pressing vs. packing vs. posting), and avoid reusing identifiers.  

Listings, Sales & Payment 

  • Detailed SKU pages (dosage, “brand,” batch claims), pricing tiers, bulk discounts; some offer testing “proofs.”   
  • Funds held until delivery confirmation; DM/PGP comms for issues; off-platform direct deals used to avoid fees—higher scam risk.  

Fulfillment & “Stealth” Shipping 

  • Vacuum sealing, odor barriers, concealment in benign items, innocuous labels/returns; postal systems are the primary vector.  
  • Frequent post-office drops.  

Cash-out & Continuity 

  • Peel chains, mixers, P2P off-ramps. 
  • After market seizures, vendors relist quickly elsewhere under new monikers.  

Risk & Authenticity Note (for Rx specifically) 

  • A non-trivial share of “pharma” listings are counterfeit or misbranded (e.g., fake alprazolam/oxycodone); several rings pressed millions of pills sold as name-brand meds.  

Most pills sold on the dark web are not genuine pharmaceuticals. Law enforcement has caught countless vendors making their own tablets with pill presses, stamping them with real drug logos, and selling them as Xanax, oxycodone, or Adderall. Some are made with raw ingredients shipped from overseas; others are mixed in makeshift labs with no quality control. 

The danger is what’s inside: pills advertised as painkillers often contain fentanyl, and fake Adderall tablets have been found packed with meth. Even if a pill looks real, its contents may be wrong, too strong, or contaminated. A single counterfeit dose can be deadly. 

Scams are common too—some sellers simply take your money and never ship. Marketplaces use escrow to limit this, but if you buy directly through a website or chat, you’re on your own. 

Dark web pharmacies may look like convenient, no-questions-asked sources for prescription drugs, but the reality is far more dangerous. Most pills sold online are counterfeit, misbranded, or laced with powerful substances like fentanyl or meth. Even when products appear legitimate, there is no quality control, no guarantee of safety, and no way for buyers to know what they are really taking. 

While these underground vendors rely on encryption, hidden websites, and clever shipping tactics to stay one step ahead, law enforcement has shown that they are not untouchable. Major operations around the world have taken down marketplaces, seized millions of fake pills, and arrested key players. Still, new vendors and sites quickly emerge to replace the old ones. 

In the end, buying from a dark web pharmacy is a gamble with high stakes. The risks include wasting money, falling victim to scams, or, most critically, consuming a counterfeit pill that could be deadly. The safest choice remains the obvious one: only use medications prescribed by a doctor and dispensed by a licensed pharmacy. 

How Darknet Threat Actors Are Using AI and Why It Matters 

September 18, 2025

Artificial intelligence has quickly become one of the most disruptive forces in cybersecurity. On the surface, AI promises efficiency, smarter defenses, and automation. But it is also being exploited by criminals in underground forums and marketplaces. The darknet has always been a hub for phishing kits, ransomware gangs, and stolen data markets. What has changed is the speed and polish of those attacks. AI has not created new crimes, but it has made the old ones sharper, more scalable, and harder to defend against. 

To understand the risks, you need to look closely at how threat actors are adopting AI in three areas where the damage is already visible: phishing, ransomware, and stealer logs. Alongside that, it’s worth exploring how the darknet economy itself is shifting to a subscription-based model that feels eerily similar to legitimate tech marketplaces. 

Phishing is one of the oldest tricks in the book. Traditionally, it relied on blasting out mass emails and hoping a few recipients clicked on malicious links. These campaigns were often riddled with errors: bad grammar, odd formatting, and suspicious sender addresses. They worked well enough to snare the unwary, but many were easy to spot. 

AI has changed that. In 2023, tools like FraudGPT and WormGPT appeared for sale across darknet forums and Telegram channels. FraudGPT was promoted as a chatbot with “no limitations, no filters, no boundaries.” It promised to help criminals craft polished phishing emails, generate fake websites, and even produce malicious code. Sellers marketed it in the same way a SaaS startup would market legitimate tools, with clear feature lists and monthly or annual subscription options. Reports suggest prices started around $200 per month or $1,700 per year, and the tool quickly gained traction among low-skill actors. 

WormGPT took a similar path. Built on GPT-J, an open-source large language model, it was pitched as a blackhat version of ChatGPT. Access was sold for about $110 per month. Its purpose was direct and simple: create convincing phishing emails at scale. No broken grammar, no obvious red flags, just messages that looked like they came from HR, finance, or a trusted business partner. 

The sophistication of phishing is no longer limited to email. Voice cloning and deepfakes have introduced new angles. A call that sounds exactly like your CEO asking for an urgent wire transfer is no longer a far-fetched scenario. In fact, there have already been documented cases where voice cloning was used to defraud companies out of millions. With AI, creating those convincing imitations is faster, cheaper, and accessible to far more actors. 

Phishing is no longer amateur hour. It is a professionalized service where attackers can outsource creativity to AI. 

Ransomware groups are also adapting AI to their playbooks. Their goal is still the same: encrypt critical systems, steal sensitive data, and demand payment. But AI is streamlining the process. 

Some ransomware crews are using AI to refine malicious code and bypass defenses more effectively. Others are experimenting with automated infection chains where AI scripts help identify weak points in networks and tailor payloads to exploit them. In some cases, AI has even been proposed for ransom negotiations, where chatbots could pressure victims with manipulative tactics and personalized responses. 

This isn’t happening in a vacuum. Ransomware gangs are structured like businesses. They often run affiliate programs, recruit developers, and maintain support channels for buyers. AI fits neatly into that structure. It reduces the technical barrier, speeds up development, and frees attackers to scale operations. 

The real danger is not just that AI makes ransomware more efficient. It also makes entry into ransomware easier. Someone with little coding experience can join an affiliate program, buy access to AI tools, and launch a campaign without building malware from scratch. The result is more actors competing for victims, which increases the volume of attacks globally. 

If phishing is the entry point and ransomware is the hammer, stealer logs are the raw material that fuels countless other crimes. A stealer log is a collection of data siphoned from an infected machine: usernames, passwords, browser cookies, autofill data, cryptocurrency wallets, system details. For years, these logs have been sold in bulk on darknet markets. 

AI has made them far easier to exploit. Instead of combing through messy text files manually, criminals now use AI-driven tools to parse, filter, and prioritize data. They can search for keywords like “PayPal” or “VPN” and instantly extract the most valuable credentials. Dashboards sold with these logs make it simple for even unskilled actors to profit. 
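The filtering described above is the same parsing job a defender runs in reverse: instead of hunting for "PayPal" or "VPN" entries to resell, an alerting workflow scans the same dump for credentials tied to the organization's own domains. The following is an added example written for this article, not DarkOwl's tooling. The log text is constructed to mimic the URL / USER / PASS layout that many stealer families write to a passwords file; the exact field labels vary by family and are an assumption here.

```python
"""Triage an infostealer credential dump for a monitored organization.

Added example for this article, not DarkOwl's tooling. The log text is constructed
to mimic the URL / USER / PASS layout many stealer families write to passwords.txt;
real dumps vary by family, and the field labels (URL, USER, PASS) are an assumption.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: three records, one consumer account and two tied to the monitored org.
SAMPLE_PASSWORDS_TXT = """\
URL: https://sso.example-corp.com/login
USER: j.doe@example-corp.com
PASS: Winter2024!
===============
URL: https://www.paypal.com/signin
USER: jdoe77
PASS: hunter2
===============
URL: https://vpn.example-corp.com/
USER: example-corp\\jdoe
PASS: Summer2025?
===============
"""

RECORD_RE = re.compile(
    r"URL:[ \t]*(?P<url>\S+)[ \t]*\n"
    r"[ \t]*USER:[ \t]*(?P<user>[^\n]*?)[ \t]*\n"
    r"[ \t]*PASS:[ \t]*(?P<pw>[^\n]*?)[ \t]*(?:\n|$)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    password: str

    @property
    def host(self) -> str:
        return (urlsplit(self.url).hostname or "").lower()

    @property
    def user_domain(self) -> str:
        # Email-style usernames carry the org domain even when the URL is a third-party site.
        return self.user.rsplit("@", 1)[1].lower() if "@" in self.user else ""


def parse_log(text: str) -> list[Credential]:
    """Extract every URL/USER/PASS record from a stealer passwords file."""
    return [Credential(m["url"], m["user"], m["pw"]) for m in RECORD_RE.finditer(text)]


def _under(host: str, domains: frozenset[str]) -> bool:
    # Exact domain or a subdomain of it; a plain substring test would also match evil-example-corp.com.
    return any(host == d or host.endswith("." + d) for d in domains)


def find_exposed(creds, domains, keywords=()):
    """Return records tied to the monitored domains, or whose host/user mention a keyword.

    The keyword path mirrors the buyer-side filtering described in the article ("PayPal",
    "VPN"); the domain path is what a defender's alerting workflow needs.
    """
    doms = frozenset(d.lower() for d in domains)
    kws = tuple(k.lower() for k in keywords)
    hits = []
    for c in creds:
        if _under(c.host, doms) or _under(c.user_domain, doms):
            hits.append(c)
        elif any(k in c.host or k in c.user.lower() for k in kws):
            hits.append(c)
    return hits


def to_alert(c: Credential) -> dict:
    # Never forward the plaintext secret into a ticket or SIEM; the account must be rotated anyway.
    return {"host": c.host, "user": c.user, "password": "*" * len(c.password)}


if __name__ == "__main__":
    for hit in find_exposed(parse_log(SAMPLE_PASSWORDS_TXT), {"example-corp.com"}):
        print(to_alert(hit))
```

The domain match is deliberately suffix-based rather than a substring search, and the alert payload masks the password: a stealer-log alert exists to trigger a reset, not to move the secret into yet another system.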

Consider Rhadamanthys, a stealer that first appeared in late 2022. By mid 2024, version 0.7.0 introduced an unusual AI-powered capability: optical character recognition. It could scan images on infected devices and extract text, including cryptocurrency wallet seed phrases. This meant that even if users thought they were safe storing keys as screenshots, the malware could still retrieve them. 

Rhadamanthys is sold openly on forums. Licenses go for about $250 per month or $550 for 90 days. Its operators actively update the malware, provide customer support via Telegram, and advertise new features. In 2024, it was deployed through phishing campaigns disguised as copyright infringement notices, targeting victims across Europe, Asia, and the Americas. 

Beyond individual families, the stealer ecosystem is vast. Russian Market alone lists millions of stolen logs, and services like MoonCloud repackage them into searchable databases distributed via Telegram. These markets are increasingly structured and automated, looking more like data brokers than ad-hoc criminal sales. 

One of the most striking trends is how the darknet has adopted the language and business model of the tech industry. Gone are the days of one-off toolkits passed quietly between hackers. Today, the underground thrives on subscriptions and services. 

Fraud as a service. Phishing as a service. Ransomware as a service. Infostealers with monthly licensing models. AI has lowered the barrier to entry so far that the ecosystem resembles a SaaS marketplace more than a shadowy corner of the web. For a few hundred dollars a month, anyone can buy access to tools that rival those used by advanced threat groups. 

This professionalization is why the threat landscape feels so much more crowded. More people can play the game. The cost of entry is low. And the tools are good enough to work. 

If criminals are scaling with AI, defenders cannot rely on traditional defenses alone. Organizations need visibility into the spaces where these tools are sold and discussed. That is where DarkOwl provides value. 

DarkOwl monitors darknet forums, encrypted channels, and marketplaces where AI-enabled tools and stolen data appear. It can identify when a new phishing kit is advertised, when stealer logs containing company credentials are posted, or when chatter about impersonation campaigns surfaces. More importantly, DarkOwl delivers context. A stolen password alone is one data point. Context explains whether it is tied to a broader campaign, how it was obtained, and whether similar data is being circulated elsewhere. 

This intelligence is not meant to sit in a report. Organizations can act on it by building alerting workflows, so security teams are notified when company credentials show up in stealer logs, updating phishing playbooks with new lures seen in underground communities, and protecting executives and brands by monitoring for deepfake or impersonation campaigns. 

DarkOwl does not just collect data; it helps organizations use it. That difference is what turns visibility into defense. 

AI has not changed the fundamentals of cybercrime. Criminals are still phishing, encrypting, and stealing. What has changed is the scale and accessibility. FraudGPT makes phishing believable. WormGPT mass-produces scams. Rhadamanthys uses AI to scrape sensitive data from images. Marketplaces sell logs with dashboards and filters that look like professional analytics tools. The Darknet is evolving, and AI is accelerating the pace. 

The world cannot afford to ignore that shift. Defenders need to see what is happening in the underground as it unfolds. DarkOwl delivers that window, giving organizations the ability to anticipate threats, connect the dots, and respond before AI-driven attacks land. 


Antivirus vs Antimalware: What’s the Real Difference and Do You Need Both?

September 16, 2025

We all know cybersecurity has its own language. As being cyber safe becomes more and more vital to companies and individuals alike, it’s important to have a basic understanding of common terms. In this blog, let’s explore the subtle differences between antivirus and antimalware and whether you need both.

The terms “antivirus” and “antimalware” are often used interchangeably. It is important to understand that while they are related, there is a historical difference and a functional distinction.

Antivirus

Antivirus is a type of software designed to detect, prevent, and remove malicious programs from a computer or network. While the name historically refers to software that protects against computer viruses specifically, the term has evolved to encompass protection against a wide range of cyber threats. It acts as a crucial defense against various digital threats that can harm your system, steal data, or compromise your privacy.

Traditionally, antivirus software excelled at:

  • Signature-Based Detection: This method relies on a vast database of “signatures” – unique digital fingerprints of known viruses. When a file is scanned, its code is compared to these signatures. If a match is found, the virus is identified and dealt with.
  • Preventing Replication: Its primary objective was to stop viruses from attaching themselves to legitimate programs and spreading across your system or network.
  • Cleaning and Quarantining: Upon detection, it would either “clean” (remove the malicious code from an infected file) or “quarantine” (isolate the infected file to prevent it from causing further harm) the threat.

One can think of antivirus as a specialist. It was exceptionally good at identifying and neutralizing the self-replicating, often disruptive, digital invaders that defined the early days of cybercrime.

As the threat landscape evolved, so did the sophistication of malicious software. Viruses were still a threat, but now we were up against worms, Trojans, spyware, adware, ransomware, rootkits, and more. This is where the lines begin to blur and the term “malware” enters. It is important to note that while every virus is malware, not all malware is a virus. That distinction is the crux of the difference between “antivirus” and the more encompassing “antimalware.”

Antimalware

Antimalware is a type of software designed to detect, prevent, and remove all forms of malicious software (malware) from computers and other digital devices. Unlike traditional “antivirus” that historically focused primarily on computer viruses, antimalware offers a broader, more comprehensive defense against the entire spectrum of digital threats.

Threats that antimalware defends against include:

  • Viruses: The original self-replicating programs that attach to legitimate software.
  • Worms: Standalone malicious programs that spread across networks without needing a host program.
  • Trojans (Trojan Horses): Programs that appear legitimate but hide malicious functions, often creating backdoors for attackers.
  • Ransomware: Malware that encrypts a victim’s files, demanding payment (ransom) for their decryption.
  • Spyware: Software that secretly monitors and collects information about a user’s activities without their knowledge or consent.
  • Adware: Software that automatically displays unwanted advertisements, often bundled with free programs.
  • Rootkits: Malicious software designed to hide the existence of other malware and enable persistent privileged access to a computer.
  • Keyloggers: Programs that record every keystroke made by a user, potentially capturing sensitive information like passwords.
  • Bots/Botnets: Software that allows an attacker to remotely control a compromised computer, often as part of a larger network of infected machines (a botnet).

Antivirus traditionally focuses on file-infecting threats; Antimalware is more adept at combating newer, evolving threats that may not be file-based.

Antivirus

  • specific type of protection
  • combats file-infecting threats
  • basic scanning, detection, removal, and quarantine of viruses
  • relies on signature-based detection (databases of known virus “fingerprints”)
  • the original digital defense; the term is somewhat historical but often used generically (commonly used by the general public, but often refers to a broader “antimalware” solution)

Antimalware

  • broad and comprehensive protection
  • combats new, evolving threats that may not be file-based
  • real-time protection, advanced threat blocking, web/email protection, exploit prevention, sandboxing
  • incorporates more advanced, proactive methods like heuristic analysis and behavioral monitoring to catch unknown threats
  • the evolution of antivirus; the more accurate term for today’s holistic digital protection
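To make the two detection styles in the comparison concrete, here is an added example (written for this article, not any vendor's engine) that runs a classic signature check and a toy heuristic layer over constructed byte buffers. The "known sample" is the EICAR anti-virus test string; the unknown sample is a constructed encoded-PowerShell launcher followed by a high-entropy blob. The heuristic rules are a deliberately small stand-in for the behavioural analysis a real product performs.

```python
"""Signature matching beside a toy heuristic layer, on constructed byte buffers.

Added example for this article, not any vendor's engine. The "known sample" is the
EICAR anti-virus test string; the heuristic rules (byte entropy plus a few suspicious
substrings) are a deliberately small stand-in for real behavioural analysis.
"""
import hashlib
import math
import re

EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Classic signature database: whole-file hashes plus byte patterns lifted from known samples.
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}
PATTERN_SIGNATURES = {b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$": "EICAR-Test-File"}

# Constructed "unknown" sample: a hidden, encoded PowerShell launcher followed by a
# high-entropy blob standing in for a packed payload. No signature exists for it.
UNKNOWN_DROPPER = b"powershell.exe -nop -w hidden -enc SQBFAFgA\r\n" + bytes(range(256)) * 8

SUSPICIOUS_PATTERNS = [
    rb"powershell[^\r\n]*-enc",   # encoded command line
    rb"\bIEX\b",                  # Invoke-Expression download cradle
    rb"CreateRemoteThread",       # process-injection API name
    rb"VirtualAllocEx",
]


def signature_scan(data: bytes):
    """Return the signature name if the buffer matches a known hash or byte pattern, else None."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, typical of packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = (data.count(bytes([b])) for b in set(data))
    return -sum((c / n) * math.log2(c / n) for c in counts)


def heuristic_scan(data: bytes, entropy_threshold: float = 7.2) -> list[str]:
    """Return human-readable reasons the buffer looks suspicious without any signature match."""
    reasons = []
    ent = shannon_entropy(data)
    if ent > entropy_threshold:
        reasons.append(f"entropy {ent:.2f} bits/byte above {entropy_threshold}")
    for pattern in SUSPICIOUS_PATTERNS:
        if re.search(pattern, data, re.IGNORECASE):
            reasons.append("suspicious string " + pattern.decode())
    return reasons


def scan(data: bytes) -> dict:
    return {"signature": signature_scan(data), "heuristics": heuristic_scan(data)}


if __name__ == "__main__":
    print(scan(EICAR))
    print(scan(EICAR.replace(b"STANDARD", b"STANDART")))  # one byte off: both signatures miss
    print(scan(UNKNOWN_DROPPER))
```

The second call shows the weakness of signature-only detection: changing a single byte of a known sample defeats both the hash and the byte-pattern signature. The third shows why the heuristic layer exists: the dropper has no signature at all, yet the encoded PowerShell launcher and the near-random payload are enough to flag it. Real engines tune thresholds and combine many more signals; an entropy threshold alone will also flag legitimate compressed or encrypted files.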

Earlier this year, researchers at Trend Micro observed the Chinese state-sponsored threat actor Mustang Panda (also known as Earth Preta) using a new technique to “evade detection and maintain control over infected systems.” Specifically, the group uses the legitimate Microsoft Application Virtualization Injector (MAVInject.exe) to “inject payloads into waitfor.exe whenever an ESET antivirus application is detected.” As highlighted in Trend Micro’s report, Mustang Panda is known for targeting victims in the Asia-Pacific region, with one of its recent campaigns using a variant of DOPLUGS malware to target multiple countries in the region, including Taiwan, Vietnam, and Malaysia. The threat actor notably targets government entities and “has had over 200 victims since 2022.” 
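The Mustang Panda technique is a good illustration of why behavioural telemetry matters more than the product label: a signed Microsoft binary doing the injection defeats a file signature, but the process relationship is still visible. The following is an added detection example for this article, not Trend Micro's or DarkOwl's code. The event fields mimic Sysmon Event ID 1 (process creation) and the records are constructed; the command-line form "mavinject.exe <PID> /INJECTRUNNING <DLL>" is taken from the LOLBAS project's MavInject entry, not from the article.

```python
"""Flag MAVInject.exe injecting a DLL into waitfor.exe, over process-creation events.

Added example for this article, not Trend Micro's or DarkOwl's code. Event fields mimic
Sysmon Event ID 1 (process creation) and every record below is constructed. The
command-line syntax "mavinject.exe <PID> /INJECTRUNNING <DLL>" comes from the LOLBAS
project's MavInject entry, not from the article itself.
"""
import re

# Constructed telemetry: a waitfor.exe decoy, the injector pointed at its PID, and benign noise.
EVENTS = [
    {"pid": 3988, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "parent_pid": 1},
    {"pid": 4120, "image": r"C:\Windows\System32\waitfor.exe",
     "cmdline": "waitfor.exe /t 3600 NeverSent", "parent_pid": 3988},
    {"pid": 4133, "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 4120 /INJECTRUNNING C:\Users\Public\update.dll", "parent_pid": 3988},
    {"pid": 5002, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "parent_pid": 3988},
]

INJECT_RE = re.compile(
    r'mavinject(?:32)?\.exe"?\s+(?P<pid>\d+)\s+/INJECTRUNNING\s+"?(?P<dll>[^"\s]+)',
    re.IGNORECASE,
)

# Paths an administrator-installed DLL normally lives under; anything else is user-writable.
SYSTEM_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files")


def detect_mavinject(events):
    """Return one alert per MAVInject /INJECTRUNNING invocation, escalated on the article's indicators."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not e["image"].lower().endswith(("\\mavinject.exe", "\\mavinject32.exe")):
            continue
        m = INJECT_RE.search(e["cmdline"])
        if not m:
            continue
        target_pid = int(m["pid"])
        target = by_pid.get(target_pid)
        target_image = target["image"].lower() if target else ""
        dll = m["dll"]

        # Base signal: /INJECTRUNNING is rare outside Microsoft App-V client operations.
        reasons = ["MAVInject /INJECTRUNNING invoked"]
        if target_image.endswith("\\waitfor.exe"):
            reasons.append("target is waitfor.exe, a long-lived process with no legitimate injection need")
        if not dll.lower().startswith(SYSTEM_DLL_PREFIXES):
            reasons.append(f"DLL loaded from user-writable path {dll}")
        alerts.append({
            "pid": e["pid"],
            "target_pid": target_pid,
            "target_image": target_image,
            "dll": dll,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mavinject(EVENTS):
        print(alert)
```

Resolving the target PID back to its image is the step that turns a generic "LOLBin executed" hit into the specific pattern the report describes. On a real host the same activity also surfaces as a Sysmon Event ID 8 (CreateRemoteThread) from mavinject.exe into waitfor.exe, which is worth correlating with the command-line rule above.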

DarkOwl does not recommend running a separate antimalware product alongside a separate antivirus product with both providing real-time protection. Two resident scanners can conflict with each other, duplicate work, and slow your computer down. It is recommended to have one comprehensive security solution active at a time; that single product provides all the necessary layers of protection without the conflicts. This is also why many vendors have moved from branding their products as “Antivirus” to names like “Internet Security,” “Total Protection,” or simply “Endpoint Protection” to reflect the broad range of threats they address.

As always, practice good cyber hygiene – check to make sure that your current software is up-to-date and offers multi-layered protection.

Ultimately, the distinction between “antivirus” and “antimalware” is not just semantic; it reflects the evolution of the cybersecurity landscape. While antivirus was our original digital defense, designed to combat the classic computer virus, today’s multifaceted threat environment demands a more comprehensive solution. A modern antimalware program is that solution, offering multi-layered protection against everything from file-infecting viruses to sophisticated ransomware and fileless malware.

As we’ve established, you do not need both—and for the sake of your system’s performance and security, you shouldn’t run both. The best practice is to choose one powerful, reputable security suite that is regularly updated. This single tool, combined with your own vigilance and good cyber hygiene, is your strongest defense against the full spectrum of digital threats today and in the future.


Is Your City on the Dark Web? What Local Agencies Need to Know 

September 09, 2025

In 2023, investigators in a midsize U.S. city were tipped off to a darknet marketplace vendor offering “same-day delivery” of fentanyl-laced pills within specific zip codes. The listing named street corners and used coded references to local schools. It was not discovered by routine patrols or a community tip. It was found in an online space most local agencies never check: the dark web. 

The dark web is not just a place for global cybercriminal networks. It is a sprawling ecosystem where local-level threats are planned, traded, and discussed. Understanding what is being said about your city, and acting on it, can mean stopping crime before it happens. 

A Hidden Hub for Localized Criminal Activity 

Criminal forums, encrypted chat channels, and darknet leak sites often contain references to specific cities, schools, or government offices. These may range from targeted doxxing threats against police officers to lists of stolen IDs from local residents. Without visibility into these spaces, agencies risk missing critical intelligence (NIJ). 

Growing Scale of Criminal Commerce 

Dark web markets remain a preferred channel for selling drugs, stolen goods, counterfeit currency, and hacking tools. Europol has documented that some sellers specialize in hyper local delivery, building trust with buyers in their own city. One marketplace studied by the NIJ generated $219 million annually, a portion of which was linked to transactions tied to specific U.S. cities. 

Evidence of Real-World Impact 

The FBI’s Internet Crime Complaint Center (IC3) reported 880,418 cybercrime complaints in 2023, a 10 percent increase over 2022, with losses exceeding $12.5 billion (FBI IC3). While many of these cases start online, a significant number have local victims and suspects, with planning or stolen data originating from the darknet. 

  1. City and County Names – Drug vendors advertising “free delivery within [city limits]” or fencing stolen goods. 
  2. Schools and Universities – Targets of swatting threats, harassment campaigns, or worse. 
  3. Police Departments – Mentioned in extremist forums or ransomware leak sites after data breaches. 
  4. Hospitals and Public Services – Victims of cyberattacks where stolen patient data is posted for sale. 
  5. Street-Level Detail – Criminals using neighborhood or landmark names to coordinate illicit meetups. 

          These are not hypothetical. They appear regularly in open-source criminal case records and public takedown reports. 

          When local law enforcement gains visibility into the darknet, it often changes how investigations unfold. For example: 

          • Drug Enforcement – Narcotics units can identify vendors selling in their jurisdiction, connect them to street-level operations, and coordinate controlled buys. 
          • Cybercrime and Fraud – Financial crimes units can trace stolen credit cards, bank logins, or PII from local residents back to breaches. 
          • Threat Assessment – School resource officers or fusion centers can evaluate online threats referencing specific campuses. 

          This process often begins with keyword and geographic monitoring, searching for place names, zip codes, or organizational identifiers in darknet marketplaces, forums, and leak sites. Tools like DarkOwl can streamline this by indexing these spaces and allowing agencies to search them without direct engagement. All DarkOwl data is collected in compliance with U.S. Department of Justice guidelines, ensuring passive, lawful acquisition from darknet and darknet-adjacent sources. 

          In 2021, the Babuk ransomware group breached the Metropolitan Police Department in Washington, D.C., and leaked thousands of sensitive internal files on a dark web site. These included disciplinary records, intelligence reports, and details about confidential informants. The incident was described by cybersecurity experts as one of the most serious ransomware attacks ever against a U.S. law enforcement agency. Investigators had to rapidly assess the scope of the breach, contain the fallout, and communicate with the public while attackers continued to post stolen material. 

          In a separate case, 200 gigabytes of data from the Presque Isle Police Department in Maine was leaked online by Distributed Denial of Secrets (DDoSecrets). The dataset contained decades of emails, internal reports, and sensitive law enforcement files. While the organization chose not to make the entire dataset publicly available, the breach was confirmed and highlighted the vulnerability of smaller police departments to cyberattacks. 

          These incidents are a reminder that police departments of all sizes are potential ransomware targets and that early detection of leaked data on the dark web can help agencies respond more effectively. 

          • Legal Compliance – Work only with vetted intelligence sources that follow DOJ guidance. 
          • Evidence Handling – Ensure dark web data is preserved in ways that maintain chain of custody. 
          • Training – Provide investigators with skills to interpret darknet information and link it to real-world cases. 
          • Partnerships – Collaborate with state, federal, and fusion center partners to share findings. 

          Your city is likely being mentioned on the dark web, whether in a passing conversation or as part of a targeted plot. For local law enforcement, this is no longer an obscure cyber issue. It is a street-level problem with online roots. 

          By incorporating dark web monitoring into investigative workflows, agencies can spot emerging threats, connect them to local activity, and act before harm occurs. In a world where crime moves between the physical and digital in seconds, ignoring the darknet is no longer an option. 


          Threat Intelligence RoundUp: August

          September 02, 2025

          Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, meaning what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

          1. ‘Chairmen’ of $100 million scam operation extradited to US – Bleeping Computer

          In an August 8 press release, the United States Attorney’s Office for the Southern District of New York announced the extradition of four Ghanaian nationals for participating in an international criminal organization “that stole more than $100 million from victims via romance scams and business email compromises.” The four individuals were reportedly high-ranking members of a Ghanaian criminal organization that targeted entities in the U.S. between 2016 and 2023. The defendants were extradited from Ghana and arrived in the U.S. on August 7. Read full article.

          2. New EDR killer tool used by eight different ransomware groups – Bleeping Computer

          According to BleepingComputer, eight different ransomware groups have been observed using a new endpoint detection and response (EDR) killer believed to be an evolution of the “EDRKillShifter” developed by RansomHub. EDR killers are a useful tool for threat actors as they turn off security products on targeted systems to help remain undetected. As of this writing, the eight groups seen using the new tool include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC. Article here.

          Researchers at CTM360 have identified a new malware campaign dubbed “FraudOnTok” that targets users through fake TikTok Shops with SparkKitty spyware. According to the cybersecurity company’s report, the campaign is characterized by a dual attack strategy combining both phishing and malware to target TikTok users. The threat actors utilize replicas of TikTok Shop, TikTok Wholesale, and TikTok Mall to deceive users into believing they’re using the genuine platforms before stealing cryptocurrency wallets. Read more here.

          Researchers at SEQRITE Labs have observed a cyberespionage campaign targeting Russian aerospace and defense industries. According to the company’s report, the campaign has specifically targeted employees at Voronezh Aircraft Production Association (VASO), one of Russia’s largest aircraft production entities. The activity has been dubbed “Operation CargoTalon” and functions by delivering a backdoor called EAGLET to exfiltrate data. The threat actor is currently being tracked as UNG0901. Read here.

          5. Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses – Bleeping Computer

          Researchers at ReliaQuest have observed a shift in tactics used by the hacking group ShinyHunters that suggests possible collaboration with the Scattered Spider group. Following a year of limited activity, ShinyHunters’ campaigns resurged this summer with a series of attacks against Salesforce customers. These recent operations have used techniques previously observed in attacks attributed to Scattered Spider. Specifically, these have included impersonating IT support staff, using apps that masquerade as legitimate tools, VPN obfuscation, and “Okta-themed phishing pages to trick victims into entering credentials during vishing call.” Learn more.

          6. Hacker extradited to US for stealing $3.3 million from taxpayers – Bleeping Computer

          In an August 5 press release, the U.S. Department of Justice announced the extradition of a Nigerian national to the U.S. from France “in connection with hacking, fraud, and identity theft offenses.” According to the statement, the subject participated in multiple fraud schemes, including one targeting U.S. tax businesses to defraud the IRS since at least 2019. The scheme involved other Nigeria-based co-conspirators who used spear phishing emails to hack “several U.S. based businesses located in New York, Texas, and other states.” Read full article.

          7. CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures – The Hacker News

          In an August 4 press release, Ukraine’s Computer Emergency Response Team (CERT-UA) warned of a series of cyber attacks carried out by the threat actor UAC-0099 against “state authorities, the Defense Forces, and enterprises of the defense-industrial complex of Ukraine.”  As noted in the statement, the threat actor delivers MATCHBOIL, MATCHWOK, and DRAGSTARE malware via phishing emails. The emails are predominantly sent from UKR.NET addresses and are presented as official “court summons.” Read full article.

          8. US sanctions North Korean firm, nationals behind IT worker schemes – Bleeping Computer

          In a July 24 press release, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the sanctioning of the North Korea-based Korea Sobaeksu Trading Company and three associated individuals for their participation in fraudulent remote IT worker schemes. As previously noted in DarkOwl’s Weekly Intelligence Summaries, the DPRK government uses these IT worker schemes to generate illicit revenue. The IT workers involved in the scheme use “fraudulent documents, stolen identities, and false personas to obfuscate their identities and infiltrate legitimate companies.” Learn more.


          Copyright © 2026 DarkOwl, LLC All rights reserved.
          Privacy Policy
          DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.