EDR Terminator Sale, Alleged Adobe Business Leak, Serbia MUP Data Offer, and Argentina BCRA IOMA GDEBA Claims
SOCRadar Dark Web Team identified several new underground posts, including a listing advertising a kernel-level “EDR/XDR terminator” package, a separate claim of an 832.87GB “Adobe Business” data collection, and two government-focused datasets involving Serbia’s Ministry of Interior (MUP) and Argentina’s BCRA, IOMA, and GDEBA. Across these posts, threat actors emphasized high-volume data, identity-heavy fields, and “exclusive” or “fresh” positioning that typically signals intent for fraud, extortion, or follow-on access operations.
0-Day EDR XDR Terminator Sale Is Detected

SOCRadar Dark Web Team detected a threat actor post advertising an alleged 0-day “EDR/XDR terminator” sold as source code plus a compiled driver. The actor framed it as a ring-0 kernel driver designed to terminate endpoint security processes, and marketed it for use alongside follow-on payload execution. The post also claimed compatibility with Windows 10/11 and referenced HVCI (Memory Integrity) support.
The seller advertised pricing at $8,000 for the base package, with an additional upsell that brought the total to $12,000, and promoted “one buyer only” exclusivity plus short-term support terms. Even when these claims are exaggerated, listings like this often reflect active demand for tooling that reduces defender visibility during intrusion chains.
Alleged Adobe Business Database Collection Is Detected

SOCRadar Dark Web Team detected a post claiming an alleged 832.87GB “business.adobe.com” dataset and a broader “databases collection” tied to multiple marketing and email platforms. The listing included structured rows that looked like company and technology profiling (for example, product names, industries, markets, and descriptions), and it also referenced large-scale email and phone counts across services such as MailChimp, SendGrid, HubSpot, Mailgun, and others.
If authentic, this type of dataset is typically used for targeted phishing, lead enrichment, and business email compromise (BEC) style pretexting, because it helps attackers map org structure, tooling, and contact paths. Even when the “Adobe” branding is used loosely, the data fields and scale suggest the core value was contactability and segmentation, not just a single brand’s records.
Alleged Serbian Ministry of Interior Data Sale Is Detected

SOCRadar Dark Web Team detected a post claiming a breach of Serbia’s Ministry of Interior (MUP), specifically referencing a “Foreigners Office” related division. The actor claimed possession of 180,000 records labeled “2024–2026 fresh”, split between 150,000 foreign nationals and 30,000 Serbian citizens, and highlighted identity-linked fields such as a national identifier comparable to SSN or visa ID.
The post also included a “notice” section suggesting negotiation conditions with authorities and offered contact for “full database pricing.” Datasets framed this way commonly increase risk for identity fraud, document forgery, and targeted scams, especially when residency and status attributes can be weaponized in lures or coercion narratives.
Alleged Argentina BCRA IOMA GDEBA Data Leak Claims Are Detected

SOCRadar Dark Web Team detected a post claiming multiple Argentina-focused data releases involving BCRA (credit scoring scraping), IOMA (affiliates and patient-related records), and GDEBA, alongside references to classified documents and additional “bonus” materials. The actor promoted “proofs,” partial downloads, and promised larger follow-on releases depending on community support.
Claims included large-scale counts, such as BCRA “+32 million” scraping and IOMA “+1 million” or larger affiliate-related datasets, with examples that suggest identity and demographic fields. Posts that mix public-sector data, alleged medical affiliation data, and “dossier” language tend to drive high-impact downstream abuse, including impersonation, fraud targeting, and long-tail privacy harm when records are mirrored across channels.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by targeted country or industry.
