New CipherWolf RaaS, Oracle EBS 0‑Day Exploit & Money Laundering Service Detected on Hacker Forums
SOCRadar’s Dark Web Team has tracked a cluster of high‑impact underground listings this week. Highlights include an advertised cryptocurrency money‑laundering service that converts crypto to fiat via front companies, an alleged sale of Forti VPN access tied to a UK industrial machinery firm, and a claimed exploit targeting Google email addresses. Researchers also observed an N‑day offer for Oracle E‑Business and the emergence of a new Ransomware‑as‑a‑Service called CipherWolf.
A New Alleged Money Laundering Service is Detected

SOCRadar Dark Web Team identified a forum post where a threat actor is promoting an alleged money-laundering service offering to convert cryptocurrency into fiat currency or transfer it through offshore accounts. The service reportedly operates through a network of front companies in sectors such as real estate and consulting, which are used to conceal the origin of funds. The threat actor indicates a commission range of 10–20%, excluding transfer costs, and mentions that processing time varies from one hour to five days based on transaction volume. The post details a structured workflow involving wallet transfers, staged conversions through intermediary entities, and final disbursement of funds to destinations chosen by customers.
Alleged Unauthorized VPN Access Sale is Detected for a British Industrial Machinery & Equipment Company

SOCRadar Dark Web Team identified a forum post where a threat actor is allegedly offering unauthorized VPN access belonging to a company operating in the industrial machinery and equipment sector in the United Kingdom. The organization reportedly generates an annual revenue exceeding 15 million USD and employs more than 250 personnel.
According to the listing, the offered access includes Forti VPN credentials linked to a domain user account. The threat actor states that the compromised environment contains around 80 hosts and 8 domain administrators. The sale is structured with a starting price of 300 USD, a bidding increment of 100 USD, and a blitz (instant purchase) price of 600 USD. The post also indicates a “guarantee acceptance,” implying that the validity of the access is confirmed before delivery.
Alleged Exploit for Google is on Sale

SOCRadar Dark Web Team identified a forum post where a threat actor offers an alleged exploit targeting @google[.]com email addresses. The post claims that the exploit could be used for social engineering activities and bulk distribution of fraudulent alerts.
The listing mentions that the price is negotiable, reportedly in the tens of thousands of dollars, and directs interested buyers to contact the seller through Telegram.
The alleged exploit, if valid, could enable large-scale phishing and impersonation attempts, potentially resulting in credential theft or unauthorized access to Google-associated services and accounts.
Alleged 0-Day Vulnerability Sale Is Detected for Oracle E-Business

SOCRadar Dark Web Team identified a forum post where a threat actor is allegedly offering a 0-day exploit for Oracle E-Business Suite tracked as CVE-2025-61882. The post claims that the vulnerability is remotely exploitable without authentication and may allow remote code execution.
New CipherWolf Ransomware-as-a-Service is Detected

SOCRadar Dark Web Team identified a forum post in which a threat actor announces a new Ransomware-as-a-Service named CipherWolf. The post alleges that the payload is written in Rust, targets all Windows systems, and provides affiliates with a web-based dashboard that manages campaigns, victim data, device lists, withdrawal features, and revenue allocation. The threat actor claims the service supports automated file transfer to a dedicated server, deletion of shadow copies and backups, termination of numerous processes, and integration with workgroup and Active Directory environments. The listing advertises a profit-share model of five to ten percent, with an introductory one percent rate for the first three affiliates, and lists a website and a TOX contact for engagement, both redacted from this summary.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source is time-consuming, challenging, and simply not feasible. A single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen lets your SOC team follow the latest posts of threat actors and groups, filtered by targeted country or industry.
