Discord and Gemini Database Claims, Cisco FMC RCE Leak, Xia Stealer Sale, and IMSS Donor Records Listing
SOCRadar Dark Web Team identified several new underground posts, including an alleged Discord database dump shared with “simple” user-style fields, and a separate claim that a gemini.google.com database was being distributed for free. Another post referenced an alleged Cisco Secure Firewall Management Center vulnerability leak tied to CVE-2026-20131, raising concern for exposed management interfaces.
Other activity included a sale post for a stealer tool called xia that was marketed around DLL sideloading and “fully undetected” runtime behavior, plus an alleged healthcare data listing claiming 3,225,614 IMSS blood donor record PDF files for $500.
Alleged Discord Database Leak is Detected

SOCRadar Dark Web Team detected a post advertising an alleged Discord database leak. The shared “Simple Data” snippet suggested user-related fields such as Discord or user IDs, usernames, and IP address references, which could support follow-on targeting even without passwords.
If authentic, datasets like this are often used for targeted phishing, doxxing attempts, and identity enrichment when combined with other breach material. Defenders typically treat such a leak as an early warning to push password hygiene, enforce 2FA, and watch for spikes in social engineering aimed at Discord users and communities.
Alleged Cisco FMC RCE Leak is Linked to CVE-2026-20131

SOCRadar Dark Web Team detected a forum post claiming details of an alleged vulnerability affecting Cisco Secure Firewall Management Center (FMC), referenced as CVE-2026-20131. The post described an unauthenticated remote code execution scenario tied to insecure deserialization, with attackers allegedly able to execute arbitrary code as root on affected FMC systems.

Details of CVE-2026-23918 (SOCRadar Vulnerability Intelligence)
The vulnerability carries a CVSS v3.1 score of 10.0, placing it in the critical severity range. According to the available details, the flaw affects the web-based management interface and relates to how Cisco FMC processes Java byte stream data, which aligns with CWE-502: Deserialization of Untrusted Data.
Because Cisco FMC is used to manage firewall policies and security controls, successful exploitation could give attackers control over a core network security system. Organizations using Cisco FMC should apply Cisco’s fixes, restrict access to the management interface, and review systems for signs of unauthorized configuration changes, unexpected admin activity, or other suspicious behavior.
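As an added example (not SOCRadar's or Cisco's code), the review step above can start from captured requests to the management interface: the sketch flags requests from outside the management network and bodies that carry a Java serialized stream header, the input class behind CWE-502. The record layout, paths, addresses and the `MGMT_NETS` allowlist are assumptions, and the sample records are constructed.

```python
import base64
import ipaddress

# Java's ObjectOutputStream header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005.
JAVA_MAGIC = bytes.fromhex("aced0005")
JAVA_MAGIC_B64 = b"rO0AB"  # the same four bytes at the start of a base64 string

# Assumption: the only network allowed to reach the management interface.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def serialized_java_form(body: bytes):
    """Return how a Java serialized stream appears in body, or None."""
    if JAVA_MAGIC in body:
        return "raw"
    if JAVA_MAGIC_B64 in body:
        return "base64"
    if b"aced0005" in body.lower():
        return "hex"
    return None


def triage(requests):
    """Return (src, path, reasons) for each request worth an analyst's review."""
    findings = []
    for req in requests:
        reasons = []
        src = ipaddress.ip_address(req["src"])
        if not any(src in net for net in MGMT_NETS):
            reasons.append("source outside management network")
        form = serialized_java_form(req["body"])
        if form:
            reasons.append(f"Java serialized stream ({form})")
        if reasons:
            findings.append((req["src"], req["path"], reasons))
    return findings


# Constructed sample records; paths and addresses are illustrative only.
SAMPLE = [
    {"src": "10.20.0.15", "path": "/ui/login", "body": b"user=admin&otp=123456"},
    {"src": "203.0.113.7", "path": "/ui/login", "body": b"user=admin"},
    {"src": "203.0.113.9", "path": "/api/example",
     "body": JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"},
    {"src": "10.20.0.15", "path": "/api/example",
     "body": b"data=" + base64.b64encode(JAVA_MAGIC + b"sr\x00\x04Demo")},
]

if __name__ == "__main__":
    for src, path, reasons in triage(SAMPLE):
        print(src, path, "; ".join(reasons))
```

A hit is a lead for review, not proof of exploitation: some applications exchange serialized Java objects legitimately, so baseline what the interface normally receives before alerting on it.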
New Stealer Tool Sale is Detected for xia

SOCRadar Dark Web Team detected a post advertising a stealer tool called xia, described as a ~500 KB DLL stealer and promoted around DLL sideloading through legitimate executables. The seller claimed broad data theft coverage, including browser artifacts and wallet extension targets, and marketed “fully undetected” behavior at runtime and scan time.
Even when marketing claims are exaggerated, the combination of sideloading plus credential and wallet targeting often signals real operational intent. Defenders typically look for abnormal DLL load patterns, tighten application control, and review endpoint telemetry for suspicious process chains that abuse trusted binaries.
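The DLL load pattern described above can be expressed as a simple rule over image-load telemetry. This is an added example, not part of the original post: it flags a signed executable running from a user-writable directory that loads an unsigned DLL from its own folder. The event field names (`image`, `image_loaded`, `process_signed`, `dll_signed`), the directory list and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: path fragments for locations a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def is_sideload_candidate(event):
    """True for a signed EXE in a user-writable directory that loads an
    unsigned DLL sitting in that same directory."""
    image = event["image"].lower()
    loaded = event["image_loaded"].lower()
    return bool(
        event["process_signed"]          # trusted host binary
        and not event["dll_signed"]      # untrusted module
        and loaded.endswith(".dll")
        and ntpath.dirname(image) == ntpath.dirname(loaded)
        and any(fragment in image for fragment in USER_WRITABLE)
    )


def find_sideloads(events):
    """Return the events that match the sideloading pattern."""
    return [e for e in events if is_sideload_candidate(e)]


def ev(image, image_loaded, process_signed, dll_signed):
    return {"image": image, "image_loaded": image_loaded,
            "process_signed": process_signed, "dll_signed": dll_signed}


# Constructed sample events (not taken from any real host).
PKG = "C:\\Users\\ana\\AppData\\Local\\Temp\\pkg\\"
APP = "C:\\Users\\ana\\AppData\\Local\\App\\"
SAMPLE_EVENTS = [
    ev("C:\\Program Files\\Vendor\\app.exe",
       "C:\\Program Files\\Vendor\\helper.dll", True, True),
    ev(PKG + "Updater.exe", PKG + "version.dll", True, False),   # flagged
    ev(PKG + "Updater.exe", "C:\\Windows\\System32\\kernel32.dll", True, True),
    ev(APP + "app.exe", APP + "ui.dll", True, True),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("review:", hit["image"], "->", hit["image_loaded"])
```

Legitimate per-user installers also ship unsigned DLLs beside signed executables, so treat matches as candidates to correlate with process ancestry and file creation time.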
Alleged Google Gemini Database Leak is Shared for Free

SOCRadar Dark Web Team detected a post claiming a gemini.google.com database leak and offering it for free. The sample fields resembled support or ticketing style metadata, including items like submitter_email, subject, timestamps, and other structured ticket attributes.
If valid, this type of dataset tends to increase social engineering risk because it gives attackers context about user issues, workflows, and identities tied to support interactions. Security teams usually flag the potential for targeted phishing that references ticket subjects or account-related themes to improve credibility.
Alleged Sale of 3.2 Million IMSS Blood Donor Records is Detected

SOCRadar Dark Web Team detected a post claiming the sale of 3,225,614 IMSS blood donor record PDF files, advertised as a complete donor registry and medical record collection from IMSS (Instituto Mexicano del Seguro Social). The listing highlighted highly sensitive personal and medical content and priced the package at $500 USD.
Healthcare datasets with this depth typically create immediate risk of identity theft, medical fraud, and targeted harassment, especially when identifiers and contact details are included alongside medical context. Organizations commonly treat such claims as high priority due to regulatory exposure and the potential for long-term harm to affected individuals.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source is time-consuming, challenging, and simply not feasible for most teams, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen lets your SOC team follow the latest posts of threat actors and groups, filtered by targeted country or industry.
