Alleged Discord Exploit Sale & WormGPT Database Leak Detected
SOCRadar’s Dark Web Team identified several new underground posts this week, including an alleged Discord zero-day RCE exploit sale, a claimed source code leak of the NOXIPOM ULTIMATE ransomware tool, and database breach claims involving Repediu and WormGPT.
Alleged Discord RCE 0-Day Exploit Sale

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising the sale of an alleged remote code execution zero-day targeting Discord. The threat actor lists the exploit for $900 and specifies desktop platform coverage across all architectures.
According to the post, the exploit is described as a protocol confusion vulnerability requiring a chained attack path and a single user interaction. The listing claims arbitrary code execution capability and requests private contact for additional technical details. Payment is requested in Monero.
Alleged Source Code of Ransomware Tool Is Leaked

SOCRadar Dark Web Team detected a threat actor post on a dark web forum claiming to leak the source code of a ransomware variant referred to as NOXIPOM ULTIMATE v4.0. The post states that the malware was initially distributed as an obfuscated Python script layered with multiple encoding stages to evade detection.
According to the description shared, the ransomware allegedly performs file encryption using a basic XOR routine with a hardcoded password and appends a custom extension to affected files. The threat actor characterizes the implementation as technically unsophisticated, despite heavy obfuscation intended to create the appearance of complexity. The post includes a download link for the decoded source code and frames the release as exposure rather than commercial sale.
Alleged Database of Repediu Is Leaked

SOCRadar Dark Web Team detected a threat actor post on a dark web forum alleging a database breach involving Repediu, a Brazil-based CRM and delivery management platform designed for restaurants to manage sales, customer loyalty, and automated service operations.
According to the listing, the alleged dataset includes three primary CSV files covering users, customers, and leads, with claims of approximately 21.4 million customer records, 1.2 million leads, and 2,633 user accounts. A shared sample shows structured CRM-style fields including names, phone numbers, email addresses, company identifiers, purchase metrics, and demographic attributes.
Alleged Database of WormGPT.AI Is Leaked

SOCRadar Dark Web Team detected a threat actor post on a dark web forum alleging a database leak involving WormGPT, a platform promoted in underground communities as an AI tool for offensive and phishing-related use cases. The threat actor claims the incident occurred in February 2026 and states that the database has been uploaded for public download.
According to the post, the alleged dataset contains records of more than 19,000 users and includes email addresses, payment-related data, subscription details, user identifiers, and additional account information. A screenshot was shared to support the claim.
Powered by DarkMirror™
Visibility into deep and dark web threats is valuable for actionable threat intelligence and digital risk protection. However, monitoring every source is not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen lets your SOC team follow the latest posts of threat actors and groups, filtered by targeted country or industry.
