Medline & Treasure Coast Data Claims, Stealer Log Search Service ‘LogSearch Bot’, Windows Exploit Offers
SOCRadar’s Dark Web Team identified fresh underground listings this week claiming patient PHI from Medline Europe and Treasure Coast Cardiology, a stealer-log search service offering access to billions of records, and LPE exploits advertised for multiple Windows versions. The posts included a 50-line PHI sample claim, feature promises for the LogSearch Bot, and high-priced exploit offers with source code options. All findings are actor claims and remain unverified, but they could enable identity theft, account takeover, and targeted intrusions if true.
Alleged Database of Medline Europe is on Sale

SOCRadar Dark Web Team detected a new post allegedly offering access to data related to Medline Europe and Treasure Coast Cardiology. According to the threat actor’s claims, the listing includes patient Protected Health Information (PHI) such as names, dates of birth, Social Security Numbers (SSNs), addresses, insurance details, and GE MUSE 12-lead electrocardiogram (EKG) reports. The post also references Medicare claims and internal Allscripts and Medicare Beneficiary Identifier (MBI) documentation.
Medline Europe is a medical supply and healthcare solutions provider operating across Europe, while Treasure Coast Cardiology is a cardiology clinic based in Florida, United States. The threat actor alleges that the breach occurred through outdated Allscripts and MUSE databases and insists that the data is not part of a honeypot. The dataset is reportedly offered for $500 in Bitcoin, with Monero also accepted and escrow required. A 50-line PHI sample index is allegedly provided as proof. All information comes solely from the threat actor’s statements and remains unverified at this stage.
Alleged Stealer Log Sale is Detected

SOCRadar Dark Web Team detected a new advertisement promoting a stealer-log search service referred to as LogSearch Bot. The threat actor claims the platform provides access to more than 10 billion compromised records, with continuous daily growth. The service allegedly allows users to search the data by multiple identifiers, including email addresses, phone numbers, usernames or Discord IDs, IP addresses, domains, passwords or password hashes, and other personal credentials.
According to the post, subscribers can retrieve original stealer log files containing autofill data, passwords, browser information such as cookies, history, and saved cards, along with system details and files extracted from compromised devices. The threat actor also advertises planned features, including Telegram and Discord file access, real-time alerts for new data breaches, and location lookups for individuals in the United States and the European Union.
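The identifier-based lookups the advertisement describes are the same ones a defender wants to run over a stealer-log dump obtained legitimately (for example from a takedown or an incident): is any of our domains, users or egress IPs in it, and which credentials are reused across sites? The block below is an added example written for this report; it is not SOCRadar's code and not the LogSearch Bot itself. The record layout (URL / USER / PASS / IP blocks separated by a blank line) and the sample records are constructed assumptions modelled on the plain-text credential files many stealer families produce; real dumps vary by family, so the parser is the part you would adapt.

```python
"""Added example (not the page's or SOCRadar's code): index a stealer-log
credential dump by the identifier types listed in the advertisement
(email/username, domain, IP, password or hash) and query it offline.

Assumptions: the URL/USER/PASS/IP block layout below and the sample
records are constructed for this example; they are not real data."""

import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample dump: one credential per block, blank-line separated.
SAMPLE_LOG = """\
URL: https://mail.example-hospital.org/owa/
USER: j.doe@example-hospital.org
PASS: Winter2024!
IP: 203.0.113.7

URL: https://portal.example-bank.com/login
USER: jdoe77
PASS: hunter2
IP: 203.0.113.7

URL: https://discord.com/login
USER: jdoe77
PASS: Winter2024!
IP: 198.51.100.23
"""


def sha256_hex(value: str) -> str:
    """Hex SHA-256 of a string; used so the index never holds plaintext passwords."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def domain_suffixes(host: str):
    """mail.example.org -> {mail.example.org, example.org}; bare TLDs are skipped."""
    labels = host.lower().strip(".").split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)}


def parse_records(text: str):
    """Parse KEY: value blocks into normalized records; blocks missing USER/PASS are dropped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().upper()] = value.strip()
        if "USER" not in fields or "PASS" not in fields:
            continue
        user = fields["USER"]
        records.append({
            "url": fields.get("URL"),
            "host": (urlsplit(fields.get("URL", "")).hostname or "").lower(),
            "user": user.lower(),
            "email_domain": user.split("@", 1)[1].lower() if "@" in user else None,
            "password_sha256": sha256_hex(fields["PASS"]),  # hash only, never plaintext
            "ip": fields.get("IP"),
        })
    return records


def build_index(records):
    """Inverted index keyed by (identifier_type, value), mirroring the advertised lookups."""
    index = defaultdict(set)
    for i, r in enumerate(records):
        index[("user", r["user"])].add(i)
        index[("hash", r["password_sha256"])].add(i)
        if r["ip"]:
            index[("ip", r["ip"])].add(i)
        # A query for example.org should hit mail.example.org and j.doe@example.org.
        domains = domain_suffixes(r["host"])
        if r["email_domain"]:
            domains |= domain_suffixes(r["email_domain"])
        for d in domains:
            index[("domain", d)].add(i)
    return index


def search(index, records, kind: str, value: str):
    """kind is one of user, domain, ip, hash, password; plaintext passwords are hashed first."""
    if kind == "password":
        kind, value = "hash", sha256_hex(value)
    elif kind in ("user", "domain"):
        value = value.lower()
    return [records[i] for i in sorted(index.get((kind, value), ()))]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    idx = build_index(recs)
    for r in search(idx, recs, "domain", "example-hospital.org"):
        print(r["user"], r["url"], r["ip"])
    # Password reuse: the same hash appearing under two different hosts.
    print(len(search(idx, recs, "password", "Winter2024!")), "records share that password")
```

Querying by `password` hashes the value before lookup, so an analyst can test a known-compromised password (or be handed a hash by another team) without the plaintext ever being written into the index. The suffix expansion on domains is what makes a single corporate-domain query surface both webmail hosts and employee email addresses in one pass.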
Alleged LPE Exploits are on Sale for Microsoft Windows

SOCRadar Dark Web Team detected a new listing offering Local Privilege Escalation (LPE) exploits for Microsoft Windows. The threat actor advertises two separate lots: a zero-day LPE claimed to affect desktop Windows 7 through Windows 11 and Server 2012 through Server 2025, supplied with C++ source code and priced at $150,000 per buyer; and a one-day LPE said to work on desktop Windows 8 through Windows 11 and Server 2012 through Server 2025, with a referenced advisory for CVE-2025-24990. The post lists $2,000 for a build-only delivery and $10,000 for source code plus technical details. Because a one-day targets a flaw for which a vendor fix already exists, the second lot is only useful against unpatched hosts; defenders can check the referenced CVE in the Microsoft Security Update Guide and confirm the corresponding update is deployed. The zero-day claim, like the rest of the listing, is unverified.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources manually is not feasible: it is time-consuming, challenging, and a single mistaken click can result in a malware infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen lets your SOC team follow the latest posts of threat actors and groups, filtered by targeted country or industry.
