Alleged Police Tipline Data Sale, iOS and Adobe Exploits, RDWeb Access Listings, and Gunra Recruitment
SOCRadar’s Dark Web Team identified several new underground posts this week, including an alleged sale of U.S. and Canada tipline database records, claims of high-end exploitation tooling for iOS and Adobe Reader, and multiple RDWeb access listings marketed with elevated privileges. Another post promoted recruitment for a ransomware affiliate program, signaling continued activity around ransomware-as-a-service style operations.
The Alleged Data of American Police is on Sale

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising an alleged dataset described as United States and Canada tipline databases, referenced as originating from P3Global / CrimeStoppers.
According to the listing, the dataset contains 8.3 million records and includes anonymous crime tips alongside associated suspect or tipster data fields such as names, addresses, phone numbers, email addresses, and Social Security number references. The seller presented the sale as an auction with a $5,000 start, a $200 step, and a $12,000 “blitz” price, and claimed they would use a guarantor.
Threat Actor Claims to Be Selling Full-Chain Exploit for iOS 18 Through 18.7 and GhostBlade Stealer

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising an alleged “full-chain exploit” targeting iOS 18 through 18.7, bundled with a stealer referenced as GhostBlade.
The threat actor claimed the package enables one-click compromise through a browser-based attack path and advertised broad access to device data after compromise, including messaging content, account artifacts, and other sensitive information. The post listed a $50,000 negotiable price point and requested private contact for details and proof.
Unauthorized RDWeb Access Sales are Detected for Many Companies

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising multiple RDWeb access listings tied to organizations across different sectors and regions.
The post advertised access to a telecommunications company in Austria with claimed cloud admin privileges, an insurance company in India with similar privileges, and a legal services organization in the United States with claimed domain admin privileges. The listing also referenced various AV/EDR solutions in the target environments, which suggests the actor aimed to market the accesses as high-value initial footholds suitable for follow-on activity.
The Alleged 0-Day Exploit Sale is Detected for Adobe Acrobat Reader

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising an alleged Adobe Acrobat and Reader exploit described as a “0day/1day” PDF-based capability.
According to the post, the seller claimed the exploit targets Adobe’s JavaScript handling and enables code execution through a crafted PDF file that appears legitimate. The actor also claimed the sale would be exclusive to a single buyer, handled via a guarantor, and would include documentation and proof-of-concept material shared privately.
This dark web activity adds more urgency to the risks discussed in our blog on CVE-2026-34621, where Adobe confirmed in-the-wild exploitation and released emergency fixes for Acrobat and Reader. In that context, the alleged sale may reflect growing attacker interest in PDF-based exploitation and reinforces the need for organizations to patch quickly and monitor related exploit chatter closely.
Recruitment for the Gunra Ransomware Affiliate Program 2026 is Detected

SOCRadar Dark Web Team detected a threat actor post on a dark web forum promoting recruitment for the Gunra ransomware affiliate program.
The post claimed multi-platform support across Windows and Linux architectures, referenced strong encryption, and advertised an affiliate panel and negotiation support. The actor also described a revenue-share model and stated operational restrictions excluding CIS countries, which aligns with patterns often seen in ransomware affiliate recruitment and program rules.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source is simply not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by the targeted country or industry.
