PSN Satellite Data Re-Listed, CryptoRipper Tool, and Chromium 0-Day Advertised

SOCRadar’s Dark Web Team observed several new underground listings this week, including a re-surfaced data sale claim involving Indonesian satellite operator PT Pasifik Satelit Nusantara, the distribution of a cryptocurrency-stealing malware tool named “CryptoRipper”, and an auction offering Canadian credit card records. Another post advertised a high-priced zero-day exploit allegedly targeting Chromium-based browsers.

Receive a Free Dark Web Report for Your Organization:

Alleged Database of PT Pasifik Satelit Nusantara is on Sale

The SOCRadar Dark Web Team has detected a new listing for a massive 92 GB dataset belonging to PT Pasifik Satelit Nusantara (PSN), the premier satellite operator in Indonesia. Intelligence analysis indicates that this is a re-surfaced claim rather than a fresh breach event. The same threat actor previously listed this identical dataset on a different underground forum in May 2025. The archive purportedly contains sensitive technical documents related to the SNL N5 satellite project and involves partners such as Boeing, SpaceX, and Kratos. Notably, the threat actor has significantly lowered their financial demands. While the original listing in May sought 10 Bitcoin, the current asking price has been reduced to 3 Bitcoin.

The price reduction of approximately 70 percent combined with the re-listing of the data suggests that the threat actor struggled to monetize the dataset during the initial offering. This behavior often indicates that the data may have already been sold privately or is no longer considered exclusive.

New Crypto Ripper Stealer Tool Share is Detected

The SOCRadar Dark Web Team has detected the distribution of a malicious tool named Crypto Ripper. According to the post, this malware is designed to silently exfiltrate a wide variety of cryptocurrencies, including Bitcoin, Ethereum, and Monero, from infected devices. The tool includes a builder feature, allowing attackers to generate custom executables with ease. To ensure prolonged access, it employs persistence mechanisms such as registry modifications and startup shortcuts, alongside anti-kill features to resist process termination.

Alleged 30K Credit Cards Belonging to Canada are on Sale

The SOCRadar Dark Web Team has detected a new auction on a hacker forum where a threat actor is selling a dataset containing approximately 30,000 records related to Canadian individuals. The seller describes the data as having a low validity rate, estimated at only two percent active cards. Despite the lack of functional financial instruments, the dataset provides comprehensive personal information.

The compromised records include Credit Card numbers, expiration details, security codes, full names, physical addresses, and phone numbers. The actor specifies that a subset of 5,000 records also contains the date of birth for the victims, while the remaining majority lacks this field. The auction is established with a starting bid of $1,200, and an immediate purchase option is available for $1,500.

Alleged 0-Day Exploit Sale is Detected for Chromium

The SOCRadar Dark Web Team has detected a high-value listing where a threat actor is offering a Zero-Day exploit targeting Chromium-based browsers, including the latest versions of Google Chrome. The threat actor claims this tool, provided as a Windows executable, can forcibly redirect all user search queries to a custom URL chosen by the attacker.

The most significant aspect of this offer is the alleged ability to bypass App-Bound Encryption, a security feature designed to prevent software from tampering with browser settings. The threat actor is asking for $250,000 for this exploit, targeting buyers in the ad-tech and affiliate marketing sectors who wish to monetize hijacked search traffic. The deal is strictly conditional on using the forum’s escrow service.

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible, which can be time-consuming and challenging. One click-by-mistake can result in malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow up with the latest posts of threat actors and groups filtered by the targeted country or industry.