SOCRadar® Cyber Intelligence Inc. | Riyadh Airports Access Claim, Golden Goose Trojan, and NEWSAN Leak Surface Online
Dec 01, 2025

Riyadh Airports Access Claim, Golden Goose Trojan, and NEWSAN Leak Surface Online

SOCRadar’s Dark Web Team identified several notable underground posts this week, including alleged unauthorized access to Riyadh Airports’ operational systems, a new malware loader called the Golden Goose Trojan, and multiple network access listings offered by an Initial Access Broker targeting companies in France, the United States, and Canada. Another post advertised an alleged NEWSAN customer database containing sensitive personal information.

Alleged Unauthorized Control Panel Access Sale is Detected for the Riyadh Airports

The SOCRadar Dark Web Team has detected a claim involving Riyadh Airports (RAC), the operator of Saudi Arabia’s King Khalid International Airport. A threat actor asserts they have compromised the internal network, granting them unauthorized access to critical infrastructure management systems. To support these allegations, video footage was released purportedly showing real-time navigation of the airport’s operational dashboards.

New Golden Goose Trojan Sale is Detected

The SOCRadar Dark Web Team has detected a new post on an underground forum advertising the sale of a malware loader dubbed the “Golden Goose Trojan.” The threat actor appears to be gauging demand for this new tool, which is positioned as a sophisticated loader capable of stealthy operations and persistence.

According to the listing, the Trojan offers advanced features such as customized pinning via vulnerable user applications and the ability to execute DLLs directly in memory, a technique often used to evade traditional antivirus detection by avoiding disk writes. The malware reportedly utilizes a private encrypted protocol based on the Diffie-Hellman (DH) key exchange for secure communication with its Command and Control (C2) server.

The post also describes a modern administration panel built on AngularJS and Bootstrap, providing operators with functionalities to list infected bots, terminate processes, upload/download files, and execute arbitrary code. The approximate subscription cost is listed at $700 per month.

Alleged Unauthorized Access Sale is Detected for Various Companies

The SOCRadar Dark Web Team has identified a series of new listings on an underground forum wherein a threat actor is commercializing unauthorized network access to three significant corporations. These entities are situated in France, the United States, and Canada, with reported annual revenues ranging from $689 million to over $1 billion.

The threat actor, operating as an Initial Access Broker (IAB), has detailed specific entry vectors and network specifications for each target. Notably, the listings reference the status of Endpoint Detection and Response (EDR) systems, implying that the access remains viable within these secured environments. The specifics of the compromised assets are as follows:

  • France (FR): Access to a corporation generating $950 million in revenue via VPN credentials. The network infrastructure includes 229 hosts, with a listing price of $1,900.
  • United States (USA): Access to an entity with $689 million in revenue via Citrix. The compromised network comprises 3,049 hosts, listed at $4,500.
  • Canada (CA): Access to a major enterprise with revenue exceeding $1 billion via Remote Desktop Protocol (RDP). This network encompasses 2,693 hosts, with a price point of $4,000.

All listings indicate that the compromised accounts possess “Domain User” privileges, which typically facilitate internal reconnaissance and potential lateral movement within the network.

Alleged Database of NEWSAN is on Sale

The SOCRadar Dark Web Team has detected a significant new data leak claim targeting Newsan, a leading Argentine electronics manufacturer and distributor. A threat actor has posted a database for sale on a cybercrime forum, asserting that it was exfiltrated directly from the company’s primary domain, newsan.com.ar. The dataset, allegedly containing 1.4 million rows of user information, is currently being offered for a price of $2,000 USD. The actor claims the leak includes over 900,000 unique telephone numbers and nearly 900,000 unique email addresses.

According to the alleged samples provided by the seller, the compromised data encompasses highly sensitive Personally Identifiable Information (PII). This includes Full Names, Dates of Birth, Physical Addresses (Street, City, Province, Postal Code), and National ID Numbers (DNI). Furthermore, the dataset reportedly exposes Social Media Profiles, Internal Customer IDs, and precise Geographic Coordinates (Latitude/Longitude).

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source is simply not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by the targeted country or industry.