Weapon Bot Toolkit, MadLicense Exploit Demand, and 413K Credit Cards Observed
SOCRadar’s Dark Web Team identified multiple underground posts this week, including a major auction for global credit card records, a buyer seeking a weaponized PoC for the Windows MadLicense vulnerability (CVE-2024-38077), and the sale of a new multifunctional malware framework known as Weapon Bot. Another post requested valid KeyBank credentials for purchase.
Alleged 413K Credit Cards of Several Countries are on Sale

The SOCRadar Dark Web Team has detected a significant new auction on the prominent Russian-language forum Exploit where a threat actor is selling a massive dataset comprising approximately 413,000 credit card records. The seller indicates that this collection is a consolidation of data previously circulating on other well-known underground marketplaces, spanning 161 countries. The vast majority of the exposed cards belong to cardholders in the United States and Canada, followed by significant numbers from Malaysia, Singapore, and various European nations.
The sale is structured as an auction, with a set starting bid and an immediate purchase option for buyers seeking instant access. To incentivize the purchase, the threat actor offers a complimentary subscription to a card validity checking service, acknowledging that the database contains a mix of active and inactive cards. The seller admits to a relatively low validity rate based on random sampling, suggesting the data is intended for bulk processing rather than high-value individual fraud.
CVE-2024-38077 Exploit Purchasing Announcement is Detected for Windows Remote Desktop Licensing Service

The SOCRadar Dark Web Team has detected a specific purchasing request on a hacker forum wherein a threat actor is actively seeking a fully functional Proof of Concept (PoC) for CVE-2024-38077. This vulnerability, widely known as MadLicense, is a critical Remote Code Execution (RCE) flaw affecting the Windows Remote Desktop Licensing Service.
The buyer asserts that the publicly available exploit code is incomplete or ineffective on updated systems. Consequently, they are soliciting a weaponized version capable of successfully compromising Windows Server 2016, Windows Server 2019, and Windows Server 2022. The individual requires video evidence demonstrating the exploit’s efficacy on these specific operating system versions and has expressed a willingness to utilize forum escrow services to finalize the transaction.
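Because the request above targets the Windows Remote Desktop Licensing Service, the first thing a defender wants to know is which of their servers actually run that service and whether they are patched. The following PowerShell inventory check is an added example written for this summary; it is not code from SOCRadar or from the report. It assumes the standard Windows service name `TermServLicensing` and the Server Manager feature name `RDS-Licensing`, and the KB identifier is a placeholder to be replaced with the applicable update for each OS build.

```powershell
# Added example (not part of the SOCRadar report): inventory whether the
# Remote Desktop Licensing service affected by CVE-2024-38077 is present on
# this host and whether the corresponding security update is installed.
# Run from an elevated PowerShell session on Windows Server.

$svc = Get-Service -Name 'TermServLicensing' -ErrorAction SilentlyContinue

if ($null -eq $svc) {
    Write-Output 'Remote Desktop Licensing service is not installed; CVE-2024-38077 does not apply to this host.'
    return
}

Write-Output ('Remote Desktop Licensing service present: Status={0}, StartType={1}' -f $svc.Status, $svc.StartType)

# On Windows Server, confirm the role service through Server Manager cmdlets
# (Get-WindowsFeature is only available on Server SKUs).
if (Get-Command -Name Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name 'RDS-Licensing' | Select-Object Name, InstallState
}

# Patch state: KBXXXXXXX is a placeholder. Replace it with the security update
# identifier Microsoft lists for CVE-2024-38077 for this OS version.
$kb = 'KBXXXXXXX'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Output "Update $kb is installed."
} else {
    Write-Output "Update $kb not found; verify the patch level of this server before relying on it."
}

# If the host does not need to issue RDS client access licenses, the service
# is a candidate for removal, which eliminates the exposure entirely.
```

Run it across the server estate (for example via `Invoke-Command` with a computer list) and treat any host where the service is running and the update is missing as a priority for patching or for removing the role service if it is not needed.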
New Weapon Bot/Stealer Tool Sale is Detected

The SOCRadar Dark Web Team has detected a new listing for a sophisticated malware framework referred to as the Weapon Bot. This tool represents an evolution from a standalone information stealer into a multifunctional botnet designed for high persistence and evasion. The developer purportedly utilizes a hybrid architecture combining Node.js, Rust, and PowerShell, packaging the malicious payload within Microsoft Installer (MSI) files.
The threat actor highlights the strategic advantage of the MSI format, asserting that it maintains a low detection rate against endpoint security solutions over extended periods. The malware reportedly features capabilities to bypass modern Endpoint Detection and Response systems and Windows Defender. It includes a modular Rust-based stealer component capable of exfiltrating sensitive browser data, cryptocurrency wallet seeds, and session tokens from messaging platforms like Discord and Telegram. Additionally, the tool offers a modern administration panel built on Next.js with Docker deployment support to streamline campaign management.
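The seller's claim that MSI packaging keeps detection rates low is a reason to look at installer activity directly rather than relying only on signature hits. The Windows Installer service records every product installation in the Application event log, so a short audit of recent installs gives a defender a list to review against approved software. The check below is an added example written for this summary, not code from SOCRadar or from the malware's author; it assumes the standard `MsiInstaller` provider and its event IDs 1033 (product installed) and 11707 (installation completed successfully), and the seven-day window is an arbitrary constructed value.

```powershell
# Added example (not part of the SOCRadar report): list MSI product
# installations recorded by the Windows Installer service during the last
# seven days so they can be compared against an approved-software list.
# Run from an elevated PowerShell session on the endpoint being reviewed.

$since = (Get-Date).AddDays(-7)   # constructed review window

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1033, 11707
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Windows Installer product events since $since."
    return
}

# Event 1033 carries product name, version and manufacturer as separate
# properties; 11707 only carries the free-text message. Normalise both into
# one table so the output is easy to diff against an allow-list.
$events | ForEach-Object {
    $e = $_
    if ($e.Id -eq 1033) {
        [pscustomobject]@{
            Time         = $e.TimeCreated
            EventId      = $e.Id
            Product      = $e.Properties[0].Value
            Version      = $e.Properties[1].Value
            Manufacturer = $e.Properties[4].Value
        }
    } else {
        [pscustomobject]@{
            Time         = $e.TimeCreated
            EventId      = $e.Id
            Product      = $e.Message
            Version      = ''
            Manufacturer = ''
        }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Installs with an empty or unfamiliar manufacturer, or products that do not appear in the organisation's software inventory, are the entries worth investigating first; pairing this list with the `Uninstall` registry keys or the endpoint agent's process telemetry shows what the installer actually dropped.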
Log Data Purchasing Announcement is Detected for KeyBank

The SOCRadar Dark Web Team has identified a specific purchasing announcement on an underground forum where a threat actor is soliciting valid credentials for KeyBank, a major US-based financial institution headquartered in Cleveland, Ohio. The individual is specifically targeting the bank’s dedicated online banking login portal, utilized by both personal and small business clients.
The threat actor has established a pricing tier ranging from $10 to over $500 per log, contingent on the account’s quality or available balance. The request explicitly specifies the user:pass format, indicating a demand for raw credential pairs or stealer logs that facilitate direct account access. The actor directs potential sellers to contact them via the forum for negotiation, emphasizing adherence to the platform’s rules regarding transaction security.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats is extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source by hand is not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar's DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by the targeted country or industry.
