Alleged WordPress 0-Day, HMG Patient Data, Astra Files, OnlineSkills Leak, and RDWeb Access
SOCRadar Dark Web Team identified several new underground posts, including an alleged WordPress plugin zero-day privilege escalation exploit, a claimed 452,578-record patient database tied to Dr. Sulaiman Al Habib Medical Group, and alleged defense-related data from India’s Astra missile program. Other posts involved an OnlineSkills.ru database leak and an alleged RDWeb access auction targeting a U.S. telecommunications equipment supplier.
Receive a Free Dark Web Report for Your Organization:
Alleged WordPress Plugin 0-Day Privilege Escalation Exploit is Offered for Sale

SOCRadar Dark Web Team detected a threat actor post advertising an alleged zero-day privilege escalation vulnerability affecting a WordPress plugin with more than 10,000 installations.
The seller claimed the flaw was found on July 6 and allows privilege escalation to Administrator level. According to the listing, exploitation requires an authenticated user with the create_users capability, but not necessarily an administrator role. The actor assigned the vulnerability a CVSS 3.1 score of 8.8 and offered the exploit through an auction with a $1,500 start, $500 step, and $10,000 blitz price.
If authentic, this type of vulnerability could allow attackers to take over affected WordPress sites, modify content, create privileged accounts, or deploy malicious plugins and backdoors.
Alleged HMG Patient Records Database is Offered for Sale

SOCRadar Dark Web Team detected a post claiming the sale of patient data allegedly tied to Dr. Sulaiman Al Habib Medical Group (HMG) in Saudi Arabia.
The actor claimed to have found 452,578 patient records, with no duplicate patient records, and listed fields such as patient ID, full name, gender, age, email, appointment number, setup ID, identification number, date of birth, mobile number, coordinates, payment-related amounts, service IDs, order details, report information, biological details, and container-related fields.
The database was offered for $2,500, marked as negotiable. If authentic, the exposure could create serious risks for affected patients, including identity theft, medical fraud, targeted phishing, and privacy violations.
Alleged Astra Missile Program Data is Offered for Sale

SOCRadar Dark Web Team detected a post advertising alleged data linked to India’s Astra air-to-air missile program, described as developed by DRDO and BDL.
The seller claimed the dataset includes information on MK-1 and MK-2 versions, contracts and deals, quantities, Indian Air Force stations receiving Astra missiles, integration details, and blueprints. The post listed the data size as 1.7GB and set the price at $1,500.
If authentic, the claimed exposure would be highly sensitive due to the potential inclusion of defense-related technical documentation and operational deployment information.
Alleged OnlineSkills.ru Database Leak is Detected

SOCRadar Dark Web Team detected a post claiming a leaked database from onlineskills.ru, with the actor stating that the breach exposed 1.5 million records.
The listed data included full names, email addresses, phone numbers, physical addresses and location data, payment information and amounts, order composition, task details, subscription status, registration dates, CRM IDs, and customer comments. The actor described the file as CSV format, with a compressed size of 82.7 MB and an uncompressed size of 648 MB.
If authentic, the exposed customer and payment-related information could support phishing, fraud, and targeted social engineering against users of the platform.
Alleged RDWeb Access to a U.S. Telecommunications Supplier is Auctioned

SOCRadar Dark Web Team detected an auction post advertising alleged RDWeb access to a U.S.-based company described as a telecommunications equipment and solutions supplier.
The seller claimed the access had domain user permissions, around 50 LDAP hosts, and Windows Defender running on the login machine. The auction terms included a $1,000 start, $100 step, and $1,500 blitz price, with the auction ending 24 hours after the last bid.
If valid, this access could provide an initial foothold for further compromise, including lateral movement, data theft, or ransomware deployment.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible, which can be time-consuming and challenging. One click-by-mistake can result in malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow up with the latest posts of threat actors and groups filtered by the targeted country or industry.
