Dark Peep #5: The Calm Before the Storm
On the dark web, the weather has closed, the thunder is rumbling, and the wind is picking up. Chaos is coming, ahem, not that chaos, ChaosSec is coming(!)
Let’s take a look at what interesting events the SOCRadar team has been observing on the Dark Web as of late.
Welcome to Dark Peep #5:
Anonymous Global shared a website to mobilize a hacktivist operation against Israeli targets.
This cyber call-to-arms by Anonymous Global, draped in digital bravado, sought to marshal the online masses with a “SAVE PALESTINE” clarion call. Yet, for all its rallying cries and click-to-attack simplicity, the operation fizzled out like a weak signal on a sturdy firewall. Intended to be a virtual juggernaut, the campaign instead became a footnote in the annals of hacktivism, a “TANGO DOWN” that couldn’t find its rhythm. In the end, the operation’s only ‘burn’ was perhaps the embarrassment of a plan that couldn’t quite hack it in the grand cyber dance-off.
GhostLocker keeps innovating
With its latest update, GhostLocker is making waves in the RaaS (Ransomware as a Service) sector, touting a suite of advanced features and an enticing affiliate program. The recent overhaul introduces a modernized user interface with in-depth analytics and built-in communication tools designed to streamline the nefarious process of digital extortion. The newly metamorphosed stub promises fully undetectable (FUD) operations, powered by a so-called Metamorphic engine known for rapid encryption capabilities.
More insidiously, GhostLocker now has a victims tab, a grim addition that allows attackers to monitor the status of their cyber hostages. But innovation doesn’t stop at software architecture; GhostLocker’s creators have concocted an affiliate scheme designed to expand their reach. By offering a bounty for referrals and a lifetime commission on ransoms collected from referred sales, they’re not just selling a product but recruiting a sales force of digital marauders. But among the most remarkable features is that GhostLocker will sell the data that customers breach at no additional charge.
This business model echoes legitimate market strategies, twisting them into a dark mirror version of the RaaS space. With sales open for a limited time and a cap on the number of copies sold, GhostLocker is positioning itself as a premium, albeit illicit, service in the cybercrime landscape. It’s clear that as cybersecurity defenses evolve, so too do the tactics and tools of those intent on breaching them.
ACEH and its breaks
The famous ACEH, which has been featured in many of our Dark Peep issues, announced that it is taking a break again, then suddenly came back with a statement attacking India and America.
Doesn’t ACEH take breaks very often? Is ACEH studying history before the attack, and it’s time-consuming or is it taking a break due to its full-time job?
The calm before the storm, chaos is charging…
ChaosSec will be up to something, so with a short Telegram post, it foreshadows big things to come:
We would like to take this opportunity to thank ChaosSec for sharing us as a source:
You should only be scammed by real threat actors, not the fake ones!
SP CRYPTER sells its product for $99 with a one-time purchase and warns against scams. Remember, if you’re going to get scammed, get scammed by the originals, not the fake ones.
A quiet return
Bjorka, who has been on vacation (or on the run) for a while, finally broke her silence and announced her return with a sweet Telegram post. Bjorka, isn’t that too quiet? No one can hear you, shout out!
Well, it seems Telegram doesn’t like some of the hacktivists
Garnesia Team released a statement saying that due to reports, their channel is no longer accessible and that they are continuing their operations through two new channels.
BlackForums is evolving!
BlackForums 2.0 will be released on December 1st and will include reputations of threat actors, a business rating (very important for trust in collaborative crimes!) and a new theme, according to a post on Telegram by BlackForums administrator Chief Astounding.
Goodbye to RansomedVC
In our Ransomed.VC article’s “End of an Era, the Sinking of Ransomed.VC” heading, we mentioned that Ransomed could not be sold and the project was stopped after 6 people were arrested.
Following these events, a new threat actor, RansomCorp, emerged on November 10 with a post on BreachForums claiming to have breached Discord:
However, after some researchers analyzed the dataset and disproved that the data belonged to Discord, the BreachForums admins banned the user’s account, saying that RansomCorp was actually RansomedVC. Ransomed’s second birth was thus ruined, which is a pity…
Jobs where you’d be a top applicant
177 Members Team and CsCrew, the not-so-corporate headhunters of the dark web, are scouting for new cybercriminals for their teams. So, if your keyboard is your cutlass and you’ve never walked the plank in the .my or .id waters, you might just find yourself a “Linked” contender for their next online odyssey. Just don’t expect a LinkedIn endorsement for these roles; the only networking here is done behind a veil of VPNs.
A little suspicion: Both groups have the same posting templates and are looking for fresh blood for the same roles, don’t you think it’s strange?
Was the house raided or was the key forgotten?
8BASE shared that the group updated its onion site. Was it a stealthy maneuver following a close shave with a raid, or did someone simply fumble the old URL after one too many espressos?
StarsX goes into hibernation
StarsX Team is hitting the ‘BRB’ button harder than a teenager dodging chores. In a world where the online never sleeps, these folks are tucking in their servers for a long winter’s nap.
“Busy with real-world affairs,” they say—perhaps the digital realm’s equivalent of “my dog ate my homework.” With no admins to steer the ship, they’re essentially hanging a “Gone Phishing” sign on their homepage. So here’s to the StarsX team, may their offline adventures be as grand as the online escapades they’re pausing.
Let’s just hope they remember their passwords come the New Year and let’s end the 5th issue of peep here.
The Dark Web is not at rest, and we don’t expect it to become slower. You can use Dark Web News in SOCRadar XTI’s Cyber Threat Intelligence module to keep up to date with developments on the Dark Web: