SOCRadar® Cyber Intelligence Inc. | Dark Peep #5: The Calm Before the Storm
Nov 16, 2023

Dark Peep #5: The Calm Before the Storm

On the dark web, the weather has closed in, the thunder is rumbling, and the wind is picking up. Chaos is coming. Ahem, not that chaos: ChaosSec is coming(!)

Let’s take a look at the interesting events the SOCRadar team has been observing on the Dark Web as of late.

Welcome to Dark Peep #5:

Illustration of the calm before the storm (generated using DALL-E 3)

#TangoDowned!

Anonymous Global shared a website to mobilize a hacktivist operation against Israeli targets.

Anonymous Global's Telegram message

This cyber call-to-arms by Anonymous Global, draped in digital bravado, sought to marshal the online masses with a “SAVE PALESTINE” clarion call. Yet, for all its rallying cries and click-to-attack simplicity, the operation fizzled out like a weak signal on a sturdy firewall. Intended to be a virtual juggernaut, the campaign instead became a footnote in the annals of hacktivism, a “TANGO DOWN” that couldn’t find its rhythm. In the end, the operation’s only ‘burn’ was perhaps the embarrassment of a plan that couldn’t quite hack it in the grand cyber dance-off.

GhostLocker keeps innovating

With its latest update, GhostLocker is making waves in the RaaS (Ransomware as a Service) sector, touting a suite of advanced features and an enticing affiliate program. The recent overhaul introduces a modernized user interface with in-depth analytics and built-in communication tools designed to streamline the nefarious process of digital extortion. The newly metamorphosed stub promises fully undetectable (FUD) operations, powered by a so-called Metamorphic engine known for rapid encryption capabilities.

GhostLocker's latest update

More insidiously, GhostLocker now has a victims tab, a grim addition that allows attackers to monitor the status of their cyber hostages. But innovation doesn’t stop at software architecture; GhostLocker’s creators have concocted an affiliate scheme designed to expand their reach. By offering a bounty for referrals and a lifetime commission on ransoms collected from referred sales, they’re not just selling a product but recruiting a sales force of digital marauders. But among the most remarkable features is that GhostLocker will sell the data that customers breach at no additional charge.

Announcement from GhostLocker

This business model echoes legitimate market strategies, twisting them into a dark mirror version of the RaaS space. With sales open for a limited time and a cap on the number of copies sold, GhostLocker is positioning itself as a premium, albeit illicit, service in the cybercrime landscape. It’s clear that as cybersecurity defenses evolve, so too do the tactics and tools of those intent on breaching them.

ACEH and its breaks

The famous ACEH, which has been featured in many of our Dark Peep issues, announced that it is taking a break again, then suddenly came back with a statement attacking India and America.

ACEH notifies about a break

Doesn’t ACEH take breaks rather often? Is ACEH studying history before each attack (a time-consuming task), or is it taking breaks because of its full-time job?

The calm before the storm, chaos is charging…

ChaosSec is clearly up to something; with a short Telegram post, it foreshadows big things to come:

ChaosSec’s Telegram post states, “Silence, a sign of something big.”

We would like to take this opportunity to thank ChaosSec for citing us as a source:

You can reach our Cloudflare Protection Bypass Vulnerability article here.

You should only be scammed by real threat actors, not the fake ones!

SP CRYPTER sells its product for $99 as a one-time purchase and warns against scammers impersonating it. Remember, if you’re going to get scammed, get scammed by the originals, not the fake ones.

SP CRYPTER warns about scams

A quiet return

Bjorka, who has been on vacation (or on the run) for a while, finally broke her silence and announced her return with a sweet Telegram post. Bjorka, isn’t that a little too quiet? No one can hear you, shout it out!

Bjorka has returned

Well, it seems Telegram doesn’t like some of the hacktivists

Garnesia Team released a statement saying that, due to reports, its channel is no longer accessible and that it is continuing operations through two new channels.

Telegram message of Garnesia Team

BlackForums is evolving!

BlackForums 2.0 will be released on December 1st and will include reputation scores for threat actors, a business rating (very important for trust in collaborative crimes!) and a new theme, according to a Telegram post by BlackForums administrator Chief Astounding.

Announcement from BlackForums, for BlackForums 2.0

Goodbye to RansomedVC

Under the “End of an Era, the Sinking of Ransomed.VC” heading of our Ransomed.VC article, we mentioned that Ransomed could not be sold and that the project was stopped after 6 people were arrested.

Following these events, a new threat actor, RansomCorp, emerged on November 10 with a post on BreachForums claiming to have breached Discord:

RansomCorp’s BreachForums post about the breach of Discord (Source: X)

However, after researchers analyzed the dataset and showed that the data did not belong to Discord, the BreachForums admins banned the user’s account, stating that RansomCorp was actually RansomedVC. Ransomed’s second birth was thus ruined, which is a pity…

RansomCorp’s banned BreachForums profile (Source: X)

Jobs where you’d be a top applicant

177 Members Team and CsCrew, the not-so-corporate headhunters of the dark web, are scouting for new cybercriminals for their teams. So, if your keyboard is your cutlass and you’ve never walked the plank in the .my or .id waters, you might just find yourself a “Linked” contender for their next online odyssey. Just don’t expect a LinkedIn endorsement for these roles; the only networking here is done behind a veil of VPNs.

Recruitment posts by 177 Members Team and CsCrew

A little suspicion: both groups use the same posting template and are looking for fresh blood for the same roles. Don’t you think that’s strange?

Was the house raided or was the key forgotten?

8BASE announced that it has updated its onion site. Was it a stealthy maneuver following a close shave with a raid, or did someone simply fumble the old URL after one too many espressos?

8Base updates its onion site

StarsX goes into hibernation

StarsX Team is hitting the ‘BRB’ button harder than a teenager dodging chores. In a world where the online never sleeps, these folks are tucking in their servers for a long winter’s nap.

StarsX goes into hiatus

“Busy with real-world affairs,” they say, perhaps the digital realm’s equivalent of “my dog ate my homework.” With no admins to steer the ship, they’re essentially hanging a “Gone Phishing” sign on their homepage. So here’s to the StarsX team; may their offline adventures be as grand as the online escapades they’re pausing.

Let’s just hope they remember their passwords come the New Year, and let’s end the fifth issue of Dark Peep here.

The Dark Web is not at rest, and we don’t expect it to slow down. You can use Dark Web News in SOCRadar XTI’s Cyber Threat Intelligence module to keep up to date with developments on the Dark Web:

SOCRadar XTI’s Dark Web News page under the CTI Panel (Source: SOCRadar)