Quick Summary
Executive Summary
Maglificio Liliana has been identified as a victim on the Stormous ransomware group’s dark web portal, with the listing published on June 24, 2026. The exact sector and country for Maglificio Liliana were not recorded in SOCRadar’s dataset. However, based on its exposed infrastructure, it is inferred to be a business-to-business supplier in the commerce or manufacturing sector. This listing is part of a cluster of Stormous targets in the retail and e-commerce sectors on the same day. Stormous has claimed approximately 18 victims in the 60 days prior to this listing, with a focus on consumer services, business services, and financial services. Geographically, their victims are spread across Mexico, Italy, and Vietnam. Previous Stormous victims with a similar profile to Maglificio Liliana include Impulso Store, Montechiaro Store, Lorenzoni Store, and FANASA.COM.
Technical Analysis
SOCRadar’s analysis of stealer logs revealed limited exposure for the maglificioliliana.com domain. The data contained seven records related to the organization’s business-to-business and order portals. These records used masked, non-email handles, suggesting they belonged to external customers or partners rather than corporate employees. No corporate employee credentials or identity provider endpoints were found. The reuse of one handle across multiple timestamps and URLs indicates potential credential reuse or persistent access to the B2B portal. These records, spanning from July 2025 to March 2026, point towards customer account takeovers or supplier risk rather than internal workstation compromises.

For ransomware groups like Stormous, credentials harvested by information stealers are a known initial access vector. Threat actors source these logs, validate corporate credentials, and use them to access systems before deploying ransomware. The observed exposure is limited to external-facing B2B portal accounts. This does not confirm Stormous’s use of these credentials or a corporate network intrusion. The masked nature of the handles leaves the initial access question open. Continued monitoring for corporate domain credentials, together with reviews of B2B portal access, is recommended.
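The triage reasoning above can be expressed as a small script. This is an added example, not SOCRadar's tooling or data: the records are constructed, `example.com` stands in for the monitored domain, and the identity provider host labels and suffixes are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

CORP_DOMAIN = "example.com"                  # placeholder for the monitored domain
IDP_LABELS = {"sso", "adfs", "idp", "login"}  # assumed first host labels of an IdP
IDP_SUFFIXES = (".okta.com", ".microsoftonline.com")  # assumed hosted IdP domains

# Constructed sample records, not real data: (capture date, URL, masked handle)
RECORDS = [
    ("2025-07-14", "https://b2b.example.com/login", "cl****01"),
    ("2025-11-02", "https://orders.example.com/account", "cl****01"),
    ("2026-03-09", "https://b2b.example.com/login", "ri****7"),
]

def is_idp(host):
    """True when the host looks like an identity provider endpoint."""
    return host.split(".")[0] in IDP_LABELS or host.endswith(IDP_SUFFIXES)

def triage(records, corp_domain=CORP_DOMAIN):
    """Separate corporate exposure from external portal accounts."""
    sightings = defaultdict(list)
    employees, idp_urls = set(), set()
    for date, url, handle in records:
        host = (urlsplit(url).hostname or "").lower()
        sightings[handle].append((date, url))
        # A handle that is an address at the corporate domain is an employee login.
        if handle.lower().endswith("@" + corp_domain):
            employees.add(handle)
        if is_idp(host):
            idp_urls.add(url)
    # Reuse: the same handle captured on more than one date and more than one URL.
    reused = sorted(
        h for h, seen in sightings.items()
        if len({d for d, _ in seen}) > 1 and len({u for _, u in seen}) > 1
    )
    corporate = bool(employees or idp_urls)
    return {
        "employee_handles": sorted(employees),
        "idp_urls": sorted(idp_urls),
        "reused_handles": reused,
        "assessment": "corporate exposure" if corporate
                      else "external portal accounts only",
    }

if __name__ == "__main__":
    print(triage(RECORDS))
```

A result of "external portal accounts only" with a non-empty `reused_handles` list matches the pattern described above and supports prioritizing a B2B portal access review for those accounts.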