From the Dark Seas of Cyberspace: Unraveling “Fun” Facts of the Dark Web
Just as today’s media is in motion every second, the world of the Dark Web is as turbulent as a raging sea, and the reason you don’t see it is that there aren’t many outlets for the news. As the SOCRadar team, we continue to keep up to date on this issue and in this blog post we have brought you the news that attracted our attention in the last month.
September – October
Ransomed’s relationship with BreachForums
Following this, BreachForums admin Baphomet published an announcement and made a statement to clear the air:
Baphomet reported that there is no formal partnership established with RansomedVC. The discussions between the two entities were purely exploratory, initiated after RansomedVC expressed an interest in active participation within BreachForums’ community and falsely conveyed a partnership via a blog post.
According to the Baphomet, BreachForums maintains a stringent policy against ransomware activities and victim harassment, focusing on ethical data sharing about breaches to inform and empower its users.
Baphomet underscores, “No partnership exists,” and insists discussions were solely around considering the feasibility of RansomedVC’s potential involvement, always safeguarding the community’s integrity and values.
Source code leak of HelloKitty Ransomware
As ransomware variant that has been active since late 2020 and is known for targeting Windows systems, HelloKitty Ransomware’s source code has been leaked on the XSS forum by kapuchin0 user:
The HelloKitty ransomware has been used in several high-profile attacks, including against a game development studio, CD Projekt Red.
SiegedSec, 8Base and Team_Herox are looking for a new house
SiegedSec announced in an Telegram post that their telegram channel has disappeared and they have started to share their posts on a new channel:
Ransomware group 8Base experienced the same situation on Twitter and announced a new Twitter channel:
Anonymous ally Team_Herox seems to be suffering from the same situation:
ThreatSec’s recruitment message
ThreatSec, a hacktivist who is part of Five Families (ThreatSec, GhostSec, Stormous, Blackforums, and SiegedSec), announced that they are hiring and are looking for people with skills in Network, Web penetration, malware creation, encryption, cryptography and reverse engineering:
XSS’s 7th issue of Inception has been released!
Hacker forums continue to compile their own content and publish it in magazine form, the 7th issue of XSS was recently released:
This issue contains many topics such as NoSQL injection, disabling Windows Defender, hiding cobalt strike, Bypassing Kaspersky.
Telegram is so safe!
Does Telegram, which is frequently used by threat actors, provide enough anonymity? As we can see from the “Telegram Nearby Map” repo on Github, Telegram users in the neighborhood can be seen using OpenStreetMap:
Anonymous Sudan is Targeting Kenya
Anonymous Sudan is shifting from its typical DDoS attack approach, now targeting comprehensive access to Kenyan governmental entities.
Similar leak sites are on the rise!
It seems that some ransomware groups are so focused on their operations that they don’t think about where to share their activity. On the leak page that the CryptBB group opened to share their leaks, we can see that they directly used 8Base’s site source code:
Following this, we see the same thing happening between LostTrust and Metaencrpytor, which brings to mind the question: are these the same groups?
New threat actor has entered the ring
An Iranian anti-Iran threat actor has appeared on the scene with the name of antimullah1337:
The threat actor mentioned Black Reward, who made major Iranian leaks, and LabDookhtegan, who tracked down various actors and shared its findings, is this move because of a connection or because it attracted attention?
The Dark Web is not at rest and we don’t expect it to become slower, you can use Dark Web News in SOCRadar XTI’s Cyber Threat Intelligence module to keep up to date with developments on the Dark Web: