Jun 10, 2025

Fusion Stealer Rises, Android 0-Day for Sale, EDF Leak Exposed

SOCRadar’s Dark Web Team has uncovered a series of concerning cybercriminal offerings this week, ranging from an alleged Android 0-day exploit with global espionage implications to the rental of the new Fusion Stealer malware. Notable discoveries include unauthorized VPN access to a U.S. healthcare provider, admin panel access for multiple South American FinTech companies, and a massive alleged leak of EDF Energy’s customer database. These developments highlight the persistent and evolving threat landscape facing organizations and individuals worldwide.


Alleged 0-Day Exploit for Android is on Sale


SOCRadar Dark Web Team has identified a new alleged 0-day exploit for Android being offered for sale. The threat actor claims the exploit works with a single click on all Android versions and states it was previously used in operations targeting an organization based in the United States and members of the Israeli Defense Forces. The current asking price is 3 BTC. The threat actor also claims to possess and intends to release footage involving IDF personnel.

New Fusion Stealer Tool Sale is Detected


SOCRadar Dark Web Team has identified a new stealer tool called Fusion Stealer being offered for rent on a hacker forum. The threat actor states that the tool is written in C++ without external dependencies, with a build size of 120–130 KB using MSBuild. The output is a native file that is reportedly easy to encrypt. Fusion Stealer is advertised to collect data from multiple browsers (Chrome, Firefox, Opera, Edge, Brave), messaging and VPN platforms (TDATA, Discord, VPN, FTP), and cryptocurrency wallets (Exodus, Zcash, Electrum, Atomic).

According to the threat actor, it also exfiltrates system information and features Telegram-based client decryption with protection against log interception. The current rental price is $35 per month. The threat actor notes that the stealer does not communicate with systems in the CIS region, which may suggest an attempt to avoid local law enforcement or indicate a possible connection to one of these countries.

Alleged Unauthorized VPN Access Sale is Detected for an American Healthcare Provider


SOCRadar Dark Web Team has detected the alleged sale of unauthorized VPN access on a hacker forum, claimed to be linked to a regional healthcare provider in the northeastern United States. According to the threat actor, the access involves a Palo Alto Networks GlobalProtect VPN and belongs to an organization operating in the NGO and healthcare services sector. The threat actor states that the offer is limited to a single buyer and that the price is negotiable via direct contact. Communication is offered through Telegram and Signal.

Alleged Admin Panel of FinTech Companies in South America is on Sale


SOCRadar Dark Web Team has identified an alleged sale of admin panel access related to multiple FinTech companies operating in South America. According to the threat actor, the panel contains data on over 10,000 users, primarily located in Argentina, Colombia, and Brazil, but also from various global regions including the EU, US, Canada, Asia, and Africa. The threat actor claims the panel allows full administrative control, including the ability to review applications, manage identity verification data, and download associated PDF reports with AML checks. The access is said to have been obtained via a spam campaign, and the actor asserts that only the seller and the original owner currently have access. The auction starts at $5,000 with a blitz price of $7,500.

Alleged Customer Database of EDF Energy is Leaked


SOCRadar Dark Web Team has detected an alleged sale of a customer database claimed to belong to EDF Energy, a French energy company. According to the threat actor, the data is linked to the domain edfenergy.com and contains over 12 million records. The database is said to include personally identifiable information such as full names, dates of birth, national IDs, contact details, contract information, payment methods, IBANs, and energy consumption data. The threat actor is offering the dataset for sale via Telegram and Tox, with the price available upon direct request.

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is time-consuming, challenging, and simply not feasible. A single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by targeted country or industry.