LIC India, Bouygues, IMSS Data for Sale; Paris Phishing Toolkit Unveiled
SOCRadar Dark Web Team has uncovered new underground activity involving large-scale data leaks and advanced phishing services. Recent forum posts advertised stolen databases allegedly linked to major organizations across India, France, Mexico, and Brazil. Meanwhile, a newly introduced phishing toolkit, Paris, offers full-featured adversary-in-the-middle services for targeting Gmail and Office 365 users. These developments reveal the continued growth of cybercrime tools and services designed for mass exploitation and identity theft.
Alleged Unauthorized SSH Access Sale is Detected for a Brazilian Telecom Company

SOCRadar Dark Web Team identified a forum post where a threat actor advertised unauthorized SSH access allegedly belonging to a telecom company in Brazil. The listing described root-level access to a single Linux server, with the compromised organization reported to have approximately 150 employees and an estimated revenue of $8 million. The threat actor offered the access for $300 and directed interested buyers to make contact via private messages on the forum.
Alleged Phishing Campaign Announcement is Detected

SOCRadar Dark Web Team identified a forum post where a threat actor advertised a phishing campaign service named Paris. The platform was presented as an Adversary-in-the-Middle solution that provides phishing kits for Gmail and Office 365, SMTP servers with high sending capacity, inbox management, and access to target databases. It also offered supporting components such as a Telegram bot, traffic distribution system, admin panel, domain and SSL management, and analytics, positioning itself as a turnkey phishing toolkit.
Alleged Database of Mexican Social Security Institute is on Sale

SOCRadar Dark Web Team identified a forum post where a threat actor advertised the sale of a database allegedly belonging to the Mexican Social Security Institute (IMSS). The dataset was described as the Pensionados section, which refers to records of retired beneficiaries, and contained approximately 20 million entries. The threat actor claimed the data was being offered after an earlier leak and directed interested buyers to Telegram for further details and pricing.
Alleged Data of Bouygues Telecom are on Sale

SOCRadar Dark Web Team identified a forum post where a threat actor advertised the sale of a database allegedly belonging to Bouygues Telecom in France. The dataset was described as containing more than 6.3 million rows with fields including first name, last name, date of birth, address, postal code, city, phone number, email, IBAN, and BIC. The threat actor claimed the breach occurred about a month earlier and stated that the data was available for sale or trade with other French databases. Contact information was shared through Session ID and forum messages.
Alleged Data of Life Insurance Corporation of India are on Sale

SOCRadar Dark Web Team identified a forum post where a threat actor advertised the sale of a database allegedly belonging to the Life Insurance Corporation of India (LIC). The dataset was described as containing more than 454 million rows with detailed insurance records, including policy numbers, types, terms, premium details, commencement dates, maturity values, payment modes, and status codes. According to the threat actor, it also included sensitive customer information such as names, addresses, phone numbers, email addresses, dates of birth, PAN numbers, nominee details, and agent information. The threat actor indicated that some individuals may have multiple entries due to different insurance products.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by targeted country or industry.
