SOCRadar® Cyber Intelligence Inc. | Stansberry Data Sale, Oracle 0-Day, and Salesforce Leaks Highlight Dark Web Activity
Oct 13, 2025

Stansberry Data Sale, Oracle 0-Day, and Salesforce Leaks Highlight Dark Web Activity

SOCRadar’s Dark Web Team observed a surge of underground activity this week, including data sales, exploit discussions, and unauthorized access listings. Actors advertised a database allegedly containing 1.5 million Stansberry Research records, shared exploit details for CVE-2025-10035 and an Oracle E-Business 0-day, and offered SSH access to a Brazilian telecom firm. Meanwhile, the Scattered LAPSUS$ Hunters group began leaking Salesforce data after ransom negotiations failed, underscoring the diverse and persistent threats emerging across dark web forums.

Alleged Database of Stansberry Research is on Sale

SOCRadar Dark Web Team detected an alleged database sale claiming to include fresh investor and client leads belonging to Stansberry Research, a prominent financial research company. The post appeared on a dark web forum where the actor offered around 1.5 million records for $4,000, stating that the dataset would be sold only once and sharing a private contact for communication. Although no proof of authenticity or sample data was presented, the claim suggests potential exposure of valuable financial information that could enable phishing, investment fraud, or other social engineering attacks.

CVE-2025-10035 Exploit News is Shared for GoAnywhere

SOCRadar Dark Web Team detected a post on an underground forum discussing an exploit for CVE-2025-10035, a critical vulnerability in the GoAnywhere MFT License Servlet affecting versions up to 7.8.3. The actor claims the flaw allows attackers to forge a license response signature, bypass verification, and execute arbitrary commands remotely without authentication.

The shared notes describe post-exploitation steps such as adding RMM tools, deploying JSP web shells, performing reconnaissance with PowerShell, tunneling command-and-control traffic, exfiltrating data with rclone, and eventually deploying Medusa ransomware. The vulnerability is rated CVSS 10.0 (Critical), and while the post lacks proof-of-concept code, its technical accuracy aligns with reports of active exploitation, posing a severe risk for organizations running outdated GoAnywhere MFT instances.
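The post-exploitation chain above (script hosts launched from the MFT service, JSP web shells dropped into the application tree, rclone used for exfiltration) is detectable from ordinary endpoint telemetry. The following is an added example, not SOCRadar's or Fortra's code: it encodes those three behaviours as heuristic rules and runs them over a few constructed process-creation and file-creation events, and it includes a version-triage helper that treats releases up to and including 7.8.3 as affected, as the post states. It assumes the GoAnywhere MFT service runs under a Java process whose image path contains "GoAnywhere" and that web content lives under the same install tree; host names, paths and command lines in the sample events are made up.

```python
import re
from dataclasses import dataclass

# Releases up to and including 7.8.3 are described as affected.
MAX_AFFECTED_VERSION = (7, 8, 3)

# Script hosts that a managed file transfer service has no reason to spawn (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_version(text: str) -> tuple:
    """Turn '7.8.3' or 'v7.6' into a comparable 3-tuple; missing components become 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(text: str) -> bool:
    """True when the reported GoAnywhere MFT version falls inside the affected range."""
    return parse_version(text) <= MAX_AFFECTED_VERSION


@dataclass
class Event:
    host: str
    kind: str                # "process" for process creation, "file" for file creation
    image: str = ""          # full path of the created process
    parent_image: str = ""   # full path of the parent process
    cmdline: str = ""
    path: str = ""           # path of the created file (kind == "file")


def classify(ev: Event) -> list:
    """Return the names of the rules an event matches (empty list when none match)."""
    hits = []
    image_name = ev.image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    parent_is_goanywhere = "goanywhere" in ev.parent_image.lower()  # assumed install path
    if ev.kind == "process":
        # A shell or PowerShell spawned by the MFT's Java process is the first sign of the chain.
        if parent_is_goanywhere and image_name in SCRIPT_HOSTS:
            hits.append("script_host_spawned_by_goanywhere")
        # rclone appearing on a file transfer server is consistent with the exfiltration step.
        if image_name == "rclone.exe" or re.search(r"\brclone\b", ev.cmdline, re.I):
            hits.append("rclone_execution")
    elif ev.kind == "file":
        lowered = ev.path.lower()
        # A new .jsp under the application tree matches the web shell step.
        if lowered.endswith(".jsp") and "goanywhere" in lowered:
            hits.append("jsp_dropped_in_goanywhere_tree")
    return hits


def triage(events) -> dict:
    """Group distinct rule hits per host; two or more distinct rules escalate the host."""
    per_host = {}
    for ev in events:
        for rule in classify(ev):
            per_host.setdefault(ev.host, set()).add(rule)
    return {h: {"rules": sorted(r), "escalate": len(r) >= 2} for h, r in per_host.items()}


# Constructed sample telemetry: mft01 shows the full chain, fs02 is benign admin activity.
SAMPLE_EVENTS = [
    Event("mft01", "process",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
          cmdline="powershell.exe -Command Get-ComputerInfo"),
    Event("mft01", "file", path=r"C:\Program Files\GoAnywhere\tomcat\webapps\ROOT\x.jsp"),
    Event("mft01", "process", image=r"C:\Users\Public\rclone.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          cmdline="rclone.exe copy D:\\data remote:"),
    Event("fs02", "process",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -Command Get-Process"),
]

if __name__ == "__main__":
    print("7.8.3 affected:", is_affected_version("7.8.3"), "| 7.8.4 affected:", is_affected_version("7.8.4"))
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

The parent-process rule carries most of the weight: a forged license response that ends in command execution still has to hand control to a script host, and that process lineage is visible long before rclone or a ransomware binary appears. Escalating only on two distinct rules keeps a lone interactive PowerShell session from paging the on-call engineer.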

Alleged Unauthorized SSH Access Sale is Detected for a Brazilian Telecom Company

SOCRadar Dark Web Team detected an alleged sale offering unauthorized SSH access to a Brazilian telecom company. The actor claims to have root or root-level accounts on eight compromised servers and invites potential buyers to discuss pricing through private messages on the forum. No technical proof or company details were shared. If the claim is accurate, this access could allow intruders to move inside the network, steal data, or disrupt services.

Alleged 0-Day Vulnerability Sale Is Detected for Oracle E-Business

SOCRadar Dark Web Team identified a forum post where a threat actor is allegedly offering a 0-day exploit for Oracle E-Business Suite, tracked as CVE-2025-61882. The post claims that the vulnerability is remotely exploitable without authentication and may allow remote code execution.

Threat Group “Scattered LAPSUS$ Hunters” Begins Leaking Alleged Salesforce Data After Ransom Deadline Passes

SOCRadar Dark Web Team detected a new wave of alleged data leaks connected to the threat group calling itself Scattered LAPSUS$ Hunters, which began publishing data claimed to be stolen from several major companies using Salesforce’s platform after a ransom deadline passed on October 10, 2025. The threat group, reportedly composed of members linked to ShinyHunters, Scattered Spider, and LAPSUS$, first announced its campaign on October 3 through a dedicated leak site, threatening to expose nearly one billion stolen records if their demands were not met.

The leaked data allegedly includes sensitive PII and business records from firms such as Qantas Airways, Vietnam Airlines, Albertsons, GAP, Fujifilm, and Engie Resources. Researchers note that the compromise did not exploit Salesforce vulnerabilities but rather relied on social engineering and vishing tactics, tricking employees into approving malicious third-party applications that granted persistent OAuth tokens.
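Because the Salesforce intrusions described above ran through connected apps that employees were talked into approving, the durable artefact to hunt for is the OAuth token grant itself rather than any exploit. The following is an added example, not SOCRadar's or Salesforce's code: it reviews an exported list of connected-app tokens against an allow-list of approved apps and flags any unapproved app that several users authorised within a short window, the pattern a vishing campaign leaves behind. The record field names are assumed to match Salesforce's OauthToken object (AppName, UserId, CreatedDate, UseCount); the allow-list, user ids and token records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed allow-list: connected apps the organisation has actually reviewed and approved.
APPROVED_APPS = {"Salesforce for Outlook", "Sales Cloud Mobile"}


def parse_ts(text: str) -> datetime:
    """Parse the ISO 8601 form Salesforce uses for datetimes, e.g. 2025-10-06T08:15:00.000+0000."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")


def review_tokens(records, now, recent_days=14, min_users=3):
    """Return findings as tuples; each unapproved token is reported, and an unapproved app that
    several distinct users authorised within recent_days is reported again as a cluster."""
    findings = []
    recent_users_by_app = defaultdict(set)
    cutoff = now - timedelta(days=recent_days)
    for rec in records:
        if rec["AppName"] in APPROVED_APPS:
            continue
        findings.append(("unapproved_app", rec["Id"], rec["AppName"], rec["UserId"]))
        if parse_ts(rec["CreatedDate"]) >= cutoff:
            recent_users_by_app[rec["AppName"]].add(rec["UserId"])
    for app, users in recent_users_by_app.items():
        if len(users) >= min_users:
            findings.append(("unapproved_app_granted_by_many_users", app, len(users)))
    return findings


def revocation_candidates(findings) -> set:
    """Token ids behind every unapproved-app finding, i.e. what an admin would revoke first."""
    return {f[1] for f in findings if f[0] == "unapproved_app"}


# Constructed export: one approved app, one stale unapproved app, and three users who
# authorised the same unknown app within a week of each other.
SAMPLE_TOKENS = [
    {"Id": "tok-1", "AppName": "Salesforce for Outlook", "UserId": "u1",
     "CreatedDate": "2025-06-02T09:00:00.000+0000", "UseCount": 410},
    {"Id": "tok-2", "AppName": "Data Sync Helper", "UserId": "u2",
     "CreatedDate": "2025-10-06T08:15:00.000+0000", "UseCount": 52},
    {"Id": "tok-3", "AppName": "Data Sync Helper", "UserId": "u3",
     "CreatedDate": "2025-10-07T14:40:00.000+0000", "UseCount": 38},
    {"Id": "tok-4", "AppName": "Data Sync Helper", "UserId": "u4",
     "CreatedDate": "2025-10-08T11:05:00.000+0000", "UseCount": 61},
    {"Id": "tok-5", "AppName": "Legacy Report Export", "UserId": "u5",
     "CreatedDate": "2025-03-15T10:00:00.000+0000", "UseCount": 3},
]

NOW = datetime(2025, 10, 13, tzinfo=timezone.utc)

if __name__ == "__main__":
    results = review_tokens(SAMPLE_TOKENS, NOW)
    for finding in results:
        print(finding)
    print("revoke:", sorted(revocation_candidates(results)))
```

The cluster rule is the one worth tuning: a single employee approving an unknown app is routine noise, but three or more approving the same unknown app inside two weeks is what a coordinated vishing wave looks like from the admin console, and revoking those tokens removes the attacker's persistence without touching Salesforce itself.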

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source is not feasible and can be time-consuming and challenging, and a single click made by mistake can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by the targeted country or industry.