Weekly Darkweb in April W1
2025.04.09

☑️ Weekly Darkweb – April Week 1, 2025


🔍 Israeli Cybersecurity Firm ‘C’’s Sensitive Data for Sale on Dark Web

• On March 30, the threat actor ‘CoreInjection’ posted on the Dark Web forum ‘BreachForums,’ offering to sell confidential data from Israeli cybersecurity firm ‘C’. (Sale price: 5 BTC)

✓ Confidential Data: Customer information (e.g., mobile numbers, emails), user credentials, software source code and executable files.

• Following the threat actor’s post, company ‘C’ stated that the data was outdated and already known, denying any security breach. However, on April 1, the threat actor refuted their claims, accusing them of downplaying the incident.

• The threat actor also disclosed that a major data breach occurred at the company in March, affecting approximately 18,000 customers, and released data on 350 individuals as proof; company ‘C’ has strongly refuted both claims.


🔍 New Ransomware Gang ‘RALord’ Emerges, Encrypts Taiwanese Food Company’s Network

• A newly emerged ransomware gang, ‘RALord,’ has been detected targeting multiple companies in a series of cyberattacks.

• On March 19, BreachForums user 'jhonkarry', who is believed to be affiliated with the ransomware gang, uploaded a recruitment post, and on March 23, the same recruitment post was uploaded on the 'gerkitor' forum.

• The ransomware gang disclosed that it had attacked Taiwanese food company ‘F’ on March 31, claiming to have exfiltrated 50GB of data and encrypted 97% of the company’s internal network.


🔍 1.2GB of Iranian Foreign Ministry Internal Data for Sale on Dark Web

• On April 2, a post offering classified information from Iran's Ministry of Foreign Affairs and its embassies for sale was uploaded to the Russian hacking forum ‘Exploit’. (Sale price: $2,500)

• The threat actor uploaded a copy of the passport/visa of an Iranian Foreign Ministry official and a screenshot of the email written by those officials as a sample.

• The seller claimed that some of the information was exfiltrated on April 2, emphasizing that the data being sold is up to date.

• According to S2W’s user profiling tool ‘DarkSpider,’ the threat actor joined the forum last month and has been involved in leaking data related to government agencies in Pakistan, Bangladesh, and Afghanistan, including foreign and defense ministries.


This newsletter is based on news derived from big data collected from over 400 million encrypted pages and channels, including those on the dark web and Telegram.

👉 Subscribe to Weekly Darkweb: https://bit.ly/4eeDU6I

☎️ Contact us: https://s2w.inc/en/contact

*The full report is available upon request and for XARVIS subscribers.

