What is "From The Dark Side" intelligence?

From The Dark Side is Security Arsenal's curated intelligence feed covering the criminal underground — ransomware gang leak sites, dark web markets, Telegram criminal channels, initial access broker activity, credential theft operations, and emerging attack tooling. Our analysts monitor these sources so your team doesn't have to.

How do ransomware groups choose their victims?

Modern ransomware gangs operate as Ransomware-as-a-Service (RaaS) businesses. Affiliates purchase access from initial access brokers (IABs) who specialize in compromising networks via phishing, stolen VPN credentials, or unpatched vulnerabilities. Targets are selected based on revenue, sector, and perceived ability to pay. Healthcare, manufacturing, and local government are consistently over-represented.

What are initial access brokers (IABs) and why do they matter?

Initial access brokers are specialized threat actors who compromise networks and sell that access on dark web forums — typically for $500–$50,000 depending on company size and network depth. Monitoring IAB listings for your organization's domains and IP ranges can provide early warning days to weeks before a ransomware deployment.

How do credential infostealers work and what should I do if my data appears?

Infostealers like RedLine, Lumma, and Vidar are malware distributed via phishing, malvertising, and trojanized software. They harvest browser-saved credentials, session cookies, crypto wallets, and autofill data, then upload to criminal Telegram channels or dark web markets. If your organization's credentials appear in a stealer log: force password resets for all affected users, invalidate active SSO sessions, review for lateral movement, and implement phishing-resistant MFA immediately.

How does Security Arsenal detect dark web threats targeting my organization?

Our AlertMonitor platform integrates dark web monitoring feeds alongside your SIEM and EDR telemetry. When your domains, IP ranges, or executive identities appear in underground activity, we alert your team in real time and initiate a pre-defined response playbook. Contact us for a dark web exposure assessment.

Live Underground Intelligence

From The Dark Side

Intelligence from the criminal underground — ransomware gang activity, credential markets, initial access brokers, data breach tracking, and emerging attack tooling. Curated by Security Arsenal analysts so your team has what it needs to stay ahead.

15+Intel Sources

5mRefresh Interval

6Threat Categories

24/7Analyst Coverage

Incident Response Services Managed SOC & MDR Dark Web Exposure Check

LIVE INTEL

⚠ RANSOMWARE: RansomHub — double-extortion op targeting healthcare sector⚠ IAB: RDP access to mid-market manufacturing firm listed on underground forum⚠ INFOSTEALER: Lumma Stealer campaign — 1.4M credentials harvested from browser sessions⚠ APT: Nation-state actor targeting critical infrastructure with spear-phishing⚠ RANSOMWARE: Akira affiliate — network access via exposed VPN credential⚠ CREDENTIALS: Combo list from enterprise SSO breach surfaced on Telegram⚠ IAB: Cloud admin access to financial sector org listed at $18K⚠ MALWARE: New evasion-capable RAT advertised on criminal forums — C2 via Telegram⚠ DATABREACH: Tor leak site posting — legal sector data including PII and contracts⚠ RANSOMWARE: LockBit variant — active RaaS affiliate recruitment observed⚠ CREDENTIALS: Vidar stealer log drop — corporate VPN credentials included⚠ APT: Supply chain compromise targeting software vendors in critical sectors⚠ RANSOMWARE: RansomHub — double-extortion op targeting healthcare sector⚠ IAB: RDP access to mid-market manufacturing firm listed on underground forum⚠ INFOSTEALER: Lumma Stealer campaign — 1.4M credentials harvested from browser sessions⚠ APT: Nation-state actor targeting critical infrastructure with spear-phishing⚠ RANSOMWARE: Akira affiliate — network access via exposed VPN credential⚠ CREDENTIALS: Combo list from enterprise SSO breach surfaced on Telegram⚠ IAB: Cloud admin access to financial sector org listed at $18K⚠ MALWARE: New evasion-capable RAT advertised on criminal forums — C2 via Telegram⚠ DATABREACH: Tor leak site posting — legal sector data including PII and contracts⚠ RANSOMWARE: LockBit variant — active RaaS affiliate recruitment observed⚠ CREDENTIALS: Vidar stealer log drop — corporate VPN credentials included⚠ APT: Supply chain compromise targeting software vendors in critical sectors

Live Ransomware Victims

refreshed every 5 min

Active ransomware gang postings from public leak sites. For awareness and defensive intelligence only.

Threat Group	Victim	Website	Sector	Country	Discovered
lapsus$	INGKA GROUP	ingka.com	Consumer Services	SE	Jun 13, 2026	Details
lapsus$	GITHUB INTERNAL 🇺🇸 US COMPANY	github.com	Technology	US	Jun 13, 2026	Details
krybit	www.mbt-energy.com	www.mbt-energy.com	Energy	DE	Jun 13, 2026	Details
payload	myipo.gov.my	myipo.gov.my	Public Sector	MY	Jun 12, 2026	Details
threeam	jetmachprod.com	jetmachprod.com	Manufacturing	—	Jun 12, 2026	Details
threeam	jastrebarsko.hr	jastrebarsko.hr	Not Found	HR	Jun 12, 2026	Details
threeam	palmero.com	palmero.com	Not Found	—	Jun 12, 2026	Details
threeam	insamani.com.ar	insamani.com.ar	Not Found	AR	Jun 12, 2026	Details
threeam	bsynchro.com	bsynchro.com	Technology	DE	Jun 12, 2026	Details
threeam	molinoscabodi.com.ar	molinoscabodi.com.ar	Agriculture and Food Production	AR	Jun 12, 2026	Details

Showing latest 10 victims. Full searchable database available.

View All & Search

Intelligence Categories

Click a category for full archive + SIGMA rules

Ransomware

179

Gang campaigns, RaaS operations, victim disclosures, double-extortion activity. SIGMA rules for every active family.

View archive →

Credential Leaks

176

Infostealer campaigns — Lumma, RedLine, Vidar. Combo list releases and enterprise credential exposure tracking.

View archive →

Underground Markets

IAB network access listings, dark web marketplace trends, tool sales, and criminal forum intelligence.

View archive →

Data Breaches

Data sales on Tor markets, breach disclosures, exposure scope analysis, and affected sector reporting.

View archive →

Criminal Tooling

New malware families, loaders, droppers, RATs, and stealers emerging from criminal underground channels.

View archive →

APT & Nation-State

122

Nation-state actors — Lazarus, Sandworm, Volt Typhoon. Campaign TTPs, MITRE mapping, KQL/SIGMA rules.

View archive →

Telegram Intel

Criminal Telegram channels: malware drops, C2 announcements, stolen data dumps, and initial access postings.

View archive →

Underground Intelligence Feed

APT & Nation-State

Storm-3075 AI Phishing & SilabRAT MaaS: OTX Pulse Analysis — Enterprise Detection Pack

High urgency: Storm-3075 AI phishing, UAT-8616 Cisco SD-WAN exploitation, and SilabRAT MaaS detected. Actionable IOC pack.

Jun 13, 2026

Credential Leaks

Vidar, Lumma, and SilabRAT: Multi-Vector Credential Theft Campaigns via AI Lures & Supply Chains

OTX Pulse: Vidar/Lumma stealers spreading via AI lures & TikTok; SilabRAT MaaS targeting crypto; Cisco SD-WAN exploits active. (High Urgency)

Jun 13, 2026

Ransomware

QILIN Ransomware: Surge in Business Services Attacks & Exploitation of New Check Point CVE

Qilin posts 19 new victims, heavily targeting US Business Services. Immediate patching of Check Point and ScreenConnect CVEs required.

Jun 13, 2026

Credential Leaks

Operation AI Bait & Crypto MaaS: Vidar, SilabRAT, and Needle Campaign Analysis — OTX Pulse Intelligence

Active infostealer campaigns leveraging AI hype, TikTok, and PyPI to distribute Vidar, SilabRAT, and Needle. High urgency for credential defense.

Jun 13, 2026

Ransomware

QILIN Ransomware Gang: 19 New Victims Posted — Sector Targeting Analysis & Detection Rules

QILIN intensifies attacks on Business Services sector across US and Europe. Detection rules provided.

Jun 13, 2026

Criminal Tooling

The Gentlemen RaaS & AI Supply Chain Poisoning: SystemBC, AMOS Stealer, and CVE-2024-55591 Exploitation

Active RaaS operation Storm-2697 exploits CVE-2024-55591 while threat actors poison AI supply chains with AMOS Stealer. Urgent patching required.

Jun 12, 2026

APT & Nation-State

Storm-3075 AI-Themed Social Engineering & 4BID ProxyShell Exploitation: OTX Pulse Intelligence — Enterprise Detection Pack

Storm-3075 & 4BID campaigns: AI phishing & ProxyShell attacks. Urgent: Hunt for Vidar, SilabRAT, Sliver, Lumma Stealer IOCs across enterprise.

Jun 12, 2026

Credential Leaks

Vidar, SilabRAT & Needle C2: Multi-Vector Credential Theft Campaigns Targeting Devs and End Users

Active infostealer campaigns (Vidar, SilabRAT) using AI phishing, TikTok tutorials, and malicious PyPI packages. Urgency: High.

Jun 12, 2026

Ransomware

QILIN Ransomware: 19 New Victims Posted — Surge in Professional Services & Detection Engineering

Qilin claims 19 new victims, heavily targeting Business Services & Legal sectors via VPN/RDP exploits. Patch ScreenConnect & Check Point immediately.

Jun 12, 2026

Criminal Tooling

The Gentlemen RaaS (Storm-2697) & AI Supply Chain (AMOS Stealer): OTX Pulse Analysis

Alert: The Gentlemen ransomware exploiting CVE-2024-55591 and AI supply chain trojans dropping AMOS stealer. High urgency.

Jun 12, 2026

APT & Nation-State

SilabRAT MaaS & Storm-3075 AI Phishing: OTX Pulse Analysis — Enterprise Detection Pack

OTX pulses reveal Storm-3075 AI phishing, SilabRAT MaaS, and 4BID hacktivism. Detect stealers, RATs, and ProxyShell exploits.

Jun 12, 2026

Credential Leaks

Storm-3075, SilabRAT, and AI-Themed Infostealers: OTX Pulse Analysis — Enterprise Detection Pack

Active campaigns using AI phishing, TikTok tutorials, and PyPI supply chain attacks deploy Vidar, SilabRAT, and RustyStealer to steal credentials.

Jun 12, 2026

Ransomware

QILIN Ransomware Gang: 19 New Victims Posted — Critical Firewall & RaaS Activity Surge

QILIN claims 19 new victims, heavily targeting US Business Services. Immediate action required on Check Point & Cisco CVEs and RDP hardening.

Jun 12, 2026

APT & Nation-State

Storm-3075 AI Phishing, SilabRAT MaaS, and 4BID ProxyShell Campaigns: OTX Pulse Analysis

Analysis of AI-themed credential theft, SilabRAT MaaS operations, and 4BID ProxyShell attacks targeting critical sectors.

Jun 12, 2026

Credential Leaks

AI-Themed Phishing, MaaS Crypto-Stealers, and PyPI Worms: OTX Pulse Analysis — Enterprise Detection Pack

Surge in infostealers (Vidar, SilabRAT) via AI-branded lures and supply chain attacks targeting finance and tech sectors.

Jun 12, 2026

Ransomware

QILIN Ransomware Gang: Surge in Attacks on US Business Services & Critical Infrastructure Vulnerabilities

QILIN posts 21 victims, heavily targeting US Business Services via Check Point and ScreenConnect exploits. Immediate patching required.

Jun 12, 2026

APT & Nation-State

Storm-3075 AI Phishing, SilabRAT MaaS & 4BID ProxyShell: OTX Pulse Analysis — Enterprise Detection Pack

Storm-3075 uses AI themes for Vidar/Lumma infections; SilabRAT MaaS targets crypto; 4BID exploits ProxyShell for Sliver C2 deployment.

Jun 11, 2026

Credential Leaks

Storm-3075 AI Hype & SilabRAT MaaS: Multi-Vector Infostealer Surge & PyPI Supply Chain Compromise

Critical surge in infostealer campaigns (Vidar, Lumma, SilabRAT) leveraging AI hype, TikTok tutorials, and PyPI supply chains for credential theft.

Jun 11, 2026

View All Intel Articles

Frequently Asked Questions

Is Your Organization in the Underground?

Security Arsenal monitors dark web markets, ransomware leak sites, and criminal forums for your domains, IP ranges, and executive identities. We'll tell you if you're already being sold — before the attack begins.

Get a Dark Web Exposure Report Incident Response Services