From The Dark Side
Intelligence from the criminal underground — ransomware gang activity, credential markets, initial access brokers, data breach tracking, and emerging attack tooling. Curated by Security Arsenal analysts so your team has what it needs to stay ahead.
Updated 3× daily via automated OSINT feeds monitoring 15+ clearnet sources that track dark web forum activity, Telegram criminal channels, and ransomware leak sites.
Live Ransomware Victims
Active ransomware gang postings from public leak sites. Updated hourly. For awareness and defensive intelligence only.
| Threat Group | Victim | Sector | Country | Discovered |
|---|---|---|---|---|
| lamashtu | WEDA ROBOTICS | Manufacturing | — | Apr 14, 2026 |
| thegentlemen | PsychPlus | Healthcare | — | Apr 14, 2026 |
| thegentlemen | UK Electronics | Manufacturing | GB | Apr 14, 2026 |
| thegentlemen | Intra | Not Found | — | Apr 14, 2026 |
| thegentlemen | GEM Terminal | Technology | — | Apr 14, 2026 |
| thegentlemen | Brand Collective | Business Services | — | Apr 14, 2026 |
| thegentlemen | Cleor | Not Found | FR | Apr 14, 2026 |
| thegentlemen | Harlem Stage | Consumer Services | US | Apr 14, 2026 |
| thegentlemen | International Maritime Hospita | Healthcare | — | Apr 14, 2026 |
| thegentlemen | Double C Farm | Agriculture and Food Production | — | Apr 14, 2026 |
| thegentlemen | BRC Biotechnology | Healthcare | — | Apr 14, 2026 |
| thegentlemen | NSOFT | Technology | — | Apr 14, 2026 |
Underground Intelligence Feed
Intel: APT37 RokRAT & APT28 PRISMEX Operations — Zero-Day & GitHub C2 Campaigns April 2026
Active DPRK & Russian APT campaigns detected: RokRAT via social apps, PRISMEX zero-days, and GitHub C2. High risk to supply chains.
Intel: STX Rat Supply Chain Attack & Global Credential Harvesting Wave — April 2026
Active STX Rat campaign via trojanized HWMonitor/CPUID. Urgent credential theft & RDP risk. Review installs immediately.
Intel: BYOVD Ransomware (Qilin/Warlock) & Storm-1175 Rapid Attacks — April 2026
Surge in ransomware using BYOVD to disable EDRs; Storm-1175 breaches networks in under 72 hours; Lynx and Lamashtu claim new victims.
RAMP Forum Takedown: Disrupting the Ransomware Supply Chain and What Comes Next
The recent seizure of the RAMP forum fractures the cybercrime underground. Learn how threat actors are reorganizing and how to defend your network.
RAMP Forum Takedown: Fracturing the Ransomware Ecosystem and Strategic Shifts for Defenders
The seizure of the RAMP forum disrupts the ransomware supply chain. Learn how to leverage this strategic shift in threat intelligence.
Arkanix Stealer: Dissecting the AI-Assisted Malware Experiment on the Dark Web
Arkanix Stealer highlights the growing threat of AI-generated malware. Discover how this short-lived experiment exploits browser data and why it matters.
Is Your Organization in the Underground?
Security Arsenal monitors dark web markets, ransomware leak sites, and criminal forums for your domains, IP ranges, and executive identities. We'll tell you if you're already being sold — before the attack begins.