What is "From The Dark Side" intelligence?

From The Dark Side is Security Arsenal's curated intelligence feed covering the criminal underground — ransomware gang leak sites, dark web markets, Telegram criminal channels, initial access broker activity, credential theft operations, and emerging attack tooling. Our analysts monitor these sources so your team doesn't have to.

How do ransomware groups choose their victims?

Modern ransomware gangs operate as Ransomware-as-a-Service (RaaS) businesses. Affiliates purchase access from initial access brokers (IABs) who specialize in compromising networks via phishing, stolen VPN credentials, or unpatched vulnerabilities. Targets are selected based on revenue, sector, and perceived ability to pay. Healthcare, manufacturing, and local government are consistently over-represented.

What are initial access brokers (IABs) and why do they matter?

Initial access brokers are specialized threat actors who compromise networks and sell that access on dark web forums — typically for $500–$50,000 depending on company size and network depth. Monitoring IAB listings for your organization's domains and IP ranges can provide early warning days to weeks before a ransomware deployment.

How do credential infostealers work and what should I do if my data appears?

Infostealers like RedLine, Lumma, and Vidar are malware distributed via phishing, malvertising, and trojanized software. They harvest browser-saved credentials, session cookies, crypto wallets, and autofill data, then upload to criminal Telegram channels or dark web markets. If your organization's credentials appear in a stealer log: force password resets for all affected users, invalidate active SSO sessions, review for lateral movement, and implement phishing-resistant MFA immediately.

How does Security Arsenal detect dark web threats targeting my organization?

Our AlertMonitor platform integrates dark web monitoring feeds alongside your SIEM and EDR telemetry. When your domains, IP ranges, or executive identities appear in underground activity, we alert your team in real time and initiate a pre-defined response playbook. Contact us for a dark web exposure assessment.

Live Underground Intelligence

From The Dark Side

Intelligence from the criminal underground — ransomware gang activity, credential markets, initial access brokers, data breach tracking, and emerging attack tooling. Curated by Security Arsenal analysts so your team has what it needs to stay ahead.

15+Intel Sources

5mRefresh Interval

6Threat Categories

24/7Analyst Coverage

Incident Response Services Managed SOC & MDR Dark Web Exposure Check

LIVE INTEL

⚠ RANSOMWARE: RansomHub — double-extortion op targeting healthcare sector⚠ IAB: RDP access to mid-market manufacturing firm listed on underground forum⚠ INFOSTEALER: Lumma Stealer campaign — 1.4M credentials harvested from browser sessions⚠ APT: Nation-state actor targeting critical infrastructure with spear-phishing⚠ RANSOMWARE: Akira affiliate — network access via exposed VPN credential⚠ CREDENTIALS: Combo list from enterprise SSO breach surfaced on Telegram⚠ IAB: Cloud admin access to financial sector org listed at $18K⚠ MALWARE: New evasion-capable RAT advertised on criminal forums — C2 via Telegram⚠ DATABREACH: Tor leak site posting — legal sector data including PII and contracts⚠ RANSOMWARE: LockBit variant — active RaaS affiliate recruitment observed⚠ CREDENTIALS: Vidar stealer log drop — corporate VPN credentials included⚠ APT: Supply chain compromise targeting software vendors in critical sectors⚠ RANSOMWARE: RansomHub — double-extortion op targeting healthcare sector⚠ IAB: RDP access to mid-market manufacturing firm listed on underground forum⚠ INFOSTEALER: Lumma Stealer campaign — 1.4M credentials harvested from browser sessions⚠ APT: Nation-state actor targeting critical infrastructure with spear-phishing⚠ RANSOMWARE: Akira affiliate — network access via exposed VPN credential⚠ CREDENTIALS: Combo list from enterprise SSO breach surfaced on Telegram⚠ IAB: Cloud admin access to financial sector org listed at $18K⚠ MALWARE: New evasion-capable RAT advertised on criminal forums — C2 via Telegram⚠ DATABREACH: Tor leak site posting — legal sector data including PII and contracts⚠ RANSOMWARE: LockBit variant — active RaaS affiliate recruitment observed⚠ CREDENTIALS: Vidar stealer log drop — corporate VPN credentials included⚠ APT: Supply chain compromise targeting software vendors in critical sectors

Live Ransomware Victims

refreshed every 5 min

Active ransomware gang postings from public leak sites. For awareness and defensive intelligence only.

Threat Group	Victim	Website	Sector	Country	Discovered
qilin	Law Office of Steven R Smith 🇺🇸 US COMPANY	www.newyorkattorneyatlaw.com	Business Services	US	May 4, 2026	Details
qilin	Foxstone Financial	www.foxstonefinancial.com	Financial Services	AU	May 4, 2026	Details
qilin	Lexus	www.lexus.ua	Manufacturing	JP	May 4, 2026	Details
qilin	Rizzuto Law Firm 🇺🇸 US COMPANY	www.rizzutolawfirm.com	Business Services	US	May 4, 2026	Details
qilin	General Hardware	www.generalhardware.co	Manufacturing	CO	May 4, 2026	Details
chaos	vacaero.com	vacaero.com	Hospitality and Tourism	MX	May 4, 2026	Details
chaos	www.cswindustrials.com 🇺🇸 US COMPANY	www.zoominfo.com/c/csw-industrials-inc/370826515	Manufacturing	US	May 4, 2026	Details
interlock	Lonestar Truck Group & Tag Truck Center 🇺🇸 US COMPANY	tntxtruck.com	Transportation/Logistics	US	May 4, 2026	Details
lamashtu	Luna Group	lunagroupeg.com	Not Found	EG	May 4, 2026	Details
qilin	City of Sandstone 🇺🇸 US COMPANY	sandstone.govoffice.com	Public Sector	US	May 4, 2026	Details

Showing latest 10 victims. Full searchable database available.

View All & Search

Intelligence Categories

Click a category for full archive + SIGMA rules

Ransomware

Gang campaigns, RaaS operations, victim disclosures, double-extortion activity. SIGMA rules for every active family.

View archive →

Credential Leaks

Infostealer campaigns — Lumma, RedLine, Vidar. Combo list releases and enterprise credential exposure tracking.

View archive →

Underground Markets

IAB network access listings, dark web marketplace trends, tool sales, and criminal forum intelligence.

View archive →

Data Breaches

Data sales on Tor markets, breach disclosures, exposure scope analysis, and affected sector reporting.

View archive →

Criminal Tooling

New malware families, loaders, droppers, RATs, and stealers emerging from criminal underground channels.

View archive →

APT & Nation-State

Nation-state actors — Lazarus, Sandworm, Volt Typhoon. Campaign TTPs, MITRE mapping, KQL/SIGMA rules.

View archive →

Telegram Intel

Criminal Telegram channels: malware drops, C2 announcements, stolen data dumps, and initial access postings.

View archive →

Underground Intelligence Feed

Credential Leaks

KarstoRAT, LofyStealer & Malicious AI Extensions: OTX Pulse Analysis — Credential Theft & Supply Chain Threats

Emerging threats: KarstoRAT, ClickFix, LofyStealer, and malicious AI extensions target credentials via gaming lures, supply chain, and browser extensions. Urgency: High.

May 4, 2026

Ransomware

FULCRUMSEC Campaign: Exchange & SmarterMail Exploits Drive Surge in US Tech & Healthcare Sector Attacks

FULCRUMSEC exploits Exchange & SmarterMail flaws to target US Tech/Healthcare. Immediate patching of CVE-2023-21529 & CVE-2025-52691 critical.

May 4, 2026

Criminal Tooling

Rebex Telegram RAT, GachiLoader & TeamPCP CanisterWorm: OTX Pulse Analysis

Urgent: Active Telegram RAT targeting Vietnam, AI-themed GachiLoader, and TeamPCP supply chain wiper detected. Immediate action required.

May 3, 2026

APT & Nation-State

TeamPCP PyPI Supply Chain Attack, LofyStealer, and GhostSocks Proxy Botnet: OTX Pulse Analysis — Enterprise Detection Pack

OTX detects TeamPCP PyPI attack, LofyStealer targeting gamers, and GhostSocks MaaS proxy botnet. Immediate credential theft risk.

May 3, 2026

Credential Leaks

OTX Pulse Analysis: TeamPCP Supply Chain Attack, LofyStealer, & Lumma Campaigns

Active credential theft via PyPI compromise, ClickFix phishing, and mobile trojans targeting banking/gaming.

May 3, 2026

Ransomware

FULCRUMSEC Gang: Aggressive US Healthcare & Tech Campaign — SmarterMail & Exchange Exploitation Analysis

FULCRUMSEC posts 15+ new victims targeting US Tech/Healthcare via SmarterMail and Exchange exploits. Immediate detection rules included.

May 3, 2026

Credential Leaks

TeamPCP Supply Chain & Lumma Stealer Surge: Multi-Vector Credential Theft Campaign — OTX Analysis

OTX pulses reveal active TeamPCP and Lumma Stealer campaigns utilizing PyPI supply chain attacks, ClickFix phishing, and Android malware. Urgency: High.

May 3, 2026

Ransomware

FULCRUMSEC Ransomware: Critical Campaign Targeting US Tech & Healthcare Sectors

FULCRUMSEC claims 15 new victims in 48 hours, heavily targeting US Technology and Healthcare sectors via Exchange and SmarterMail vulnerabilities.

May 3, 2026

Criminal Tooling

Rebex Telegram RAT, GachiLoader & TeamPCP CanisterWorm: OTX Pulse Analysis — Enterprise Detection Pack

Active campaigns involving Telegram RATs, AI-themed infostealers, and supply chain attacks on security tools identified.

May 3, 2026

APT & Nation-State

Supply Chain Attack: TeamPCP Telnyx SDK, LofyStealer & GhostSocks — OTX Pulse Analysis

Active PyPI supply chain compromise (TeamPCP), LofyStealer infostealer, and GhostSocks proxy MaaS detected. Critical credential theft risk.

May 3, 2026

Credential Leaks

Supply Chain & Stealer Surge: TeamPCP, Lumma, and KYCShadow — OTX Pulse Analysis

Active credential theft campaigns via PyPI supply chain (TeamPCP), ClickFix phishing (Lumma), and Android banking trojan (KYCShadow).

May 3, 2026

Ransomware

FULCRUMSEC Campaign Alert: High-Volume Attacks on US Tech & Healthcare Leveraging Edge Vulnerabilities

FULCRUMSEC posts 15+ US victims, exploiting Exchange & Cisco flaws. Immediate patching of CVE-2023-21529 required.

May 3, 2026

Criminal Tooling

TeamPCP Supply Chain, Rebex Telegram RAT, & GachiLoader: OTX Pulse Analysis

Active campaigns detected: TeamPCP supply chain attack (CanisterWorm), Rebex RAT targeting Vietnam, and GachiLoader dropping Rhadamanthys via AI lures. Urgency: High.

May 2, 2026

APT & Nation-State

TeamPCP Supply Chain Attack, LofyStealer & GhostSocks Proxy: OTX Pulse Analysis — Enterprise Detection Pack

Critical OTX alerts reveal TeamPCP PyPI supply chain attack, LofyStealer targeting gamers, and GhostSocks MaaS infecting education.

May 2, 2026

Credential Leaks

Lumma Stealer Resurgence & Supply Chain Attacks: OTX Pulse Analysis — Enterprise Detection Pack

Active campaigns using Lumma, LofyStealer, and TeamPCP via supply chain and phishing. Urgent credential theft risk.

May 2, 2026

Ransomware

FULCRUMSEC Campaign Alert: Mass Exploitation of Mail & Firewall Flaws; 15 New US Victims

FULCRUMSEC targets US Tech & Healthcare with SmarterMail/Exchange exploits. 15 new victims posted May 1. Immediate detection guidance inside.

May 2, 2026

Credential Leaks

OTX Pulse Analysis: Lumma, LofyStealer, and Supply Chain Attacks — Credential Theft Surge

OTX detects active credential theft campaigns via PyPI supply chain (TeamPCP), ClickFix phishing (Lumma), and Android trojans (KYCShadow). High urgency.

May 2, 2026

Ransomware

FULCRUMSEC: Aggressive 2026 Campaign Targets US Tech & Healthcare via Exchange & React Exploits

FULCRUMSEC posts 15+ victims in 24 hours; active exploitation of CVE-2023-21529 (Exchange) and React RCEs signals high risk for US Tech/Healthcare sectors.

May 2, 2026

View All Intel Articles

Frequently Asked Questions

Is Your Organization in the Underground?

Security Arsenal monitors dark web markets, ransomware leak sites, and criminal forums for your domains, IP ranges, and executive identities. We'll tell you if you're already being sold — before the attack begins.

Get a Dark Web Exposure Report Incident Response Services