What is "From The Dark Side" intelligence?

From The Dark Side is Security Arsenal's curated intelligence feed covering the criminal underground — ransomware gang leak sites, dark web markets, Telegram criminal channels, initial access broker activity, credential theft operations, and emerging attack tooling. Our analysts monitor these sources so your team doesn't have to.

How do ransomware groups choose their victims?

Modern ransomware gangs operate as Ransomware-as-a-Service (RaaS) businesses. Affiliates purchase access from initial access brokers (IABs) who specialize in compromising networks via phishing, stolen VPN credentials, or unpatched vulnerabilities. Targets are selected based on revenue, sector, and perceived ability to pay. Healthcare, manufacturing, and local government are consistently over-represented.

What are initial access brokers (IABs) and why do they matter?

Initial access brokers are specialized threat actors who compromise networks and sell that access on dark web forums — typically for $500–$50,000 depending on company size and network depth. Monitoring IAB listings for your organization's domains and IP ranges can provide early warning days to weeks before a ransomware deployment.

How do credential infostealers work and what should I do if my data appears?

Infostealers like RedLine, Lumma, and Vidar are malware distributed via phishing, malvertising, and trojanized software. They harvest browser-saved credentials, session cookies, crypto wallets, and autofill data, then upload to criminal Telegram channels or dark web markets. If your organization's credentials appear in a stealer log: force password resets for all affected users, invalidate active SSO sessions, review for lateral movement, and implement phishing-resistant MFA immediately.

How does Security Arsenal detect dark web threats targeting my organization?

Our AlertMonitor platform integrates dark web monitoring feeds alongside your SIEM and EDR telemetry. When your domains, IP ranges, or executive identities appear in underground activity, we alert your team in real time and initiate a pre-defined response playbook. Contact us for a dark web exposure assessment.

Live Underground Intelligence

From The Dark Side

Intelligence from the criminal underground — ransomware gang activity, credential markets, initial access brokers, data breach tracking, and emerging attack tooling. Curated by Security Arsenal analysts so your team has what it needs to stay ahead.

15+Intel Sources

5mRefresh Interval

6Threat Categories

24/7Analyst Coverage

Incident Response Services Managed SOC & MDR Dark Web Exposure Check

LIVE INTEL

⚠ RANSOMWARE: RansomHub — double-extortion op targeting healthcare sector⚠ IAB: RDP access to mid-market manufacturing firm listed on underground forum⚠ INFOSTEALER: Lumma Stealer campaign — 1.4M credentials harvested from browser sessions⚠ APT: Nation-state actor targeting critical infrastructure with spear-phishing⚠ RANSOMWARE: Akira affiliate — network access via exposed VPN credential⚠ CREDENTIALS: Combo list from enterprise SSO breach surfaced on Telegram⚠ IAB: Cloud admin access to financial sector org listed at $18K⚠ MALWARE: New evasion-capable RAT advertised on criminal forums — C2 via Telegram⚠ DATABREACH: Tor leak site posting — legal sector data including PII and contracts⚠ RANSOMWARE: LockBit variant — active RaaS affiliate recruitment observed⚠ CREDENTIALS: Vidar stealer log drop — corporate VPN credentials included⚠ APT: Supply chain compromise targeting software vendors in critical sectors⚠ RANSOMWARE: RansomHub — double-extortion op targeting healthcare sector⚠ IAB: RDP access to mid-market manufacturing firm listed on underground forum⚠ INFOSTEALER: Lumma Stealer campaign — 1.4M credentials harvested from browser sessions⚠ APT: Nation-state actor targeting critical infrastructure with spear-phishing⚠ RANSOMWARE: Akira affiliate — network access via exposed VPN credential⚠ CREDENTIALS: Combo list from enterprise SSO breach surfaced on Telegram⚠ IAB: Cloud admin access to financial sector org listed at $18K⚠ MALWARE: New evasion-capable RAT advertised on criminal forums — C2 via Telegram⚠ DATABREACH: Tor leak site posting — legal sector data including PII and contracts⚠ RANSOMWARE: LockBit variant — active RaaS affiliate recruitment observed⚠ CREDENTIALS: Vidar stealer log drop — corporate VPN credentials included⚠ APT: Supply chain compromise targeting software vendors in critical sectors

Live Ransomware Victims

refreshed every 5 min

Active ransomware gang postings from public leak sites. For awareness and defensive intelligence only.

Threat Group	Victim	Website	Sector	Country	Discovered
safepay	olipes.com	olipes.com	Not Found	ES	May 19, 2026	Details
incransom	Nothing	nothing.tech	Technology	TW	May 19, 2026	Details
dragonforce	TAURUS INVESTMENT HOLDINGS	tiholdings.com	Financial Services	CY	May 19, 2026	Details
dragonforce	ZFG ALTHERM Engineering	zfg-altherm.at	Manufacturing	AT	May 19, 2026	Details
SilentRansomGroup	Barclay Damon 🇺🇸 US COMPANY	barclaydamon.com	Business Services	US	May 19, 2026	Details
play	Zuther Hautmann	www.z-h.de	Not Found	DE	May 19, 2026	Details
lamashtu	ROTH‑TECHNIK AUSTRIA	rothtechnik.eu	Manufacturing	AT	May 19, 2026	Details
krybit	SARL CANIS EVENTS SÉCURITÉ PRIVÉE	SARL CANIS EVENTS SÉCURITÉ PRIVÉE	Business Services	FR	May 19, 2026	Details
krybit	nacs.com.hk	nacs.com.hk	Not Found	HK	May 19, 2026	Details
krybit	mindmastersg.com	mindmastersg.com	Business Services	SG	May 19, 2026	Details

Showing latest 10 victims. Full searchable database available.

View All & Search

Intelligence Categories

Click a category for full archive + SIGMA rules

Ransomware

103

Gang campaigns, RaaS operations, victim disclosures, double-extortion activity. SIGMA rules for every active family.

View archive →

Credential Leaks

104

Infostealer campaigns — Lumma, RedLine, Vidar. Combo list releases and enterprise credential exposure tracking.

View archive →

Underground Markets

IAB network access listings, dark web marketplace trends, tool sales, and criminal forum intelligence.

View archive →

Data Breaches

Data sales on Tor markets, breach disclosures, exposure scope analysis, and affected sector reporting.

View archive →

Criminal Tooling

New malware families, loaders, droppers, RATs, and stealers emerging from criminal underground channels.

View archive →

APT & Nation-State

Nation-state actors — Lazarus, Sandworm, Volt Typhoon. Campaign TTPs, MITRE mapping, KQL/SIGMA rules.

View archive →

Telegram Intel

Criminal Telegram channels: malware drops, C2 announcements, stolen data dumps, and initial access postings.

View archive →

Underground Intelligence Feed

APT & Nation-State

UAT-8616, Interlock & The Gentlemen: Cisco Edge Exploitation, Sliver C2, and PlasmaLoader OTX Pulse Analysis

Active exploitation of Cisco SD-WAN & FMC zero-days by UAT-8616 & Interlock; Sliver C2, Godzilla webshells, and SystemBC detected. Urgent patching required.

May 19, 2026

Credential Leaks

Vidar v1.5 Go, Gremlin Stealer & Shai-Hulud: OTX Pulse Intelligence on Multi-Vector Infostealer Campaigns

Active infostealer campaigns (Vidar Go, Gremlin) and npm supply chain attacks targeting credentials. Block C2 IPs immediately.

May 19, 2026

Ransomware

QILIN Ransomware: Global Campaign Targets Agriculture & Healthcare via Critical Remote Access Exploits

Qilin aggressively targets Manufacturing and Healthcare sectors using ConnectWise and SmarterMail exploits. Immediate patching required.

May 19, 2026

Credential Leaks

Vidar v1.5, Gremlin & Shai-Hulud: OTX Pulse Analysis — Credential Theft Campaigns

Analysis of Vidar Go, Gremlin Stealer, and Shai-Hulud supply chain attacks. Urgent credential harvesting and RaaS activity detected.

May 19, 2026

Ransomware

QILIN Ransomware: Global Expansion Targeting Healthcare & Agriculture — Critical CVE Analysis

QILIN claims 15 victims targeting Healthcare, Agriculture, and Manufacturing. Detection rules for ScreenConnect and SmarterMail exploitation included.

May 19, 2026

Credential Leaks

Vidar v1.5 Go, Gremlin & SHub Reaper: Multi-Platform Infostealer Surge & SD-WAN Initial Access

Active campaigns using Vidar Go, Gremlin, and macOS SHub Reaper target credentials via SD-WAN exploits and fake installers.

May 19, 2026

Ransomware

QILIN Ransomware: Global Surge in Healthcare & Manufacturing — Campaign Analysis & Detection Rules

Qilin posted 22 victims recently, heavily targeting Healthcare and Manufacturing via ScreenConnect and Exchange exploits.

May 19, 2026

Credential Leaks

Vidar v1.5, Gremlin, and SHub Reaper: Surge in Multi-Platform Infostealers & Edge Device Exploitation

Active campaigns leveraging Vidar Go, Gremlin Stealer, and macOS SHub Reaper alongside exploitation of Cisco/Fortinet edge devices.

May 18, 2026

Ransomware

QILIN Ransomware: Global Surge Exploiting SmarterMail & ScreenConnect — 15 Victims in 72 Hours

Qilin posted 15 new victims in 72 hours targeting Healthcare and Manufacturing. Immediate patching of SmarterMail and ScreenConnect is critical.

May 18, 2026

Criminal Tooling

Nexcorium IoT Botnet, UNC1945 Financial Threats, and NKAbuse Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack

Active campaigns involving Nexcorium IoT botnet, UNC1945 targeting finance, and NKAbuse via HuggingFace. Urgent detection required.

May 18, 2026

APT & Nation-State

Cisco Edge Exploitation & SystemBC C2: UAT-8616, Interlock, and The Gentlemen Campaign Analysis

Active exploitation of Cisco SD-WAN/FMC & Fortinet. Threats include webshells, ransomware (Interlock), and SystemBC (Gentlemen).

May 18, 2026

Credential Leaks

Vidar v1.5, SHub Reaper, and UAT-8616: Multi-Vector Credential Harvesting and Edge Exploitation

Active campaigns involving Go-based Vidar, macOS SHub Reaper, and Cisco SD-WAN exploits by UAT-8616 threaten enterprise credentials. Urgent.

May 18, 2026

Ransomware

QILIN Ransomware: Global Surge in Manufacturing & Healthcare Targets — Critical IOCs & Detection Logic

QILIN adds 26+ victims targeting Manufacturing & Healthcare globally via ScreenConnect and Exchange exploits. Immediate detection rules inside.

May 18, 2026

APT & Nation-State

UAT-8616 & Chollima APTs: Cisco SD-WAN Exploits & NPM Supply Chain Attacks — OTX Pulse Analysis

Active exploitation of Cisco SD-WAN & npm packages by UAT-8616 & Chollima. Detection for webshells, stealers, & ransomware. Urgency: High.

May 18, 2026

Credential Leaks

Gremlin & Vidar Infostealers + SD-WAN RaaS Attacks: OTX Pulse Analysis — Enterprise Detection Pack

Active credential theft via Gremlin/Vidar and SD-WAN exploitation. Urgent blocking required for C2 IPs and file hashes.

May 18, 2026

Ransomware

QILIN Ransomware: Surge in Manufacturing & Healthcare Targeting via Critical CVE Exploits

Qilin ramps up attacks on Manufacturing and Healthcare sectors globally. Patch ConnectWise and Exchange immediately.

May 18, 2026

APT & Nation-State

Cisco SD-WAN Zero-Days & NPM Supply Chain Attacks: UAT-8616, FAMOUS CHOLLIMA, and Interlock Campaigns

Critical exploitation of Cisco infrastructure and npm supply chains. UAT-8616 and Chollima active; crypto-mining and ransomware payloads confirmed.

May 17, 2026

Credential Leaks

Gremlin Stealer, OtterCookie, and The Gentlemen RaaS: OTX Pulse Analysis — Enterprise Credential Theft & Infostealer Campaigns

Active campaigns using Gremlin Stealer and OtterCookie npm packages target credentials. High urgency.

May 17, 2026

View All Intel Articles

Frequently Asked Questions

Is Your Organization in the Underground?

Security Arsenal monitors dark web markets, ransomware leak sites, and criminal forums for your domains, IP ranges, and executive identities. We'll tell you if you're already being sold — before the attack begins.

Get a Dark Web Exposure Report Incident Response Services