零零信安

438 posts

@00seccom

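零零信安: professional dark web threat intelligence provider. Dark web intelligence · Ransomware monitoring · Real-time Telegram alerts · ATO/credential/PII leak early warning. Dark web monitoring + leak sentiment tracking + incident handling: one-stop protection for your digital assets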

China · Joined January 2026
30 Following · 177 Followers
零零信安@00seccom·
At present, the authenticity, scope, and origin of the so-called dataset have not been independently verified.
Dark Web Intelligence@DailyDarkWeb

🇨🇳 A threat actor is allegedly selling a 2026 database associated with Chinatechstar.com, claiming the dataset contains more than 4.6 million records tied to VIP customers and order operations.

According to the forum post, the exposed data appears to include customer profiles, loyalty information, sales operations, and transaction-related metadata.

The visible listing references:
* Email addresses and mobile phone numbers
* Birthdays and demographic information
* Password-related fields
* VIP membership identifiers
* Sales and referral channel data
* Order and transaction metadata
* Bonus and rewards information
* Regional and geographic information
* WeChat-related identifiers and metadata
* Registration timestamps and account activity records

The alleged dataset also appears to contain operational sales and commission-related fields associated with VIP order management systems.

Potential risks associated with this type of exposure include:
* Credential stuffing attacks
* Targeted phishing and smishing campaigns
* Loyalty and rewards fraud
* WeChat-focused social engineering
* Account takeover attempts
* Financial fraud and impersonation scams
* Profiling of high-value or VIP customers

Large customer intelligence datasets combining personal information, transaction history, and messaging-platform metadata are highly valuable within cybercriminal ecosystems due to their usefulness in targeted fraud operations.

At this stage, the authenticity, scope, and origin of the alleged dataset have not been independently verified.

#DDW #Intelligence #DarkWeb #China

零零信安 retweeted
Dark Web Intelligence@DailyDarkWeb·
🌎 A threat actor is claiming to be selling the full database of Grido across multiple countries where the company operates.

According to the post, the alleged dataset contains approximately 4.9 million records (~2.3GB) and is being offered for sale for $500. The actor also claims to provide ongoing access to newly registered records in “real time” for an additional fee.

The threat actor further stated:
* The database allegedly spans multiple countries
* Access to the original source/system is allegedly available
* Future targeting references toward Peru were mentioned
* The actor issued direct warnings toward organizations in the region

At this stage, the authenticity of the claims and the extent of any potential compromise have not been independently verified.

#DDW #Intelligence #Grido #DarkWeb
零零信安@00seccom·
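🚨 Threat actor mosad has leaked 2 classified reports from Russia's FSB (Federal Security Service)!

Main leaked fields/content include:
• Methodological Recommendations (methodological recommendations for intelligence interception operations)
• Review of Detection of Intelligence Activities (review report on the detection of intelligence activities)
• Detailed descriptions of intelligence interception procedures, authorization mechanisms, and data processing methods
• Analysis of the surge in foreign intelligence activity since 2022 (pointing mainly to Ukrainian and Western intelligence agencies)
• Specific techniques such as online recruitment, OSINT, and social engineering, along with preventive recommendations

#ThreatIntelligence #DataLeak #FSB #Russia #CyberSecurity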
零零信安@00seccom·
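🇰🇷🚨 Threat actor mosad has leaked 3.8GB of complete UAV (drone) documentation from the South Korean military!

Main leaked fields/content include:
• 3.8 GB of complete South Korean military UAV documentation
• Operation manuals, technical specifications, maintenance instructions, engineering drawings, etc.
• Material related to the development and deployment of South Korean military UAVs

#ThreatIntelligence #DataLeak #UAV #SouthKorea #CyberSecurity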
零零信安@00seccom·
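🇨🇳🚨 A threat actor has leaked the user contact and activity log database of China's 56qq.com (货车帮, Huochebang)!

Main leaked fields include:
• Contacts (user contact information: username, email, gender, date of birth, registration information, address, etc.)
• User Access Logs (user access logs: IP address, login records, online duration, activity timestamps, etc.)
• User Credits And Engagement (user credit points and engagement data)

#ThreatIntelligence #DataBreach #CyberSecurity #china #leaks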
零零信安@00seccom·
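4. Major incidents of the day

1. Sidra Kuwait Hospital (Kuwait, healthcare): Sidra Kuwait Hospital is a well-known hospital in Kuwait that provides comprehensive medical services. In this incident it was attacked by Everest and related data was made public.
2. Hospice Savannah (United States, healthcare): Hospice Savannah is a US medical institution that provides hospice and palliative care services. In this incident it was attacked by Cmd Organization and related data was made public.
3. Alpine Aerotech (Canada, aviation maintenance): Alpine Aerotech is a Canadian aviation maintenance and component manufacturing company that mainly serves airlines. In this incident it was attacked by Akira and related data was made public.
4. American Battery Factory (United States, battery manufacturing): American Battery Factory is a US battery manufacturer that mainly produces lithium battery products. In this incident it was attacked by Worldleaks and related data was made public.

#Ransomware #Everest #TheGentlemen #CyberSecurity #ThreatIntelligence #DataBreach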
零零信安@00seccom·
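May 28, 2026 Ransomware Monitoring Daily Report | 零零信安 Dark Web Threat Intelligence

零零信安, a leading dark web threat intelligence provider in China, focuses on providing governments and enterprises with full-spectrum dark web intelligence monitoring, data leak detection, and closed-loop incident response services.

On May 28, 2026 there were approximately 35 new ransomware incidents, with 9 ransomware groups remaining active, mainly attacking the healthcare, manufacturing, logistics, and education sectors. We recommend paying close attention to high-risk IOCs for Everest and The Gentlemen.

1. Key insights

Ransomware incident analysis for May 28, 2026: On May 28, 2026 there were approximately 35 new ransomware incidents, with 9 ransomware groups remaining active, a marked rebound from the previous day. Everest led by a wide margin with 8 incidents, followed closely by The Gentlemen with 5 and Akira with 4. The attacks mainly targeted the healthcare, manufacturing, logistics, and education sectors, with high-value targets in the United States, Europe, Asia, and elsewhere hit with precision. The overall impact is medium to high, and the healthcare, manufacturing, and logistics industries are expected to strengthen their security protections in the short term. Groups such as Everest and The Gentlemen were highly active today; enterprises are advised to pay close attention to high-risk IOCs for Everest and The Gentlemen.

#Ransomware #RansomwareDaily #CyberSecurity #ThreatIntelligence #DataBreach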
零零信安@00seccom·
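3. Active ransomware group analysis

9 groups were active that day. Listed below are the groups, their incident counts for the day, and their commonly used attack techniques (based on public intelligence).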
零零信安@00seccom·
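2. Ransomware incident analysis

There were 35 incidents in total that day. Listed below are the clearly identified affected companies observed that day.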
零零信安@00seccom·
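4. Major incidents of the day

1. President Container Group (United States, container manufacturing): President Container Group is a leading US container manufacturer that mainly supplies products to the logistics and transportation industries. In this incident it was attacked by Dragonforce and related data was made public.
2. William Davis Homes (Canada, home building): William Davis Homes is a Canadian home builder mainly engaged in residential development and construction. In this incident it was attacked by Qilin and related data was made public.
3. Mainstreet Organization of REALTORS (Canada, real estate): Mainstreet Organization of REALTORS is a Canadian professional organization for real estate agents. In this incident it was attacked by Qilin and related data was made public.
4. J.C. Ripberger Construction Corporation (United States, construction): J.C. Ripberger Construction Corporation is a US company specializing in building construction. In this incident it was attacked by Dragonforce and related data was made public.

#Ransomware #Dragonforce #Qilin #CyberSecurity #ThreatIntelligence #DataBreach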
零零信安@00seccom·
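May 27, 2026 Ransomware Monitoring Daily Report | 零零信安 Dark Web Threat Intelligence

零零信安, a leading dark web threat intelligence provider in China, focuses on providing governments and enterprises with full-spectrum dark web intelligence monitoring, data leak detection, and closed-loop incident response services.

On May 27, 2026 there were 38 new ransomware incidents, with 8 ransomware groups remaining active. Dragonforce led by a wide margin with 15 incidents. We recommend paying close attention to high-risk IOCs for Dragonforce and Qilin.

1. Key insights

Ransomware incident analysis for May 27, 2026: On May 27, 2026 there were 38 new ransomware incidents, with 8 ransomware groups remaining active, a marked rebound from the previous day. Dragonforce led by a wide margin with 15 incidents, followed closely by Qilin with 4. The attacks mainly targeted the manufacturing, real estate, logistics, and education sectors, with high-value targets in the United States, Canada, Europe, and elsewhere hit with precision. The overall impact is medium to high, and the manufacturing, real estate, and logistics industries are expected to strengthen their security protections in the short term. Groups such as Dragonforce and Qilin were highly active today; enterprises are advised to pay close attention to high-risk IOCs for Dragonforce and Qilin.

#Ransomware #RansomwareDaily #CyberSecurity #ThreatIntelligence #DataBreach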
零零信安@00seccom·
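3. Active ransomware group analysis

8 groups were active that day. Listed below are the groups, their incident counts for the day, and their commonly used attack techniques (based on public intelligence).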
零零信安@00seccom·
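2. Ransomware incident analysis

There were 38 incidents in total that day. Listed below are the clearly identified affected companies observed that day.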
零零信安 retweeted
Dark Web Informer@DarkWebInformer·
🚨🇪🇸 Spanish public payroll panel allegedly offered for sale

A threat actor claims to have access to 371 payroll accounts tied to a Spanish public management portal, allegedly allowing modification of bank deposit details used for SEPA payroll payments.

What’s allegedly exposed:
• 371 payroll accounts
• April payroll total of €962,246.73 net after taxes
• Employee bank/payment fields including IBAN-related details
• Claimed PDF proof and access screenshots

Details:
𝗧𝗮𝗿𝗴𝗲𝘁: Spanish public management payroll portal
𝗖𝗼𝘂𝗻𝘁𝗿𝘆: Spain
𝗦𝗲𝗰𝘁𝗼𝗿: Public sector / Payroll
𝗔𝗰𝘁𝗼𝗿: pw0x2
𝗖𝗹𝗮𝗶𝗺: Administrative payroll access sale
𝗢𝗯𝘀𝗲𝗿𝘃𝗲𝗱: May 26, 2026

Stop guessing what's redacted. Subscribers see everything: darkwebinformer.com/pricing
零零信安@00seccom·
Agreed 🙆‍♀️
vx-underground@vxunderground

Chat, let me tell you something

In cybersecurity there are two things of immense value that will determine your career prospects as well as how your peers will treat you.

1. Your knowledge base
2. Your ability to shut up

Literally nothing else matters.

You don't have to be some 1337 demigod zero day researcher to have respect, but if you're educated enough in your discipline (cloud security, physical security, malware, whatever), you're golden. Pick a topic, know your stuff, don't be a jerk.

The infinitely MORE valuable asset though is your ability to remain SILENT.

Hear some crazy rumor? Shut the fuck up and don't say anything to anyone.

Hear about a potential arrest coming from some Threat Intel people? Shut the fuck up and don't say anything to anyone.

Did you hear some Threat Actors discuss a compromise? Shut the fuck up and don't say anything to anyone.

See someone get "doxxed"? Shut the fuck up and don't say anything to anyone.

Did a colleague or peer disclose something to you that they shouldn't have? Shut the fuck up and don't say anything to anyone.

Are some Threat Actors having a conflict online? Shut the fuck up and don't say anything to anyone.

The only time, with little to no nuance, something can be discussed is if it is public-public. Otherwise, it is in your best interest to remain quiet and mind your own business.

Being loud can cause many problems, but drama and conflict is a big no-no in our field especially with it being so relatively small

零零信安 retweeted
Dark Web Intelligence@DailyDarkWeb·
🇺🇸 A new underground post is claiming a “1 million Bank of America database” leak being distributed for free.

At the moment, there is no verified evidence confirming this is a fresh or legitimate breach of Bank of America itself. However, posts like this are still operationally significant for several reasons:
• Criminal actors frequently use major financial brands to attract attention, reputation, and traffic on underground forums
• “Free leaks” are often used to build credibility, distribute malware, spread stealer logs, or promote premium services
• Old datasets are commonly repackaged and rebranded as “new” breaches
• Threat actors may combine multiple historical leaks into a single “mega database” and market it as fresh

One important detail here is the wording: “We distribute this database for free.” That language is commonly associated with:
• Reputation-building campaigns
• Traffic generation
• Forum promotion
• Credential validation operations
• Malware seeding
• Telegram/Session channel growth
• Escrow baiting
• Follow-on monetization schemes

Financial-sector themed leaks also create immediate psychological impact because users instinctively associate them with:
• Account compromise
• Banking fraud
• Identity theft
• Card abuse
• Wire fraud
• Credential stuffing attacks

Even if the dataset itself is recycled, the operational risks remain real because threat actors routinely weaponize:
• Historical credential collections
• Password reuse
• Email enumeration
• Social engineering enrichment
• SIM swap preparation
• Banking phishing campaigns

Another major concern is downstream fraud amplification. When a large financial brand is mentioned in underground forums, secondary actors often rapidly launch:
• Fake breach notifications
• Smishing campaigns
• MFA reset scams
• Fake banking portals
• Customer support impersonation
• Mobile banking phishing kits

This means the “announcement effect” itself can become dangerous even before the authenticity is confirmed.

For defenders and financial institutions, events like this should trigger:
• Credential monitoring
• Brand impersonation tracking
• Phishing infrastructure hunting
• Customer awareness alerts
• Fraud telemetry review
• Login anomaly monitoring
• Password reset abuse detection
• SIM swap escalation monitoring

because modern underground ecosystems increasingly blend: Data leaks + phishing + telecom abuse + social engineering + financial fraud into coordinated attack chains.

One additional observation: The post lacks many characteristics typically associated with high-confidence ransomware or elite access broker disclosures:
• No technical proof
• No schema breakdown
• No sample structure
• No timestamps
• No access methodology
• No verification artifacts

That raises the possibility this may be:
• recycled data
• fake branding
• attention-seeking activity
• scam monetization
• forum engagement bait

But until datasets are independently validated, these posts should still be treated as potential early-warning indicators rather than ignored outright.

#DDW #BankOfAmerica #CyberCrime #DarkWeb #DataLeak #ThreatIntelligence #Fraud #IdentityTheft #FinancialSecurity #CyberSecurity
零零信安 retweeted
Dark Web Intelligence@DailyDarkWeb·
🇨🇳 A threat actor is advertising the alleged sale of 65,000+ user records from the Chinese forum “pincong.rocks,” including usernames and passwords.

According to the underground post, the dataset allegedly contains:
• User IDs
• Usernames
• Passwords
• Forum profile metadata

The actor also claims the credentials could be used for credential stuffing attacks against:
• Gmail
• Hotmail
• Outlook
• Other email services where users reused passwords

This is one of the most common downstream risks following forum and community platform breaches. Threat actors increasingly rely on:
• password reuse
• credential stuffing
• automated login attempts
• identity correlation
• email takeover campaigns

rather than directly breaching hardened enterprise systems.

Even relatively small forum leaks can become operationally valuable because online communities often contain:
• politically active users
• researchers
• journalists
• dissidents
• activists
• pseudonymous identities linked to real-world accounts

If credentials are reused across services, compromise can quickly escalate beyond the original platform. The underground post specifically emphasizes reuse attacks against email providers, which highlights how attackers continue to monetize: “one password reused everywhere.”

Organizations and individuals should prioritize:
• unique passwords per service
• MFA adoption
• credential exposure monitoring
• password manager usage
• login anomaly detection

At this stage, the authenticity and freshness of the alleged dataset remain unverified.

#DDW #Intelligence #Pincong
零零信安@00seccom·
This forum is very high-risk; I suggest everyone take a look at it.
零零信安 retweeted
Dark Web Intelligence@DailyDarkWeb·
🇯🇵 A threat actor is advertising an alleged dataset linked to Japan’s National Personnel Authority (jinji.go.jp), claiming exposure of approximately 742,000 records involving government employee and payroll-related data.

According to the listing, the alleged dataset includes:
• full names and demographic information
• dates of birth and personal contact details
• home addresses and postal information
• payroll and salary records
• pension and health insurance identifiers
• bank account and payroll administration data
• ministry and departmental assignment details
• employment status and organizational role information

Government personnel datasets are considered highly sensitive due to their potential value for espionage, social engineering, and financial fraud operations.

The alleged inclusion of payroll and departmental assignment records could potentially enable:
• targeted phishing against government employees
• impersonation and identity theft
• financial fraud using payroll metadata
• mapping of government organizational structures
• intelligence gathering against public-sector personnel

The exposure of employee allocation, ministry affiliations, and payroll-related information may also present national security and insider-risk concerns depending on the authenticity and scope of the alleged data.

At this stage, the authenticity and scope of the alleged dataset remain unverified.

#DDW #Intelligence #Jinji

🇯🇵 A threat actor is advertising an alleged dataset linked to my.au.com, claiming exposure of approximately 243,000 customer and service-management records.

According to the listing, the alleged dataset includes:
• customer names and phone numbers
• email addresses and mailing information
• encrypted passwords
• service order and subscription records
• billing and payment-related metadata
• device and equipment serial references
• customer support ticket information
• account status and login activity details

Telecommunications and customer account datasets are frequently targeted because they can be leveraged for:
• credential stuffing and account takeover attacks
• SIM swap and mobile fraud operations
• phishing and impersonation campaigns
• social engineering using customer service history
• identity theft and subscription fraud

The alleged inclusion of encrypted passwords, billing cycles, subscription data, and service-order history may significantly increase the operational value of the dataset for cybercriminal actors.

At this stage, the authenticity and scope of the alleged dataset remain unverified.

#DDW #Intelligence #MyAU #DarkWeb