DarkJester

141 posts


@DarkJstr

threat researcher ~ medium: @darkjstr ~ sus mail submissions: [email protected]+ mastodon: https://t.co/btqKAbBLTA

Joined December 2018
54 Following, 372 Followers
DarkJester @DarkJstr
Ransomware attack Victim: BASE SPA Data: / TA: Space Bears POC: / Country: Italy @ransomnews
DarkJester @DarkJstr
From WOMEN.dll dropper → Sleestak infrastructure: Multi-stage JScript + PowerShell loader with AES-256 + XOR, process hollowing into aspnet_compiler.exe, Microsoft-spoofed scheduled task (logon trigger), and exposed daily-rotating payload directories on open index listing. Full chain analysis, builder artifacts, IOCs: medium.com/@darkjstr/tracking-a-live-heracles-rat-campaign-from-women-dll-to-sleestak-infrastructure-7545df27646a
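A host-side hunt for two of the artefacts named in the post above: aspnet_compiler.exe being used as a process-hollowing target, and a logon-triggered scheduled task that borrows a Microsoft-looking name but runs something from a user-writable path. This is an added example, not the researcher's tooling or anything from the write-up; the event records are constructed, and the task names, paths, parent-process list and heuristics are assumptions rather than campaign specifics.

```python
"""Hunt Sysmon/Security events for hollowing into aspnet_compiler.exe and for
Microsoft-spoofed logon-triggered scheduled tasks. Added example; all records
below are constructed and the heuristics are assumptions."""
from dataclasses import dataclass
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
HOLLOW_TARGET = "aspnet_compiler.exe"
# Paths an unprivileged user can write to: AppData, ProgramData, Windows\Temp.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
# Names a task author would pick to blend in with the real \Microsoft\Windows tree.
MS_LOOKALIKE = re.compile(r"\b(?:microsoft|windows|onedrive|edge|office)\b", re.I)


@dataclass
class ProcessCreate:      # subset of Sysmon Event ID 1
    image: str
    parent_image: str
    command_line: str


@dataclass
class TaskCreated:        # subset of Security Event ID 4698, task XML already parsed
    task_name: str
    author: str
    trigger: str          # "LogonTrigger", "CalendarTrigger", ...
    command: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_process(ev):
    """Return a reason string if this process creation looks like hollowing, else None."""
    if _basename(ev.image) != HOLLOW_TARGET:
        return None
    parent = _basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:
        return f"{HOLLOW_TARGET} spawned by script host {parent}"
    # Legitimate builds pass -v/-p arguments; a bare image path is the hollowing pattern.
    if _basename(ev.command_line.strip().strip('"')) == HOLLOW_TARGET:
        return f"{HOLLOW_TARGET} launched with no arguments"
    return None


def flag_task(ev):
    """Flag logon-triggered tasks that combine a Microsoft-looking identity with a
    user-writable action path; either signal on its own is too noisy to alert on."""
    if ev.trigger != "LogonTrigger":
        return None
    lookalike = bool(MS_LOOKALIKE.search(ev.task_name) or MS_LOOKALIKE.search(ev.author))
    writable = bool(USER_WRITABLE.search(ev.command))
    if lookalike and writable:
        return "Microsoft-looking task name/author with action in user-writable path"
    return None


def hunt(events):
    hits = []
    for ev in events:
        reason = flag_process(ev) if isinstance(ev, ProcessCreate) else flag_task(ev)
        if reason:
            hits.append((type(ev).__name__, reason))
    return hits


# Constructed sample events: three benign, two matching the post's description.
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"'),
    ProcessCreate(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
                  r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                  r"aspnet_compiler.exe -v / -p C:\inetpub\wwwroot\site"),
    TaskCreated(r"\Microsoft\Windows\OneDrive Update", "Microsoft Corporation", "LogonTrigger",
                r'wscript.exe "C:\Users\alice\AppData\Roaming\sys\upd.js"'),
    TaskCreated(r"\Microsoft\Windows\WindowsUpdate\Scheduled Start", "Microsoft Corporation",
                "CalendarTrigger", r"C:\Windows\System32\sc.exe start wuauserv"),
    TaskCreated(r"\Backup", r"CORP\alice", "LogonTrigger",
                r"C:\Users\alice\AppData\Local\Backup\backup.exe"),
]

if __name__ == "__main__":
    for source, reason in hunt(SAMPLE_EVENTS):
        print(f"[{source}] {reason}")
```

The task check deliberately requires both signals: plenty of legitimate tasks live under \Microsoft\Windows, and plenty of user-installed software schedules actions from AppData, but a task that claims Microsoft authorship while launching a script host from a user profile is the combination worth paging on.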
DarkJester @DarkJstr
Ransomware attack Victim: GITIS S.r.l. Data: / TA: Akira POC: yes Country: Italy @ransomnews
DarkJester @DarkJstr
New sale on DarkForums: full Domain Admin access to Italian company SIAV SPA is being offered. The seller claims to have compromised the Domain Admin account, giving access to the internal network and more than 80 SIAV SPA customers. Screenshots and proof pics are available in the post. Exfiltrated / accessible material includes full domain control and customer data. Post published today on DarkForums by user SinobiFan.
DarkJester @DarkJstr
IAB listing, today. Italy, manufacturing sector, $5M–$10M revenue. Access type: OpenVPN. Privilege level: Database Admin (SA). AV/EDR: none detected. Network size: ~50 hosts. Actor: CocoMel0n account Apr 2026, reputation 0, 10 posts. Likely fresh or disposable identity. Asking $708 / 0.00832608 BTC. m @ransomnews
DarkJester reposted
ransomNews @ransomnews
🚨 new #ransomware claim, Italy 🚨
🏴‍☠️ group: #Titan
🧬 ABP Autoricambi S.R.L. | Palma Campania (NA)
🎯 sector: auto parts
🔗 abpautoricambi.it
🗓️ 18 May 2026
📄 sample: yes
▪️ exfiltrated data claimed: -
▪️ exfiltrated data published: 29.80GB
⏲️ deadline: -
#ransomNews #cyberthreats #cybersecurity
DarkJester @DarkJstr
New Ransomgroup in town: Titan x4bccxlsmjsxlnnf3ocvndlshgfkagzytpqmsjnlfykceumnw6i4hkqd[.]onion Abp Autoricambi SRL listed 🇮🇹 No data right now. @ransomnews
DarkJester reposted
ransomNews @ransomnews
🚨 new #ransomware claim, Italy 🚨
🏴‍☠️ group: #M3RX
🧬 Società Produttori Sementi S.P.A. | Argelato (Bo)
🎯 sector: seed processing and production
🔗 psbsementi[.]it
🗓️ 17 May 2026
📄 sample: -
▪️ exfiltrated data claimed: 364.00GB
▪️ exfiltrated data published: -
⏲️ deadline: -
#ransomNews #cyberthreats #cybersecurity
DarkJester @DarkJstr
Tracked an OAuth Device Code phishing campaign back to its C2 blackoctopusking[.]xyz. The lure was a fake OneDrive share, polling endpoint at /api/status/{SID} every 3s waiting for the victim to enter the device code. Pulled the admin panel JS bundle from the exposed root. Static analysis of the React source revealed an explicit Anthropic API key integration under Settings -> AI API Keys, with the label: "Primary AI for BEC reply drafting".
The call chain:
/dash/highvalue -> scans captured mailboxes for financial keywords
/dash/bec/analyze -> submits thread to Claude Sonnet
/dash/bec/regenerate -> iterative draft refinement
IOCs:
blackoctopusking[.]xyz (C2 + panel)
core-drive-wvzc.p-xmnew9m7.workers[.]dev (lure hosting)
mazaigroup[.]co[.]tz (redirector, compromised)
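Detection logic for the device-code phishing chain described in the post above: alert on Entra ID sign-ins that used the OAuth device code protocol, and raise the severity when the same user contacted one of the post's IOC domains (lure host, redirector, C2 and its /api/status/ polling endpoint) in the minutes before the sign-in. This is an added example, not the researcher's tooling. The sign-in field names follow the Microsoft Graph signIn resource (authenticationProtocol, userPrincipalName, ipAddress, appDisplayName, createdDateTime); the proxy-log line format, the user names, IP addresses, timestamps and the 15-minute lookback are assumptions, and every record is constructed.

```python
"""Flag deviceCode sign-ins and enrich them with prior contact to the post's
IOC domains. Added example; sign-in and proxy records are constructed."""
from datetime import datetime, timedelta

IOC_DOMAINS = {
    "blackoctopusking.xyz",                     # C2 + admin panel
    "core-drive-wvzc.p-xmnew9m7.workers.dev",   # lure hosting
    "mazaigroup.co.tz",                          # compromised redirector
}
POLL_PATH = "/api/status/"   # victim-side polling endpoint named in the post
LOOKBACK = timedelta(minutes=15)   # assumed correlation window


def parse_ts(s):
    """ISO-8601 with trailing Z, as Graph emits createdDateTime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def proxy_hits(proxy_log, user, before, window=LOOKBACK):
    """Requests by `user` to an IOC domain within `window` before `before`.
    Constructed proxy line format: '<ts> <user> <host> <path>'."""
    hits = []
    for line in proxy_log:
        ts, u, host, path = line.split()
        if u == user and host in IOC_DOMAINS and before - window <= parse_ts(ts) <= before:
            hits.append((host, path))
    return hits


def detect(signins, proxy_log):
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        when = parse_ts(s["createdDateTime"])
        hits = proxy_hits(proxy_log, s["userPrincipalName"], when)
        alerts.append({
            "user": s["userPrincipalName"],
            "ip": s["ipAddress"],
            "app": s["appDisplayName"],
            "ioc_contacts": hits,
            "saw_poll_endpoint": any(p.startswith(POLL_PATH) for _, p in hits),
            # Device code sign-ins are rare but legitimate (headless devices, CLIs);
            # a prior visit to the lure or the C2 is what turns one into an incident.
            "severity": "high" if hits else "medium",
        })
    return alerts


SIGNINS = [  # constructed
    {"createdDateTime": "2026-05-12T09:14:03Z", "userPrincipalName": "a.rossi@example.it",
     "ipAddress": "203.0.113.45", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-05-12T09:20:41Z", "userPrincipalName": "b.bianchi@example.it",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2"},
]
PROXY_LOG = [  # constructed; the SID value is a placeholder
    "2026-05-12T09:10:11Z a.rossi@example.it mazaigroup.co.tz /share",
    "2026-05-12T09:10:12Z a.rossi@example.it core-drive-wvzc.p-xmnew9m7.workers.dev /onedrive",
    "2026-05-12T09:10:15Z a.rossi@example.it blackoctopusking.xyz /api/status/SID-placeholder",
    "2026-05-12T09:10:18Z a.rossi@example.it blackoctopusking.xyz /api/status/SID-placeholder",
    "2026-05-12T08:00:00Z b.bianchi@example.it blackoctopusking.xyz /api/status/SID-placeholder",
]

if __name__ == "__main__":
    for a in detect(SIGNINS, PROXY_LOG):
        print(a["severity"], a["user"], a["ip"], a["saw_poll_endpoint"], a["ioc_contacts"])
```

The second user's contact with the C2 is outside the lookback window and tied to an ordinary oAuth2 sign-in, so it produces no alert here; in practice that earlier hit should still be chased through the proxy logs on its own, since the device code flow completes on the attacker's side and the victim never sees a second sign-in.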
DarkJester reposted
ransomNews @ransomnews
⚠️ New threat actor on the radar ⚠️ 🥷🏻 Leak Bazaar 🗓️ added on May 10, 2026 👉 Leak Bazaar appears to be a new cybercrime service, not a classic ransomware group. It was advertised around March 25, 2026 on the Russian-speaking TierOne forum by a user called Snow/SnowTeam. Its pitch: take stolen ransomware datasets and turn them into structured, searchable, resale-ready intelligence. Group core points to post-exfiltration monetization. If viable, stolen data from ransomware incidents may remain exploitable long after ransom talks end, especially for targeted phishing, fraud, secondary extortion, and individual pressure campaigns. That’s why we track it as an emerging criminal data-processing marketplace/service for now, not yet as a ransomware cartel. #ransomNews #cybersecurity #newthreatactor
DarkJester @DarkJstr
Malvertising via Typosquatting Identified waybackmachine[.]work impersonating @internetarchive in Google SERP. The site redirects to speedyload[.]site which loads the real archive.org inside an