MuskanS

Started with a single #BASHE victim. Ended with links to an older operation called #Eraleign (#APT73). Sometimes the real story isn’t the leak, it’s what’s hiding behind it. Read the full report on @stealthmole_int: …lthmole-intelligence-hub.blogspot.com/2026/05/from-e…

Visit @stealthmole_int website and register now! stealthmole.com

Tomorrow, I’ll be conducting a live @stealthmole_int webinar on #BASHE that unexpectedly uncovered links to an older operation. Sometimes ransomware groups don’t disappear, they rebrand. Join us to see how we investigate using #StealthMole stealthmole.com

Wild

Mirrors of Free City: Investigating the Chinese Marketplace Across Dark & Deep Web What initially appeared to be a single Chinese-language onion marketplace gradually revealed a much broader operational ecosystem built across mirrored infrastructure, Telegram communities, administrative channels, and automated bot activity. As the investigation progressed, Free City consistently demonstrated patterns associated with more mature underground environments, particularly through its use of multiple onion domains and Telegram-based coordination. The investigation also highlighted how closely Telegram and Tor infrastructure now operate together within parts of the Chinese-language underground ecosystem. Marketplace visibility, announcements, escrow-related communication, and promotional activity were no longer confined to hidden services alone, but instead distributed across interconnected Telegram channels and repost networks that helped sustain the platform’s presence over time. At the same time, the fragmented nature of these ecosystems made attribution and infrastructure mapping significantly more challenging. Marketplace references, mirrored domains, automated activity, and community discussions frequently overlapped across unrelated underground spaces, making it difficult to separate direct operational infrastructure from broader ecosystem noise without continuous pivot-based investigation. Although Free City appeared to function as an anonymous escrow marketplace and underground community platform, the investigation ultimately demonstrated something larger: modern underground marketplaces increasingly survive not through a single hidden service, but through distributed ecosystems designed to maintain visibility, continuity, and resilience across multiple interconnected platforms. …lthmole-intelligence-hub.blogspot.com/2026/05/mirror…

Join our upcoming webinar: From Eraleign to BASHE: Investigating the Evolution of a Ransomware Operation BASHE may appear as a newer ransomware operation, but traces across infrastructure, Telegram activity, and leak site behavior point toward something older: Eraleign (APT73). In this session, we’ll walk through how those connections were uncovered using StealthMole through a live dark web intelligence investigation. 📅 Wednesday, 20th May 2026 🕓 4:00 PM (SGT) 🔗 us06web.zoom.us/webinar/regist… 🎁 Lucky draw for selected participants #CyberSecurity #ThreatIntel #Ransomware #DarkWeb #OSINT #CyberSecurityWebinar #StealthMole

Started exploring #Chinese #darkweb through @stealthmole_int and stumbled upon “Free City” (自由城) marketplace. What looked like a single onion site turned into a much larger ecosystem. Full report on #StealthMole Intelligence Hub: …lthmole-intelligence-hub.blogspot.com/2026/05/mirror…

Not all ransomware actors start as “groups.” Some start as: a username, a leak post, and a Telegram channel. Followed one of them → #ShadowByt3$ Mapped the full ecosystem using @stealthmole_int. This is how early-stage #RaaS actually looks. …lthmole-intelligence-hub.blogspot.com/2026/04/from-b…

Not all dark web marketplaces operate alone. Sometimes, they’re just one part of a much larger system: quietly linked through forums, mirrors, and shared infrastructure. We followed one such trail using @stealthmole_int! Read the full report: …lthmole-intelligence-hub.blogspot.com/2026/04/breaki…

#XpertTechy didn’t appear just once. Across different platforms, same patterns kept showing up: similar tools, structures & links that quietly led back to #BlackHat Tools. A closer look using @stealthmole_int revealed how these pieces fit together. …lthmole-intelligence-hub.blogspot.com/2026/04/from-x…

What started as Ransomed News on #Telegram didn’t stay that way. After multiple rebrands and a partnership with #Stormous, it became part of a larger ransomware ecosystem. @stealthmole_int shows this isn’t just rebranding, it’s ecosystem convergence. …lthmole-intelligence-hub.blogspot.com/2026/04/ransom…

While tracking @HellCat, I kept seeing one name tied to access sales not leaks. #Miyako. What started as a simple search on @stealthmole_int turned into: forum profiles, Telegram channels, and rotating accounts all pointing to the same pattern. …lthmole-intelligence-hub.blogspot.com/2026/04/inside…

#Rey wasn’t the target. The name just kept showing up while I was tracking #HellCat. So I followed it using @stealthmole_int. One alias turned into many. Different platforms. Same pattern. Full report on #StealthMole Intelligence Hub: …lthmole-intelligence-hub.blogspot.com/2026/04/rey-ma…

Started looking into #HellCat thinking it was just another #ransomware group. Using @stealthmole_int, the same name kept showing up across forums, #Telegram, onion site tied to multiple victims. What looked scattered at first slowly started connecting. …lthmole-intelligence-hub.blogspot.com/2026/04/hellca…

#IS supporters aren’t just switching platforms anymore, they’re trying to re-engineer how those platforms are accessed. My latest for @GNET_research explores “Operation Ghost Protocol: The 2026 Telegram Hardening Manual” and the shift toward infrastructure-level evasion.

#IndoHaxSec is more than a #hacktivist group: it’s a distributed network operating across #Telegram, forums, and multiple platforms. From data leaks to defacements and alliances, this investigation maps how they operate. Full report on @stealthmole_int: …lthmole-intelligence-hub.blogspot.com/2026/03/indoha…

Free Webinar: From Alias to Attribution Threat actors rarely operate on just one platform. From exploit tools to compromised account sales, their activities often span multiple underground spaces — leaving behind traces that investigators can connect. 𝗜𝗻 𝘁𝗵𝗶𝘀 𝘄𝗲𝗯𝗶𝗻𝗮𝗿, we’ll examine the operational model behind the actor “𝗤𝘂𝗲𝘀𝘀𝘁𝘀” and show how cross-platform signals can be used to link aliases, map activity patterns, and move toward attribution using dark web intelligence. 🗓 𝗠𝗮𝗿𝗰𝗵 𝟮𝟱, 𝟮𝟬𝟮𝟲 ⏰ 𝟰:𝟬𝟬 𝗣𝗠 - 𝟱:𝟬𝟬 𝗣𝗠 (𝗦𝗚𝗧) 📍 𝗟𝗶𝘃𝗲 𝗼𝗻 𝗭𝗼𝗼𝗺 𝗪𝗲𝗯𝗶𝗻𝗮𝗿 🎁 Bonus: Join the session for a chance to win a 𝗟𝘂𝗰𝗸𝘆 𝗗𝗿𝗮𝘄 𝗽𝗿𝗶𝘇𝗲. Secure your spot and join the investigation: egv9g.share-na2.hsforms.com/2PihgCDzxRAaoL… #CyberThreatIntelligence #DarkWeb #ThreatActors #CyberSecurity #OSINT #ThreatIntel #CyberCrime #StealthMole

Started with a leak platform. Ended up inside a #ransomware recruitment network. #RasCorp isn’t just a #Telegram group, it’s where 💬 recruitment 🛠️ RAT tooling 🔐 ransomware ambitions all come together. Full report available on @stealthmole_int: …lthmole-intelligence-hub.blogspot.com/2026/03/inside…

Viewed in this light, RasCorp is less notable for a specific attack or dataset and more significant as an example of how cyber groups attempt to organize themselves in the early stages of operation. Monitoring these emerging networks, particularly those built around recruitment and partnerships, can provide valuable insight into how future ransomware or cybercrime campaigns may develop. …lthmole-intelligence-hub.blogspot.com/2026/03/inside…

While investigating #THEPERSEPHONE ecosystem on @stealthmole_int, I came across #RasCorp. what looked like a simple #Telegram group turned out to be part of a growing #ransomware-focused network. …lthmole-intelligence-hub.blogspot.com/2026/03/inside…