Archive for SOCRadar

SOCRadar Launches AI Agent Marketplace and Identity Intelligence

Posted in Commentary with tags on March 23, 2026 by itnerd

Today at RSA Conference 2026, SOCRadar launched its new AI Agent Marketplace, an integrated hub where organizations can browse, purchase, and deploy specialized autonomous AI agents tailored for specific cybersecurity tasks and use cases in the SOCRadar XTI Platform. This includes phishing detection, brand abuse protection, and dark web monitoring. By unbundling the traditional ‘all-in-one’ platform, this modular ecosystem liberates security teams from rigid, legacy software in favor of a precision-led approach. Organizations can easily select and deploy only the specific agents required for their unique use cases, with the granular controls and customization to perfectly fit high-precision workflows.

SOCRadar also introduced Identity and Access Intelligence capabilities to its Extended Threat Intelligence Platform to bridge the gap between internal identity security and external exposure. The new capabilities are designed to secure identity “blind spots” such as credential exposures detected in third-party SaaS environments, dark web marketplaces, and collaboration platforms.

Credentials are a hot commodity for opportunistic threat actors looking to launch identity-based attacks. According to IBM, approximately 388 million credentials were stolen in 2025 from just 10 top online platforms including Meta and Google. Additionally, data breaches have surged 475% over the past decade with adversaries moving faster and hitting harder. This has culminated in the 2025 global average cost of a data breach hitting $4.4 million.

SOCRadar is also launching a new Identity & Access Threat Intelligence AI Agent, which can analyze the data files associated with a compromised machine (e.g. session cookies, credentials, etc.) to help analysts quickly determine the source of a leak and generate a risk analysis report. This is the first of many AI Agents to be released as part of the new AI Agent Marketplace.

Key Features of SOCRadar’s Identity and Access Intelligence Capabilities

SOCRadar’s Identity and Access Intelligence capabilities leverage Identity-Related Risk Clarification to help analysts understand risk and make faster decisions.

Clear Security Narratives let analysts visualize attack steps and system-level artifacts, translating raw data into clear, actionable security narratives. This includes:

Company Insights: Delivers contextualized visibility into an organization’s digital footprint and compromised users so customers learn which function, asset, and risk chain was exposed.

  • Enterprise Attack Surface Risk Profile: Maps externally exposed enterprise services and domains into categorized risk profiles so customers can associate risks and prioritize by potential blast radius.
  • Third-Party Service Credential Exposure: Reveals external SaaS providers where leaked or reused credentials are associated with your domain.
  • Customers can now understand not just that credentials were leaked, but which systems they unlock and how they could enable lateral movement.

File Insights: Presents an interactive snapshot of a compromised endpoint and lets users review how credentials were exfiltrated and stored on disk by the stealer.

Tag Insights: Exposed artifacts are classified using descriptive tags to indicate their type and context. Sensitive data can be viewed at a glance within the attack flow and endpoint view.

The Cookie Analysis section filters and displays browser-stored cookies and allows sorting and filtering by domain or cookie name. Customers can also assess the potential for abuse by reviewing the Secure flag and the cookie-value entropy surfaced by the platform: a long, high-entropy, unexpired cookie is far more likely to be a replayable session token than a short, low-entropy preference cookie.
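The triage described above, as an added example that is not SOCRadar's code: it parses a stealer-style cookie dump in the Netscape cookies.txt format (domain, include-subdomains, path, secure, expiry, name, value; the `#HttpOnly_` prefix is the curl/wget convention for HttpOnly cookies), computes the Shannon entropy of each value, and ranks the cookies most likely to be replayable session tokens. The sample dump, the thresholds (3.5 bits per character, 16 characters) and the fixed `NOW` timestamp are constructed for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Constructed sample in Netscape cookies.txt format (not a real stealer log).
SAMPLE_COOKIES_TXT = """# Netscape HTTP Cookie File
.example-bank.test\tTRUE\t/\tTRUE\t1900000000\tSESSIONID\tQ3hK9vL2pT8mZ1wR5nB7yC4dF6gH0jX2
#HttpOnly_.mail.example.test\tTRUE\t/\tTRUE\t1900000000\tauth_token\teyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcDEFghi
.example-bank.test\tTRUE\t/\tFALSE\t1900000000\tlang\ten-US
.tracker.test\tFALSE\t/\tFALSE\t1000000000\tuid\t1234567890
"""

# Fixed "now" so the example is deterministic; a real run would use time.time().
NOW = 1_800_000_000


@dataclass
class CookieRecord:
    domain: str
    name: str
    value: str
    secure: bool
    http_only: bool
    expires: int
    entropy: float  # Shannon entropy of the value, in bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_netscape_cookies(text: str) -> list[CookieRecord]:
    """Parse Netscape cookies.txt; malformed lines are skipped, not guessed at."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        if not line or line.startswith("#"):
            continue  # header / comment line
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _subdomains, _path, secure, expires, name, value = fields
        records.append(CookieRecord(
            domain=domain.lstrip("."), name=name, value=value,
            secure=(secure.upper() == "TRUE"), http_only=http_only,
            expires=int(expires), entropy=shannon_entropy(value)))
    return records


def triage(records: list[CookieRecord], now: int,
           min_entropy: float = 3.5, min_len: int = 16) -> list[CookieRecord]:
    """Cookies that are unexpired, long and high-entropy: the likely session tokens.

    Sorted by domain then name so an analyst can read them per targeted site.
    """
    hits = [r for r in records
            if r.expires > now and len(r.value) >= min_len and r.entropy >= min_entropy]
    return sorted(hits, key=lambda r: (r.domain, r.name))


def summarize(text: str, now: int) -> dict:
    recs = parse_netscape_cookies(text)
    return {
        "total": len(recs),
        "high_value": [(r.domain, r.name, r.secure, r.http_only, round(r.entropy, 2))
                       for r in triage(recs, now)],
    }


if __name__ == "__main__":
    for row in summarize(SAMPLE_COOKIES_TXT, NOW)["high_value"]:
        print(row)
```

The Secure and HttpOnly flags do not protect a cookie that has already been read off disk; they are reported here because a stolen Secure cookie for an HTTPS-only site still replays over HTTPS, and the flags tell the analyst which application set it. The actionable output is the domain list: those are the sessions to revoke first.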

Attack Flow Visualization: Reconstructs the end-to-end infection path, starting from the internet entry point and progressing through malware execution, system interaction, and endpoint compromise.

  • Customers can view the complete infection chain, including the stealer involved, its origin, where it executed on the victim machine, and what data was exfiltrated.

AI-Powered Analysis: Provides natural-language risk analysis that summarizes exposure, highlights prioritized threats, and gives remediation guidance for compromised identities. Customers see an auto-generated summary of infection severity, including device context, critical risks, and exposed identities, along with recommended remediation actions.

Over 676 Million U.S. Identity Records Including SSNs Exposed by Public Elasticsearch Instance 

Posted in Commentary with tags on March 3, 2026 by itnerd

The SOCRadar threat intelligence team over the weekend identified a publicly accessible Elasticsearch instance containing over 676 million indexed U.S. identity records, including full SSNs and complete identity profiles.

The dataset was exposed to the internet without authentication, enabling unrestricted access to full identity attributes, including SSNs, dates of birth, historical address records, and phone numbers.

The exposed instance contained highly sensitive personal data at a scale exceeding the current U.S. population. This finding represents an extreme-scale identity risk.

Even if duplicate or historical entries exist, the presence of searchable government-issued identifiers in an unauthenticated database places this case in the Critical severity category.

More details can be found here: https://socradar.io/blog/us-elasticsearch-leak-676m-identity-records-ssn-exposure

The U.S. Financial Industry at the Epicenter of the Global Cybercrime Economy 

Posted in Commentary with tags on February 27, 2026 by itnerd

According to new SOCRadar threat intel, the U.S. financial sector now stands squarely at the center of the global cybercrime economy, enduring roughly half of all financial phishing attacks and nearly a quarter of all dark web threat activity.

Adversaries are now pivoting from basic software exploits to highly sophisticated, AI-driven crime waves, relentless BEC campaigns, and stealthy third-party supply chain infiltrations. 

In the analysis linked below, the SOCRadar research team has broken down how the U.S. financial sector is uniquely in the crosshairs of cyber criminals, what the dominant attack vectors are, and some key steps that financial leaders should take to fortify their defenses.

Key findings include: 

  1. The U.S. financial sector accounts for 23.52% of all finance-related dark web threat activity and 48.02% of global finance-related phishing activity.
  2. Over 80% of dark web threat types are centered on exposing data and databases, with 74.49% of dark web posts involving the sale of these assets.
  3. Dominant attack vectors targeting U.S. financial institutions include social engineering, BEC, and increasingly AI-powered exploits.
  4. Third-party vendors remain critical vectors for systemic risk.

For full details, here is the analysis: https://socradar.io/blog/finance-industry-us-institutions-2026/

Elasticsearch Instances Expose 43M+ Records Including Credentials, Credit Cards, and Customer Data

Posted in Commentary with tags on February 17, 2026 by itnerd

SOCRadar researchers announced the identification of three publicly accessible and misconfigured Elasticsearch instances leaking highly sensitive data, including infostealer logs, credit card information, and millions of personal identity records.

The exposed databases contained more than 43 million records, including over 5 million valid credentials, thousands of credit cards, and large-scale PII and commercial transaction data. All three cases demonstrate how misconfigured Elasticsearch services continue to create immediate and exploitation-ready risks for organizations and individuals.

Key findings include: 

  1. Incident 1: 7.2 million infostealer logs and 24,000 credit cards exposed
  2. Incident 2: 35 million Italian PII records publicly accessible
  3. Incident 3: 1.5 million customer records and commercial data exposed

The security team analyzed the exposed instances, notified relevant parties, and assessed the potential impact. The full details of this can be read here: https://socradar.io/blog/elasticsearch-instances-43m-records-data/
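Both this post and the 676-million-record post above come down to the same misconfiguration: an Elasticsearch node reachable from the internet that answers without authentication. The check below is an added example (not SOCRadar's tooling) for auditing your own nodes: `GET /` on an open node returns a JSON document with `cluster_name` and `version` fields, while a secured node returns 401 or 403; `GET /_cat/indices?format=json` then lists every index with its document count. The decision logic is separated from the network call so it runs offline against constructed responses; the `SENSITIVE_HINTS` list is a triage heuristic of my own, not an Elasticsearch feature.

```python
import json
import sys
import urllib.error
import urllib.request

# Substrings that often mark indices holding identity or payment data.
# Heuristic for triage only (assumption); tune it to your own naming scheme.
SENSITIVE_HINTS = ("user", "customer", "person", "identity", "ssn",
                   "card", "payment", "credential", "stealer")


def classify_root_response(status: int, body: str) -> str:
    """Interpret the response to GET / on an Elasticsearch node.

    401/403 means security is enforced. 200 with the node-info document
    (cluster_name + version) means anyone who can reach the port can query it.
    """
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            return "unknown"  # something else answered (proxy, HTML page)
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def tally_indices(cat_indices_json: str) -> dict:
    """Summarise GET /_cat/indices?format=json: total documents exposed and the
    indices whose names hint at PII, largest first."""
    total = 0
    suspicious = []
    for row in json.loads(cat_indices_json):
        name = row.get("index", "")
        if name.startswith("."):
            continue  # system indices (.kibana, .security) are not customer data
        docs = int(row.get("docs.count") or 0)
        total += docs
        if any(h in name.lower() for h in SENSITIVE_HINTS):
            suspicious.append((name, docs))
    suspicious.sort(key=lambda t: t[1], reverse=True)
    return {"total_docs": total, "suspicious": suspicious}


def probe(base_url: str, timeout: float = 5.0):
    """Live check against a node you are authorized to test."""
    base = base_url.rstrip("/")
    try:
        with urllib.request.urlopen(base + "/", timeout=timeout) as resp:
            verdict = classify_root_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        verdict = classify_root_response(e.code, "")
    if verdict != "open":
        return verdict, None
    with urllib.request.urlopen(base + "/_cat/indices?format=json", timeout=timeout) as resp:
        return verdict, tally_indices(resp.read().decode("utf-8", "replace"))


# Constructed responses (not from any real instance) so the logic runs offline.
OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "es-prod",
                        "version": {"number": "7.10.2"}})
CAT_INDICES = json.dumps([
    {"index": ".kibana_1", "docs.count": "12"},
    {"index": "customers-2025", "docs.count": "1500000"},
    {"index": "infostealer-logs", "docs.count": "7200000"},
    {"index": "metrics-2026.03", "docs.count": "40000"},
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. http://10.0.0.5:9200
    else:
        print(classify_root_response(200, OPEN_ROOT), tally_indices(CAT_INDICES))
```

If the verdict is `open`, the fix is on the server, not in the scanner: enable `xpack.security.enabled: true` in elasticsearch.yml, bind `network.host` to a private interface, and put the node behind a firewall or reverse proxy so port 9200 is never internet-facing. Run the probe from outside your network after the change to confirm it now returns `auth_required` or nothing at all.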

Operation DoppelBrand: Weaponizing Fortune 500 Brands for Credential Theft and Remote Access

Posted in Commentary with tags on February 16, 2026 by itnerd

SOCRadar threat researchers have published an in-depth analysis of an ongoing cyber campaign against Fortune 500 companies, including Wells Fargo and USAA, by the threat actor known as GS7.

GS7 has been active for years, rotating its infrastructure and impersonating legitimate portals, and has amassed hundreds of malicious domains tied to its modus operandi. Its campaigns include operations targeting banking institutions, technology companies, payment platforms, and other entities.

What distinguishes this actor and its campaigns is the creation of near-identical clones of legitimate portals, used in phishing operations to redirect victims toward credential theft.

The research dives into: 

  • How GS7 has quietly operated for years by rotating infrastructure and impersonating trusted Fortune 500 brands
  • Hundreds of malicious domains tied to GS7’s phishing ecosystem and how they’re deployed at scale
  • The use of near-identical, brand-spoofed portals designed to convincingly harvest credentials
  • Active campaigns targeting banks, financial institutions, technology companies, and payment platforms
  • The actor’s infrastructure rotation tactics and evasion techniques
  • Which industries, regions, and countries are being targeted most heavily
  • What makes this campaign distinct from typical phishing operations, and why it continues to succeed

You can read the research here: https://socradar.io/resources/whitepapers/operation-doppelbrand-fortune-500-access

The MSSP Threat Landscape Report Is Out From SOCRadar

Posted in Commentary with tags on February 11, 2026 by itnerd

In a threat landscape where 60% of underground discussions directly reference security vendors and their products, the question is no longer whether a company’s defenses are good enough; it’s whether they’re being actively monitored, adapted, and evolved.

A just-published MSSP Threat Landscape Report by threat intel company SOCRadar examines how threat actors systematically study, test, and bypass widely deployed security products, and why partnering with a Managed Security Service Provider is essential for true operational resilience. Have a look and consider what adjustments you need to do as an organization to keep yourself safe.

The SOCRadar U.S. Threat Landscape Report 2026 Is Out

Posted in Commentary with tags on January 26, 2026 by itnerd

SOCRadar has just released its U.S. Threat Landscape Report 2026, which highlights the most targeted industries, how threat actors monetize stolen data and access, and how ransomware, phishing, and DDoS attacks continue to pressure U.S. organizations.

Key highlights include: 

  • Top Targeted Sectors: Finance and Insurance leads dark web targeting at 14.39%, followed by Information Services (10.19%) and Public Administration (9.79%), showing sustained focus on high-trust and high-value data sectors.
  • U.S.-Only Targeting Dominates: 88.3% of threats focus exclusively on U.S. entities, while cross-border campaigns remain limited.
  • Monetization Drives Underground Activity: Selling accounts for 70.76% of posts and sharing adds 23.56%, confirming a strong underground market dynamic.
  • Data and Access Are the Main Commodities: Data-related threats represent 61.53%, while access sales reach 29.31%, reinforcing the role of initial access brokers.
  • Ransomware Remains Fragmented: Qilin, Akira, and PLAY together represent 33% of ransomware activity, while smaller groups make up the majority.
  • Phishing Hits High-Trust Targets: Public Administration accounts for 24.08% of phishing attacks, followed by Information Services at 19.45%.
  • HTTPS Makes Phishing Harder to Spot: 77.9% of phishing pages use HTTPS, reducing users’ ability to identify malicious sites.
  • DDoS Volume and Scale Are Severe: 1,036,378 DDoS attacks were recorded, with peak bandwidth reaching 1,475.67 Gbps and average attack duration around 59 minutes.

You can read the report here: https://socradar.io/resources/report/u-s-threat-landscape-report-2026/?utm_campaign=16185902-GatedContent_Country-Reports_Global_0725&utm_source=website&utm_medium=reportspage&utm_term=countryreports&utm_content=US26

THREAT RESEARCH: Czechia Under Coordinated DDoS Assault

Posted in Commentary with tags on January 26, 2026 by itnerd

Today, SOCRadar threat researchers published their findings on the identification of an intensive coordinated DDoS campaign conducted by pro-Russian threat actor, NoName057(16). Between the period of January 19 to 25, there were 5,095 recorded attack entries, overwhelmingly against Czech infrastructure. 

During the seven-day analysis period, the campaign demonstrated unprecedented scale and operational intensity, with daily target list updates distributed through Telegram channels. The campaign’s primary geographic focus on Czechia represents an escalation in NoName057(16)’s strategy of applying sustained pressure on NATO’s eastern flank members and key supporters of Ukraine.

Key findings include: 

  1. More than half of the attacks hit government services (53%).
  2. Critical infrastructure targeted included aviation, railways, and public transport (19.7% of attacks).
  3. Czechia saw 3,803 of the 5,095 attacks. 
  4. NoName057(16) deployed a sophisticated multi-vector attack strategy, combining transport-layer and application-layer attacks. 
  5. The findings indicate that there was a deliberate targeting of encrypted web services including government citizen portals. 
  6. The most targeted host domain was for the Czech National Police. 

For full details, the analysis can be found here: https://socradar.io/blog/ddos-threat-intelligence-czechia-26-jan26/

SOCRadar’s Dark Web Research into Major Underground Markets of 2025

Posted in Commentary with tags on January 15, 2026 by itnerd

The SOCRadar threat research team has published its Annual Dark Web Report, a structured view of illicit activity observed across major underground markets during 2025.

This includes the most impacted industries, U.S. targeting trends, the economy behind the dark web, the scale of stealer impacts, as well as AI democratization. 

Some key findings include: 

  • The U.S. is the primary target across multiple threat types, accounting for 41.42% of ransomware attacks which is a drop from 53.30% in 2024.
  • Public Administration is the most exposed industry on the Dark Web, indicating sustained pressure on government institutions through data leaks.
  • In 2025, Akira took the first place in terms of activity with 8.35% of ransomware attacks.
  • Deepfake, voice manipulation, and pentesting tools are now openly available without dark web access, eliminating the vetting barriers that previously limited access to well-resourced actors.

Furthermore, this research breaks down the value of regional credit cards, the market behind vulnerability exploits (the costs for low-end and mid-tier vulns increased, but high-end ones decreased), as well as the impact of stolen data (Facebook seeing 93.2M accounts among stolen logs). 

The report is here: SOCRadar Annual Dark Web Report 2025

2025 Saw New Highs for Credential Theft, Dark Web Centered on Commercial Exchange, Ransomware and Akira and More

Posted in Commentary with tags on January 8, 2026 by itnerd

According to a just-released report by threat intelligence company SOCRadar, 2025 saw:

  • New highs for credential theft: a total of 388 million credentials were stolen from the ten most affected platforms. Facebook accounted for 93 million records, followed by Google with 67 million and Roblox with 66 million.
    • Gaming platforms were hit especially hard. Roblox, Twitch, and Epic Games together accounted for around 100 million accounts.
  • Dark Web activity centered on commercial exchange, with sales accounting for 59% of observed activity, sharing of stolen data for 33%, and hack announcements for around 5%.
    • The US appeared in nearly 20% of all forum discussions, making it the most referenced country. Public Administration led sector discussions at 13%, followed by Information and Finance at around 10% each.
  • Ransomware Activity Spread Across Groups – Akira led with 8.4% of incidents, followed by Qilin at 7.3% and Cl0p at 5.8%. No group controlled a large share of the landscape.
    • The US saw 41% of all ransomware attacks, while the United Kingdom followed with 18%. Australia, Japan, and Canada completed the top five. English-speaking countries together accounted for more than 60% of reported cases.

What Do These Numbers Mean?

These developments form a connected chain. Credentials are stolen through malware. That access is sold on Dark Web forums. Ransomware groups purchase it and use it to launch attacks. This process creates various risks for organizations on multiple fronts. Employees are targeted first through personal or work accounts. Compromised credentials then become gateways to larger incidents.

The 388 million stolen credentials represent more than isolated breaches. They serve as entry points that enable broader and more damaging attacks.

The full 2025 End of Year Report expands on these findings, covering:

  • Stealer log distribution
  • Dark Web activity
  • Ransomware threats
  • Global phishing activity
  • And a summary of the threat landscape in 2025

To view the full report, see this link: End of The Year 2025 Cyber Analysis