Archive for SOCRadar

B1ack’s Stash Releases 4.6 Million Stolen Credit Cards for Free

Posted in Commentary with tags on May 18, 2026 by itnerd

According to new analysis by the SOCRadar threat intelligence team, B1ack’s Stash, one of the most active illicit card shops on the Dark Web, has announced the free release of approximately 4.6 million stolen credit card records, this time framing it as a response to seller misconduct on its own platform.

Through a forum post targeting the criminal underground, B1ack’s Stash recently declared the suspension of approximately 8 million stolen CVV2 records from its active inventory. The stated reason: sellers on the platform had been reselling cards purchased from B1ack’s Stash in competing shops, violating the marketplace’s internal rules. Rather than simply removing the affected cards, the operator(s) behind the marketplace chose to release approximately 4.6 million of them as a free download, directing users to the marketplace’s Freebies section.

The leaked data, which appears to be sourced from e-commerce skimming or phishing operations, includes:

  1. Full credit/debit card numbers
  2. Expiration dates
  3. CVV2 code
  4. Cardholder’s full name
  5. Billing address
  6. Email address
  7. Phone number
  8. IP address

SOCRadar’s analysis found the records consistent with genuine compromise data, passing BIN and algorithm checks. After filtering duplicates, expired cards, and previously known entries, an estimated 4.3 million cards appear to be net new and potentially actionable. SOCRadar’s validation of the dataset is ongoing.
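As an added illustration of the kind of triage the paragraph describes (this is not SOCRadar’s code or method), the following Python applies a Luhn check, a BIN-prefix check against a reference table, expiry filtering, and deduplication against a set of previously known cards. The sample records, the BIN table and the known-card set are constructed placeholders built from public test card numbers.

```python
import hashlib
from datetime import date
def luhn_valid(pan: str) -> bool:
    # Luhn (mod 10) check; doubles every second digit from the right.
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def not_expired(exp: str, today: date) -> bool:
    # A card stays usable through the last day of its MM/YY month.
    try:
        mm, yy = exp.split("/")
        month, year = int(mm), 2000 + int(yy)
    except ValueError:
        return False
    return 1 <= month <= 12 and (year, month) >= (today.year, today.month)

def pan_hash(pan: str) -> str:
    # Compare hashes rather than raw PANs so the known-card set holds no cleartext.
    return hashlib.sha256(pan.encode()).hexdigest()

def triage(records, known_hashes, bin_prefixes, today):
    # records: (pan, expiry) pairs. Keep those that pass Luhn, are unexpired, start
    # with a BIN from the reference table, and are neither duplicates nor known.
    seen, out = set(), []
    for pan, exp in records:
        if (not luhn_valid(pan) or not not_expired(exp, today)
                or not pan.startswith(tuple(bin_prefixes))):
            continue
        h = pan_hash(pan)
        if h in known_hashes or h in seen:
            continue
        seen.add(h)
        out.append((pan, exp))
    return out

# Constructed sample dump using public test PANs, not real leaked cards.
SAMPLE = [
    ("4111111111111111", "12/30"),  # net new
    ("4111111111111111", "12/30"),  # in-dump duplicate
    ("4111111111111112", "12/30"),  # fails Luhn
    ("4242424242424242", "01/20"),  # expired
    ("5555555555554444", "06/28"),  # previously known
    ("378282246310005", "09/29"),   # net new
]
BINS = {"411111", "424242", "555555", "378282"}  # constructed BIN table
KNOWN = {pan_hash("5555555555554444")}
def net_new(today=date(2026, 5, 18)):
    return triage(SAMPLE, KNOWN, BINS, today)
```

Running `net_new()` against the constructed dump leaves two of the six records, which is the “net new” figure the analysts would then validate further.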

For full details on this leak, including geographical and threat actor breakdowns, the analysis can be read here: https://socradar.io/blog/b1acks-stash-4-6-million-stolen-credit-cards-free/

SOCRadar Named a Visionary in 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies

Posted in Commentary with tags on May 12, 2026 by itnerd

SOCRadar, a global leader in extended threat intelligence and cybersecurity, today announced it has been named a Visionary in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies, which helps leaders evaluate the right CTI technologies against the most impactful threats. This is the first time SOCRadar has been evaluated and ranked by Gartner.

According to Gartner, SOCRadar’s agentic Extended Threat Intelligence Platform is a unified system that brings together digital risk protection, threat intelligence, and attack surface monitoring. The platform serves enterprises, MSSPs, and government organizations that need visibility across surface, deep, and dark web, enriched with identity, brand, infrastructure, and vulnerability intelligence. As well, the Gartner report highlights the SOCRadar MCP Server and SOCRadar Copilot for AI-driven insights, adversary attribution, alert prioritization, supply chain risk analysis, and phishing detection through modular agent-based logic.

To gain free access to the full Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies report, please see this link

Checkmarx Jenkins Plugin Backdoored in New TeamPCP Supply Chain Attack

Posted in Commentary with tags on May 11, 2026 by itnerd

TeamPCP has been found backdooring the Checkmarx Jenkins plugin in a new supply chain attack.

SOCRadar security researchers have been tracking this activity and have included their analysis in a new post Checkmarx Jenkins Plugin Backdoored in New TeamPCP Supply Chain Attack:

  • They’re seeing Checkmarx hit twice in weeks, and the attacker confirmed why in their own defacement note: incomplete secret rotation after March. This isn’t bad luck, it’s an unfinished remediation.
  • The researchers’ broader concern is CI/CD pipelines as a category. Build environments are routinely underprotected despite holding credentials that unlock everything in production. A backdoored security scanner is the worst-case version of that blind spot.
  • SOCRadar researchers are also reading TeamPCP’s activity across PyPI, npm, GitHub Actions, and now Jenkins as a coordinated sweep, not isolated incidents. And if you’re hunting right now, the Dune-themed repository names across their infrastructure are a concrete detection signal worth chasing.

According to SOCRadar researchers:

“What makes this particularly dangerous for Jenkins users is the trust model at play. The Checkmarx Jenkins plugin is a tool people install specifically to improve the security of their pipelines. A backdoored version doesn’t just compromise one project; it rides trusted infrastructure into every build pipeline it touches, with

The report can be found here: Checkmarx Jenkins Plugin Backdoored in New TeamPCP Supply Chain Attack

Malicious Trading Site Drops “Needle Stealer” to Harvest Browser Data

Posted in Commentary with tags on April 22, 2026 by itnerd

Researchers have uncovered a new attack campaign that uses a previously seen malware loader to deliver a different threat: Needle Stealer, a data-stealing malware designed to quietly harvest sensitive information from infected devices, including browser data, login sessions, and cryptocurrency wallets. This time, attackers use a website promoting a tool called TradingClaw (tradingclaw[.]pro), which claims to be an AI-powered assistant for TradingView, a legitimate platform used by traders to analyze financial markets. The fake TradingClaw site is not part of TradingView, nor is it related to the legitimate startup tradingclaw[.]chat. Instead, it is being used as a lure to trick people into downloading malware.

More details can be found here: https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers

Ensar Seker, CISO at SOCRadar, commented:

“This campaign reflects a growing shift where threat actors weaponize trust in legitimate platforms like TradingView by building highly convincing AI-themed lures around them. The use of “AI trading assistants” is particularly effective because it targets both curiosity and financial motivation, lowering user skepticism. What stands out here is the reuse of a known loader to deploy a different payload, which shows how modular and scalable modern malware operations have become.

More importantly, the focus on harvesting browser sessions and crypto wallets signals that attackers are prioritizing immediate monetization over persistence. Once session tokens are stolen, MFA becomes irrelevant, and accounts can be hijacked in real time. Organizations and individuals need to treat any third-party tool claiming integration with financial platforms as high risk unless it is directly verified.

This is not just malware delivery, it is identity compromise at scale disguised as innovation.”

This is scary, as it is a big jump in terms of what threat actors can do. Thus you really need to be hyper aware of threats, as they can come from anywhere and pop up in the most unexpected places.

Iran War Cyber Threat Outlook: Conflict Phases and What Comes Next

Posted in Commentary with tags on April 17, 2026 by itnerd

Since the Iran War began on February 28th, the SOCRadar threat team has tracked 1,357 incidents in the first month alone, spanning 25+ countries, 15+ sectors, and 40+ distinct attack groups.

In a threat outlook published this morning, SOCRadar’s up-to-date assessment of the conflict reveals a significant pattern: the cyber dimension of this conflict has moved through distinct, recognizable phases, each with a different threat profile for organizations operating in targeted regions and sectors.

According to the analysis, the phases of the Iran war have so far included:

  1. Kinetic Shock & Cyber Reflection (Feb 28-Mar 6)
  2. Coalition Building & Geographic Expansion (Mar 7-16)
  3. Persistent Operations & Recon (Mar 16-31)
  4. Entrenchment & Escalation (Ongoing)

The analysis also covers a statistical breakdown of the most common attack types (DDoS by far the most prevalent), top targeted countries (Israel), and the top targeted sectors.

For a full breakdown on how the cyber aspect of this war has unfolded since its onset, including an in-depth analysis of each phase, you can find the analysis here: https://socradar.io/blog/iran-war-cyber-threat-outlook-conflict-phases/

SOCRadar Puts Out A Research Report On The Stealer Ecosystem

Posted in Commentary with tags on April 13, 2026 by itnerd

The stealer ecosystem has matured into a professionalized criminal economy that most organizations are simply not monitoring closely enough.

While the industry fixates on household names like Lumma and RedLine, a growing class of lesser-known, actively deployed stealers (Void, a C++ infostealer that emerged in late 2025; Datura; Misericorde; Saturn; and others) is quietly collecting credentials, session cookies, and crypto wallet data from victims worldwide, feeding logs into underground markets that fuel ransomware, account takeovers, and business email compromise.

In a just-released research report, The Unknown Stealers: From Dark Web to Log Markets, SOCRadar researchers identify up to six simultaneous active campaigns running on the Void infrastructure. Each campaign used slightly modified binaries, a natural artifact of different affiliates configuring their own builds, but all shared the same underlying C2 relay architecture and Steam-based resolution mechanism. Some Steam accounts used in earlier campaigns had already been deleted, indicating active infrastructure rotation. Void is a textbook example of how low-profile, under-monitored stealers can operate at scale before anyone is paying attention.

You can read the research report here: https://socradar.io/resources/whitepapers/stealer-dark-web-log-markets

SOCRadar Launches AI Agent Marketplace and Identity Intelligence

Posted in Commentary with tags on March 23, 2026 by itnerd

Today at RSA Conference 2026, SOCRadar launched its new AI Agent Marketplace, an integrated hub where organizations can browse, purchase, and deploy specialized autonomous AI agents tailored for specific cybersecurity tasks and use cases in the SOCRadar XTI Platform. This includes phishing detection, brand abuse protection, and dark web monitoring. By unbundling the traditional ‘all-in-one’ platform, this modular ecosystem liberates security teams from rigid, legacy software in favor of a precision-led approach. Organizations can easily select and deploy only the specific agents required for their unique use cases, with the granular controls and customization to perfectly fit high-precision workflows.

SOCRadar also introduced Identity and Access Intelligence capabilities to its Extended Threat Intelligence Platform to bridge the gap between internal identity security and external exposure. The new capabilities are designed to secure identity “blind spots” such as credential exposures detected in third-party SaaS environments, dark web marketplaces, and collaboration platforms.

Credentials are a hot commodity for opportunistic threat actors looking to launch identity-based attacks. According to IBM, approximately 388 million credentials were stolen in 2025 from just 10 top online platforms including Meta and Google. Additionally, data breaches have surged 475% over the past decade with adversaries moving faster and hitting harder. This has culminated in the 2025 global average cost of a data breach hitting $4.4 million.

SOCRadar is also launching a new Identity & Access Threat Intelligence AI Agent, which can analyze the data files associated with a compromised machine (e.g. session cookies, credentials, etc.) to help analysts quickly determine the source of a leak and generate a risk analysis report. This is the first of many AI Agents to be released as part of the new AI Agent Marketplace.

Key Features of SOCRadar’s Identity and Access Intelligence Capabilities

SOCRadar’s Identity and Access Intelligence capabilities leverage Identity-Related Risk Clarification to understand risk and make faster decisions.

Clear Security Narratives allow analysts to easily visualize attack steps and system-level artifacts, translating raw data into clear, actionable security narratives. This includes:

Company Insights: Delivers contextualized visibility into an organization’s digital footprint and compromised users so customers learn which function, asset, and risk chain was exposed.

  • Enterprise Attack Surface Risk Profile: Maps externally exposed enterprise services and domains into categorized risk profiles so customers can associate risks and prioritize by potential blast radius.
  • Third-Party Service Credential Exposure: Reveals external SaaS providers where leaked or reused credentials are associated with your domain.
  • Customers can now understand not just that credentials were leaked, but which systems they unlock and how they could enable lateral movement.

File Insights: Presents an interactive snapshot of a compromised endpoint and lets users review how credentials were exfiltrated and stored on disk by the stealer.

Tag Insights: Exposed artifacts are classified using descriptive tags to indicate their type and context. Sensitive data can be viewed at a glance within the attack flow and endpoint view.

The Cookie Analysis section filters and displays browser-stored cookies and allows sorting by domain, cookie name, or filter. Customers can also assess potential for abuse by analyzing secure flag indicators and cookie entropy surfaced by the platform.

Attack Flow Visualization: Reconstructs the end-to-end infection path, starting from the internet entry point and progressing through malware execution, system interaction, and endpoint compromise.

  • Customers can view the complete infection chain, including the stealer involved, its origin, where it executed on the victim machine, and what data was exfiltrated.

AI-Powered Analysis: Provides natural-language-driven risk analysis that summarizes exposure, highlights prioritized threats, and provides remediation guidance for compromised identities. Customers can see an auto-summarization of the infection severity, such as device context, critical risks, and exposed identities, and can get recommended remediation actions.

Over 676 Million U.S. Identity Records Including SSNs Exposed by Public Elasticsearch Instance

Posted in Commentary with tags on March 3, 2026 by itnerd

The SOCRadar threat intelligence team over the weekend identified a publicly accessible Elasticsearch instance containing over 676 million indexed U.S. identity records, including full SSNs and complete identity profiles.

The dataset was exposed to the internet without authentication, enabling unrestricted access to full identity attributes, including SSNs, dates of birth, historical address records, and phone numbers.

The exposed instance contained highly sensitive personal data at a scale exceeding the current U.S. population. This finding represents an extreme-scale identity risk.

Even if duplicate or historical entries exist, the presence of searchable government-issued identifiers in an unauthenticated database places this case in the Critical severity category.

More details can be found here: https://socradar.io/blog/us-elasticsearch-leak-676m-identity-records-ssn-exposure

The U.S. Financial Industry at the Epicenter of the Global Cybercrime Economy

Posted in Commentary with tags on February 27, 2026 by itnerd

According to new SOCRadar threat intel, the U.S. financial sector now stands squarely at the center of the global cybercrime economy, enduring roughly half of all financial phishing attacks and nearly a quarter of all dark web threat activity.

Adversaries are now pivoting from basic software exploits to highly sophisticated, AI-driven crime waves, relentless BEC campaigns, and stealthy third-party supply chain infiltrations.

In an analysis that can be read here, the SOCRadar research team has broken down how the U.S. financial sector is uniquely in the crosshairs of cyber criminals, what the dominant attack vectors are, and some key steps that financial leaders should take to fortify their defenses.

Key findings include:

  1. The U.S. financial sector accounts for 23.52% of all finance-related dark web threat activity and 48.02% of global phishing activity.
  2. Over 80% of dark web threat types are centered on exposing data and databases, with 74.49% of dark web posts involving selling these assets.
  3. Dominant attack vectors targeting U.S. financial institutions include social engineering, BEC, and, increasingly, AI-powered exploits.
  4. Third-party vendors remain critical vectors for systemic risk.

For full details, here is the analysis: https://socradar.io/blog/finance-industry-us-institutions-2026/

Elasticsearch Instances Expose 43M+ Records Including Credentials, Credit Cards, and Customer Data

Posted in Commentary with tags on February 17, 2026 by itnerd

SOCRadar researchers announced the identification of three publicly accessible and misconfigured Elasticsearch instances leaking highly sensitive data, including infostealer logs, credit card information, and millions of personal identity records.

The exposed databases contained more than 43 million records, including over 5 million valid credentials, thousands of credit cards, and large-scale PII and commercial transaction data. All three cases demonstrate how misconfigured Elasticsearch services continue to create immediate and exploitation-ready risks for organizations and individuals.

Key findings include:

  1. Incident 1: 7.2 million infostealer logs and 24,000 credit cards exposed
  2. Incident 2: 35 million Italian PII records publicly accessible
  3. Incident 3: 1.5 million customer records and commercial data exposed

The security team analyzed the exposed instances, notified relevant parties, and assessed the potential impact. The full details of this can be read here: https://socradar.io/blog/elasticsearch-instances-43m-records-data/