The IT Nerd

In a fresh dark web sweep, SOCRadar researchers have discovered three new issues worth immediate attention:

First, there’s a major auction of roughly 413,000 stolen credit cards, mainly from the U.S. and Canada. The seller is bundling cards from multiple leaks and offering a validity-checking service, indicating an organized marketplace rather than a simple dump.

Second, analysts identified a new malware framework called Weapon Bot. It’s delivered via MSI installers, built on Node.js/Rust/PowerShell, and designed to evade detection. It steals browser data, wallet seeds and session tokens, while also functioning as a botnet platform.

Lastly, threat actors are actively seeking a working exploit for CVE-2024-38077 (“MadLicense”), a critical remote code execution vulnerability in Windows Remote Desktop Licensing Service. The demand suggests potential weaponization and real-world attacks.

For full details, the analysis can be found here: https://socradar.io/blog/weapon-bot-toolkit-madlicense-413k-credit-cards/

SOCRadar.io has published a new report that examines how the dark web economy shifts toward holiday shopper data, and how sectors are exposed through identity leaks, credential dumps, and access sales.

The report also explores the industrialization of gift card fraud, the scale of holiday-themed phishing, and changes in threat actor behavior, including ransomware groups and access brokers.

Key statistics include:

• 311 million stolen accounts listed on dark-web markets in Jan-Oct 2025, 63% tied to retail brands.
• SOCRadar Dark Web Monitoring: 64.9% of retail/e-commerce/delivery posts are selling data or access; 51.2% of all posts involve data or database leaks.
• 8.9 million stolen retail gift cards and 7.5 million QSR gift cards observed for sale on underground markets.
• 692% surge in Black Friday-themed phishing during Thanksgiving week 2024; 327% increase in Christmas-themed phishing in the same period.
• 520% rise in AI-driven automated traffic to retail sites expected before Thanksgiving 2025. Also, an estimated 35.7% of Black Friday shoppers are bots or fake users.

You can read more here: https://socradar.io/resources/whitepapers/holiday-shopping-cyber-threats-2025/

Hacktivism has grown from small online protests into a regular part of the cyber world. What started as activism through hacking now often connects to larger political or strategic goals. 

In 2025, this has been truer than ever. Hacktivist activity is frequent and fast. Many attacks aim for attention more than damage. Leaks, DDoS, defacements, and ransomware now appear together. Telegram and X (Twitter) are key hubs for planning and spreading claims.

SOCRadar researchers have published an analysis on this very subject, diving into hacktivism in 2025, including the types of attacks most prevalent, the regions to watch going forward, and what to expect in 2026. 

You can read their analysis here: https://socradar.io/resources/whitepapers/hacktivism-in-2025-where-politics-meets-cyberspace/

Bulwark is a new tool being marketed on the dark web as being capable of bypassing modern antivirus and EDR solutions, which constitute one of the main lines of defense for most organizations.

In a new in-depth whitepaper, SOCRadar researchers have dived into this tool, including how it came to be, what its capabilities are — such as advanced obfuscation, real-time evasion — and more. 

Bulwark began appearing in Telegram channels in July, showcasing its capabilities and promising an effective bypass for any EDR or antivirus solution. During continuous hunting activities, SOCRadar’s research team detected an announcement referencing a platform called Database.forum, where this tool was listed. At the time, that database was not indexed by mainstream search engines and formed part of the Deep Web, and has recently been added to the Dark Web as well; over the following days, its popularity grew, and it later became discoverable via traditional search engines.

To understand how Bulwark came to be, it is necessary to go through Database.forum which is a portal run by affiliates and developers where various tools of different kinds are advertised and indexed. Many of these tools are related to threat actors or capabilities that can be used by them.

For full details, the whitepaper can be downloaded at this landing page, or viewed in full at this link: https://socradar.io/wp-content/uploads/2025/10/Bulwark-Whitepaper.pdf

Deepfake technology is increasingly being used in sophisticated fraud schemes, making it harder for individuals and businesses to distinguish real from fake. Scammers have used AI-generated voices to impersonate executives, leading to financial losses, while cybercriminals exploit deepfakes for identity theft and phishing attacks. Manipulated videos and AI-generated speeches can also be used to spread false information, particularly during elections or political events. With social media accelerating the spread of digital content, ensuring that news organizations and platforms can verify the authenticity of videos and images is more important than ever.

Businesses that rely on voice authentication and digital verification must now implement detection tools to protect sensitive data and prevent fraud. In industries such as banking, law enforcement, and cybersecurity, deepfake detection is crucial for preventing unauthorized access and maintaining secure authentication systems.

As a result, many organizations now use AI-powered tools to analyze biometric data, verify identities, and detect synthetic media before it can cause harm. As deepfake technology advances, having reliable detection solutions will be essential for maintaining trust and security in an increasingly AI-driven world.

Researchers at threat intelligence cybersecurity company SOCRadar have published a list of Top 10 AI Deepfake Detection Tools to Combat Digital Deception in 2025. This is worth your time to read.

Today, SOCRadar published an analysis on the Oracle E-Business Suite vulnerability. The flaw, already exploited in the wild, has been used in data theft and extortion attacks attributed to the Cl0p ransomware gang. As Oracle rushed out an emergency fix, the situation revealed a wider ecosystem of threat actors and exploit leaks that organizations must urgently address.

The analysis dives into what exactly this vulnerability is, who is impacted and how severe the risk is, who is behind the exploit — Cl0p — and what indicators of comprise organizations should look for. 

For full details, the analysis can be found here: https://socradar.io/cve-2025-61882-oracle-e-business-suite-exploited/

Today, SOCRadar researchers published an analysis looking at a recently revealed flaw in Fortra’s GoAnywhere MFT. 

This critical vulnerability in the platform’s License Servlet, tracked as CVE-2025-10035, could open the door to severe exploitation if left unpatched. With a maximum severity score, this issue demands immediate attention from administrators.

While at this time, there is no confirmed evidence of exploitation, history suggests that this risk is very real. GoAnywhere MFT was previously exploited through CVE-2023-0669; in these attacks, the Clop ransomware group claimed responsibility for breaching numerous organizations. That earlier flaw triggered a surge in ransomware incidents, making this newly disclosed CVE a prime candidate for future attacks.

The analysis reveals what exactly this CVE is, as well as its impact, and ideal mitigation steps for organizations at risk. 

For full details, the analysis can be found at this link: https://socradar.io/cve-2025-10035-goanywhere-mft-flaw-command-injection/

More than 700 organizations were affected by the recent Salesloft Drift Breach, one of the largest SaaS supply-chain breaches to date, including high-profile technology and security vendors such as Cloudflare, Zscaler, Palo Alto Networks, and PagerDuty. Investigators describe the incident as a “widespread supply-chain attack spree” targeting one of the most widely used SaaS integrations. Drift, acquired by Salesloft in 2024, integrates with customer systems such as Salesforce, Slack, and Google Workspace via OAuth tokens. Threat actors exploited this integration to steal authentication tokens and gain access to customer environments.

In a just-published blog post, threat intelligence company SOCRadar analyzes:

• How attackers got in/threat actor behind it
• Technical reasons behind it
• Type of info exposed/number of organizations affected
• How to determine if your company was affected
• How it compares to other supply chain attacks
• Steps should CISOs take to mitigate risks from this incident
• Indicators of Compromise (IOCs) related to Salesloft Drift breach

If you use Salesloft, this should be required reading: Salesloft Drift Breach: Everything You Need to Know 

Today, SOCRadar published its Europe Regional Threat Landscape Report. This research breaks down what exactly is happening since August 2024 when it comes to dark web, ransomware, and phishing. 

Key Takeaways Include:

• Finance and Insurance is the top exposed sector on the dark web with 14,08%, and when Commercial Banking and Crypto are added, total financial exposure reaches 22,8%. 

• Retail and e-commerce follow closely with 19,5%, confirming criminals’ focus on quick monetization. Selling dominates threat categories at 61,93%, while sharing stands at 24,34%, showing that over 70% of activity is trade-driven. 

• Data leaks remain the most common threat type at 58,23%, with access sales at 21,90%, meaning more than 80% of threats revolve around stolen information and entry points. 

• At the country level, France (5,62%), the UK (4,89%), and Germany (4,68%) lead in dark web targeting, while ransomware strikes are highest in the UK (22,94%), Germany (16,47%), and France (10,10%). 

• Ransomware activity is fragmented: Akira (8,7%), Qilin (8,1%), and RansomHub (6,8%) are visible, but smaller groups make up 76,4%. 

• Phishing shows a different pattern, with Bulgaria (24,26%) and Russia (21,06%) leading. 

• Information Services (19,77%), National Security & International Affairs (13,31%), and Banking (11,45%) are the main phishing targets.

• 73,44% of phishing sites use HTTPS, showing how attackers exploit encryption to build trust.

For full details, the Europe Regional Threat Landscape Report can be found at this link: https://socradar.io/wp-content/uploads/2025/08/Europe-Threat-Report.pdf

SOCRadar has released a new whitepaper diving deep into MCP (Model Context Protocol) Servers. MCP Servers are the new standard letting AI agents directly talk to security tools in one universal language.

The paper goes beyond the hype, covering:

• What MCP really is and why it’s a game-changer for SOCs, CISOs, and red/blue teams
• Real-world use cases including instant CVE lookups to complex incident response
• Security pitfalls like fake MCP servers, tool-poisoning, and supply chain risks
• Practical guidance with ready-to-deploy sample chains and code snippets

The full analysis can be found here: https://socradar.io/wp-content/uploads/2025/07/MCP-Servers-Everything-You-Need-to-Know.pdf