Archive for SOCRadar

Operation DoppelBrand: Weaponizing Fortune 500 Brands for Credential Theft and Remote Access

Posted in Commentary with tags on February 16, 2026 by itnerd

SOCRadar threat researchers have published an in-depth analysis of an ongoing cyber campaign against Fortune 500 companies, including names such as Wells Fargo and USAA, by the threat actor known as GS7.

GS7 has been active for years, rotating its infrastructure and impersonating legitimate portals, and has amassed hundreds of malicious domains tied to its modus operandi. Its campaigns include operations targeting banking institutions, technology companies, payment platforms, and other entities.

What distinguishes this actor and its campaigns is the creation of near-identical lookalike portals, used in phishing operations to redirect victims toward credential theft.

The research dives into: 

  • How GS7 has quietly operated for years by rotating infrastructure and impersonating trusted Fortune 500 brands
  • Hundreds of malicious domains tied to GS7’s phishing ecosystem and how they’re deployed at scale
  • The use of near-identical, brand-spoofed portals designed to convincingly harvest credentials
  • Active campaigns targeting banks, financial institutions, technology companies, and payment platforms
  • The actor’s infrastructure rotation tactics and evasion techniques
  • Which industries, regions, and countries are being targeted most heavily
  • What makes this campaign distinct from typical phishing operations — and why it continues to succeed

You can read the research here: https://socradar.io/resources/whitepapers/operation-doppelbrand-fortune-500-access

The MSSP Threat Landscape Report Is Out From SOCRadar

Posted in Commentary with tags on February 11, 2026 by itnerd

In a threat landscape where 60% of underground discussions directly reference security vendors and their products, the question is no longer whether a company’s defenses are good enough; it’s whether they’re being actively monitored, adapted, and evolved.

A just-published MSSP Threat Landscape Report by threat intel company SOCRadar examines how threat actors systematically study, test, and bypass widely deployed security products, and why partnering with a Managed Security Service Provider is essential for true operational resilience. Have a look and consider what adjustments your organization needs to make to keep itself safe.

The SOCRadar U.S. Threat Landscape Report 2026 Is Out

Posted in Commentary with tags on January 26, 2026 by itnerd

SOCRadar has just released its U.S. Threat Landscape Report 2026, which highlights the most targeted industries, how threat actors monetize stolen data and access, and how ransomware, phishing, and DDoS attacks continue to pressure U.S. organizations.

Key highlights include: 

  • Top Targeted Sectors: Finance and Insurance leads dark web targeting at 14.39%, followed by Information Services (10.19%) and Public Administration (9.79%), showing sustained focus on high-trust and high-value data sectors.
  • U.S.-Only Targeting Dominates: 88.3% of threats focus exclusively on U.S. entities, while cross-border campaigns remain limited.
  • Monetization Drives Underground Activity: Selling accounts for 70.76% of posts and sharing adds 23.56%, confirming a strong underground market dynamic.
  • Data and Access Are the Main Commodities: Data-related threats represent 61.53%, while access sales reach 29.31%, reinforcing the role of initial access brokers.
  • Ransomware Remains Fragmented: Qilin, Akira, and PLAY together represent 33% of ransomware activity, while smaller groups make up the majority.
  • Phishing Hits High-Trust Targets: Public Administration accounts for 24.08% of phishing attacks, followed by Information Services at 19.45%.
  • HTTPS Makes Phishing Harder to Spot: 77.9% of phishing pages use HTTPS, reducing users’ ability to identify malicious sites.
  • DDoS Volume and Scale Are Severe: 1,036,378 DDoS attacks were recorded, with peak bandwidth reaching 1,475.67 Gbps and average attack duration around 59 minutes.

You can read the report here: https://socradar.io/resources/report/u-s-threat-landscape-report-2026/?utm_campaign=16185902-GatedContent_Country-Reports_Global_0725&utm_source=website&utm_medium=reportspage&utm_term=countryreports&utm_content=US26

THREAT RESEARCH: Czechia Under Coordinated DDoS Assault

Posted in Commentary with tags on January 26, 2026 by itnerd

Today, SOCRadar threat researchers published their findings on an intensive, coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16). Between January 19 and 25, there were 5,095 recorded attack entries, overwhelmingly against Czech infrastructure.

During the seven-day analysis period, the campaign demonstrated unprecedented scale and operational intensity, with daily target list updates distributed through Telegram channels. The campaign’s primary geographic focus on Czechia represents an escalation in NoName057(16)’s strategy of applying sustained pressure on NATO’s eastern flank members and key supporters of Ukraine.

Key findings include: 

  1. More than half of the attacks hit government services (53%).
  2. Critical infrastructure targeted included aviation, railways, and public transport (19.7% of attacks).
  3. Czechia saw 3,803 of the 5,095 attacks. 
  4. NoName057(16) deployed a sophisticated multi-vector attack strategy, combining transport-layer and application-layer attacks. 
  5. The findings indicate that there was a deliberate targeting of encrypted web services including government citizen portals. 
  6. The most targeted host domain was for the Czech National Police. 

For full details, the analysis can be found here: https://socradar.io/blog/ddos-threat-intelligence-czechia-26-jan26/

SOCRadar’s Dark Web Research into Major Underground Markets of 2025

Posted in Commentary with tags on January 15, 2026 by itnerd

The SOCRadar threat research team will publish its Annual Dark Web Report, a structured view of illicit activity observed across major underground markets during 2025.

This includes the most impacted industries, U.S. targeting trends, the economy behind the dark web, the scale of stealer impacts, as well as AI democratization. 

Some key findings include: 

  • The U.S. is the primary target across multiple threat types, accounting for 41.42% of ransomware attacks, a drop from 53.30% in 2024.
  • Public Administration is the most exposed industry on the Dark Web, indicating sustained pressure on government institutions through data leaks.
  • In 2025, Akira took the first place in terms of activity with 8.35% of ransomware attacks.
  • Deepfake, voice manipulation, and pentesting tools are now openly available without dark web access, eliminating the vetting barriers that previously limited access to well-resourced actors.

Furthermore, this research breaks down the value of regional credit cards, the market behind vulnerability exploits (prices for low-end and mid-tier vulnerabilities increased, while high-end ones decreased), and the impact of stolen data (Facebook accounts for 93.2M accounts among stolen logs).

The report is here: SOCRadar Annual Dark Web Report 2025

2025 Saw New Highs for Credential Theft, Dark Web Centered on Commercial Exchange, Ransomware and Akira and More

Posted in Commentary with tags on January 8, 2026 by itnerd

According to a just-released report by threat intelligence company SOCRadar, 2025 saw:

  • New highs for credential theft: a total of 388 million credentials were stolen from the ten most affected platforms. Facebook accounted for 93 million records, followed by Google with 67 million and Roblox with 66 million.
    • Gaming platforms were hit especially hard. Roblox, Twitch, and Epic Games together accounted for around 100 million accounts.
  • Dark Web activity centered on commercial exchange, with sales accounting for 59% of observed activity, while 33% involved sharing stolen data and hack announcements made up around 5%.
    • The US appeared in nearly 20% of all forum discussions, making it the most referenced country. Public Administration led sector discussions at 13%, followed by Information and Finance at around 10% each.
  • Ransomware activity spread across groups: Akira led with 8.4% of incidents, followed by Qilin at 7.3% and Cl0p at 5.8%. No group controlled a large share of the landscape.
    • The US saw 41% of all ransomware attacks, while the United Kingdom followed with 18%. Australia, Japan, and Canada completed the top five. English-speaking countries together accounted for more than 60% of reported cases.

What Do These Numbers Mean?

These developments form a connected chain. Credentials are stolen through malware. That access is sold on Dark Web forums. Ransomware groups purchase it and use it to launch attacks. This process creates various risks for organizations on multiple fronts. Employees are targeted first through personal or work accounts. Compromised credentials then become gateways to larger incidents.

The 388 million stolen credentials represent more than isolated breaches. They serve as entry points that enable broader and more damaging attacks.

The full 2025 End of Year Report expands on these findings and covers:

  • Stealer log distribution
  • Dark Web activity
  • Ransomware threats
  • Global phishing activity
  • And a summary of the threat landscape in 2025

To view the full report, see this link: End of The Year 2025 Cyber Analysis

New Dark Web Findings: Credit Cards & Weapon Bot Malware 

Posted in Commentary with tags on December 9, 2025 by itnerd

In a fresh dark web sweep, SOCRadar researchers have discovered three new issues worth immediate attention:

First, there’s a major auction of roughly 413,000 stolen credit cards, mainly from the U.S. and Canada. The seller is bundling cards from multiple leaks and offering a validity-checking service, indicating an organized marketplace rather than a simple dump.

Second, analysts identified a new malware framework called Weapon Bot. It is delivered via MSI installers, built on Node.js, Rust, and PowerShell, and designed to evade detection. It steals browser data, wallet seeds, and session tokens, while also functioning as a botnet platform.

Lastly, threat actors are actively seeking a working exploit for CVE-2024-38077 (“MadLicense”), a critical remote code execution vulnerability in Windows Remote Desktop Licensing Service. The demand suggests potential weaponization and real-world attacks.

For full details, the analysis can be found here: https://socradar.io/blog/weapon-bot-toolkit-madlicense-413k-credit-cards/

SOCRadar Report “Holiday Shopping Cyber Threats 2025” Is Now Live

Posted in Commentary with tags on December 3, 2025 by itnerd

SOCRadar.io has published a new report that examines how the dark web economy shifts toward holiday shopper data, and how sectors are exposed through identity leaks, credential dumps, and access sales.

The report also explores the industrialization of gift card fraud, the scale of holiday-themed phishing, and changes in threat actor behavior, including ransomware groups and access brokers.

Key statistics include:

  • 311 million stolen accounts listed on dark-web markets in Jan-Oct 2025, 63% tied to retail brands.
  • SOCRadar Dark Web Monitoring: 64.9% of retail/e-commerce/delivery posts are selling data or access; 51.2% of all posts involve data or database leaks.
  • 8.9 million stolen retail gift cards and 7.5 million QSR gift cards observed for sale on underground markets.
  • 692% surge in Black Friday-themed phishing during Thanksgiving week 2024; 327% increase in Christmas-themed phishing in the same period.
  • 520% rise in AI-driven automated traffic to retail sites expected before Thanksgiving 2025. Also, an estimated 35.7% of Black Friday shoppers are bots or fake users.

You can read more here: https://socradar.io/resources/whitepapers/holiday-shopping-cyber-threats-2025/

Hacktivism in 2025: Where Politics Meets Cyberspace

Posted in Commentary with tags on November 13, 2025 by itnerd

Hacktivism has grown from small online protests into a regular part of the cyber world. What started as activism through hacking now often connects to larger political or strategic goals. 

In 2025, this has been truer than ever. Hacktivist activity is frequent and fast. Many attacks aim for attention more than damage. Leaks, DDoS, defacements, and ransomware now appear together. Telegram and X (Twitter) are key hubs for planning and spreading claims.

SOCRadar researchers have published an analysis on this very subject, diving into hacktivism in 2025, including the types of attacks most prevalent, the regions to watch going forward, and what to expect in 2026. 

You can read their analysis here: https://socradar.io/resources/whitepapers/hacktivism-in-2025-where-politics-meets-cyberspace/

Bulwark: A Dark Web Tool that Bypasses Modern Antivirus and EDR Solutions

Posted in Commentary with tags on November 3, 2025 by itnerd

Bulwark is a new tool being marketed on the dark web as being capable of bypassing modern antivirus and EDR solutions, which constitute one of the main lines of defense for most organizations.

In a new in-depth whitepaper, SOCRadar researchers have dived into this tool, including how it came to be, what its capabilities are — such as advanced obfuscation, real-time evasion — and more. 

Bulwark began appearing in Telegram channels in July, showcasing its capabilities and promising an effective bypass for any EDR or antivirus solution. During continuous hunting activities, SOCRadar’s research team detected an announcement referencing a platform called Database.forum, where this tool was listed. At the time, that site was not indexed by mainstream search engines and formed part of the Deep Web; it has since been added to the Dark Web as well. Over the following days its popularity grew, and it later became discoverable via traditional search engines.

To understand how Bulwark came to be, it is necessary to look at Database.forum, a portal run by affiliates and developers where various tools of different kinds are advertised and indexed. Many of these tools are related to threat actors or to capabilities that can be used by them.

For full details, the whitepaper can be downloaded at this landing page, or viewed in full at this link: https://socradar.io/wp-content/uploads/2025/10/Bulwark-Whitepaper.pdf