Archive for SOCRadar

SOCRadar’s Dark Web Research into Major Underground Markets of 2025

Posted in Commentary with tags on January 15, 2026 by itnerd

The SOCRadar threat research team has published its Annual Dark Web Report, a structured view of illicit activity observed across major underground markets during 2025.

This includes the most impacted industries, U.S. targeting trends, the economy behind the dark web, the scale of stealer impacts, as well as AI democratization.

Some key findings include: 

  • The U.S. is the primary target across multiple threat types, accounting for 41.42% of ransomware attacks, which is a drop from 53.30% in 2024.
  • Public Administration is the most exposed industry on the Dark Web, indicating sustained pressure on government institutions through data leaks.
  • In 2025, Akira took the first place in terms of activity with 8.35% of ransomware attacks.
  • Deepfake, voice manipulation, and pentesting tools are now openly available without dark web access, eliminating the vetting barriers that previously limited access to well-resourced actors.

Furthermore, this research breaks down the value of regional credit cards, the market behind vulnerability exploits (the costs for low-end and mid-tier vulns increased, but high-end ones decreased), as well as the impact of stolen data (Facebook seeing 93.2M accounts among stolen logs). 

The report is here: SOCRadar Annual Dark Web Report 2025

2025 Saw New Highs for Credential Theft, Dark Web Centered on Commercial Exchange, Ransomware and Akira and More

Posted in Commentary with tags on January 8, 2026 by itnerd

According to a just-released report by threat intelligence company SOCRadar, 2025 saw:

  • New highs for credential theft, with a total of 388 million credentials stolen from the ten most affected platforms. Facebook accounted for 93 million records, followed by Google with 67 million and Roblox with 66 million.
    • Gaming platforms were hit especially hard. Roblox, Twitch, and Epic Games together accounted for around 100 million accounts.
  • Dark Web activity centered on commercial exchange, with sales accounting for 59% of observed activity, while 33% involved sharing stolen data and hack announcements accounted for around 5%.
    • The US appeared in nearly 20% of all forum discussions, making it the most referenced country. Public Administration led sector discussions at 13%, followed by Information and Finance at around 10% each.
  • Ransomware Activity Spread Across Groups – Akira led with 8.4% of incidents, followed by Qilin at 7.3% and Cl0p at 5.8%. No group controlled a large share of the landscape.
    • The US saw 41% of all ransomware attacks, while the United Kingdom followed with 18%. Australia, Japan, and Canada completed the top five. English-speaking countries together accounted for more than 60% of reported cases.

What Do These Numbers Mean?

These developments form a connected chain. Credentials are stolen through malware. That access is sold on Dark Web forums. Ransomware groups purchase it and use it to launch attacks. This process creates various risks for organizations on multiple fronts. Employees are targeted first through personal or work accounts. Compromised credentials then become gateways to larger incidents.

The 388 million stolen credentials represent more than isolated breaches. They serve as entry points that enable broader and more damaging attacks.
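The chain described above (stealer malware, resale of the harvested logins, then ransomware) is why a defender's first job with a stealer-log feed is triage: which exposed logins belong to the organization, which sit on corporate applications, and where the same password was reused across sites. The script below is an added example, not code from the SOCRadar report or from this blog; the stealer-log lines, the `example-corp.com` domain and the org-owned hosts are all constructed, and the `url|login|password` layout is one common dump format, not a claim about any particular log.

```python
"""Triage stealer-log entries against an organization's identities.

Added example; all data is constructed. Lines follow a common
"url|login|password" dump layout, and ORG_DOMAINS / ORG_HOSTS are
hypothetical values a real deployment would load from its own inventory.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

ORG_DOMAINS = {"example-corp.com"}                              # assumed e-mail domains
ORG_HOSTS = {"vpn.example-corp.com", "mail.example-corp.com"}   # assumed org-owned login hosts

# Constructed sample of a stealer log (includes one malformed line on purpose).
STEALER_LOG = """\
https://vpn.example-corp.com/login|alice@example-corp.com|Winter2024!
https://www.facebook.com/login|alice@example-corp.com|Winter2024!
https://mail.example-corp.com/|bob@example-corp.com|hunter2
https://www.linkedin.com/login|carol@example-corp.com|Spring2025
https://www.roblox.com/login|kid123@gmail.com|iloveblox
malformed line without separators
"""


@dataclass
class Entry:
    host: str
    login: str
    password: str


def parse_stealer_log(text):
    """Parse dump lines into Entry objects, skipping lines that are not url|login|password."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("|", 2)          # split at most twice: a password may contain '|'
        if len(parts) != 3:
            continue                       # noisy dumps: skip rather than crash
        url, login, password = (p.strip() for p in parts)
        host = urlsplit(url).hostname or url
        entries.append(Entry(host.lower(), login.lower(), password))
    return entries


def triage(entries):
    """Group entries by login and return findings for identities the org owns or that
    appear on org applications. Each finding carries a severity, a reuse flag, the
    affected sites and the response actions a defender would queue."""
    by_login = defaultdict(list)
    for e in entries:
        by_login[e.login].append(e)

    findings = {}
    for login, items in by_login.items():
        email_domain = login.rsplit("@", 1)[-1]
        org_identity = email_domain in ORG_DOMAINS
        org_app_hit = any(e.host in ORG_HOSTS for e in items)
        if not (org_identity or org_app_hit):
            continue                       # personal account on a third-party site: out of scope

        # Same password seen on more than one site for this login.
        reused = len({e.password for e in items}) < len(items)

        if org_app_hit:
            severity = "critical"
            actions = ["force password reset",
                       "revoke active sessions and tokens",
                       "review recent sign-ins for this account"]
        else:
            severity = "high"
            actions = ["notify user",
                       "check whether the exposed value matches the corporate password"]
        if reused:
            severity = "critical"
            actions.append("password reused across sites: treat every listed site as compromised")

        findings[login] = {
            "severity": severity,
            "reused": reused,
            "sites": sorted({e.host for e in items}),
            "actions": actions,
        }
    return findings


if __name__ == "__main__":
    for login, f in triage(parse_stealer_log(STEALER_LOG)).items():
        print(f"{f['severity']:8} {login}  sites={f['sites']}")
        for a in f["actions"]:
            print(f"           - {a}")
```

The key design choice is grouping by login before scoring: a single stealer infection usually yields one user's credentials for many sites, and the password-reuse check only becomes visible once those rows are seen together. Hits on org-owned hosts are treated as "credential already valid against us" and get session revocation, not just a reset, because the sold artefact is often a live session token rather than the password alone.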

The full report, the 2025 End of Year Report, expands on these findings, including:

  • Stealer log distribution
  • Dark Web activity
  • Ransomware threats
  • Global phishing activity
  • And a summary of the threat landscape in 2025

To view the full report, see: End of The Year 2025 Cyber Analysis

New Dark Web Findings: Credit Cards & Weapon Bot Malware

Posted in Commentary with tags on December 9, 2025 by itnerd

In a fresh dark web sweep, SOCRadar researchers have discovered three new issues worth immediate attention:

First, there’s a major auction of roughly 413,000 stolen credit cards, mainly from the U.S. and Canada. The seller is bundling cards from multiple leaks and offering a validity-checking service, indicating an organized marketplace rather than a simple dump.

Second, analysts identified a new malware framework called Weapon Bot. It’s delivered via MSI installers, built on Node.js/Rust/PowerShell, and designed to evade detection. It steals browser data, wallet seeds and session tokens, while also functioning as a botnet platform.

Lastly, threat actors are actively seeking a working exploit for CVE-2024-38077 (“MadLicense”), a critical remote code execution vulnerability in Windows Remote Desktop Licensing Service. The demand suggests potential weaponization and real-world attacks.

For full details, the analysis can be found here: https://socradar.io/blog/weapon-bot-toolkit-madlicense-413k-credit-cards/

SOCRadar Report “Holiday Shopping Cyber Threats 2025” Is Now Live

Posted in Commentary with tags on December 3, 2025 by itnerd

SOCRadar.io has published a new report that examines how the dark web economy shifts toward holiday shopper data, and how sectors are exposed through identity leaks, credential dumps, and access sales.

The report also explores the industrialization of gift card fraud, the scale of holiday-themed phishing, and changes in threat actor behavior, including ransomware groups and access brokers.

Key statistics include:

  • 311 million stolen accounts listed on dark-web markets in Jan-Oct 2025, 63% tied to retail brands.
  • SOCRadar Dark Web Monitoring: 64.9% of retail/e-commerce/delivery posts are selling data or access; 51.2% of all posts involve data or database leaks.
  • 8.9 million stolen retail gift cards and 7.5 million QSR gift cards observed for sale on underground markets.
  • 692% surge in Black Friday-themed phishing during Thanksgiving week 2024; 327% increase in Christmas-themed phishing in the same period.
  • 520% rise in AI-driven automated traffic to retail sites expected before Thanksgiving 2025. Also, an estimated 35.7% of Black Friday shoppers are bots or fake users.

You can read more here: https://socradar.io/resources/whitepapers/holiday-shopping-cyber-threats-2025/

Hacktivism in 2025: Where Politics Meets Cyberspace

Posted in Commentary with tags on November 13, 2025 by itnerd

Hacktivism has grown from small online protests into a regular part of the cyber world. What started as activism through hacking now often connects to larger political or strategic goals. 

In 2025, this has been truer than ever. Hacktivist activity is frequent and fast. Many attacks aim for attention more than damage. Leaks, DDoS, defacements, and ransomware now appear together. Telegram and X (Twitter) are key hubs for planning and spreading claims.

SOCRadar researchers have published an analysis on this very subject, diving into hacktivism in 2025, including the types of attacks most prevalent, the regions to watch going forward, and what to expect in 2026. 

You can read their analysis here: https://socradar.io/resources/whitepapers/hacktivism-in-2025-where-politics-meets-cyberspace/

Bulwark: A Dark Web Tool that Bypasses Modern Antivirus and EDR Solutions

Posted in Commentary with tags on November 3, 2025 by itnerd

Bulwark is a new tool being marketed on the dark web as being capable of bypassing modern antivirus and EDR solutions, which constitute one of the main lines of defense for most organizations.

In a new in-depth whitepaper, SOCRadar researchers have dived into this tool, including how it came to be, what its capabilities are — such as advanced obfuscation, real-time evasion — and more.

Bulwark began appearing in Telegram channels in July, showcasing its capabilities and promising an effective bypass for any EDR or antivirus solution. During continuous hunting activities, SOCRadar’s research team detected an announcement referencing a platform called Database.forum, where this tool was listed. At the time, that forum was not indexed by mainstream search engines and formed part of the Deep Web; it has since been added to the Dark Web as well. Over the following days its popularity grew, and it later became discoverable via traditional search engines.

To understand how Bulwark came to be, it is necessary to go through Database.forum, a portal run by affiliates and developers where various tools of different kinds are advertised and indexed. Many of these tools are related to threat actors or to capabilities that can be used by them.

For full details, the whitepaper can be downloaded at this landing page, or viewed in full at this link: https://socradar.io/wp-content/uploads/2025/10/Bulwark-Whitepaper.pdf

SOCRadar Serves Up The Top 10 AI Deepfake Detection Tools to Combat Digital Deception in 2025

Posted in Commentary with tags on October 22, 2025 by itnerd

Deepfake technology is increasingly being used in sophisticated fraud schemes, making it harder for individuals and businesses to distinguish real from fake. Scammers have used AI-generated voices to impersonate executives, leading to financial losses, while cybercriminals exploit deepfakes for identity theft and phishing attacks. Manipulated videos and AI-generated speeches can also be used to spread false information, particularly during elections or political events. With social media accelerating the spread of digital content, ensuring that news organizations and platforms can verify the authenticity of videos and images is more important than ever.

Businesses that rely on voice authentication and digital verification must now implement detection tools to protect sensitive data and prevent fraud. In industries such as banking, law enforcement, and cybersecurity, deepfake detection is crucial for preventing unauthorized access and maintaining secure authentication systems.

As a result, many organizations now use AI-powered tools to analyze biometric data, verify identities, and detect synthetic media before it can cause harm. As deepfake technology advances, having reliable detection solutions will be essential for maintaining trust and security in an increasingly AI-driven world.

Researchers at threat intelligence cybersecurity company SOCRadar have published a list of Top 10 AI Deepfake Detection Tools to Combat Digital Deception in 2025. This is worth your time to read.

Oracle E-Business Suite Exploit by Cl0p: Who is affected and what organizations should look for

Posted in Commentary with tags on October 6, 2025 by itnerd

Today, SOCRadar published an analysis on the Oracle E-Business Suite vulnerability. The flaw, already exploited in the wild, has been used in data theft and extortion attacks attributed to the Cl0p ransomware gang. As Oracle rushed out an emergency fix, the situation revealed a wider ecosystem of threat actors and exploit leaks that organizations must urgently address.

The analysis dives into what exactly this vulnerability is, who is impacted and how severe the risk is, who is behind the exploit — Cl0p — and what indicators of compromise organizations should look for.

For full details, the analysis can be found here: https://socradar.io/cve-2025-61882-oracle-e-business-suite-exploited/

Critical GoAnywhere MFT Vulnerability Could Lead to Command Injection Says SOCRadar

Posted in Commentary with tags on September 22, 2025 by itnerd

Today, SOCRadar researchers published an analysis looking at a recently revealed flaw in Fortra’s GoAnywhere MFT.

This critical vulnerability in the platform’s License Servlet, tracked as CVE-2025-10035, could open the door to severe exploitation if left unpatched. With a maximum severity score, this issue demands immediate attention from administrators.

While there is no confirmed evidence of exploitation at this time, history suggests that the risk is very real. GoAnywhere MFT was previously exploited through CVE-2023-0669; in those attacks, the Clop ransomware group claimed responsibility for breaching numerous organizations. That earlier flaw triggered a surge in ransomware incidents, making this newly disclosed CVE a prime candidate for future attacks.

The analysis reveals what exactly this CVE is, as well as its impact, and ideal mitigation steps for organizations at risk.

For full details, the analysis can be found at this link: https://socradar.io/cve-2025-10035-goanywhere-mft-flaw-command-injection/

SOCRadar Analysis: Salesloft Drift Breach – Everything You Need to Know

Posted in Commentary with tags on September 4, 2025 by itnerd

More than 700 organizations were affected by the recent Salesloft Drift breach, one of the largest SaaS supply-chain breaches to date, including high-profile technology and security vendors such as Cloudflare, Zscaler, Palo Alto Networks, and PagerDuty. Investigators describe the incident as a “widespread supply-chain attack spree” targeting one of the most widely used SaaS integrations. Drift, acquired by Salesloft in 2024, integrates with customer systems such as Salesforce, Slack, and Google Workspace via OAuth tokens. Threat actors exploited this integration to steal authentication tokens and gain access to customer environments.

In a just-published blog post, threat intelligence company SOCRadar analyzes:

  • How attackers got in and the threat actor behind it
  • The technical reasons behind it
  • The type of information exposed and the number of organizations affected
  • How to determine if your company was affected
  • How it compares to other supply chain attacks
  • Steps CISOs should take to mitigate risks from this incident
  • Indicators of Compromise (IOCs) related to the Salesloft Drift breach

If you use Salesloft, this should be required reading: Salesloft Drift Breach: Everything You Need to Know