
END OF YEAR REPORT: 2023
Table of Contents
Executive Insight 3

2024 Cybersecurity Predictions 6

SOCRadar with Numbers 8

Dark Web with Numbers 9

Top Data Breaches in 2023 10

The Most Dangerous Vulnerabilities of 2023 15

Dark Web Radar Threat Intelligence: Overview of 2023 18

Ransomware Chronicles: Unveiling the Dark Side of the Web in 2023 22

The Best Posts of Dark Peep in 2023 26

US Stealer Malware Landscape in 2023: Corporate Risks and Key Variants 33

Most Dangerous Threat Actors in 2023 38

socradar.io
Executive Insight:
SOCRadar 2023 Year-End Cyber Odyssey

“In a year of rogue cyber waves, SOCRadar's Extended Threat Intelligence (XTI) emerged as a bright beacon for cybersecurity
leaders, enabling SOC teams with a navigational sonar of
actionable, context-rich threat intelligence. Today's cyber captains
can no longer navigate the buoys of false positives; the path to safe
cyber shores requires precise coordinates.

XTI proved more than just a lone vessel; it was a naval force of
advanced protection. Integrated Attack Surface Management
elevated visibility in the storm with a bright spotlight on dangerous
vulnerabilities lurking in the sea of cyber risks. Brand Protection
created a safe harbor in the treacherous waters of the Dark Web,
and Cyber Threat Intelligence proved to be a spinnaker of
intelligence, propelling SOC cyber intelligence to record-breaking
speeds.

As we stand on the precipice of 2024, the cyber storm shows no signs of calming. Ransomware, the relentless pirate of the digital
seas, looks to increase its strikes on unsuspecting organizational
ships, amplifying dangers. The Dark Web will continue to be a
challenging yet vital sea of risk signals lurking below the visible
surface. In 2024, we'll increase our reliance on AI, our digital-first
mate in navigating social engineering and malware mines. In the
vast expanse of threats, we're commanded to point our bows at
thwarting attacks before they can disrupt our smooth sailing to
calm and productive waters.

LastPass, Reddit, and Dole Food aren't just names; they're chapters
in the epic saga of cybersecurity sea battles. The report reads like a
maritime novel, chronicling the skirmishes of the digital seas. Supply
chain attacks, the submarine of cyber threats, continue to haunt
unsuspecting global companies.

CVEs are technicalities and leaks waiting to spring in the cyber bulkhead. The MOVEit Transfer Injection Vulnerability and the
whirlpool of code execution threaten to capsize unsuspecting
vessels.”

Our New "Dark Web Radar" in 2024:
The Shadowy Opera of Data and Deals

The Dark Web—a stage for cyber operas. Countries dance in unique cadence; the United States is a cyber
orchestra soloist. The subjects—sharing data and
selling secrets—form a dark sonnet. Industries play
their roles, with Information Tech taking the lead. It's
not just data; it's a dark symphony of shadows and
secrets. Ransomware, the pirate of the digital seas,
tells tales of plunder and exploits. LockBit 3.0, Cl0p,
AlphVM Blackcat—the rogues of the cyber seas.
Geographies echo the cries of the United States, the
United Kingdom, and Germany. Industries, from
manufacturing to tech, bear the brunt. It's not just
attacks; it's a cyber pirate's tale.

To better deal with all these dangers on the Dark Web, we will happily introduce you to SOCRadar's
new product in 2024: Dark Web Radar. Protect your
business from the dangers lurking in the hidden
corners of the internet. Dark Web Radar equips your
enterprise with three extraordinary superpowers: Dark
Web Monitoring, Fraud Protection, and Dark Web
Search Engine. So that you will gain proactive
capabilities against Dark Web Threats.

In closing, the SOCRadar 2023 Year-End Report isn't just a document; it's a cyber odyssey. It's a symphony,
an opera, a chronicle, and a tale—a voyage through
the cyber cosmos. So, as we set sail into the
uncharted waters of 2024, let's remember: it's not just
cybersecurity; it's a journey through the cyber soul.

NEW: Dark Web Radar

Illuminate Dark Web Threats for Proactive Protection

Protect your business from the dangers lurking in the hidden corners of the internet.

Dark Web Radar equips your enterprise with three extraordinary superpowers: Dark Web Monitoring, Fraud Protection, and Dark Web Search Engine, so that you gain proactive capabilities against Dark Web threats.


2024 CYBERSECURITY
PREDICTIONS

Ransomware attacks will increase exponentially, and ransomware groups will continue to target organizations with 0-day attacks, as in the MOVEit case.

The use of deepfake technologies, which we increasingly see in social engineering attacks, will also accelerate, and the use of audio deepfakes will increase accordingly. The number of fraud attempts and the damage they cause will increase as well.

The number of defacements resulting from the Russia-Ukraine war and the Israel-Hamas conflict is higher because of the countries that support each side, and it will spread over a vast geography. As in the Okta case, supply chain attacks will continue to increase and affect global companies.
The number of AI-based tools such
as WormGPT will increase even
more, and they will be especially
useful in implementing convincing
social engineering scenarios and
developing malware easily and
quickly. This will make it easier for
them to convince and infect their
victims.

The number of malicious as-a-service offerings will increase, especially RaaS (Ransomware-as-a-Service), and the activities of malicious people who want to enter the cybercrime world will become more complex. Therefore, closely following what is happening underground and on the Dark Web, together with cyber threat intelligence, will become even more important for institutions.
SOCRADAR WITH NUMBERS

21K+ Users
200M+ IP Search
60B+ Port Search
1.747.580 Domains Discovered
824 Regional News We Shared
1.747.580 IP Addresses
433.977 Web Sites
1.434.998 Ports
709 Threat Actors
23.279 Login Pages
25.702 Rogue Mobile Apps
695.278 SSL Certificates
4.349 Ransomware News
1M+ Contextualized Phishing Alarms
4.349 Malware Analyzed
5.531.315 Alarms Generated
64.488 Credit Cards Detected
4.349 YARA and Sigma Rules
178.063 Detected Impersonating Accounts
5.996.216 Discovered PII Exposures
4.349 Unique IOCs
DARK WEB WITH NUMBERS

See behind the shadows: wherever threat actors are, so are we.
SOCRadar XTI continuously monitors Telegram Channels, Discord Servers, Hacker Forums and ICQ Channels along with numerous TOR sites and paste sites:

3477 Telegram Channels
175 Discord Servers
220 Hacker Forums
335 ICQ Channels

7B+ Breached Databases
5B+ Leaked Accounts
20M+ Telegram Posts
30K+ Paste Files
7B+ Stealer Log Content
TOP DATA BREACHES
IN 2023
This compilation highlights some of the most significant cybersecurity incidents of
the year. These breaches reflect the evolving challenges and tactics in the
cybersecurity landscape, underscoring the need for vigilant and advanced
protective measures.

LastPass Breach:
An alarming encrypted password leak has
occurred due to unauthorized access to
archived data in a third-party cloud region.

Reddit:
A cyberattack by BlackCat Ransomware
resulted in the theft of 80 GB of data,
including internal documents, source code,
and information about employees and
advertisers.

Dole Food Company Breach:
A ransomware threat actor compromised an undisclosed number of employee records and led to temporary shutdowns of production plants in North America.

United States Marshals Service (USMS) Breach:
A ransomware threat actor compromised sensitive law enforcement data, including personally identifiable information in USMS investigations.
City of Oregon:
The City of Oregon has suffered a Royal
ransomware attack, causing it to shut down
some of its IT systems to prevent the attack's
spread.

Enzo Biochem Breach:
A ransomware attack compromised test data and personal information of about 2.5 million individuals, including social security numbers.

UK Electoral Commission Cyber Attack:
Unauthorized access to the UK's electoral registers compromised the personal information of an estimated 40 million people.

Capita Cyberattack:
A breach in Capita’s systems impacted the
personal data of pension fund members and
employees from up to 90 companies.

ChatGPT Incident:
A security issue exposed some ChatGPT
subscribers' payment-related data.

ABB Cyberattack:
The Black Basta group conducted a
cyberattack on ABB, compromising company
devices and private information.

Introducing SOCRadar Free Edition

We launched SOCRadar Free Edition to equip growing startups with the same cyber security perspective and tools that only large organizations such as banks can afford.
TOP 9 CYBER SECURITY INCIDENTS
OF 2023
The year 2023 has seen many cyber incidents, each
highlighting different vulnerabilities and attack methods in
our increasingly digital world. These incidents, from
sophisticated ransomware attacks to vulnerabilities in major
cloud services, underscore the ever-present need for robust
cybersecurity measures across various sectors. This
compilation presents some of the year's most notable and
impactful cyber events, shedding light on the diverse nature
of cyber threats and the importance of being vigilant and
proactive in digital defense.

1. Automated Libra Campaign (PurpleUrchin):
Originating from South Africa, this campaign created over 130,000
accounts on various cloud providers through automated techniques,
including exploiting Captcha systems. The coin-mining activity via
free trial accounts cost GitHub $100,000 in lost revenue per user
account. The key takeaway of this incident for enterprise
organizations is that threat actors will increasingly use containers for
malicious infrastructure deployment in the coming years.

2. Microsoft Exchange Online & Azure AD Vulnerability Attacks:
Orchestrated by STORM-0558, a China-aligned espionage-motivated
actor, these attacks exploited Microsoft permissions components,
utilizing broad application scopes and a stolen signing key. The
attacks impacted Exchange Online and other Azure Active Directory
applications. Microsoft has identified several multi-tenant applications
with users that use an email address with an unverified domain owner.
Exposed organisations included a “leading multi-cloud consulting
provider” and a “publicly traded customer experience company."
Researchers found no shortage of vulnerable organisations.

3. Royal Mail Ransomware Attack:
Royal Mail fell victim to a ransomware attack by
LockBit Ransomware-as-a-Service (RaaS). This
attack disrupted international deliveries and
compromised some employee data.

4. 3CX Supply Chain Attack (SmoothOperator):
North Korean actors compromised the
infrastructure of the 3CX Private Automatic
Branch Exchange (PABX) platform in March,
affecting numerous organizations across
various industries.

5. ESXi & Linux Ransomware Attacks:
Various ransomware groups, including
AvosLocker, Black Basta, and others, targeted
VMware ESXi servers throughout 2023. The
diminished time gaps between the development
of malicious Windows-targeted payloads and
Linux or ESXi payloads underscore the
advantage ransomware operators are gaining
by shifting to these languages.

6. 23andMe Data Leak:
Genetic testing company "23andMe" announced that hackers accessed the personal data of 0.1% of customers, about 14,000 individuals. Hackers gained initial access through credential stuffing attacks. 23andMe also said that by accessing those individuals' accounts, hackers were also able to access "a significant number of files containing profile information about other users' ancestry." In total, 6.9 million people turned out to be affected by this data breach.
7. DarkBeam Security Hole:
A cyber risk protection company, DarkBeam,
experienced a security breach where an
Elasticsearch and Kibana interface was left
open, exposing billions of records, including
user e-mail and password pairs.

8. Lacroix Cyberattack:
In May, a cyberattack against Lacroix Group, a
French electronics manufacturer, encrypted the
company’s virtual infrastructure and forced the
closure of several global sites, significantly
impacting the company’s sales and operations.

9. Caesars Scattered Spider Attack:
Caesars Entertainment experienced a data
breach where its database of loyalty customers
was stolen, prompting immediate action and
official reporting to the US Securities and
Exchange Commission.

Free Cyber Threat Intelligence for SOC Analysts
• Contextualized Threat Intelligence is a game changer.
• Benefit from a customized search engine in threat hunting.
• Learn what hackers say about your organization.
THE MOST DANGEROUS
VULNERABILITIES OF 2023
In 2023, the cybersecurity landscape witnessed a series of critical vulnerabilities that posed significant threats across various platforms and technologies. From remote code execution vulnerabilities in file transfer and print management tools to authentication bypasses in well-known software such as Microsoft Outlook and Android-based operating systems, these vulnerabilities highlighted the diverse and potent dangers in the digital world. This year also saw significant problems with open-source web browser engines such as Apple's WebKit. Such issues underlined the need to always be vigilant and have robust security measures to protect against similar cyber risks.

CVE-2023-34362
(MOVEit Transfer Injection Vulnerability):
An SQL injection vulnerability was found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.

CVE-2023-0669
(Fortra GoAnywhere MFT Remote Code Execution):
This was a critical vulnerability in Fortra’s GoAnywhere
Managed File Transfer tool, allowing remote code execution
on unpatched versions.

CVE-2023-27350
(PaperCut NG/MF Multiple Security Vulnerabilities):
This vulnerability in PaperCut print management software allows
remote attackers to bypass authentication and is considered a
significant risk to network security across many organizations.

CVE-2023-24880
(Windows SmartScreen Security Feature Bypass Vulnerability):
This flaw allowed attackers to bypass SmartScreen and Microsoft
Office’s Protected View, aiding the malware infection.

CVE-2023-23397
(Microsoft Outlook Elevation of Privilege Vulnerability):
A flaw in Microsoft Outlook that allowed attackers to bypass
authentication and access confidential data without user interaction.

CVE-2023-26359 & CVE-2023-26360 (Adobe ColdFusion):
Related to the deserialization of untrusted data, allowing attackers to
execute arbitrary code.

CVE-2023-20963
(Android Privilege Escalation Vulnerability):
This vulnerability in Android allowed malicious applications to gain
elevated permissions.

CVE-2023-24489
(Citrix Content Collaboration):
A vulnerability in Citrix Content Collaboration (ShareFile) related to
improper access control. If exploited, it could allow an unauthenticated
attacker to remotely compromise the customer-managed ShareFile
storage zones controller.

CVE-2023-20867
(VMware Tools Authentication Issue):
A vulnerability in VMware Tools affecting host-to-guest operations. A
fully compromised ESXi host can force VMware Tools to fail to
authenticate host-to-guest operations, impacting the confidentiality
and integrity of the guest virtual machine.

Various CVEs related to Apple's WebKit engine:
These included issues like type confusion, out-of-bounds read, use-after-free, and out-of-bounds write, leading to potential remote code execution.

SOCRadar's Vulnerability Intelligence offers insights into hacker trends and detailed information on vulnerabilities, providing the latest updates, mentions, exploitation activity, and available exploits. You can easily access updates about specific vulnerabilities and receive alerts by subscribing to CVEs through the module.
DARK WEB RADAR
THREAT INTELLIGENCE:
OVERVIEW OF 2023
This section provides insights into the data gathered by SOCRadar during the first
eleven months of 2023. This data was collected through the SOCRadar XTI
Platform, which utilizes Machine Learning, Artificial Intelligence, and expert
analysts to monitor threat actor activities across various sources, including Dark
Web forums and markets, Telegram groups, and ransomware group blog pages.
The total number of posts published on the platform's Dark Web News channel
during this period was 13,081, with a daily average of 39.2 posts.

Monthly Dark Web Threat Trends (January - November 2023)

The graph illustrates the monthly trends in threat mentions on the Dark Web and associated sources for the first eleven months of 2023. (Source: SOCRadar XTI Platform)

The graph highlights the fluctuating volumes of threat-related posts during this period. Notably, November 2023 shows a significant spike in activity with 1,717 mentions, indicating a potential increase in threats or discussions within this sector.
Country Mentions and Uniqueness Analysis

Country | Mentioned Alone | Total Mentions | Uniqueness
United States | 2,750 | 2,984 | 92.16%
India | 782 | 875 | 89.37%
Russian Federation | 486 | 518 | 93.82%
Indonesia | 452 | 485 | 93.20%
United Kingdom | 393 | 511 | 76.91%
China | 375 | 420 | 89.29%
Brazil | 360 | 424 | 84.91%
France | 353 | 447 | 78.97%
Spain | 274 | 338 | 81.07%
Germany | 246 | 334 | 73.65%
Italy | 240 | 321 | 74.77%
Australia | 233 | 301 | 77.41%
Israel | 226 | 240 | 94.17%
Canada | 218 | 314 | 69.43%
Mexico | 173 | 216 | 80.09%
Turkey | 165 | 192 | 85.94%

An analysis of country mentions in global threat intelligence data highlights the total number of mentions and the uniqueness of these mentions. (Source: SOCRadar XTI Platform)

Uniqueness is the percentage of times a country is mentioned alone, without being mentioned alongside other countries. For example, the United States has been mentioned 2,984 times, with 2,750 being standalone mentions, resulting in a uniqueness score of 92.16%. This data offers insights into which countries are frequently discussed in the context of global threats and the extent to which these mentions occur in isolation or in combination with other countries.
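The uniqueness metric defined above, computed over a set of posts rather than for one country, as an added example (not SOCRadar's code or data): each post is reduced to the set of countries it names, every distinct country in a post adds one total mention, and a post counts as a standalone mention only when it names exactly one country. The post list is constructed for illustration.

```python
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed sample: each Dark Web post reduced to the countries it mentions.
# Illustrative data only, not the report's dataset.
SAMPLE_POSTS = [
    ["United States"],
    ["United States"],
    ["United States", "Canada"],
    ["India"],
    ["India", "United States", "United Kingdom"],
    ["Canada"],
    ["United Kingdom"],
    ["United Kingdom", "Germany", "Germany"],  # a repeat inside one post counts once
]


def uniqueness_pct(alone: int, total: int) -> float:
    """Uniqueness as the report defines it: standalone mentions over total mentions, in %."""
    return round(100.0 * alone / total, 2) if total else 0.0


def country_mention_stats(posts: Iterable[Iterable[str]]) -> Dict[str, Tuple[int, int, float]]:
    """Return {country: (mentioned_alone, total_mentions, uniqueness_pct)}.

    A post adds one total mention for every distinct country it names and one
    standalone mention only when it names exactly one country.
    """
    total: Counter = Counter()
    alone: Counter = Counter()
    for post in posts:
        countries = set(post)          # de-duplicate repeats within a single post
        total.update(countries)
        if len(countries) == 1:
            alone.update(countries)
    return {c: (alone[c], t, uniqueness_pct(alone[c], t)) for c, t in total.items()}


def ranked_by_total(stats: Dict[str, Tuple[int, int, float]]):
    """Order rows like the report's table: most total mentions first."""
    return sorted(stats.items(), key=lambda kv: kv[1][1], reverse=True)


if __name__ == "__main__":
    print(f"{'Country':<16} {'Alone':>5} {'Total':>5} {'Uniq.':>8}")
    for country, (alone, total, pct) in ranked_by_total(country_mention_stats(SAMPLE_POSTS)):
        print(f"{country:<16} {alone:>5} {total:>5} {pct:>7.2f}%")
```

A low uniqueness score for a country means it is mostly named together with others (for example in multi-country leak bundles), which is worth checking before treating a mention count as a country-specific signal.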
Dark Web Post Subjects Analysis

Selling Data

Hack Announcement

Partnership / Cooperation
Buying Data
Target Attack

Sharing Data

Subjects of Dark Web posts, categorized into themes. (Source: SOCRadar XTI Platform)

The pie chart reveals the percentage distribution of these subjects within the dataset. The data indicates that "Sharing Data" is the most prevalent subject, accounting for 54.99% of the posts, followed by "Selling Data" at 39.65%. Other subjects such as "Hack Announcement," "Partnership/Cooperation," "Buying Data," and "Target Attack" make up smaller proportions of the Dark Web posts.
Dark Web Post Industry Mentions Analysis

Information and
Telecommunication
Finance, Insurance and Banking

Public Administration

E-commerce

Professional, Scientific, and Technical Services
Other Services
(except Public Administration)

Educational Services

Arts, Entertainment, and Recreation

Manufacturing

Healthcare and Social Assistance

Illustration of the distribution of mentioned industries within Dark Web posts, providing insights into the sectors most frequently discussed in this environment. (Source: SOCRadar XTI Platform)

The graph illustrates the distribution of mentioned industries within Dark Web posts, providing insights into the sectors most frequently discussed in this environment. "Information and Telecommunication" is the most prominently mentioned industry, representing 17.81% of the posts, followed closely by "Finance, Insurance, and Banking" at 13.76% and "Public Administration" at 13.52%. The data shows the varying levels of attention each industry receives within the Dark Web community, shedding light on potential areas of concern or interest for threat intelligence and cybersecurity professionals.

SOCRadar's New "Dark Web Radar": How popular are you in the Dark Web?
RANSOMWARE CHRONICLES:
UNVEILING THE DARK SIDE
OF THE WEB IN 2023
The data is sourced from a comprehensive analysis
conducted by SOCRadar analysts during the first
eleven months of 2023. We've scoured ransomware
groups' blog sites, leak sites, and Telegram channels to
compile a trove of valuable information. Over this
period, we've gathered a staggering total of 4,082
posts related to ransomware attacks, equating to an
average of 371 posts per month or 12 posts per day.

Monthly Analysis of Ransomware Activity

Monthly distribution of ransomware-related posts published on the SOCRadar Platform throughout the first eleven months of 2023. (Source: SOCRadar XTI Platform)

The graph above shows a notable fluctuation in activity, with a distinct peak in July.
Ransomware Group Activity Analysis

LockBit 3.0 23.10%
Cl0p 9.48%
AlphVM Blackcat 9.43%
Play 6.69%
8base 4.56%
Black Basta 4.56%
BianLian 4.24%
Akira 3.38%
Medusa Team 3.21%
NoEscape 2.84%

An overview of the activities of the top 10 ransomware groups as recorded on the SOCRadar Platform, highlighting contributions from 65 different groups. (Source: SOCRadar XTI Platform)

LockBit 3.0 leads with 23.10% of the posts, followed by the Cl0p and AlphVM Blackcat groups. The graph visually represents the proportion of posts related to each group, offering a clear perspective on the dominance and prevalence of these cyber threat entities in the digital landscape.
Geographical Analysis of Ransomware-Related Organization Mentions

Countries Mentions

United States 47.62%

United Kingdom 6.76%

Germany 3.80%

Canada 3.70%

France 3.50%

Italy 3.11%

Australia 2.16%

Spain 2.03%

Brazil 1.62%

India 1.59%

Distribution of ransomware-related posts about organizations across the top 10 countries, as mentioned on the SOCRadar Platform. (Source: SOCRadar XTI Platform)

This table showcases the distribution of ransomware-related posts about organizations across the top 10 countries, as mentioned on the SOCRadar Platform. The United States leads significantly with 47.62% of the mentions, followed by the United Kingdom and Germany. This data reflects the geographic focus of ransomware threats and the countries where organizations are most frequently discussed in the context of these cyber risks.
Industry-Wise Ransomware Post Analysis

Manufacturing

Professional, Scientific, and Technical Services

Information and Telecommunication

Healthcare and Social Assistance

Finance and Insurance

Construction

Educational Services

Transportation and Warehousing

Retail Trade

Public Administration

Real Estate and Rental and Leasing

Top 10 industries targeted in ransomware-related posts on the SOCRadar Platform. (Source: SOCRadar XTI Platform)

This graph presents the top 10 industries targeted in ransomware-related posts on the SOCRadar Platform. The manufacturing industry leads the chart, accounting for 18.84% of the posts, followed by sectors like Professional, Scientific, and Technical Services, and Information and Telecommunication.

Brand Protection
Stay one step ahead of threat actors with actionable intelligence alerts.
THE BEST POSTS OF DARK PEEP IN 2023

dark peep
/dɑːrk piːp/ noun
SOCRadar's blog series that blends
cybersecurity with humor. Even in the Dark
Web, there's room for a chuckle or two.

You should only be scammed by real threat actors, not fake ones!
SP CRYPTER sells its malware for $99 with a one-time purchase and warns against scams. Remember, if you're going to get scammed, get scammed by the originals, not the fake ones.

SP CRYPTER warns of scams

Sidelined 'Soup' serves up sick leave, SkidSec leaks on low power
It seems "soup" from SkidSec Leaks has been ladled a steaming bowl of the sniffles.

SkidSec's Telegram post

This keyboard warrior, usually cooking up cyber schemes, is now relegated to bed rest, putting a noticeable pause on their usual online activity. With "soup" out of the server room and under the weather, operations are running at a low hum. For any dealings that can't wait, "gov" is the go-to sous-chef. It's an ironic twist when a purveyor of digital exploits needs some old-fashioned TLC and actual soup to get back in the game.
Similar leak sites are on the rise!
Some ransomware groups seem so focused on
their operations that they don’t think about
where to share their activity. On the leaked
page that the CryptBB group opened to share
their leaks, we can see that they directly used
8Base’s site source code:

Meow Bumped into an Angry Victim
The ALPHV (Blackcat) ransomware group attempted to
strong-arm Advarra, a leading clinical research tech firm.
However, Advarra didn’t just hit back; they went code-to-code.
They sent a clear message to their virtual adversaries: "We do
not pay digital terrorists.” But that’s not all! When ALPHV tried
to slide into the DMs of one of Advarra’s top brass, her
response was crisp, “Go f* yourself.”

Messages to ALPHV

Hacktivist Takes
a Day Off
Hacktivist Aceh, the founder of a renowned
hacking group, made a personal announcement
to the digital realm. Despite the often
depersonalized nature of cyber-activities, this
message brings a touch of everyday humanity
to the forefront. Citing a personal event at
home, the hacktivist made a candid request for
understanding, emphasizing the need for a
break from their usual activities. The
announcement serves as a quirky reminder that
behind every digital persona lies an individual
navigating the complexities of daily life.
Sometimes, even the most dedicated
hacktivists need a day off for family events.
Aceh’s Telegram post about Aceh’s day off

What is it with you guys having a problem with security researchers?
Team Insane Pakistan has posted a poll to define Security Researchers, with some pretty disappointing choices.
It is Possible
to Become a
Threat Actor
by Participating
in a Giveaway!
The threat actor Shad0de is known for distributing RDP access via Telegram, and his latest post is about RDP access to a Turkish language operating system server with an Intel Xeon processor. Good luck to the participants of the giveaway!

Shad0de's free RDP access giveaway post on Telegram

Participate in the War, but If No One Sees It, There's No Point, Right?
The Islamic Cyber Team, a hacktivist group known for
executing DDoS attacks and leaking data targeting
Israel, has limited followers. Recognizing this shortfall,
the group is actively seeking more supporters to
ensure the impact of their activities isn’t wasted.

Islamic Cyber Team’s Telegram post seeking more supporters

DDoSia is going professional-ish!
In its latest Telegram post, NoName announced
that the DDoSia Project is embarking on a new
journey and will create an army.

We've already mentioned the sense of humor of the group's leaders, and it's clear that they aim to transform the army from an overly severe environment into an arcade system.

That army seems to blend the competitive spirit of online gaming with a structured volunteer system. Fighters can earn their titles ("ranks") and military merits ("achievements"). Also, ranks will be assigned according to the length of time of participation. There is more! NoName is planning to include an in-game currency system called "dCoin." Fighters can earn these dCoins as a result of their achievements. Russian youth may consider taking a break from CS:GO and joining this army of DDoSia. Rush B together for DDoSia(!)

Like Everyone Else, Hacktivists Also Need a Digital Detox
In a consistently online world, even the most dedicated teams need a moment to disconnect and reboot. Team Anon Force, known for their hacktivist activities, recently dropped a status update on their Telegram group that's less binary and more human. They're "powering down" for a brief 4-day getaway.
DON’T BE THE NEXT
RANSOMWARE VICTIM

It is crucial to follow ransomware group activities and have a proactive security stance. For this capability, SOCRadar Dark Web Monitoring and Dark Web News are example solutions.
US STEALER MALWARE
LANDSCAPE:
CORPORATE RISKS AND KEY
VARIANTS
SOCRadar sampled 2,000 stealer victim records and analyzed over 500 of them relating to data leaks from 2023.

Stealer malware, notably spread through cracked software and game cheats, has a
marked presence in the U.S. This is attributed to the popularity of gaming, which
creates a fertile ground for these malware types. SOCRadar’s research shows how
users unknowingly download and install Stealer malware, highlighting the need for
greater awareness and caution in software and game downloads.

How Cracked Software Opens Doors to Stealer Malware
Stealer malware often infects computers through cracked software and game
cheats. The U.S.'s strong interest in video games contributes to its high ranking in
global participation, thereby increasing susceptibility to these attacks.

According to our findings, stealer malware threats remain a significant problem in the United States. The occurrence of stealer malware instances continues to be alarming. According to our findings, most machines infected with stealer malware also have cracked software and game hacks. Our investigation revealed that stealer malware is frequently shared with end users via videos posted on stolen YouTube accounts.

The screenshot shows that the malicious links in a YouTube video's description claim to be cracked software.
Stealer Malware Coast to Coast
Examining the regional differences among victims living in the United States in 2023, using the data we chose as a sample, out of the 49 states California has the highest rate of stealer victimization at 10.42%. Users in this large state, famed for its thriving computer industry and casinos, appear to have encountered numerous stealer-related leaks.

Regional distribution of stealer malware threats across the United States:
California 10.42%
Texas 8.14%
Florida 7.77%
New York 7.39%
Ohio 7.07%
Montana 0.06%
Corporate Credentials Crisis:
Stealer's Harvest in the Workplace

In our analysis of stealer malware data, we've uncovered approximately 500 records out of a larger dataset of 3 million Stealer data samples collected over various years.

Firstly, it is alarming that we have encountered a significant volume of user data within this selected dataset. Out of these 2,000 victim records, over 500 pertained to individuals residing in the United States, underscoring the unsettling reach of Stealer malware into the lives of ordinary citizens.

Furthermore, in our analysis of the stealer malware data, we identified 14,550 unique usernames. This large number highlights how attackers can collect and use sensitive user information for malicious purposes.

Equally concerning is that within the same stealer data we identified 57,343 matching passwords, 12,342 of them unique.

Based on the analysis of the data, approximately 5.20% of the passwords are
eight characters or less, which can be considered weak in terms of security. The
remaining 94.80% consist of passwords with more than eight characters,
representing stronger password choices. Credentials are linked to an extensive
array of 19,358 unique URL addresses. These credentials can be leveraged to
compromise a wide range of online services, posing a substantial risk to individuals
and organizations.

Of particular concern is the discovery that employee account information from some of America's prominent corporations, including dish.com, amfam.com, corning.com, davita.com, and chipotle.com, has been compromised.

Moreover, we found evidence of critical web service accounts being compromised, with certain firms' IAM (Identity and Access Management) services, such as Okta, featuring among the pilfered credentials. Account information for vital services like WebMail, API access, and Admin Panels has also been exposed, emphasizing the broad scope of potential damage that can result from Stealer malware breaches.
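The counts above (unique usernames, unique passwords, weak-password share, unique URLs, corporate domains and critical services such as Okta, webmail, API and admin panels) are exactly what a defender wants to extract when a stealer-log dump mentioning their company turns up. The script below is an added example, not SOCRadar's code. It assumes the common URL:USERNAME:PASSWORD text layout (real stealer families vary), and every line in SAMPLE_LOG and every domain it treats as "ours" is constructed for the example.

```python
"""Triage of a stealer-log credential dump.

Added example (not SOCRadar's code). Stealer logs are widely traded as plain
text lines of the form URL:USERNAME:PASSWORD; that layout is assumed here
(real families vary). Every line in SAMPLE_LOG and every domain below is
constructed for the example, not taken from the report.
"""
from urllib.parse import urlsplit

# Constructed sample dump. The second bob line is a verbatim duplicate, which
# real dumps are full of; the malformed last line must be skipped, not crash.
SAMPLE_LOG = """\
https://mail.example-corp.com/owa/:alice@example-corp.com:Summer2023!
https://example-corp.okta.com/login:alice@example-corp.com:Summer2023!
https://admin.example-shop.net/panel:webadmin:admin123
https://api.example-shop.net/v1/auth:svc-deploy:kJ8#vm2Qp9Lz
https://social.example.org/login:bob_1999:bob1999
https://social.example.org/login:bob_1999:bob1999
not a credential line
"""

# Placeholder domains standing in for "our" organisation.
CORPORATE_DOMAINS = {"example-corp.com", "example-shop.net"}
# Host/path markers for the service classes the report singles out:
# IAM (Okta), webmail, API access and admin panels. A heuristic, not a parser.
CRITICAL_MARKERS = ("okta", "mail", "owa", "api", "admin", "panel")
WEAK_MAX_LEN = 8  # the report's weak-password threshold: 8 characters or fewer


def parse_line(line):
    """Split 'URL:USER:PASS' from the right so the '://' colon survives.

    Returns (url, user, password) or None when the line is not a credential.
    Passwords containing ':' cannot be recovered unambiguously in this format.
    """
    line = line.strip()
    if "://" not in line:
        return None
    parts = line.rsplit(":", 2)
    if len(parts) != 3 or not parts[0] or not parts[1]:
        return None
    return tuple(parts)


def host_of(url):
    """Lower-cased host name of a URL, or '' when it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def is_corporate(url, user):
    """True when either the site host or the user's e-mail domain is ours.

    The e-mail check is what catches a corporate login on a third-party
    host such as an Okta tenant or a SaaS webmail.
    """
    host = host_of(url)
    if any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS):
        return True
    return "@" in user and user.rsplit("@", 1)[1].lower() in CORPORATE_DOMAINS


def is_critical_service(url):
    """Flag IAM, webmail, API and admin-panel endpoints for first response."""
    parts = urlsplit(url)
    haystack = (parts.hostname or "").lower() + parts.path.lower()
    return any(marker in haystack for marker in CRITICAL_MARKERS)


def triage(log_text):
    """Summarise a dump with the counts the report uses, plus the hits that
    matter to a defender: corporate logins, critical services, reused passwords."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    passwords = [p for _, _, p in records]
    unique_pw = set(passwords)
    # Weak share is computed over unique passwords so duplicates do not skew it.
    weak = [p for p in unique_pw if len(p) <= WEAK_MAX_LEN]

    # One (user, password) pair seen on more than one host is password reuse:
    # the compromised pair unlocks every one of those sites.
    hosts_per_cred = {}
    for url, user, pw in records:
        hosts_per_cred.setdefault((user, pw), set()).add(host_of(url))
    reused = sorted(c for c, hosts in hosts_per_cred.items() if len(hosts) > 1)

    return {
        "records": len(records),
        "unique_usernames": len({u for _, u, _ in records}),
        "passwords": len(passwords),
        "unique_passwords": len(unique_pw),
        "unique_urls": len({u for u, _, _ in records}),
        "weak_password_pct": round(100.0 * len(weak) / len(unique_pw), 2) if unique_pw else 0.0,
        "corporate_hits": sorted({(u, usr) for u, usr, _ in records if is_corporate(u, usr)}),
        "critical_services": sorted({u for u, _, _ in records if is_critical_service(u)}),
        "reused_credentials": reused,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the Okta line is caught only through the user's e-mail domain, not the host, which is why the corporate check looks at both; the same single password on the webmail and IAM hosts surfaces as reuse, the item to act on first (reset and session revocation) before any longer-term password-policy work.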

The Rising Menace of Redline and Meta Stealers

Redline Stealer maintains a more prominent presence in the landscape than Meta Stealer, as evidenced by its higher signature prevalence within the stealer data. This observation underscores Redline's continued status as the most favored choice among stealer operators.

Distribution of stealer variants according to the stealer logs (figure): Redline and Meta Stealers 55.5%, Other Stealers 44.5%.

Redline Stealer excels in harvesting sensitive data such as login credentials, browser history, and email account details from compromised systems. It can also stealthily exfiltrate cryptocurrency wallet information, personal documents, and financial records, making it a multifaceted tool for cybercriminals. Its evasion techniques include polymorphic code, rootkit functionalities, and obfuscation tactics, which enable it to bypass traditional defenses with relative ease.

In light of the alarming revelations regarding Stealer malware and its potential threats, organizations can fortify their defenses and proactively safeguard their valuable assets with the SOCRadar solution. By leveraging this cutting-edge tool, companies can monitor their brand's online presence, tracking the exposure of employee account information from the Dark Web to Telegram channels.

MOST DANGEROUS THREAT ACTORS IN 2023

Medusa Ransomware
Country of Origin: Unknown
Medusa is a RaaS group operating since June 2021 and known for its many variants. The group is primarily targeting North American and European organizations.

BlackByte
Country of Origin: Russia
BlackByte is a Ransomware group first observed in July 2021, operating as a RaaS model and leveraging double-extortion to force its victims into payment.

LockBit
Country of Origin: Russia
The most successful RaaS group operating since 2019. The group is continuously evolving and is highly active in deploying models such as double-extortion and initial access broker affiliates.
-Ransomware Group-
Cl0p
Motivation: Financial Gain
Target Countries: The US, Canada, The UK, Australia, Colombia, Sweden, Germany, India, Mexico, Turkey
Target Sectors: IT, Healthcare, Finance, Professional Services, Retail, Media, Telecommunication
Attack Type: Spearphishing, Zero-Day Exploitation, Compromised RDP, Ransomware, Data exfiltration, Double-extortion
Country of Origin: Russia
A Ransomware group that has been active since 2019 and currently makes its name by exploiting zero-day vulnerabilities in the GoAnywhere MFT and MOVEit MFT software.
-TTPs-
Exploit Public-Facing Application: T1190
Exploitation for Privilege Escalation: T1068
Exfiltration Over C2 Channel: T1041

-Ransomware Group-
LockBit
Motivation: Financial Gain
Target Countries: United States, United Kingdom, Canada, Europe, Thailand, Taiwan
Target Sectors: Manufacturing, Professional Services, IT, Healthcare, Finance, Education, Legal Services
Attack Type: Phishing, RDP and VPN access Exploitation, Ransomware, Data Exfiltration, Double-extortion
Country of Origin: Russia
The most successful RaaS group operating since 2019. The group is continuously evolving and is highly active in deploying models such as double-extortion and initial access broker affiliates.
-TTPs-
Exploit Public-Facing Application: T1190
Remote Desktop Protocol: T1021.001
Data Encrypted for Impact: T1486

-Ransomware Group-
BlackCat Ransomware
Motivation: Financial Gain
Target Countries: United States, United Kingdom, Canada, Germany, Australia, France, Italy, Spain
Target Sectors: Professional Services, Manufacturing, Healthcare, Finance, Information Technology
Attack Type: Spearphishing, Stolen Credentials, RaaS, Ransomware, Triple-Extortion
Country of Origin: Russia
BlackCat, or ALPHV, is a ransomware group known for being the pioneer in using Rust; the group first announced its RaaS affiliate program on a Dark Web forum in December 2021.
-TTPs-
User Execution: Malicious File: T1204.002
Defacement: T1491
Data Encrypted for Impact: T1486

-Ransomware Group-
8Base
Motivation: Financial Gain
Target Countries: United States, Brazil, UK, Australia, Germany, Canada, Spain, Italy, Belgium
Target Sectors: Professional Services, Manufacturing, Construction, Finance, Healthcare, Transportation
Attack Type: RaaS, Ransomware, Double Extortion
Country of Origin: Unknown
8Base is a ransomware group active since April 2022, targeting small and medium-sized businesses (SMBs) across various sectors, including business services, finance, manufacturing, and IT.
-TTPs-
Phishing: Spearphishing Attachment: T1566.001
OS Credential Dumping: T1003
Exfiltration Over C2 Channel: T1041

-Ransomware Group-
Play Ransomware
Motivation: Financial Gain
Target Countries: Latin America, India, Hungary, Spain, Netherlands, United States
Target Sectors: Manufacturing, Education, Real Estate, Technology, Transportation, Healthcare
Attack Type: Compromised Valid Accounts, LOLBins, Ransomware, Data Exfiltration
Country of Origin: Unknown
Play Ransomware (PlayCrypt) is a ransomware group first observed in June 2022. The group commonly targets organizations based in Latin America but mainly focuses on Brazil.
-TTPs-
Process Injection: T1055
Input Capture: T1068
Proxy: T1090

-Ransomware Group-
Rhysida
Motivation: Financial Gain
Target Countries: United States, United Kingdom, Italy, Spain, Austria, France, Germany and Australia
Target Sectors: Education, Manufacturing, Government, Technology, Professional Services
Attack Type: Ransomware-as-a-service (RaaS), Data Exfiltration, Double Extortion
Country of Origin: Unknown
Rhysida emerged onto the scene at the end of May 2023 with a high-profile attack against the Chilean Army. The group is known for targeting Latin American government institutions.
-TTPs-
Phishing: T1566
Data Encrypted for Impact: T1486
Exfiltration Over C2 Channel: T1041

-Ransomware Group-
Royal Ransomware
Motivation: Financial Gain
Target Countries: United States, Canada, Brazil, Germany, Italy, Australia, Argentina
Target Sectors: Manufacturing, Professional Services, Education, Finance, Healthcare
Attack Type: Callback Phishing, Double-extortion, Ransomware
Country of Origin: Russia
Royal Ransomware was first seen in November 2022. The group mostly uses callback phishing techniques for initial access.
-TTPs-
Protocol Tunneling: T1572
Phishing: Spearphishing Link: T1566.002
Data Encrypted for Impact: T1486

-Ransomware Group-
Medusa Ransomware
Motivation: Financial Gain
Target Countries: United States, United Kingdom, Canada, India, Turkey, Australia
Target Sectors: Manufacturing, Education, Professional Services, Finance and Insurance
Attack Type: RDP, Phishing, Ransomware, Double Extortion, Exploiting Google Chrome Vulnerabilities (CVE-2022-2295)
Country of Origin: Unknown
Medusa is a RaaS group operating since June 2021 and known for its many variants. The group is primarily targeting North American and European organizations.
-TTPs-
External Remote Services: T1133
PowerShell: T1059.001
Exfiltration Over Alternative Protocol: T1048
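Each card above lists three ATT&CK techniques, and the same technique IDs recur across groups. A detection engineer reading the profiles wants to know which techniques to cover first, which means normalising sub-techniques to their parent and counting how many of the profiled groups share each one. The script below is an added example, not SOCRadar's code; the TTP strings are copied exactly as printed on the cards (including the IDs as given there) and the "at least two groups" threshold is an assumption.

```python
"""Rank ATT&CK techniques by how many of the report's profiled groups use them.

Added example (not SOCRadar's code). The TTP lines are copied as printed on
the threat-actor cards above; sub-techniques (T1566.001) roll up to their
parent (T1566) so that different phishing flavours count as one technique
to detect. MIN_GROUPS is an assumed threshold for "worth prioritising".
"""
import re
from collections import defaultdict

# Technique lines exactly as they appear on the group cards.
GROUP_TTPS = {
    "Cl0p": ["Exploit Public-Facing Application: T1190",
             "Exploitation for Privilege Escalation: T1068",
             "Exfiltration Over C2 Channel: T1041"],
    "LockBit": ["Exploit Public-Facing Application: T1190",
                "Remote Desktop Protocol: T1021.001",
                "Data Encrypted for Impact: T1486"],
    "BlackCat": ["User Execution: Malicious File: T1204.002",
                 "Defacement: T1491",
                 "Data Encrypted for Impact: T1486"],
    "8Base": ["Phishing: Spearphishing Attachment: T1566.001",
              "OS Credential Dumping: T1003",
              "Exfiltration Over C2 Channel: T1041"],
    "Play": ["Process Injection: T1055",
             "Input Capture: T1068",
             "Proxy: T1090"],
    "Rhysida": ["Phishing: T1566",
                "Data Encrypted for Impact: T1486",
                "Exfiltration Over C2 Channel: T1041"],
    "Royal": ["Protocol Tunneling: T1572",
              "Phishing: Spearphishing Link: T1566.002",
              "Data Encrypted for Impact: T1486"],
    "Medusa": ["External Remote Services: T1133",
               "PowerShell: T1059.001",
               "Exfiltration Over Alternative Protocol: T1048"],
}

MIN_GROUPS = 2  # assumed: a technique shared by two or more groups is a priority

# "<name>: T####" or "<name>: T####.###"; the name itself may contain colons.
TTP_RE = re.compile(r"^(?P<name>.+?):\s*(?P<id>T\d{4}(?:\.\d{3})?)$")


def parse_ttp(line):
    """Return (name, technique_id, parent_id) for one card line."""
    match = TTP_RE.match(line.strip())
    if not match:
        raise ValueError(f"not a TTP line: {line!r}")
    tid = match.group("id")
    return match.group("name"), tid, tid.split(".")[0]


def technique_coverage(group_ttps):
    """Map each parent technique ID to the sorted list of groups using it."""
    by_parent = defaultdict(set)
    for group, lines in group_ttps.items():
        for line in lines:
            _, _, parent = parse_ttp(line)
            by_parent[parent].add(group)
    return {tid: sorted(groups) for tid, groups in by_parent.items()}


def prioritised(group_ttps, min_groups=MIN_GROUPS):
    """Techniques shared by at least min_groups groups, most-shared first."""
    coverage = technique_coverage(group_ttps)
    ranked = sorted(coverage.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(tid, groups) for tid, groups in ranked if len(groups) >= min_groups]


if __name__ == "__main__":
    for tid, groups in prioritised(GROUP_TTPS):
        print(f"{tid}: {len(groups)} groups ({', '.join(groups)})")
```

Run as written, the ranking puts T1486 (Data Encrypted for Impact) first with four groups, then T1041 and T1566 with three each: on this page's own data, exfiltration-over-C2 and phishing detections pay off across the most profiled actors, with the parent-level roll-up being what makes the three phishing variants count together.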

Access our unique designs featuring the 8 Most Dangerous Threat Actors in 2023 and over 20 additional Threat Actors by clicking here! Share these designs as a thoughtful New Year's gift with friends passionate about cybersecurity. Personalize your room or desktop with these exclusive visuals!

MAKE YOUR SOC TEAM FASTER THAN THREAT ACTORS!

Threat actors and APT groups often integrate a variety of tools and tactics to achieve their objectives. Through automated data collection, classification and AI-powered analysis of hundreds of sources across the surface web and Dark Web, the SOCRadar XTI Platform keeps you alerted to threat actors' activities, helping you define use cases to more effectively detect and prevent malicious activities.

Try for Free


Who is SOCRadar (Your Eyes Beyond)?

SOCRadar provides Extended Threat Intelligence (XTI) that combines: "Cyber Threat Intelligence, Brand Protection, External Attack Surface Management, and Dark Web Radar Services." SOCRadar provides the actionable and timely intelligence context you need to manage the risks in the transformation era.

21.000+ Free Users

Dark Web Monitoring: SOCRadar's fusion of its unique Dark Web recon technology with the human analyst eye further provides in-depth insights into financially-targeted APT groups and the threat landscape.

Protecting Customers' PII: Scan millions of data points on the surface, deep and Dark Web to accurately identify the leakage of your customers' Personally Identifiable Information (PII) in compliance with regulations.

Credit Card Monitoring: Enhance your fraud detection mechanisms with automation speed by identifying stolen credit card data on popular global black markets, carding forums, social channels, and chatters.

360-Degree Visibility: Achieve digital resilience by maintaining an internet-facing digital asset inventory. Significantly accelerate this process by automated discovery, mapping, and continuous asset monitoring.

GET ACCESS FOR FREE

MEET THE NEW MOBILE APP

Access threat intelligence, act on-the-go, and be instantly notified of new threats. View alerts, breaking Dark Web news, and new ransomware attacks.

4.9/5

SOCRadar, Your Eyes Beyond

HQ Office: 254 Chapman Rd, Ste 208, Newark, Delaware 19702 USA
Call: +1 (571) 249-4598
Email: info@socradar.io
Web: socradar.io

Virtual Addresses
London, UK: 167 City Road Old Street, London EC1V 1AW
Dubai, UAE: 8W building 5th Floor, DAFZA, Dubai
São Paulo, Brasil: 7th & 8th Floors Torre Joao Salem, Av. Paulista 1079, São Paulo
Bangalore, India: The Estate, 8th Floor, Dickenson Road 560042, Bangalore, Karnataka