BLOG

The Underground Economist: Volume 3, Issue 18

6 minute read

Welcome back to The Underground Economist: Volume 3, Issue 18, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of September 18th, 2023.

Actor Shares Method to Create Obfuscation Service

On September 2, 2023, the well-regarded threat actor “TOP G” shared a method that other threat actors can use to create their own obfuscation services on the predominantly Russian language Deep Web forum “XSS.” The method details how threat actors can build their own web application with a graphical user interface (GUI) to encrypt malicious Cobalt Strike payloads. The generated files would not be detected as malicious by most antivirus products’ dynamic scans, including:

  • Windows Defender
  • Avast
  • AVG
  • Avira
  • Bitdefender
  • Kaspersky

ZeroFox researchers assess this method will likely lead to an increase in the number of obfuscation services available on the deep and dark web because it lowers the barrier to entry for threat actors looking to start up their own services. It is highly likely these obfuscation services will help facilitate the spread of malware campaigns worldwide.

Service Monetizes Compromised Account Credentials of Chinese Targets

On September 2, 2023, the well-regarded and established threat actor “Intellect” advertised a service that monetizes the compromised account credentials of Chinese targets on the predominantly Russian language Deep Web forum “Black Hat Forum.” This is significant because most Russian-speaking threat actors typically prioritize the compromised accounts of users based in English-speaking countries, such as the U.S., U.K., and Canada. 

The actor specified they were looking for the email/password or phone number/password combinations of Chinese account holders to perform credential stuffing attacks. They offered to split the profits equally from any successful account takeovers, indicating the actor likely plans to drain the funds from the compromised accounts.      

ZeroFox researchers assess this service likely indicates an emerging attack surface for Russian-speaking threat actors, since there are many high value Chinese targets that have remained largely unaffected by cyber crime until now.

Custom Web Scraping Tool Advertised

On September 12, 2023, the well-regarded and established threat actor “tonny_gram” advertised a custom web scraping tool on the predominantly Russian language Deep Web forum “Black Hat Forum.” The actor claims the tool can automatically extract website data without being detected as a scraper by most anti-bot solutions, including:

  • Akamai
  • CloudFlare
  • DataDome
  • Imperva
  • PerimeterX

Additional features of the tool include:

  • Does not require web proxies
  • Collects browser cookies and local storage data from target websites
  • Takes screenshots of website pages

The starting price for the tool was $1,000 USD. There were additional costs for customizations, depending on the target website. 

ZeroFox researchers assess this tool will likely gain momentum on the criminal underground because of its capabilities to bypass most anti-bot solutions. This functionality is essential for threat actors looking to automate various cyber-attacks.

Multiple Threat Actors Targeting U.S.-Based Wireless Resellers

Since late August 2023, ZeroFox researchers have observed multiple threat actors targeting U.S.-based wireless resellers (also known as mobile virtual network operators, or MVNOs) on the predominantly Russian language Deep Web forum “Exploit.” 

The first occurred on August 30, 2023, when the well-regarded threat actor “opal” advertised RDP TeamViewer access to the web panel of an unnamed MVNO. A buyer would have access to various payroll and point-of-sale systems, such as Paymaster, ePay, and WebPOS. They would also have capabilities to:

  • Activate various prepaid services, including Verizon, T-Mobile, and TracFone
  • Lookup Verizon account details
  • Refill T-Mobile prepaid accounts 


The second instance came on September 2, 2023, when the untested threat actor “soflyaway” advertised web panel access to another unnamed MVNO. The actor said this access would allow a threat actor to steal the phone numbers of Lyca Mobile users by performing SIM swaps. The buyer would also be able to:

  • Activate various prepaid services, including Lyca Mobile, H20 Wireless, and FreeUP Mobile
  • Refill prepaid accounts worldwide

ZeroFox researchers assess that threat actors will likely continue to target wireless resellers because they have a higher probability of successfully compromising an MVNO than one of the major wireless carriers, such as AT&T, T-Mobile, or Verizon. 
Additionally, this level of access would allow threat actors to establish their own businesses, where they could charge other threat actors on the deep and dark web for the individual services provided via the web panels.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.

CTA for Hitchhiker's Guide to the Dark Web

See ZeroFox in action