The Underground Economist: Volume 5, Issue 15

MacOS LPE Zero-Day Vulnerability Advertised for Sale 

On July 22, 2025, untested threat actor “skart7” posted in the dark web forum Exploit, advertising the sale of a zero-day Local Privilege Escalation (LPE) vulnerability for Apple’s macOS for USD 130,000. Skart7 stated the alleged vulnerability is a logical flaw affecting macOS versions 13.0 to 15.5, including macOS beta releases, and asserted it has 100 percent reliability. The actors also specified that escrow payments would be accepted.

• Skart7 joined the Exploit forum in June 2025 and has yet to garner significant credibility within the forum. The actor has previously advertised various other zero-day vulnerabilities for sale on Exploit, with prices ranging from USD 30,000 to USD 130,000.
• While some forum members have displayed interest in skart7’s previous advertisements, negotiations reportedly broke down over disputes regarding who would cover the escrow fee on Exploit.

Such a vulnerability has the potential to enable broader attack chains, allowing threat actors to disable security controls, gain deeper access into targeted systems, and possibly turn a single compromised endpoint into a foothold for long-term exploitation.

• Although LPE flaws require local access, they remain valuable in multi-stage attacks where initial access has already been gained, enabling privilege escalation, persistence, or lateral movement within macOS environments.
• The decision to list the macOS LPE vulnerability on a public forum like Exploit, rather than through vetted private brokers, is likely due to an urgency to monetize before the vulnerability is patched.
• Given that the vulnerability reportedly impacts beta versions too, it could pose a risk to software hobbyists—particularly Apple enthusiasts.

As of the writing of this report, the advertisement has been removed for unknown reasons; it is likely that potential buyers have privately reached out via Tox and Session as directed by skart7. The post likely generated interest from financially motivated threat actors seeking reliable LPE vulnerabilities to deploy information stealers or maintain persistence on high-value macOS systems. Such exploits can enable them to bypass user-level restrictions, escalate privileges, and monetize access through extortion, data theft, or resale on underground markets.

Stripe Exploit Advertised for Sale on Dark Web Forum

On July 17, 2025, an actor known as “stewie99k” posted on the dark web forum Exploit, advertising the sale of a vulnerability related to Stripe. According to the actor, the vulnerability enables potential buyers to charge two-dimensional cards, with payment processed within two days. Stewie99k provided no further details surrounding the nature of the vulnerability but specified that there are five copies available that can be purchased via escrow for USD 10,000 each. 

• Stewie99k joined Exploit in February 2023 and has since established a positive reputation in the forum.
• There are two primary types of payment gateways: two-dimensional (2D) and three-dimensional (3D). 2D payment gateways typically only require a card number, expiration date, and card verification value (CVV) to process payments. 3D payment gateways usually require an extra security measure to process payments, such as a one-time-password (OTP) or biometric verification. As such, 2D payment gateways are more susceptible to fraudulent activity.

Stripe is an Irish-American online payment processing platform and financial infrastructure company that reportedly processed USD 1.4 trillion in 2024.¹ As of February 2025, Stripe was reportedly used by half of the organizations listed in the Fortune 100, 80 percent of the Forbes Cloud 100, and 78 percent of the Forbes AI 50.²

In the post, stewie99k shared several images of what appear to be successful Stripe payment gateway transactions, which have likely been conducted using compromised payment details. The actor outlined that potential buyers would need the following information to successfully exploit the vulnerability:

• A “bank drop”, which typically refers to a bank account (sometimes a fake or stolen one) that is used as a temporary destination for fraudulent funds.
• Compromised personally identifiable information (PII) of a U.S. citizen—including name, address, and Social Security number (SSN)—which are very likely required by potential buyers to open a Stripe account and connect to the desired merchant.

There is a roughly even chance that the vulnerability being advertised is legitimate, given the reputation of the seller. However, it is very likely that such a vulnerability, as advertised in the post, would have a short life span. Unauthorized payments are considered high-risk, and vulnerabilities enabling them are usually discovered and patched within days or even hours—especially if they are impacting an industry leader like Stripe.

PII Related to IDF Personnel Advertised for Sale

On July 16, 2025, the actor “blackfield” posted in the Russian-language dark web forum RAMP advertising the sale of PII associated with personnel of the Israeli Defense Forces (IDF). According to blackfield, the data set is available for USD 50,000 but will be provided for free to groups known to work against Israeli interests. The data set is allegedly comprised of 200,000 lines of PII, including:

• Names
• Phone numbers
• Email addresses
• Family information (very likely meaning information about the relatives of alleged IDF members, such as  names and email addresses)
• Location details (very likely meaning the home addresses or military post locations of IDF members)

Blackfield included sample data in the post, which contained 54 lines of first and last names and accompanying email addresses of alleged IDF members. Notably, this sample did not include phone numbers, family information, or location details—likely because blackfield chose not disclose PII deemed more sensitive and valuable.

• Blackfield is part of the pro-Palestinian, anti-Israel hacktivist group Shadow, a collective responsible for numerous cyberattacks exclusively targeting Israeli infrastructure.
• The actor joined RAMP on February 5, 2023, where they have a “well-known member” reputation status.
• On March 15, 2025, blackfield announced on RAMP that they had gained access to sensitive documents associated with high-ranking IDF officers, Israeli political figures, and an Israel-based healthcare organization with an annual revenue of USD 1 billion.
• On April 1, 2025, blackfield posted on RAMP claiming to have gained access to “critical” data related to U.S. political personnel. Blackfield provided minimal information on the stolen data but alluded to it including PII.

Like other pro-Palestinian hacktivist groups, blackfield displays an overt hostility towards Israel and Israeli-based entities, which almost certainly extends to allies such as the United States, European nations, the European Union (EU), the North Atlantic Treaty Organization (NATO), and the West in general. Future activity from blackfield is very likely to target those perceived as misaligned with the interests of Palestinian and Iranian entities. Despite the clear ideological motivation, blackfield very likely also seeks to simultaneously financially profit from their attacks.

The data set advertised is very likely genuine, based on blackfield’s established reputation and similar past advertisements. The information advertised by blackfield almost certainly appeals primarily to other ideologically, politically, and financially motivated threat actors that would seek to leverage PII in disruption attacks, social engineering campaigns, or in the planning of physical targeting.

Recommendations

• Develop a comprehensive incident response strategy.
• Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
• Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
• Implement network segmentation to separate resources by sensitivity and/or function.
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
• Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
• Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
• Proactively monitor for compromised accounts and credentials being brokered in deep and dark web (DDW) forums.
• Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).

Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 7:00 AM (EDT) on August 1, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.

1. hXXps://stripe[.]com/newsroom/news/stripe-2024-update
2. Ibid.