The Underground Economist: Volume 5, Issue 17

by ZeroFox Intelligence

Data Allegedly for Sale from European Union NATO-affiliated Company

On August 26, 2025, a prominent threat actor known as “blackfield” posted on the Russian-language dark web forum RAMP, advertising alleged access to an unnamed European Union NATO-affiliated company with revenues exceeding USD 5 billion. The access type and number of hosts were censored in the post at the time of writing; however, blackfield also claimed to hold domain-level privileges in the unnamed company’s Active Directory (AD) environment. The actor is selling this single access vector for 1 BTC, or approximately USD 112,447.

  • The actor also claimed to have exfiltrated the alleged data, which blackfield is offering for sale in addition to the domain access privileges for a total of 5 BTC or approximately USD 562,235.
  • The actor noted that buyers of the access alone could exfiltrate the data themselves but that it “won’t be easy to be honest.”

The actor is well-known in RAMP with positive reputational scoring from other forum users, which likely legitimizes blackfield’s claims for potential buyers. ZeroFox has observed blackfield predominantly targeting Israel-based assets, but the actor has also conducted attacks against U.S.-based entities or other NATO allies.

ZeroFox is unable to verify the access type and number of hosts blackfield is offering; however, analysis of the actor’s post suggests it is likely root access and that the number of compromised hosts exceeds 1,000. Root access (the privilege level of the “superuser” account) grants unrestricted read, write, and execute permissions across an entire system; used maliciously, it would allow an actor to significantly disrupt company systems or exfiltrate data from them.

Dataset Containing U.S.-based Business Owners’ and Investors’ Information

On August 26, 2025, an actor using the alias “0kb” posted on the dark web forum Exploit, advertising alleged access to over 140,000 rows of customer relationship management (CRM) data records containing information on U.S.-based business owners and investors. The actor priced the dataset at USD 5,000; the dataset plus the CRM access is priced at USD 10,000, with escrow available to buyers. The actor also claimed that the CRM access can be leveraged by buyers to contact leads directly via calls and receive daily lead updates. According to 0kb, the headers allegedly include:

  • First and last name
  • Address
  • Email address
  • Personal phone number
  • Office phone number
  • Website
  • Industry type
  • Company name
  • Recorded call

Content management system and CRM compromises pose a significant risk to organizations, as they can provide malicious actors with direct access to thousands—or potentially millions—of contacts, depending on the size of the targeted company. Data exposed from CRM systems can be used in subsequent targeted spear phishing campaigns or result in financial losses, fines, lawsuits, and reputational damage.

New Infostealer Announced on Dark Web Forum

On August 16, 2025, an actor using the alias “KatzStealer” posted on the dark web forum Exploit, announcing the release of a new infostealer named “Katz Stealer”. Notably, the Katz Stealer infostealer allegedly has the following features:

  • Ultra-lightweight. This likely means the malware is very small in size and uses minimal system resources, making it easier to bypass detection tools such as antivirus or endpoint detection and response (EDR).
  • High hit-rate. This likely refers to the malware being very successful at either compromising targets or data exfiltration. A high hit-rate will very likely be attractive to cybercriminals aiming for high return on investment (ROI).
  • Requires no dependencies. This likely references the infostealer being able to execute without needing to install or load external libraries or software, making deployment easier.
  • Build size is 30 KB to 100 KB. This is a very small executable size in comparison to other infostealers (most are between 100 KB and 200 KB), which will almost certainly enable faster download and execution.
  • Browser data extraction. The infostealer reportedly can extract data from a broad range of modern web browsers such as Chrome, Edge, Opera, Brave, and Firefox, which will very likely maximize credential and session token theft (including passwords, cookies, and autofill data).
  • Targets over 90 cryptocurrency extensions. There is likely a special focus on browser-based wallets such as MetaMask, Phantom, and Binance Wallet due to crypto theft being very popular among stealer-as-a-service (SaaS) operations.
  • Two-factor authentication. As is becoming increasingly common among other SaaS services such as LummaC, the Katz Stealer infostealer offers two-factor authentication (2FA) as an added layer of security for users.

According to KatzStealer, panel licenses for this new infostealer are available for USD 100 for one month, USD 270 for three months, and USD 480 for six months. This is competitive pricing, falling between mainstream infostealers like RedLine (approximately USD 100 to 150 per month) and premium variants such as LummaC2 (approximately USD 250 per month).

  • As is common for most other infostealers, KatzStealer states in the post that using Katz Stealer against Commonwealth of Independent States (CIS) countries is prohibited.

Notably, the user “xorit” commented on KatzStealer’s post, providing positive feedback about the service. Xorit noted that the stealer was built entirely from scratch in C and assembly (C/ASM), with the ability to bypass most antivirus solutions without any additional obfuscation or packers; most malware typically requires these to avoid detection.

  • Notably, KatzStealer’s credibility cannot be judged at this time, as the actor only joined Exploit in May 2025.

The Katz Stealer infostealer is likely to generate high interest among an array of financially motivated threat actors due to its alleged combination of stealth, efficiency, and accessibility. Its ability to bypass most antivirus solutions without the use of external packers or obfuscation reduces setup complexity while increasing deployment success rates. The lightweight build size, rapid data exfiltration speeds, and broad targeting scope (browsers, crypto extensions, and wallet apps) very likely make it well-suited for both mass deployment and targeted operations.

Guide to Prevent Deanonymization and IP Leaks Posted on Dark Web Forum

On August 14, 2025, the actor “devilish” posted on the dark web forum Dread, providing a comprehensive guide to help operators of private websites prevent IP leaks, along with a method to help avoid deanonymization. Devilish’s guidance on preventing IP leaks on clear web rotators likely comprises measures to stop the rotators from exposing real IP addresses, so that any browsing activity or ad campaigns stay private and secure.

  • Devilish suggested that, if someone is using DDoS Guard as a budget-friendly distributed denial-of-service (DDoS) protection solution, they should use iptables to restrict web ports 80 and 443 to DDoS Guard’s IP ranges only, in order to avoid IP leaks.
  • The actor also attached a screenshot demonstrating a part of this process in the post.

The tips and guidelines provided in devilish’s post are comprehensive enough for a person well-versed in networking technology to understand. Researchers have observed several other guides on preventing deanonymization, but the additional tips on mitigating the risk of IP leaks on clear web rotators are not commonly discussed. Even though the guide does not apply to dark web domains, it is likely useful for private clearnet domains. 

Several clearnet sites associated with illicit dark web marketplaces and forums have previously been dismantled by law enforcement:

  • On July 22, 2025, European law enforcement agencies arrested the suspected leader of well-regarded Russian-language cybercrime forum XSS and took down its main website, xss[.]is.
  • In May 2025, the eXch cryptocurrency exchange, allegedly involved in money laundering and operating a criminal trading platform, was accessible on both the clearnet and the darknet before it was targeted in a German law enforcement operation.[1]
  • A clearnet domain associated with prominent English-language dark web forum BreachForums was also available before both the marketplace and the website became inaccessible in April 2025, amid rumors of law enforcement campaigns and vulnerabilities in its infrastructure.

Devilish’s guide is likely to gain traction with existing or potential illicit online marketplace operators seeking to secure their private websites or backup domains on the clearnet. With popular dark web marketplaces such as BreachForums and XSS facing operational disruptions, several new markets have come online in the cybercrime sphere. If the operators of these websites choose to have backup clearnet domains, they will very likely rely on guides like devilish’s to evade law enforcement or prevent compromise by competing marketplaces. 

Several threat actors also use clear web systems such as proxies, virtual private network endpoints, or traffic rotators to move money, store stolen data, or host phishing sites. They are likely to be interested in devilish’s guide to help prevent IP leaks and avoid being unmasked, as taking these steps will likely make it more difficult for investigators to track their servers or real identities.

Recommendations

  • Develop a comprehensive incident response strategy.
  • Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
  • Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
  • Implement network segmentation to separate resources by sensitivity and/or function.
  • Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
  • Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
  • Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
  • Proactively monitor for compromised accounts and credentials being brokered in deep and dark web (DDW) forums.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
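The recommendation above to deploy authentication protocols against spoofed email comes down to publishing, and then actually enforcing, SPF and DMARC. The check below is an added example for this page, not ZeroFox tooling: it parses the two record types and reports the gaps a receiver would see (an SPF record ending in `+all`, a DMARC policy of `p=none`, partial `pct`, missing reporting address). The domain names and TXT records are constructed for illustration; `lookup_txt` is an in-memory stand-in that a real deployment would replace with a DNS resolver (for example dnspython’s `dns.resolver.resolve(name, "TXT")`).

```python
"""Check a domain's published SPF and DMARC records for anti-spoofing gaps.

Added example, not ZeroFox code. Records below are constructed; swap
lookup_txt() for a real resolver to run it against live DNS.
"""
from __future__ import annotations

import re

# Constructed TXT records keyed by DNS name (not real domains' records).
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example"
    ],
    "softfail.example": ["v=spf1 mx ~all"],  # SPF only, no DMARC record published
}

SPF_ALL = re.compile(r"^([+\-~?])?all$", re.IGNORECASE)


def lookup_txt(name: str) -> list[str]:
    """Return the TXT strings published at `name` (offline table here)."""
    return SAMPLE_TXT.get(name, [])


def spf_all_qualifier(records: list[str]) -> str | None:
    """Qualifier on the SPF 'all' mechanism: '+', '-', '~' or '?'.

    '+' is the default when omitted and authorizes every host on the
    internet. Returns None if no SPF record or no 'all' term exists.
    redirect= modifiers are not followed in this simplified parser.
    """
    for rec in records:
        if not rec.lower().startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            m = SPF_ALL.match(term)
            if m:
                return m.group(1) or "+"
    return None


def parse_dmarc(records: list[str]) -> dict[str, str] | None:
    """Parse 'tag=value' pairs from a DMARC1 record; None if absent."""
    for rec in records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def assess_domain(domain: str) -> dict:
    """Summarize how well the domain's records let receivers reject spoofed mail."""
    findings = []
    spf_all = spf_all_qualifier(lookup_txt(domain))
    if spf_all is None:
        findings.append("no SPF record (or no 'all' term): no authorized-sender list")
    elif spf_all == "+":
        findings.append("SPF ends in +all: every host passes SPF")
    elif spf_all == "?":
        findings.append("SPF ends in ?all: unauthorized hosts get a neutral result")
    elif spf_all == "~":
        findings.append("SPF ends in ~all: softfail only, mail usually still delivered")

    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))
    policy = None
    if dmarc is None:
        findings.append("no DMARC record: receivers get no policy for authentication failures")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail is spam-foldered, not rejected")
        if dmarc.get("sp", policy).lower() == "none" and policy != "none":
            findings.append("DMARC sp=none: subdomains are left unprotected")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: no aggregate reports to spot abuse")

    # Enforcing means receivers are told to act on failures for all mail.
    enforcing = policy in ("quarantine", "reject") and int((dmarc or {}).get("pct", "100")) == 100
    return {"domain": domain, "spf_all": spf_all, "dmarc_policy": policy,
            "findings": findings, "enforcing": enforcing}


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "softfail.example"):
        result = assess_domain(d)
        print(f"{d}: enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Running the script prints one block per constructed domain; `weak.example` is flagged for both `+all` and `p=none`, `softfail.example` for a softfail-only SPF and no DMARC at all, while `strong.example` produces no findings. Monitoring for brokered credentials and spoofing attempts is far more effective once such a domain is at `p=reject`, because the `rua=` aggregate reports then show exactly which unauthorized hosts tried to send as it.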

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 10:30 AM (EDT) on August 28, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.


  [1] hXXps://www.bka[.]de/DE/Presse/Listenseite_Pressemitteilungen/2025/Presse2025/250509_exch_abgeschaltet.html
