The Underground Economist: Volume 5, Issue 21
by ZeroFox Intelligence
PII Related to Israeli Air Force Personnel Advertised for Sale on Dark Web
On October 21, 2025, notorious threat actor “blackfield” posted in the dark web forum RAMP, claiming to have collected the personally identifiable information (PII) of 30,000 Israeli Air Force personnel that was recently referenced in a Qatari Al Jazeera broadcast. No pricing was provided in the post; however, blackfield invited interested parties to contact them via private message for more information.
- Blackfield alleged that they had previously collected the PII, which was referenced in a Qatari Al Jazeera broadcast on October 20, 2025, titled “The Hidden is More Immense”; the network claimed to have obtained a “leaked document” containing the names of approximately 30,000 Israeli Air Force personnel.[1]
- Blackfield is part of the pro-Palestinian, anti-Israel hacktivist group Shadow, a collective responsible for numerous cyberattacks exclusively targeting Israeli infrastructure.
- Blackfield joined RAMP on February 5, 2023, where they have a “well-known member” reputation status.
- On March 15, 2025, blackfield announced on RAMP that they had gained access to sensitive documents associated with high-ranking Israeli Defense Forces (IDF) officers, Israeli political figures, and an Israel-based healthcare organization with an annual revenue of USD 1 billion.
In the post, blackfield claims to have collected the information a “long time ago”, although no specific timeframe was provided. They also allegedly compromised at least 7,000 active phone numbers belonging to the military personnel mentioned, using an unspecified zero-day vulnerability. The dataset allegedly contains:
- Names
- Phone numbers
- Geolocation data (likely pertaining to residential addresses)
- Family member information (likely pertaining to names and residential addresses)
- Personal photographs
The dataset advertised is very likely genuine, based on blackfield’s established reputation and similar past advertisements. The information advertised by blackfield almost certainly appeals primarily to other ideologically, politically, and financially motivated threat actors that would seek to leverage PII in disruption attacks, social engineering campaigns, or in the planning of physical targeting.
Updates to Octo Bot Posted in Dark Web Forum
On October 20, 2025, an actor using the alias “goodluck” posted in the dark web forum Exploit regarding well-known Android malware bot “Octo”, announcing their latest updates for “Octo 2” and revealing license prices of USD 2,000 for two weeks or USD 3,000 for one month. The actor also shared GitHub documentation for Octo 2, likely to provide proof of authenticity to interested buyers.[2]
- Octo 2 is one of the most advanced and commonly used Android bots and is capable of stealing data via private and customized injections.
- One of the updated bot’s most notable features is its hidden virtual network computing (HVNC) capability, which enables the attacker to remotely control the infected device without the victim’s knowledge.
- On August 20, 2024, goodluck announced the release of the new version of their Octo malware, Octo 2; now, the associated bot has been updated.
The actor goodluck claims in the post that the new Octo 2 bot features include:
- Compatibility with Android 16: This indicates the bot functions on the newest Android operating system (OS) release, which likely required adapting the bot to newer OS APIs and protections in order to increase the number of potential victims.
- Ability to bypass Google Play Protect: This likely means that the bot can bypass Google Play Protect’s scanning and blocking mechanisms.
- Manual pre-moderation in the control panel: The actor asserts that control-panel submissions are manually reviewed and that the panel has been improved to evade detection by some AV vendors or researchers.
- Hiding the app icon: This likely means that the bot can remove its launcher icon so the app is not visible in the application grid, making it less likely that a user will notice and manually uninstall it.
- Collection of data from injections: This likely refers to the use of UI overlays or app-injection techniques to intercept credentials, session tokens, messages, or other sensitive information from targeted apps or web content.
These most recent updates likely represent an attempt by goodluck to promote the Octo 2 bot to attract more users and gain more market share. The updates are likely also aimed at increasing the potential victim pool, especially across devices updated to the newest Android OS. The Octo 2 bot’s adaptability and concealment features will likely appeal to buyers and increase the likelihood it will remain one of the most commonly purchased bots on the market.
Database Related to Valve and Steam Advertised for Download on Dark Web Forum
On October 13, 2025, a threat actor using the alias “Observe” posted in the dark web forum XSS, advertising a database for download related to valvesoftware[.]com and store.steampowered[.]com. Observe stated in the post that the database contains approximately 47 million records, which the actor claimed to have personally breached; if true, this would likely indicate the data is recent and not recycled.
- Valve Corporation, commonly referred to as Valve Software, is an American company based in Bellevue, Washington, that specializes in video game development, publishing, and digital distribution.
- The website, store.steampowered[.]com, is Valve Corporation’s official digital storefront for PC games, allowing users to browse, purchase, and download titles from both independent developers and major publishers.[3]
- Observe joined XSS on October 4, 2025, and has not yet established a positive reputation. Therefore, ZeroFox cannot determine Observe’s credibility at this time.
In the post, Observe included the following field headers:
| Field | Likely meaning |
|---|---|
| Date | The calendar date of an event or transaction |
| Time | The exact time the event occurred |
| S_Sender | The component or service that sent the message |
| Number (Destination) | The phone number or destination identifier for an SMS, Steam account ID, or user identifier |
| Provider Status | The delivery status reported by the message provider |
| Provider Message ID | A unique identifier assigned by the provider to each message sent |
Observe provided a sample of the database stored in a 38 KB file, which included similar data headers as listed in the table above. The actor also claimed that the full database had been uploaded but did not provide a download link to the complete dataset.
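A first-pass triage of a leak sample in this six-column layout is the kind of check an analyst would run before assigning any credibility to the “recent, not recycled” claim: parse the rows, establish the earliest and latest timestamps, count duplicate provider message IDs, classify what kind of destination identifier each row carries, and fingerprint rather than store the raw identifiers. The script below is an added example written for this issue; it is not ZeroFox tooling and the sample rows are constructed, not records from the actor’s file. The SteamID64 pattern (a 17-digit number beginning with 7656119) is an assumption about the public Steam ID format, not something the post states.

```python
"""Triage a leak sample in the column layout from the post (constructed data)."""
import csv
import hashlib
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample using the six advertised column headers. Every value is
# invented for the example; none of these rows comes from the actor's file.
SAMPLE = """Date,Time,S_Sender,Number (Destination),Provider Status,Provider Message ID
2025-10-11,08:12:03,steam-auth,+15550100123,DELIVERED,msg-0001
2025-10-11,08:12:09,steam-auth,+15550100123,DELIVERED,msg-0001
2025-10-12,21:44:51,store-notify,76561190000000001,FAILED,msg-0002
2025-09-30,03:05:17,steam-auth,+447700900111,DELIVERED,msg-0003
2025-10-12,21:50:00,steam-auth,not-a-number,UNKNOWN,msg-0004
2025-13-01,21:50:00,steam-auth,+15550100999,DELIVERED,msg-0005
"""

PHONE_RE = re.compile(r"\+\d{8,15}")        # E.164-style phone number
STEAM_ID_RE = re.compile(r"7656119\d{10}")  # assumed SteamID64 shape (17 digits, 7656119 prefix)


def classify_destination(value):
    """Label the destination field as phone, steamid64 or other without keeping it."""
    if PHONE_RE.fullmatch(value):
        return "phone"
    if STEAM_ID_RE.fullmatch(value):
        return "steamid64"
    return "other"


def mask(value):
    """Display form: first two and last two characters survive, the rest is starred."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def fingerprint(value):
    """Short SHA-256 prefix so duplicates can be counted without storing the raw identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def triage(text):
    """Parse a sample in the advertised layout and summarise freshness, duplication and PII exposure."""
    rows = list(csv.DictReader(io.StringIO(text)))
    timestamps, statuses, kinds, ids, fingerprints = [], Counter(), Counter(), Counter(), set()
    malformed = 0
    for row in rows:
        try:
            ts = datetime.strptime(f"{row['Date']} {row['Time']}", "%Y-%m-%d %H:%M:%S")
        except (ValueError, KeyError, TypeError):
            malformed += 1  # unparseable date/time is itself a signal about data quality
            continue
        dest = row["Number (Destination)"]
        timestamps.append(ts)
        statuses[row["Provider Status"]] += 1
        kinds[classify_destination(dest)] += 1
        ids[row["Provider Message ID"]] += 1
        fingerprints.add(fingerprint(dest))
    return {
        "records": len(rows),
        "parsed": len(timestamps),
        "malformed": malformed,
        "earliest": min(timestamps).isoformat() if timestamps else None,
        "latest": max(timestamps).isoformat() if timestamps else None,
        "span_days": (max(timestamps) - min(timestamps)).days if timestamps else None,
        "duplicate_message_ids": sorted(i for i, n in ids.items() if n > 1),
        "statuses": dict(statuses),
        "destination_kinds": dict(kinds),
        "unique_destinations": len(fingerprints),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A tight, recent date window with few duplicate message IDs is consistent with a single fresh export; a wide window, heavy duplication or a high malformed-row count points toward a stitched-together or recycled dump. Only fingerprints and masked values leave the function, so the summary can be shared without re-circulating the identifiers themselves.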
It is very likely that Observe is attempting to build credibility and garner attention on the forum by claiming responsibility for disclosing such a large dataset. By posting a sample of the data and omitting the full download, it is likely that Observe is attempting to generate interest before selling the full dataset. The data, if legitimate, will likely appeal to a variety of threat actors seeking to conduct malicious cyber campaigns, such as social engineering or phishing.
Top Secret Information Related to the FBI Advertised for Sale on Dark Web Forum
On October 8, 2025, an actor using the alias “jrintel” posted in the dark web forum DarkForums, advertising the sale of top secret U.S. Federal Bureau of Investigation (FBI) schematics of an unmanned aerial vehicle (UAV) designed to imitate a bird. The actor did not disclose a price for the alleged documentation but provided Telegram and Session links for any interested parties to use to contact them.
Jrintel joined DarkForums in August 2025 and has since garnered a positive reputation, which likely adds credibility to their claims.
In the post, jrintel provided a Telegram link[4] to access the content—likely to showcase proof of the documentation; however, the channel has since been removed or deleted by the owner. Jrintel operates a separate Telegram channel called “buygovdocs”[5] where they frequently advertise the purchase and sale of sensitive worldwide government-related information. In this channel—which was established on October 13, 2025, just five days after the actor’s most recent UAV schematics offer—jrintel shared a list of alleged material that they claim to possess, including documentation related to the following governments:
- The United States: Information related to the Department of War (DoW), the Central Intelligence Agency (CIA), the Defense Advanced Research Projects Agency (DARPA), the Defense Intelligence Agency (DIA), the Idaho National Laboratory, and Space Force
- China: Information related to UAVs and strategic plans for Taiwan
- India: A strategic assessment on “Operation Trinetra”
- Pakistan: A strategic report on “Operation Zeb-e-Maal”
- United Kingdom: BAE Systems submarine technology developments
- Russia: UAV technology advancements
It is likely that the advertisement posted by jrintel on DarkForums is credible, given their positive reputation on the forum. It is also likely that jrintel possesses at least some of the documentation advertised on their “buygovdocs” Telegram channel. The information that jrintel claims to possess is likely to appeal to both financially motivated threat actors—who would likely seek to sell the data to nation-states or the media—and nation-states seeking to obtain information on governments they perceive to be adversarial.
ZeroFox Intelligence Recommendations
- Develop a comprehensive incident response strategy.
- Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Proactively monitor for compromised accounts and credentials being brokered in deep and dark web (DDW) forums.
- Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
Scope Note
ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 10:30 AM (EDT) on October 23, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
ZeroFox Intelligence Probability Scale
All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
1. hXXps://vinnews[.]com/2025/10/21/al-jazeera-airs-alleged-leak-of-30000-israeli-air-force-personnel/
2. hXXps://thearch001.github[.]io/octo_docs/
3. hXXps://www.valvesoftware[.]com/en/about
4. hXXps://t[.]me/leakdocuments/30
5. hXXps://t[.]me/buygovdocs