Threat Intelligence

The Underground Economist: Volume 5, Issue 7

by ZeroFox Intelligence

MySQL Database Advertised in Dark Web Forum

On April 1, 2025, a Russian-speaking actor known as “Vespiary” advertised unauthorized access to a MySQL database belonging to a large, unnamed U.S.-based organization on the xss forum. According to the advertisement, buyers will gain live access to unencrypted information on 751,000 clients, with no duplicate records.

The data allegedly includes comprehensive credit card details for 70,000 clients, 30 percent of which the actor claims to have verified as valid using publicly available card-checking services such as pickup24[.]cc and odincheck[.]com.

  • The allegedly compromised organization is described as specializing in “lead generation” for medical professionals working in commercial institutions, generating an annual revenue of USD 1.5 billion. Access to the data set is being advertised for sale for USD 30,000.

Vespiary has a strong reputation on xss, having completed at least 11 transactions via escrow since joining the forum in July 2020. While ZeroFox has observed no feedback from other actors within the forum, Vespiary’s reputation adds credibility to their services and the proposed sale. As of the writing of this report it is unclear if a sale has been made, with communications almost certainly taking place via private messaging channels.

If the data and access are as advertised, a purchase could enable a buyer to conduct targeted social engineering campaigns and financial fraud against a large number of victims.

Blackfield Claims Possession of Sensitive U.S. Officials' Data

On April 1, 2025, threat actor “blackfield” posted on the Russian-language dark web forum RAMP, claiming to have gained access to “critical” data related to U.S. political personnel. Blackfield provided minimal information on the stolen data but alluded that it includes personally identifiable information (PII). According to the advertisement, only “old buyers” will be engaged due to operational security (OPSEC) concerns. Interested parties were encouraged to make contact via the encrypted messaging platform Tox.

  • ZeroFox previously reported on separate statements by blackfield, whereby they claimed responsibility for numerous data breaches targeting primarily Israel-based victims.
  • Most recently, on March 15, 2025, blackfield warned that upcoming attacks would target U.S.-based entities and would be conducted in such a manner as to appear to originate from China, Iran, or North Korea.

Blackfield is a pro-Palestinian threat actor and carries a positive reputation within deep and dark web (DDW) forums, with more than 500 positive reaction points from fellow forum members. The actor is very likely primarily ideologically motivated, with the majority of their victims being based within nations perceived as hostile toward Gaza. 

While recent activity shows blackfield shifting their focus from Israeli to U.S. targets, this development very likely reflects an expansion of their operational remit, rather than a cessation of attacks on Israeli entities.

ZeroFox assesses that the compromised data set is likely genuine, as indicated by the actor’s decision to limit transactions to previously verified buyers, a tactic commonly used to maintain OPSEC and avoid detection. This approach likely indicates that the actor is handling sensitive or high-value data—or is displaying a degree of caution intended to make potential buyers think this is the case.

  • Since the actor is claiming the stolen information is “critical,” it is likely that detailed insights about the data will be disclosed only to vetted buyers.
  • Blackfield’s insistence on verified buyers is likely a filtering mechanism to identify genuinely interested parties, which may also serve to limit the buyer pool.
  • Given that RAMP frequently hosts politically and ideologically aligned actors, it is likely that similarly minded buyers will deem the alleged information potentially lucrative.

While it is unclear which entity and individuals were compromised and what information was stolen, any compromised data associated with U.S. political personnel is very likely to attract the interest of both financially and politically motivated threat actors seeking to conduct social engineering, mis- and dis-information campaigns, and data theft.

Free Ransomware Source Code Advertised on BreachForums 

On April 1, 2025, a user known as “M33D0X” and “MEED” posted in the hacking forum BreachForums advertising a malware kit named “M-RANS” and also shared a link to a GitHub resource where the full source code can be found. According to the post, the ransomware kit was developed by the actor. ZeroFox rarely observes the advertisement and provision of free malware within DDW forums.

The actor claims that M-RANS is currently the most dangerous malware available and is “100 percent” free to use. MEED added a disclaimer, stating that they accept no responsibility for any illegal or inappropriate use of the tool. MEED states the software is being provided for educational and research purposes only.

The offer allegedly contains a comprehensive kit, including both an encryptor and a post-compromise extortion note.

  • As of the writing of this report, the only responses to the advertisement have been from unrecognized actors communicating mostly from accounts with a low credibility score.
  • Some actors speculated that the offering could be a trap designed to monitor, track, and collect data on would-be attackers attempting to leverage it in digital extortion attacks.

If the malware is as advertised, it will very likely appeal to a range of financially motivated threat actors, such as digital extortion collectives that have the experience and illicit network access required to conduct ransomware attacks. The offering is unlikely to gain significant traction or interest prior to the public posting of positive feedback.

New Malware Targeting Android Devices Announced

On March 28, 2025, untested threat actor "droid" advertised a new Android malware named “Nillious” on the dark web forum Exploit, seeking collaborators able to provide their own traffic and target designated applications within specific countries. According to the post, Nillious is compatible with Android versions 9-15. The targeting of victims located within the Commonwealth of Independent States (CIS) countries is not permitted and is likely blocked via the detection of installed Russian-language keyboards.

  • The actor provided a demo of the malware, which is hosted on an anonymous online storage service: hXXps://gofile[.]io/d/YqbB4i

As of the writing of this report, the post has garnered minimal feedback from other forum members regarding its legitimacy and effectiveness. Newly developed tooling like this very likely has a higher chance of evading existing Android security controls and detection signatures than established families, making it a potentially significant emerging threat.

  • ZeroFox observed that the malware was also advertised within the dark web forum xss in January 2025, though for a price of USD 2000.

According to droid, Nillious’ payload is built from scratch using the latest Android SDK (API level 35) and uses Telegram as the command and control (C2) infrastructure, regardless of whether the target has Telegram installed. It allegedly comes embedded with a hidden virtual network computing (hVNC) component, which lets an operator control the device remotely without the activity being visible on the victim’s screen. The keylogger feature allegedly records the target’s keystrokes, enabling password theft.

  • Using screen manipulation such as a “black screen of death,” the malware prevents the user from interacting with the device while the operator acts. Other advertised features include muting antivirus alerts, a target list of banking and cryptocurrency apps, and anti-uninstall protection.
  • Notably, the malware is advertised as surviving uninstall attempts, a differentiating feature compared with the majority of Android-based malware, which is removed by a factory reset.
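Telegram-based C2 leaves a recognisable trace in egress logs: the bot API is reached at api.telegram.org with the bot token embedded in the URL path, and a legitimate Telegram client never calls that endpoint with a token. The following is an added detection example written for this article; it is not code from ZeroFox or from the Nillious author, and the log format, package names and token strings are constructed for illustration.

```python
"""Hunt proxy logs for Android apps using the Telegram Bot API as C2.

Assumptions (not from the article):
  - log lines are "<timestamp> <device> <package> <url>", one request per line
  - a Bot API token looks like <8-10 digit bot id>:<35 char secret>
  - getUpdates is the command-polling side of a C2 loop, send* the exfil side
"""
import re
from collections import defaultdict

BOT_CALL_RE = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<bot_id>\d{8,10}):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)

POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
TELEGRAM_CLIENTS = {"org.telegram.messenger", "org.telegram.messenger.web"}

# Constructed sample traffic (not real data). dev-02 shows the full C2 loop
# from a package posing as a system updater; dev-04 is a single send call from
# an unrelated app; dev-05 carries a malformed token that must not match.
SAMPLE_LOGS = """\
2025-04-01T10:00:01Z dev-01 com.android.chrome https://www.example.com/
2025-04-01T10:00:05Z dev-02 com.system.update https://api.telegram.org/bot123456789:AAHk3mN2pQr7sT9uVwXyZ0123456789abcd/getUpdates?offset=1
2025-04-01T10:00:09Z dev-02 com.system.update https://api.telegram.org/bot123456789:AAHk3mN2pQr7sT9uVwXyZ0123456789abcd/sendDocument
2025-04-01T10:00:12Z dev-03 org.telegram.messenger https://api.telegram.org/
2025-04-01T10:00:20Z dev-04 com.example.notifier https://api.telegram.org/bot987654321:BBGk4nO3qRs8tU0vWxYzA1234567890bcde/sendMessage
2025-04-01T10:00:25Z dev-05 com.other.app https://api.telegram.org/bot12:short/sendMessage
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, device, package, url = line.split(maxsplit=3)
    return ts, device, package, url


def find_bot_api_calls(lines):
    """Return one hit per request whose URL carries a Bot API token."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, device, package, url = parse_line(line)
        m = BOT_CALL_RE.search(url)
        if m:
            hits.append({
                "ts": ts,
                "device": device,
                "package": package,
                "bot_id": m.group("bot_id"),
                "method": m.group("method"),
                # The official client uses MTProto, not the Bot API, so any
                # package here is a bot; flag it when it is not even Telegram.
                "foreign_package": package not in TELEGRAM_CLIENTS,
            })
    return hits


def summarize(hits):
    """Group hits by (device, bot id) and flag a poll + exfil pattern as a C2 loop."""
    per_bot = defaultdict(lambda: {"packages": set(), "methods": set()})
    for h in hits:
        key = (h["device"], h["bot_id"])
        per_bot[key]["packages"].add(h["package"])
        per_bot[key]["methods"].add(h["method"])

    findings = []
    for (device, bot_id), info in sorted(per_bot.items()):
        polls = bool(info["methods"] & POLL_METHODS)
        exfil = bool(info["methods"] & EXFIL_METHODS)
        findings.append({
            "device": device,
            "bot_id": bot_id,
            "packages": sorted(info["packages"]),
            "methods": sorted(info["methods"]),
            "c2_loop": polls and exfil,
        })
    return findings


if __name__ == "__main__":
    for f in summarize(find_bot_api_calls(SAMPLE_LOGS.splitlines())):
        print(f)
```

A single send call from an unknown package (dev-04) is worth a look but is also what a benign notification app does; the poll-plus-upload pairing (dev-02) is the shape of an operator loop and is the finding to escalate. The bot id is stable across a campaign, so it doubles as a pivot for blocking and retro-hunting.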

User “PigaFreak” replied to the post, accusing droid of conducting scams in the xss forum which resulted in a ban. Droid subsequently denied the accusation, blaming the ban on a disagreement over fund deposits with the xss administrators.

Droid’s regional targeting restrictions and the search for partners meeting specific requirements indicate that the malware is likely ready to be deployed against Android devices located outside the CIS. Due to the lack of feedback and seller reputation, the threat posed by Nillious cannot yet be assessed. However, droid likely intends to operate this malware as-a-service, receiving a share of the profits.

ZeroFox Intelligence Recommendations

  • Develop a comprehensive incident response strategy.
  • Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
  • Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
  • Implement network segmentation to separate resources by sensitivity and/or function.
  • Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
  • Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
  • Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
  • Proactively monitor for compromised accounts and credentials being brokered in DDW forums.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).

Appendix A: Traffic Light Protocol for Information Dissemination

Appendix B: ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
