{
	"id": "981677d6-6b0c-461f-be51-6e6441efcd0e",
	"created_at": "2026-04-06T00:19:36.254512Z",
	"updated_at": "2026-04-10T03:36:50.079046Z",
	"deleted_at": null,
	"sha1_hash": "2845e3fb412dce53aa075f27aefe7c99015e4c94",
	"title": "Dark Peep #17: Dark Web Manifesto, Hacker Forums, and Ransomware Misadventures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5769200,
	"plain_text": "Dark Peep #17: Dark Web Manifesto, Hacker Forums, and\r\nRansomware Misadventures\r\nPublished: 2024-12-17 · Archived: 2026-04-05 17:34:29 UTC\r\nIf the events from the dark web in this series were a script, it would be the kind of thriller where everyone fumbles their\r\npart. From ransomware gangs accidentally losing their own ransom records to threat actors leaking millions of\r\nrecords, it’s a chaotic mix of ambition and irony.\r\nTake DonutLeaks, for example—the ransomware group that somehow destroyed its own chat database and is now\r\nawkwardly asking victims to reconnect through a contact form. Imagine a cyber heist movie where the\r\nmastermind forgets their own getaway plan. That’s DonutLeaks: high-tech extortion with a touch of slapstick.\r\nThreat actors clashing in a cage with bats, under SOCRadar’s control and oversight. (Image created by DALL-E)\r\nMeanwhile, Nam3L3ss is busy posting sensitive data on dark web forums, leaking millions of records while\r\nclaiming to expose systemic flaws in cloud security. Their dramatic manifesto might belong in a dystopian\r\nanime… Once data starts circulating on the dark web, it never really disappears—it just becomes fuel for phishing\r\nattacks and fraud.\r\nAnd then there’s Qilin Ransomware, who mixed up their victims so badly that payroll data for dentists somehow\r\nended up attributed to a highway department. 
It’s like watching a villain in a crime drama press the wrong button\r\nand accidentally blow up their own hideout.\r\nFrom espionage experts like Turla, who infiltrate rival hacker infrastructure, to honeypots like Jinn Ransomware\r\nBuilder, which tricked over 100 would-be hackers into exposing themselves, this week’s cyber stories are proof\r\nthat the dark web isn’t just dangerous—it’s unpredictable, ironic, and occasionally, downright absurd.\r\nBridges, Potholes, and… Root Canals?\r\nQilin Ransomware strikes again—this time proving that even cybercriminals can mess up their paperwork. They\r\nproudly posted their latest haul, only to mix up their victims. Unless the Whitestone, New York Highway\r\nDepartment has suddenly diversified into dental care, those payroll records for a dental director, two dentists, and\r\nfive hygienists are just a bit out of place.\r\nMoral of the story? When even ransomware gangs can’t keep their stolen data straight, trusting them is like\r\ntrusting your dentist to fix a pothole.\r\nTurla Hijacks Hackers to Hide Its Tracks\r\nThe Russian cyber-espionage group Turla pulled off another stealthy move, hijacking Storm-0156’s infrastructure\r\nto hit Afghan and Indian government targets. Instead of breaching fresh systems, Turla piggybacked on networks\r\nStorm-0156 had already compromised, deploying their signature malware tools like TinyTurla and TwoDash.\r\nTurla’s activities observed within Storm-0156’s infrastructure (Source: Lumen)\r\nTurla didn’t stop at stealing access—they looted Storm-0156’s workstations, swiping malware tools like\r\nCrimsonRAT and stolen credentials. 
Turns out, even hackers need better cybersecurity.\r\nWannaCry Returns?\r\nThe Indonesian group INDOHAXSEC TEAM claims to have developed a web-based version of WannaCry, but\r\nwhether they truly have the technical chops to pull it off remains uncertain. Creating ransomware of this scale\r\nrequires significant expertise, and groups often exaggerate their capabilities for attention. While their claims of\r\nencrypting websites and demanding Bitcoin are bold, it’s worth waiting for verified evidence before raising\r\nalarms.\r\nA ransomware message on a red screen labeled “WannaCry,” demanding 0.2 BTC to unlock encrypted files\r\nHackers Tried to Hack Ended Up Hacked\r\nJinn Ransomware Builder appeared on BreachForums as a customizable ransomware creation tool, promising\r\nC2 callbacks, AES encryption, and multi-language support. In reality, it was a honeypot crafted by security\r\nresearcher Cristian Cornea to trap curious hackers and script kiddies. Over 100 victims fell for the bait.\r\nJinn Ransomware builder honeypot\r\nThe builder disguised its true purpose by backdooring the system. A hardcoded “CmD.eXE” executable connected\r\nto a remote server while pretending to run encryption tasks. The multi-language feature? Just a prompt. AES\r\nencryption? Purely cosmetic, designed to hide the malicious code in plain sight.\r\nThe zero detections on VirusTotal gave it credibility, but that’s the catch—low detection doesn’t mean safe.\r\nHackers running the payload unwittingly opened their systems to a reverse compromise.\r\nMoral of the story? Hackers got hacked. Script kiddies got schooled. All thanks to a well-played honeypot—\r\ncreativity meets irony in the best way.\r\nWhen Hacktivists Turn on Each Other\r\nIn November, hacktivist group Rippersec pointed fingers at Azzasec for shutting down several Telegram accounts\r\nbelonging to rival hacktivists. The twist? 
Azzasec’s former owner reportedly offers a Telegram takedown service\r\nfor $300.\r\nClaiming roots in Italy, Azzasec once worked alongside pro-Russian groups and even claimed to have a\r\nransomware variant. Targeting Telegram accounts isn’t groundbreaking—mass reporting has been a favorite tactic\r\n—but turning it into a paid service adds a new layer of chaos to the hacktivist world. Turns out, if you can’t beat\r\nthem, you can always buy their page’s demise.\r\nRansomHub Says Data Will Be Used for Criminal Purposes\r\nWell, of course it will. It’s not like they’re planning a charity fundraiser or a bake sale with your stolen data.\r\nOnce a Leak Begins, It Never Truly Ends\r\nThe infamous MOVEit vulnerability (CVE-2023-34362) has resurfaced, this time linked to a new threat actor\r\nnamed Nam3L3ss, who claims no affiliation with ransomware groups like Cl0p but continues to release sensitive\r\ndata on BreachForums. High-profile victims, including Amazon, HSBC, McDonald’s, and U.S. Bank, have had\r\ninternal employee directories leaked, exposing names, contact details, and organizational hierarchies.\r\nThe threat actor’s posts, allegedly featuring the latest MOVEit-related databases\r\nNam3L3ss, calling themselves a “watcher” rather than a hacker, insists their actions highlight systemic security\r\nnegligence—specifically misconfigured cloud services and unprotected databases. Yet, their leaks, now millions\r\nof records deep, are a roadmap for phishing attacks, impersonation schemes, and fraud.\r\nA manifesto posted by the threat actor alongside the MOVEit data leak posts\r\nTheir message may come wrapped in self-righteousness, but once the floodgates of stolen data open, there’s no\r\nclosing them. A breach, once begun, doesn’t simply end. 
Data lives on, passed around like digital contraband,\r\nresurfacing years later in new forms of exploitation. Nam3L3ss allegedly reviving Avaddon’s 2020 data linked to\r\nAmerican Bank Systems is proof—breaches don’t die; they just evolve, becoming new risks for old mistakes.\r\nSo, while Nam3L3ss claims to be the messenger, their chilling edge remains: “If you can’t protect it, I’ll show the\r\nworld just how broken it is.” The leaks may start with exposure, but the consequences ripple endlessly.\r\nDonutLeaks: When Hackers Lose Their Own Data\r\nThe DonutLeaks ransomware group has found themselves in an ironic twist—they claim to have accidentally\r\ndestroyed their internal chat database. Now, they’re requesting victims to reconnect through a contact form,\r\npromising updates on leaked files soon.\r\nDonutLeaks’ statement (Source: X)\r\nIt’s a rare moment when the hackers become victims of their own disorganization, proving that even\r\ncybercriminals can fumble their operations in unexpected ways.\r\nLaughs Aside, the Stakes Are Real\r\nThis edition of Dark Peep proves once again that the dark web and hacker forums are a hotbed of not only danger\r\nbut also irony and missteps. From ransomware gangs losing their own chat databases to self-styled watchers\r\nexposing millions of sensitive records, the cyber underworld is as unpredictable as ever.\r\nWhile some stories may seem comedic, the reality is far from it. Sensitive employee directories, internal\r\ndatabases, and even healthcare records leaking onto the dark web carry serious implications, from targeted\r\nphishing campaigns to large-scale fraud. Organizations must recognize the risks these leaks pose to their\r\noperations, reputation, and stakeholders.\r\nThis is where SOCRadar comes in. 
With advanced Dark Web Monitoring capabilities, SOCRadar empowers\r\norganizations to stay one step ahead of emerging threats by:\r\nProviding real-time alerts when their assets are mentioned on the dark web.\r\nKeep track of black market leaks, botnet activity, PII breaches, and more using SOCRadar’s Dark Web Monitoring\r\nIdentifying and tracking compromised credentials, helping mitigate risks before further breaches occur.\r\nOffering tools like Integrated Takedown to neutralize fake domains and phishing campaigns targeting their\r\nbrand.\r\nIn today’s landscape, where every leak could ripple into long-term consequences, SOCRadar’s solutions provide\r\nthe edge organizations need to protect their assets and reputation. The dark web may be chaotic, but with the right\r\ntools, you can navigate it confidently.\r\nSource: https://socradar.io/dark-peep-17-dark-web-hacker-forums-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/dark-peep-17-dark-web-hacker-forums-ransomware/"
	],
	"report_names": [
		"dark-peep-17-dark-web-hacker-forums-ransomware"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b605622e-b954-4c6d-b509-17bba2908e5d",
			"created_at": "2024-11-13T13:15:31.109211Z",
			"updated_at": "2026-04-10T02:00:03.755907Z",
			"deleted_at": null,
			"main_name": "Nam3L3ss",
			"aliases": [],
			"source_name": "MISPGALAXY:Nam3L3ss",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "90d3eea4-276c-4c82-be78-e244c2d7ecd4",
			"created_at": "2024-10-04T02:00:04.76317Z",
			"updated_at": "2026-04-10T02:00:03.714964Z",
			"deleted_at": null,
			"main_name": "AzzaSec",
			"aliases": [],
			"source_name": "MISPGALAXY:AzzaSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5245f2ea-fd7e-4b43-ada3-d9eb41923dd2",
			"created_at": "2024-11-03T02:00:03.635546Z",
			"updated_at": "2026-04-10T02:00:03.731596Z",
			"deleted_at": null,
			"main_name": "RipperSec",
			"aliases": [],
			"source_name": "MISPGALAXY:RipperSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e25fe28d-105d-45cc-8b13-1336b6ec6aa2",
			"created_at": "2024-12-21T02:00:02.847703Z",
			"updated_at": "2026-04-10T02:00:03.782001Z",
			"deleted_at": null,
			"main_name": "INDOHAXSEC TEAM",
			"aliases": [],
			"source_name": "MISPGALAXY:INDOHAXSEC TEAM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2845e3fb412dce53aa075f27aefe7c99015e4c94.pdf",
		"text": "https://archive.orkl.eu/2845e3fb412dce53aa075f27aefe7c99015e4c94.txt",
		"img": "https://archive.orkl.eu/2845e3fb412dce53aa075f27aefe7c99015e4c94.jpg"
	}
}