{
	"id": "341dd601-dcaf-4535-aefc-2bbebb9946d0",
	"created_at": "2026-04-06T01:32:27.52666Z",
	"updated_at": "2026-04-10T03:20:50.128985Z",
	"deleted_at": null,
	"sha1_hash": "3549021b2b8f8f8c1addb134e713e510fad3e381",
	"title": "The Underground Economist: Volume 2, Issue 24",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 383124,
	"plain_text": "The Underground Economist: Volume 2, Issue 24\r\nBy ZeroFox Intelligence\r\nPublished: 2022-12-28 · Archived: 2026-04-06 01:17:37 UTC\r\nWelcome back to The Underground Economist: Volume 2, Issue 24, an intelligence-focused blog series\r\nilluminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops\r\nteam scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to\r\nshare meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark\r\nweb and criminal underground. Here’s the latest for the week of December 23, 2022.\r\nRebranded Ransomware-As-A-Service Project Advertised\r\nUntested threat actor “nebel” advertised what they claim is a new ransomware-as-a-service (RaaS) project, dubbed\r\n“Nevada,” on the Russian language Dark Web forum “RAMP.” Despite the actor’s claims the project is new,\r\nZeroFox researchers assess this is likely a rebranded version of an older RaaS project, dubbed “Luna,” because the\r\ntwo have nearly identical features, including:\r\nWritten in Rust\r\nUses AES and ECC encryption\r\nWorks on systems running Windows, Linux, and ESXi\r\nControlled via administrator panel\r\nContains real-time chat to negotiate with victims\r\nLike the old project, the actor refuses to work with English-speaking threat actors. 
They also offered to split any\r\nsuccessful ransom payments 85 to 15 in favor of affiliates, which is notable because most ransomware developers\r\ntypically offer affiliates a smaller cut of the profits.\r\nZeroFox researchers assess the actor likely rebranded the initial “Luna” RaaS project because it failed to attract\r\naffiliates, indicating it is highly likely that there is a lull in interest from threat actors in the current ransomware\r\nmarket.\r\nhttps://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/\r\nPage 1 of 4\n\nOriginal post from threat actor “nebel” advertising what they claim is a new ransomware-as-a-service (RaaS) project, dubbed “Nevada” \r\nActor Sells Access To ATM Management Software For Unnamed European Bank\r\nIn early December 2022, untested threat actor “theskull77” sold access to the ATM management software for an\r\nunnamed European bank on the predominantly Russian language forum “Exploit.” The alleged deal would allow\r\nthreat actors to exploit a SQL injection vulnerability to steal sensitive data from the backend of the bank’s ATM\r\nnetwork, including the balances and locations of various ATM machines. The actor said that operators can also\r\nrestart the ATMs, which would likely allow a skilled threat actor to compromise the machines with malware and\r\nsteal cash from the devices. \r\nThe asking price for the access started at $100,000 USD, indicating the alleged buyer would likely expect to net a\r\nsignificant return on their investment. 
\r\nZeroFox researchers assess the actor is credible because they agreed to use the forum’s escrow service, which\r\nwould require them to deposit funds before a deal was brokered.\r\nThreat Actors Abusing Malware Loader Developed As Penetration Testing Tool\r\nNew and untested threat actor “DarkBLUP” advertised a malware loader dubbed “Ares” on the Russian language\r\nDark Web forum “RAMP.” ZeroFox researchers assess this loader is likely a legitimate penetration testing tool\r\nthat is now being abused by threat actors. This is because a similar project, dubbed “Project Ares,” was\r\npreviously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer\r\n“CerberSec.”\r\nThe loader mimics legitimate software to trick victims into executing malware with administrator rights on\r\ntheir machines. Additional features of the loader include:\r\nWritten in C/C++\r\nSupports 64-bit payloads\r\nMakes it look like malware spawned by another process\r\nPrevents non-Microsoft signed binaries from being injected into malware\r\nHides suspicious imported Windows APIs\r\nLeverages anti-analysis techniques to avoid reverse engineering\r\nThe actor had ten licenses available for $300 USD per month.\r\nOriginal post from threat actor “DarkBLUP” advertising a malware loader dubbed “Ares” on the\r\npredominantly Russian language Dark Web forum “RAMP”\r\nBundle Contains Exploits For Unpatched Vulnerabilities In Different Services\r\nWell-regarded and established threat actor “LORD1” advertised a bundle containing exploits for unpatched\r\nvulnerabilities in different services, including Fortinet, Windows, Linux, Atlassian Bitbucket, VMware, and\r\nOracle, on the predominantly Russian language Deep Web forum “Exploit.” The alleged exploits impact various\r\nremote code execution (RCE) vulnerabilities, tracked as:\r\nCVE-2022-40684 
(Fortinet)\r\nCVE-2022-36804 (Atlassian Bitbucket)\r\nCVE-2021-39144, CVE-2022-31675, CVE-2022-22960 (VMware)\r\nCVE-2022-21497, CVE-2021-35587 (Oracle)\r\nAdditionally, the bundle contains exploits for several undisclosed local privilege escalation (LPE) vulnerabilities\r\nin Windows and Linux.\r\nThe actor charged $4,000 USD for the bundle. They also had exploits for unpatched vulnerabilities in Veeam and\r\nApache. The actor did not specify a price for these exploits.\r\nZeroFox researchers assess the sale of this bundle would likely lower the barrier to entry for threat actors because\r\nthe exploits come with an intuitive graphical user interface (GUI) and an integrated post-exploitation toolkit. \r\nOriginal post from threat actor “LORD1” advertising a bundle containing exploits for unpatched\r\nvulnerabilities in different services\r\nFor more insights and information on improving your threat intelligence strategy, download our Buyers Guide for\r\nThreat Intelligence.\r\nSource: https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/"
	],
	"report_names": [
		"the-underground-economist-volume-2-issue-24"
	],
	"threat_actors": [],
	"ts_created_at": 1775439147,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3549021b2b8f8f8c1addb134e713e510fad3e381.pdf",
		"text": "https://archive.orkl.eu/3549021b2b8f8f8c1addb134e713e510fad3e381.txt",
		"img": "https://archive.orkl.eu/3549021b2b8f8f8c1addb134e713e510fad3e381.jpg"
	}
}