{
	"id": "e376baba-bc1f-457f-96a0-89f82aa9ca00",
	"created_at": "2026-04-06T00:14:34.802542Z",
	"updated_at": "2026-04-12T02:21:41.932134Z",
	"deleted_at": null,
	"sha1_hash": "a9f9196ff8f55f2b3ddb9d1fcfc646d7f1686a46",
	"title": "The Underground Economist: Volume 3, Issue 12",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2608285,
	"plain_text": "The Underground Economist: Volume 3, Issue 12\r\nArchived: 2026-04-05 20:22:16 UTC\r\nWelcome back to The Underground Economist: Volume 3, Issue 12, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of June 26, 2023.\r\nMultifunctional Malware Dubbed ‘DarkGate’ Advertised\r\nWell-regarded and established threat actor “RastaFarEye” advertised a multi-functional malware, dubbed “DarkGate,” on the predominantly Russian-language Deep Web forum “Exploit.” This privately developed malware would allow threat actors to build their own botnets by compromising and controlling Windows machines.\r\nAdditional advertised features of the malware include:\r\nGenerates malicious .lnk files\r\nSmall build size (490 KB)\r\nRuns in memory\r\nObfuscates payloads to avoid detection by most antivirus products’ dynamic scans\r\nMaintains access to compromised machines across system restarts\r\nSteals sensitive data from web browsers\r\nLogs keystrokes\r\nGains higher-level permissions on compromised machines\r\nUses the resources of compromised machines for cryptocurrency mining\r\nPricing depends on the length of the license:\r\n$100,000 USD per year\r\n$15,000 USD per month\r\n$1,000 USD per day\r\nhttps://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/\r\nPage 1 of 4\r\nOriginal screenshot from threat actor “RastaFarEye” advertising a multi-functional malware dubbed “DarkGate”\r\nActor Highlights Free GitHub Projects That Facilitate Cyber Crime\r\nWell-regarded threat actor and moderator “Nowheretogo” advertised two free GitHub projects that facilitate cyber crime on the Russian-language Dark Web forum “RAMP.”\r\nThe actor first highlighted a free obfuscation tool, dubbed “Theattacker-Crypter,” on June 9, 2023. The tool encrypts malicious files so that they evade detection by most antivirus products, then injects the payloads into processes on 32-bit or 64-bit Windows machines.\r\nThe tool also contains several post-exploitation modules, including:\r\nBypasses AMSI to run PowerShell commands\r\nDeletes the malicious .exe file from the target machine after process injection\r\nNotifies the operator when the payload has executed\r\nThe actor advertised a second project, dubbed “ShadowByte-Botnet,” on June 16, 2023. This project allows a threat actor to build their own botnet by compromising and controlling both Windows and Linux machines. In addition to malicious .exe files, the project contains the resources for threat actors to host their own command-and-control (C2) servers.\r\nZeroFox researchers assess the presence of these free tools will likely facilitate an increase in cyber-attacks because they lower the barrier to entry for threat actors.\r\nOriginal screenshots from threat actor “Nowheretogo” advertising two free GitHub projects that facilitate cyber crime.\r\nNew ‘Meduza’ Stealer Malware Announced\r\nWell-regarded threat actor “Meduza” announced a new stealer malware, dubbed “Meduza,” on the predominantly Russian-language Deep Web forum “XSS.” In addition to stealing login credentials and other browser information from victims, the malware collects sensitive data from:\r\nVarious cryptocurrency wallets\r\nPassword managers\r\nDiscord\r\nTelegram\r\nSteam\r\nOpenVPN\r\nThe malware also comes with a secure web panel through which threat actors can retrieve the stolen data and view statistics about the compromised machines.\r\nThe actor charged $200 USD per month for the stealer malware.\r\nZeroFox researchers assess this new stealer is likely to gain traction among threat actors on the criminal underground because several well-regarded peers have already vouched for the malware.\r\nOriginal screenshot from threat actor “Meduza” announcing new stealer malware dubbed “Meduza”\r\nZero-Day Exploit For Vulnerability In Peplink Routers Alleged\r\nNew and untested threat actor “Celine” announced an alleged exploit for a zero-day buffer overflow vulnerability in Peplink routers on the English-language Dark Web forum “Onniforums.” The alleged exploit would give threat actors administrator access to the compromised devices. The actor claims they successfully tested the exploit on routers based in Thailand.\r\nZeroFox highlights that the impact of this alleged zero-day exploit would likely be significant because many public safety agencies leverage Peplink routers, including police, fire, and emergency medical services.\r\nOur researchers note it is unclear how credible the actor’s claim is without conducting further analysis.\r\nThe ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you.\r\nSource: https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/"
	],
	"report_names": [
		"the-underground-economist-volume-3-issue-12"
	],
	"threat_actors": [],
	"ts_created_at": 1775434474,
	"ts_updated_at": 1775960501,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9f9196ff8f55f2b3ddb9d1fcfc646d7f1686a46.pdf",
		"text": "https://archive.orkl.eu/a9f9196ff8f55f2b3ddb9d1fcfc646d7f1686a46.txt",
		"img": "https://archive.orkl.eu/a9f9196ff8f55f2b3ddb9d1fcfc646d7f1686a46.jpg"
	}
}