{
	"id": "ab337a03-417f-4a8d-91ea-905e191fe9b2",
	"created_at": "2026-04-06T00:17:02.943534Z",
	"updated_at": "2026-04-10T13:11:31.500012Z",
	"deleted_at": null,
	"sha1_hash": "d95e10106a719151537b70b2fbcfc3e8cb932db0",
	"title": "Another Hacker Selling Access to Charity, Antivirus Firm Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1907055,
	"plain_text": "Another Hacker Selling Access to Charity, Antivirus Firm Networks\r\nBy Ionut Ilascu\r\nPublished: 2019-06-06 · Archived: 2026-04-05 21:25:02 UTC\r\nA threat actor observed on underground hacker forums peddling internal network access to various entities claims to have breached the infrastructure of notable organizations such as UNICEF and the cybersecurity companies Symantec and Comodo.\r\nThe hacker uses the online name Achilles and offers to sell details of a way in for modest prices, between $2,000 and $5,000, depending on the value of the target. Their activity jumped over the past seven months, particularly in Fall 2019 and Spring 2019.\r\nThis appears to be a different threat actor than Fxmsp, who advertised access to antivirus companies with offices in the U.S., namely Symantec, McAfee, and Trend Micro. While Fxmsp is believed to be a group of Russian-speaking hackers, the new seller speaks English and may be Iranian.\r\nhttps://www.bleepingcomputer.com/news/security/another-hacker-selling-access-to-charity-antivirus-firm-networks/\r\nPage 1 of 7\r\nHacker built a good reputation\r\nA report from fraud prevention company Advanced Intelligence (AdvIntel) notes that Achilles enjoys a good reputation and positive reviews on the forums they advertise on and has a record of sales. To increase credibility, the hacker insists that payment for some deals be completed through the forum's escrow service.\r\nIn conversations with potential buyers, Achilles said they could get into internal networks belonging to Symantec, cybersecurity company Comodo, 3-D software maker Hash Inc, and children's rights advocate UNICEF.\r\nThe hacker states in private messages that access to Symantec's internal infrastructure is possible through a remote desktop connection. The same type of illegal entry was advertised for Hash Inc.\r\nAnswering our request for comment, a Symantec spokesperson provided the following statement to BleepingComputer.\r\n“At this time, Symantec has no evidence of a network intrusion, nor do we believe there is a reason for our customers to be concerned.”\r\nUnsupported claims\r\nThe claims of having access to Comodo's network are shown in private messages between Achilles and potential buyers. There is no evidence that such access exists, and Comodo has not responded to BleepingComputer's queries regarding the alleged access.\r\nAccording to AdvIntel, the hacker also tried to sell entry into the corporate network of Transat, a Canadian holiday travel company. They claim to have breached its network on May 12 or May 13.\r\nAlthough the claims are bold, all this could be just talk, despite the good reputation the actor has on underground forums. The AdvIntel report comments that the hacker provided no evidence to support their claims about breaching the networks of Symantec, Comodo, and Transat.\r\nTerabytes of UNICEF data\r\nFor UNICEF, though, the hacker stated that they had direct network access and offered to sell it for $4,000.\r\nFor this money, the buyer would also be able to snoop through and download a large volume of data - about 3.6 terabytes.\r\nThe statement is backed by screenshots from the hacker, obtained by AdvIntel, which show that Achilles could access documents allegedly belonging to UNICEF.\r\nFolders included information relating to the activity of various UNICEF committees, meetings, policies, and country-specific policy guidance.\r\nIn one of the pictures, it appears that the hacker could get to two network locations, one of them being a 4TB drive that had only 388GB of free space.\r\nBleepingComputer has also seen images showing more detailed information on the type of data the attacker allegedly has access to and that belongs to UNICEF. Due to the nature of these images, we have decided not to publish them.\r\nBleepingComputer has contacted Comodo, UNICEF, Hash Inc, and Transat for statements and did not receive a reply from any of the three organizations at publishing time.\r\nAchilles' work\r\nBy offering compromised network access on multiple hacking forums, Achilles was able to build the reputation of a trustworthy seller. On l33t, they advertised DNS server access for several domains managed by the UK government.\r\nThe hacker suggested that this could be used for phishing and that they could change the DNS records for any of the listed domains. A buyer could get the entire package for $300.\r\nIn April, the actor posted on the same forum that they had 600GB of data from various companies in the UK along with RDP access to them.\r\nFurthermore, AdvIntel says that Achilles also pushed details and credentials of employees from GoDaddy, DHL, Citrix, BBC, and Facebook.\r\nMost of the victims are from the private sector, but the hacker's list of targets is diverse, including entities from the defense, energy, tourism, finance, real estate, and information technology verticals.\r\nFor a typical intrusion, \"they either compromise a Remote Desktop Protocol (RDP) or leverage stolen credentials to establish stable and secure external Virtual Private Network (VPN) access into the victim's network,\" says Yelisey Boguslavskiy, director of security research at AdvIntel.\r\nInformation obtained by the researcher indicates that Achilles tries to avoid malware and adopts a living-off-the-land strategy that relies on utilities and services already available on the target systems. This usually makes detection more difficult because the traffic comes from legitimate sources.\r\nBoguslavskiy says that a common tactic of this threat actor is to use a brute-force attack to get passwords to a company's external portal and remote services.\r\nOnce in, Achilles tries to elevate privileges and sets their sights on Active Directory (AD) servers, which are responsible for authenticating and authorizing computers in a Windows domain network.\r\nWho is Achilles?\r\nSome of the clues uncovered by AdvIntel indicate that Achilles has ties with at least some Iranian hackers that made headlines. One of them is Mr. Xhat, who is blamed for compromising the control panel for Tajikistan's domain registrar website (domain.tj) and changing the DNS records.\r\nThe incident happened in 2014 and resulted in redirecting visitors of localized versions of Yahoo!, Twitter, Google, and Amazon sites to a defaced webpage under the control of the attacker.\r\nAnother theory, fueled only by conjecture, is that the attacker is linked to the Iranian hacker group Iridium. One clue that could point to this conclusion is the use of password spraying tactics by both Achilles and Iridium. Another is Achilles talking about Citrix VPN systems at a time when Iridium had allegedly breached Citrix; the hacker's activity on forums and messengers also increased at that time.\r\nThe Iranian connection is also supported by an incident affecting a shipbuilder in Australia. According to press in Australia, an Iranian-based hacker was responsible. Achilles offered access data for a defense shipbuilder on the l33t and KickAss forums, and \"additional evidence provided by Achilles suggests that the information was stolen from an Australian shipbuilder Austal,\" the researcher adds in the report.\r\nEven if these incidents are not related to Achilles, Boguslavskiy noticed that the hacker's activity follows the timezone in Iran. Also, when asked if they'd rather talk in Farsi, Achilles' reply was that more trust was required to switch the language.\r\nSource: https://www.bleepingcomputer.com/news/security/another-hacker-selling-access-to-charity-antivirus-firm-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/another-hacker-selling-access-to-charity-antivirus-firm-networks/"
	],
	"report_names": [
		"another-hacker-selling-access-to-charity-antivirus-firm-networks"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab5dc2a3-16dc-421e-af45-d60c8b4aafac",
			"created_at": "2023-01-06T13:46:39.012588Z",
			"updated_at": "2026-04-10T02:00:03.180595Z",
			"deleted_at": null,
			"main_name": "Fxmsp",
			"aliases": [],
			"source_name": "MISPGALAXY:Fxmsp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "312b7781-5501-4c1e-a9d5-9b75e9ad8455",
			"created_at": "2022-10-25T16:07:24.488292Z",
			"updated_at": "2026-04-10T02:00:05.006738Z",
			"deleted_at": null,
			"main_name": "Fxmsp",
			"aliases": [
				"ATK 134",
				"TAG-CR17"
			],
			"source_name": "ETDA:Fxmsp",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434622,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d95e10106a719151537b70b2fbcfc3e8cb932db0.pdf",
		"text": "https://archive.orkl.eu/d95e10106a719151537b70b2fbcfc3e8cb932db0.txt",
		"img": "https://archive.orkl.eu/d95e10106a719151537b70b2fbcfc3e8cb932db0.jpg"
	}
}