(rapid7.com) Initial Access Brokers: Market Maturation, Rising Prices, and Shifting Forum Dominance in H2 2025

Initial Access Brokers (IABs) are shifting toward high-impact, high-value access sales, with average prices surging 4,055% YoY to $113,275. DarkForums and RAMP now dominate the market (81% of threads), while XSS and Exploit decline.

In brief - IABs are maturing into a profit-driven market, prioritizing Domain Admin (32.1%) and Local Admin (12.5%) access to enable rapid ransomware deployment. Government, Retail, and IT sectors are top targets, with the US accounting for 31% of listings. RDP (21.2%), VPN (12.8%), and RDWeb (11.2%) remain primary vectors.

Technically - Privilege escalation is central, with Domain User (42.9%) and Domain Admin (32.1%) access dominating sales. DarkForums features Fortinet access sold by threat actor 'BigBro,' while RAMP is controlled by 'Big-Bro' and 'lacrim' (78.8% of threads). A critical zero-day, CVE-2025-61882 (Oracle E-Business Suite RCE), previously exploited by Cl0p, was observed for sale. Exploit forum’s shift from RDP to RDWeb reflects attacker adaptation to hardening measures.

Source: https://www.rapid7.com/blog/post/tr-initial-access-broker-shift-high-value-targets-premium-pricing

#Cybersecurity #ThreatIntel

Initial Access Brokers have Shifted to High-Value Targets and Premium Pricing

Initial Access Brokers (IABs) are a key component of the cybercrime ecosystem, offering hassle-free building blocks for ransomware, data theft, and extortion. Rapid7's analysis of H2 2025 activity highlights key trends and pricing and gives actionable recommendations for identifying and isolating potential breaches.

Rapid7

(pointwild.com) Fileless Remcos RAT Campaign: Multi-Stage Attack Chain Leveraging JavaScript Dropper, PowerShell Reflective Loading, and LOLBin Abuse

New multi-stage Remcos RAT campaign leverages fileless execution and LOLBin abuse to evade detection.

In brief - A sophisticated phishing-driven attack delivers Remcos RAT via obfuscated JavaScript, PowerShell reflective loading, and abuse of aspnet_compiler.exe for in-memory execution. C2 communication and data exfiltration follow, with anti-analysis checks in place.

Technically - The attack begins with MV MERKET COOPER SPECIFICATION.js, executed via WSH, fetching ENCRYPT.Ps1. The PowerShell script uses Base64 and rotational XOR (key index: ($bytePosition + $rotationTracker) % $keyMaterial.Length) to reconstruct ALTERNATE.dll in memory via .NET reflection. Cqeqpvzeia.exe (MZ header) is injected into aspnet_compiler.exe, establishing C2 at 192.3.27.141:8087. MPRESS-packed secondary payloads are delivered post-exploitation. Execution guards check for Aspnet_compiler process absence to hinder analysis.

Source: https://www.pointwild.com/threat-intelligence/from-inbox-to-intrusion-multi-stage-remcos-rat-and-c2-delivered-payloads-in-network/

#Cybersecurity #ThreatIntel

From Inbox to Intrusion: Multi-Stage Remcos RAT and C2-Delivered Payloads in Network | Point Wild

Point Wild

Cyber Intel Digest for March 31, 2026

🔴 Trivy Supply Chain Attack (CVE-2026-33634) added to CISA KEV. Attackers injected malicious code into the release pipeline via a stolen GitHub Actions token. If your CI/CD uses Trivy, verify image digests and update to a clean release immediately.

🔴 Iran's Handala group breached FBI Director Kash Patel's personal Gmail, publishing documents and photos online. Personal accounts of senior officials remain prime targets for nation-state actors.

🟡 Citrix NetScaler CVE-2026-3055 now actively exploited. SAML-enabled configs leak admin session IDs, enabling session hijacking. Patch and rotate admin credentials.

Full feed: solomonneas.dev/intel

#cybersecurity #infosec #threatintel #cisakev

(checkpoint.com) Operation TrueChaos: Chinese-Nexus Threat Actor Exploits TrueConf Zero-Day to Target Southeast Asian Government Entities

New Chinese-nexus espionage campaign exploits zero-day CVE-2026-3502 (CVSS 7.8) in TrueConf video conferencing client to target Southeast Asian governments.

In brief - Operation TrueChaos leverages a flaw in TrueConf’s update validation to distribute malware via on-premises servers, compromising dozens of government entities. The attack chain abuses DLL side-loading, UAC bypass, and Havoc C2, with concurrent ShadowPad activity observed.

Technically - The threat actor replaced TrueConf’s legitimate update package with a weaponized Inno Setup installer, dropping poweriso.exe and malicious 7z-x64.dll via DLL side-loading. Post-exploitation included UAC bypass via iscsicpl.exe (DLL search-order hijacking), persistence via HKCU Run, and Havoc C2 communication to Alibaba/Tencent-hosted IPs (43.134.90[.]60, 47.237.15[.]197). FTP exfiltration and encrypted rom.dat were also noted.

Source: https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/

#Cybersecurity #ThreatIntel

Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets - Check Point Research

Introduction: At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via legitimate TrueConf software installed in the targets’ environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. […]

Check Point Research

[HANDALA] - Ransomware Victim: IranWire - RedPacket Security

NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating

RedPacket Security

[EMBARGO] - Ransomware Victim: https://www[.]lagoonpark[.]com/ - RedPacket Security

NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating

RedPacket Security

[QILIN] - Ransomware Victim: Chickasaw Holding - RedPacket Security

NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating

RedPacket Security

[AKIRA] - Ransomware Victim: MerchNOW - RedPacket Security

NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating

RedPacket Security

(bluevoyant.com) Augmented Marauder's Multi-Pronged Casbaneiro and Horabot Campaigns Targeting Latin America and Europe

Augmented Marauder (Water Saci) is conducting a multi-pronged campaign targeting Latin America and Spain with Casbaneiro banking trojan and Horabot via dynamic phishing lures and WhatsApp automation.

In brief - A Brazil-based eCrime group is deploying Casbaneiro and Horabot malware through sophisticated phishing campaigns using fake judicial summons, dynamic payload generation, and self-propagating botnet tactics to evade detection and target financial institutions.

Technically - The attack chain leverages password-protected PDFs with embedded links to UUID-based ZIP archives, HTA files initiating VBScript payloads, and AutoIt loaders (Turo.exe/Tekojac.exe) to reflectively load AES-encrypted DLLs (staticdata.dll/at.dll). Horabot uses Outlook COM/MAPI for contact scraping and PHP-based dynamic PDF generation. Anti-analysis includes expanded sandbox username blocklists and WMI VM artifact checks. Casbaneiro targets Latin American banks with OpenSSL dependencies, while Horabot hijacks Yahoo/Live/Gmail webmail via modular C2.

Source: https://www.bluevoyant.com/blog/augmented-marauders-multi-pronged-casbaneiro-campaigns

#Cybersecurity #ThreatIntel

Augmented Marauder’s Multi-Pronged Casbaneiro Campaigns

BlueVoyant TFC breaks down Augmented Marauder's multi-pronged phishing campaigns delivering the Casbaneiro banking trojan across Latin America and Spain.

BlueVoyant

[QILIN] - Ransomware Victim: Q-Lab - RedPacket Security

NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating

RedPacket Security