A new ransomware operation, The Gentlemen, has emerged following an affiliate split, revealing how threat actors evolve from partners to independent operators while retaining advanced tooling, infrastructure, and access pipelines.
Our latest analysis explores how this group is operationalizing large-scale attacks by combining exploited network devices, credential harvesting, and advanced defense evasion techniques.
What the blog covers:
• The origins of The Gentlemen and its connection to a prior affiliate dispute on the RAMP forum
• Systematic exploitation of CVE-2024-55591 to compromise FortiGate devices, with an observed inventory of approximately 14,700 exposed systems offered to affiliates
• Operational tooling for credential harvesting and lateral movement (NetExec, Impacket, DonPAPI)
• Defense evasion via Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to disable EDR/AV protections at the kernel level
Read the full technical analysis.
#ThreatIntel #Ransomware #CyberSecurity
Group-IB was named an Overall Leader in Fraud Reduction Intelligence Platforms by KuppingerCole in 2025.
In its 2025 Leadership Compass for Fraud Reduction Intelligence Platforms - eCommerce, KuppingerCole recognized Group-IB across three categories: Overall Leader, Product Leader, and Innovation Leader.
The analyst specifically highlighted our credential intelligence powered by dark web monitoring and Europol/Interpol information-sharing, our device intelligence depth including anti-detect browser and virtual camera detection, and an investigation interface described as "top-notch."
Download the full report.
#FraudPrevention #eCommerce #DarkWeb
Most cybersecurity strategies are already legacy the moment they're approved.
Why? Because they're built annually, around frameworks, without real-time threat context.
Meanwhile, the business shifts constantly. Attackers adapt even faster.
That gap is where risk lives.
In our latest breakdown, we explore where cybersecurity strategies fail in 2026, including:
• why security operates out of sync with business priorities
• how compliance-first thinking creates blind spots
• where gap analysis breaks down at the board level
Move beyond "all talk, no show" strategies:
• Tie security directly to business risk
• Shift to modular, adaptable planning
• Use threat intelligence to drive decisions
• Continuously reassess gaps
Prepare for what's actually targeting your business right now. Read more.
#Cybersecurity2026 #RiskManagement #ThreatIntelligence
That RFQ email from a trusted supplier? It might be delivering Phantom Stealer, a toolkit built to harvest your credentials at scale.
Group-IB researchers have identified a sustained phishing campaign targeting European logistics, manufacturing, and tech companies. Across five distinct waves over three months, every email was blocked by Group-IB's Business Email Protection before reaching end users.
The emails mimic legitimate procurement correspondence with professional signatures and spoofed sender identities. But inside the archive attachment is an infostealer that harvests browser credentials, session tokens, and payment data.
Phantom Stealer is part of a growing stealer-as-a-service market: credential theft is now a subscription business, and threats like this are only scaling.
Our latest Email Protection Spotlight breaks down the full campaign and shows how multi-layer detection stopped it at the inbox. Read the full analysis.
#CyberSecurity #Phishing #InfoStealer #EmailProtection
The regulatory landscape is shifting fast. The UK, Singapore, Australia, the EU, and North America are introducing mandatory fraud intelligence-sharing frameworks. But there's a challenge: how can institutions share suspicious activity in real time without violating privacy laws?
The Problem:
• Payments settle in 10–40 seconds
• Fraud detection takes 3–7 days
• Criminals layer funds, convert them to crypto, and move them offshore
• Less than 1% of laundered funds are recovered
Why Standard Solutions Fail: Traditional hashing methods are vulnerable to dictionary attacks, meaning "anonymized" data can be reversed, creating GDPR risks.
The Solution: Privacy-preserving distributed tokenization enables institutions to share fraud signals in real time while staying compliant.
Real Results: In a pilot with 46 banks, just two institutions running real-time checks prevented $10–15M in fraud annually. At full participation, projected savings could reach $100–300M.
Read the full framework.
#GDPR #Cybersecurity
Remote hiring has opened new opportunities for companies worldwide, but it has also created a new attack surface.
Our latest research dives into how DPRK-linked IT worker operations are infiltrating global companies by posing as remote developers. Instead of relying on traditional cyber intrusions, these actors exploit legitimate hiring processes using synthetic identities, AI-assisted workflows, and trusted developer platforms.
Key highlights:
• A coordinated ecosystem of fake developer personas operating across GitHub, portfolio sites, and freelancing platforms.
• Reusable identity infrastructure including resumes, email accounts, and repositories.
• Evidence of AI-assisted job application workflows and templated interview responses.
• Archived "persona packages" containing identity documents, portfolio assets, and operational instructions.
• Monitoring the activities of a specific intruder "group" from 2021 to March 2026.
Read the full blog here.
#ThreatIntelligence #CyberSecurity #InsiderThreat #DPRK
We are proud to announce that Group-IB is an initial data contributor to the newly released MITRE Fight Fraud Framework™ (F3) developed by MITRE Corporation.
By contributing our proprietary fraud taxonomy and intelligence derived from real-world investigations, we are helping shape a standardized framework that enables organizations to classify, understand, and respond to fraud threats more effectively.
This collaboration goes beyond classification. By integrating the framework into Group-IB's Fraud Matrix, organizations will be able to connect standardized fraud techniques with live adversary intelligence, detection methodologies, and mitigation strategies, strengthening predictive fraud defense across industries.
Fraud doesn't begin with a transaction. It begins with an attacker, and understanding adversary behavior is key to staying ahead.
Read the full announcement here.
#CyberSecurity #FinancialSecurity #FraudPrevention #ThreatIntelligence #FraudMatrix
W3LL wasn't just another phishing operation; it was a mature phishing-as-a-service ecosystem that industrialized BEC at scale. Over 7+ years, the actor built a closed, referral-only marketplace powering 500+ cybercriminals with AiTM tooling designed to bypass MFA, hijack sessions, and compromise Microsoft 365 accounts.
This investigation reveals not just the tools, but the infrastructure, operational model, and key weaknesses behind the W3LL phishing ecosystem.
Key highlights:
• AiTM-based W3LL Panel engineered for MFA bypass and session cookie theft
• W3LL Store: a full-service PhaaS marketplace with tooling, data, and infrastructure
• License validation APIs exposing backend links to the operator
• Analysis of 700+ weaponized phishing samples that supported victim and campaign mapping
• OpSec failures across forums, infrastructure, Telegram, and ties to the Indonesian-speaking hacking community
Read the full technical analysis.
#ThreatIntel #Cybercrime #Phishing #BEC #CyberSecurity #Infosec
In 2025, a hacktivist group filmed itself blocking biomass fuel supply and triggering emergency alarms at a Polish factory, then posted the video on Telegram.
Group-IB's Threat Intelligence team analyzed the 2025–early 2026 threat landscape targeting European manufacturing across six countries.
What we detected:
• 200 hacktivist incidents targeting European manufacturers
• 57 cases of claimed access to industrial control systems
The shift is real: hacktivist groups have moved beyond website takedowns to physical control of production systems, manipulating boiler temperatures, ventilation pressure, and biomass fuel supply.
Hacktivism is only one of five threat categories covered in our new report, Inside Europe's Manufacturing Cyber Threat Landscape. The other four are just as urgent.
Read more to predict and prevent attacks on your organization.
#CyberSecurity #Hacktivism #ThreatIntelligence
Our latest research suggests that a significant share of newly registered business accounts in France may be linked to mule activity, highlighting how business-grade payment infrastructure combined with fast remote onboarding has created an attractive entry point for large-scale financial crime operations.
Key Highlights:
• Verified mule business accounts are sold on underground markets for $300–$700, with sellers offering escrow services, replacement guarantees, and daily inventory.
• Threat actors bypass KYC by using real victims: they harvest PII via phishing and socially engineer the victims into completing identity verification on their behalf.
• Operations rely on SIM farms, anti-detect environments, and cheap Android devices to scale account creation and maintain infrastructure.
• Detecting these operations requires analysing the entire account lifecycle, since sign-up, KYC, and first login can each appear legitimate in isolation.
Read the full technical analysis.
#FraudPrevention #FintechSecurity #CyberSecurity
Group-IB's latest research exposes the Phoenix System, a Phishing-as-a-Service platform powering reward point scams, fake parcel delivery lures, and large-scale mobile phishing campaigns worldwide.
Key highlights:
• SMS delivery via fake base stations (BTS) to bypass carrier-level filtering and spoof trusted brands.
• 2,500+ phishing domains linked to the operation since January 2025.
• More than 70 organizations targeted across finance, telecom, and logistics globally.
• The phishing sites implement IP-based filtering and geofencing to precisely target victims within specific countries.
• Shared infrastructure is found across reward scam and parcel delivery campaigns despite differences in their attack contexts and target audiences.
• Both campaigns use the Phoenix System, successor to the Mouse System.
• The phishing kits are distributed via a dedicated Telegram ecosystem.
Read the full analysis here.
#Phishing #CyberSecurity #Smishing #ThreatIntelligence
Our latest investigation uncovers how threat actors are combining deepfake impersonation, social engineering, and cryptocurrency infrastructure to operate at industrial scale across Australia and the United States.
Key highlights:
• A network of 208+ connected fake investment platforms with an estimated $187M in illicit revenue.
• Threat actors impersonate well-known financial professionals using deepfake technology and geo-targeted social media advertisements to funnel victims into WhatsApp-based coordination groups.
• 20+ fake WhatsApp accounts impersonating a single Australian economist were identified, indicating centralized control by an organized group.
• Coordinated inflows of $1.5M to $3M, achievable with 500 to 3,000 victims, can drive up to 12.4% price movement in a NASDAQ-listed small-cap stock.
• Use of KYC-compliant exchanges for cash-out, with minimal obfuscation, creating both risk and investigative opportunity.
Read the full analysis.
#CyberSecurity #FraudPrevention #InvestmentScams
Group-IB unveils Prevyn AI, the cognitive core of its Unified Risk Platform, designed to shift cybersecurity from reactive detection to predictive defense. Powered by decades of cybercrime intelligence and real-world investigative logic, Prevyn AI enables organizations to anticipate threats, accelerate response, and outpace machine-speed attacks.
Think Faster Than The Threat.
Learn More
#PrevynAI
New Group-IB research uncovers a sophisticated fraud operation targeting SNCF customers through phishing emails, fake SNCF-themed websites, legitimate payment processors, and social engineering phone calls impersonating bank advisors.
Key findings from the investigation:
• Fraud infrastructure was timed around French school holidays to exploit periods of increased travel activity
• Victims were redirected through legitimate Stripe-hosted payment pages to reduce suspicion during checkout
• Targeted users were linked to previously exposed data from the Addka72424 breach, indicating the use of leaked datasets for precision targeting
• Threat actors leveraged emotional manipulation and real-time phone calls to extract OTPs and IBAN details and to get victims to authorize secondary payments
• Infrastructure overlaps and recurring domain patterns suggest a centralized and scalable fraud ecosystem
Read the full analysis.
#Cybersecurity #Phishing #FraudPrevention
201 arrests. 3,867 victims identified. 53 servers seized.
Group-IB supported INTERPOL's Operation Ramz, the first large-scale cybercrime operation across the MENA region, spanning 13 countries and targeting phishing, malware, and cyber fraud infrastructure.
Key contributions from Group-IB:
• Intelligence on 5,000+ compromised accounts, including government-linked accounts
• Identification of active phishing infrastructure across MENA
• Mapping of threat actor clusters involved in phishing distribution and leaked data trafficking
This operation reflects what public-private collaboration can achieve when intelligence is regionally grounded and globally coordinated. Our Digital Crime Resistance Centers in Egypt and the UAE were central to delivering that visibility.
We remain committed to supporting international efforts to dismantle cybercriminal ecosystems and protect individuals and organisations across the MENA region and beyond.
Read More.
#ThreatIntelligence #INTERPOL #DCRC #Phishing
Chinese-language dark web forums and Telegram channels are flooding cybercrime ecosystems with claims of stolen data from financial institutions worldwide. Group-IB researchers dug in, and the datasets don't hold up.
After analyzing 17,000+ messages across five active sources, we found that the names and phone numbers trace back to the 2021 Facebook leak and the password hashes to the 2020 Eatigo breach, with the two sets assigned to entirely different individuals. These are not fresh breaches. They are repackaged old data sold as new.
The research includes sample validation walkthroughs, upstream source mapping, and identification markers organizations can use to assess similar claims.
Read the full analysis.
#CyberSecurity #DarkWeb #InfoSec #ThreatIntelligence
Group-IB researchers uncovered a large-scale fraud ecosystem operating ahead of kickoff, with more than 4,300 fraudulent domains impersonating the tournament's official web presence and over 300 active phishing domains targeting fans globally.
At the center of the operation is GHOST STADIUM, a sophisticated phishing campaign leveraging cloned SSO authentication flows, fake hospitality portals, coordinated social media distribution, and multi-rail payment fraud infrastructure.
Key Highlights:
• 4,300+ fraudulent tournament-themed domains identified.
• 300+ active phishing domains linked to one coordinated operator.
• 2,513 compromised credential pairs circulating on dark web markets.
• Estimated premium ticket fraud losses ranging from US$71M to US$474M.
• 130,000+ infostealer logs containing tournament-related data.
• Underground Fraud-as-a-Service vendors selling phishing kits and ticket scam infrastructure.
Read the full technical analysis.
#ThreatIntelligence #FraudProtection
Group-IB researchers uncovered a sophisticated global smishing operation that has impersonated more than 267 brands across 72 countries and generated over 4,389 phishing domains since the second half of 2025.
The campaign combines SMS phishing, geofencing, device fingerprinting, fake Cloudflare error pages, and encrypted WebSocket communications to evade detection and harvest personal and payment card data in real time.
Key findings:
• Telecommunications emerged as the most targeted sector with 1,754 domains, followed by financial services with 696 domains and consumer rewards programs with 488 domains.
• Malicious content is revealed only to victims matching specific geographic and mobile device criteria.
• Stolen data is exfiltrated through encrypted WebSocket channels using binary-encoded payloads.
• Approximately 30 percent of the infrastructure is hosted on Tencent Cloud and Alibaba origin servers while being fronted by Cloudflare.
Read the full technical analysis.
#DRP #Smishing
The $48 Billion Blind Spot: Why Merchants Pay for Card Breaches They Can't See
The scale of the problem:
• 200M+ compromised payment cards actively circulating in underground markets
• E-commerce fraud projected to reach $53 billion in 2025
• Every $1 of fraud costs merchants $4.61 once chargebacks, fees, and operational costs are factored in
Why merchants can't access the intelligence:
1. PCI DSS prohibits storing raw card data
2. Card network notification systems (Visa CAMS, Mastercard SAFE) operate issuer-to-issuer only
3. GDPR and data protection laws block cross-border sharing of personal identifiers
The result: Merchants absorb losses from cards that were already confirmed compromised. They just had no way to know.
What's changing: Privacy-preserving Distributed Tokenization enables real-time compromised card checks at authorization, without raw card data or PCI DSS scope expansion.
Read the full analysis.
#FraudPrevention #EcommerceSecurity #Cybersecurity
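Both the fraud intelligence-sharing post above (plain hashing is reversible by dictionary attack, keyed tokenization is not) and this card-breach post rest on the same principle: an unkeyed hash of a low-entropy identifier such as a phone number or card number is not anonymization, because anyone holding the hash can enumerate the candidate space and rebuild the mapping, whereas a token derived under a secret key lets consortium members match signals without either side handling raw data. The Python below is an added illustration of that principle only; it is not Group-IB's distributed tokenization scheme and makes no claim about how that scheme works. The TokenizationService and FraudSignalRegistry classes, the candidate phone-number space and the flagged identifier are all constructed for the demonstration.

```python
"""Added illustration (not Group-IB's scheme): unkeyed hashes of low-entropy
identifiers fall to enumeration, keyed tokens let two institutions match a
fraud signal without exchanging raw identifiers."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional, Set

# Constructed sample: a small candidate space of French-style mobile numbers.
# A real identifier space is larger, but still cheap to enumerate in full.
CANDIDATES = [f"+3361234{n:04d}" for n in range(10_000)]
FLAGGED = "+33612347777"  # constructed identifier that bank A has flagged


def plain_hash(identifier: str) -> str:
    """'Anonymization' by unkeyed SHA-256 of the raw identifier."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_reverse(digest: str, candidates: Iterable[str],
                       digest_fn: Callable[[str], str]) -> Optional[str]:
    """Recover the identifier behind `digest` by applying `digest_fn` to every
    candidate. `digest_fn` is whatever the holder of the digest can compute:
    plain_hash for unkeyed hashes, or a keyed function only if they hold the key."""
    for cand in candidates:
        if hmac.compare_digest(digest_fn(cand), digest):
            return cand
    return None


class TokenizationService:
    """Hypothetical keyed tokenizer used by all consortium members. The key never
    leaves the service; members submit identifiers and receive tokens, so two
    members tokenizing the same identifier get the same token."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)

    def tokenize(self, identifier: str) -> str:
        return hmac.new(self._key, identifier.encode("utf-8"),
                        hashlib.sha256).hexdigest()


class FraudSignalRegistry:
    """Shared store that holds tokens only, never raw identifiers."""

    def __init__(self) -> None:
        self._tokens: Set[str] = set()

    def publish(self, token: str) -> None:
        self._tokens.add(token)

    def is_flagged(self, token: str) -> bool:
        return token in self._tokens


def run_demo() -> dict:
    svc = TokenizationService()
    registry = FraudSignalRegistry()

    # Bank A flags a mule account's identifier and publishes only its token.
    registry.publish(svc.tokenize(FLAGGED))

    # Bank B, at payment time, tokenizes the beneficiary identifier and does a
    # set lookup, fast enough to sit inside a settlement window.
    hit = registry.is_flagged(svc.tokenize(FLAGGED))
    miss = registry.is_flagged(svc.tokenize("+33612340001"))

    # Someone who obtains an unkeyed hash recovers the identifier by enumeration.
    recovered_plain = dictionary_reverse(plain_hash(FLAGGED), CANDIDATES, plain_hash)

    # The same enumeration against a keyed token, without the key, finds nothing.
    recovered_token = dictionary_reverse(svc.tokenize(FLAGGED), CANDIDATES, plain_hash)

    return {
        "hit": hit,
        "miss": miss,
        "recovered_plain": recovered_plain,
        "recovered_token": recovered_token,
    }


if __name__ == "__main__":
    print(run_demo())
```

The HMAC key is the whole trust anchor: if it leaks, every token in the registry becomes as enumerable as a plain hash, so key custody, access control on the tokenization service, and a rotation plan (with re-tokenization of the registry) matter more than the choice of hash function. Matching also depends on both sides canonicalizing identifiers (country code, spacing, PAN formatting) before tokenizing, otherwise identical accounts produce different tokens and the check silently misses.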
Our latest research examines SilabRAT, a Malware-as-a-Service platform sold on underground forums that combines credential theft, browser profile cloning, HVNC, Chrome App-Bound Encryption bypass techniques, and cryptocurrency-focused capabilities into a single offering.
Key findings:
• SilabRAT has been marketed on underground forums since late 2025 for $5,000/month
• Leverages HVNC for invisible interaction with victim systems; other session access options include browser profile cloning and cookie theft
• Includes functionality to bypass Chrome App-Bound Encryption (ABE) and extract protected browser data
• Features automated cryptocurrency wallet targeting and password recovery capabilities
• Observed in real-world campaigns leveraging ClickFix social engineering techniques
As cybercriminals move beyond simple credential theft toward full session compromise, understanding emerging RAT capabilities is critical for defenders.
Read the full analysis.
#ThreatIntel #MalwareAnalysis #CyberSecurity