Dark Web Cybercrime Activity and Monitoring Trends
Summary
The Dark Web remains a critical platform for cybercriminal activity, including ransomware operations, stolen-data markets and illicit substance trading. Cybersecurity professionals and law enforcement agencies increasingly collaborate to monitor and disrupt these activities, combining advanced technologies with traditional investigative methods. The Dark Web's anonymity features make it a preferred space for cybercriminals, who use it to evade detection and maintain operational security. Recent developments highlight the growing sophistication with which cybercriminals adapt to law enforcement tactics, for example by using Bitcoin mixers and switching communication platforms. AI and machine learning tools are being employed to analyze vast amounts of Dark Web data, aiding in the identification and attribution of threat actors. Defenders are advised to monitor for stolen credentials and other data relevant to their organization rather than for Dark Web presence as such, because stolen data inevitably ends up there. Effective Dark Web monitoring requires specialized expertise and tools, often provided by major security vendors as part of their threat intelligence services.
Timeline
- 28.08.2025 21:00 · 1 article · 19d ago
Increased Law Enforcement and Cybersecurity Collaboration on Dark Web Monitoring
Cybersecurity professionals and law enforcement agencies are collaborating more closely to monitor and disrupt cybercriminal activity on the Dark Web. Advanced technologies, including AI and machine learning, are being employed to analyze vast amounts of data, aiding in the identification and attribution of threat actors. Cybercriminals are adapting their tactics, using Bitcoin mixers and switching communication platforms to evade detection. Defenders are advised to monitor for stolen credentials and other data relevant to their organization rather than for Dark Web presence as such, since this information inevitably surfaces on the Dark Web. Effective monitoring requires specialized expertise and tools, often provided by major security vendors as part of their threat intelligence services.
Source: Dark Reading Confidential: A Guided Tour of Today's Dark Web · www.darkreading.com · 28.08.2025 21:00
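The advice in this entry, to monitor for your own stolen credentials rather than for the Dark Web as such, is easier to act on with a lookup that never transmits the secret being checked. The following is an added example, not code from the Dark Reading piece or from any vendor's threat intelligence service. It indexes a constructed, fictional credential dump by SHA-1 digest and answers queries by the first five hex characters of that digest only, the hash-prefix (k-anonymity) pattern used by public breach-lookup services, so the password and even its full hash stay on the querying side. The dump, the account names, the `RangeIndex` class and the `password_exposure_count` function are all assumptions of the example.

```python
"""Offline credential-exposure check using hash-prefix (k-anonymity) lookups.

Added example: the "server" side holds only SHA-1 digests of leaked
passwords keyed by their first five hex characters; the "client" sends that
prefix only and matches the remaining characters locally, so the queried
password (and its full hash) never leaves the client.
"""
import hashlib
from collections import defaultdict

# Constructed, fictional leak dump for the example (not real data).
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Summer2024!"),
    ("bob@example.com", "password123"),
    ("carol@example.com", "Summer2024!"),
    ("dave@example.com", "hunter2"),
    ("erin@corp.example", "hunter2"),
]

PREFIX_LEN = 5  # hex characters sent over the wire (16**5 possible ranges)


def sha1_hex(password: str) -> str:
    """SHA-1 is used here only as a lookup identifier for leaked strings,
    not as a password-storage hash (that would need a slow, salted KDF)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeIndex:
    """'Server' side of the lookup: stores digests, never plaintext."""

    def __init__(self, credentials):
        # prefix -> suffix -> number of times that password appears in the dump
        self.ranges = defaultdict(lambda: defaultdict(int))
        # full digest -> accounts seen with that password
        self.accounts = defaultdict(set)
        for email, password in credentials:
            digest = sha1_hex(password)
            prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
            self.ranges[prefix][suffix] += 1
            self.accounts[digest].add(email)

    def lookup_range(self, prefix: str) -> dict:
        """Return every suffix in the range with its count. The prefix alone
        does not reveal which password the caller is interested in."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError(f"prefix must be {PREFIX_LEN} hex characters")
        return dict(self.ranges.get(prefix.upper(), {}))

    def accounts_for_domain(self, domain: str) -> list:
        """Defender view: which accounts at our domain appear in the dump."""
        tail = "@" + domain.lower()
        return sorted(
            email
            for emails in self.accounts.values()
            for email in emails
            if email.lower().endswith(tail)
        )


def password_exposure_count(index: RangeIndex, password: str) -> int:
    """'Client' side: only the prefix is sent; the suffix match is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return index.lookup_range(prefix).get(suffix, 0)


INDEX = RangeIndex(LEAKED_CREDENTIALS)

if __name__ == "__main__":
    for pw in ("Summer2024!", "hunter2", "correct horse battery staple"):
        print(f"{pw!r}: seen {password_exposure_count(INDEX, pw)} time(s) in dump")
    print("exposed accounts at example.com:", INDEX.accounts_for_domain("example.com"))
```

In a real deployment the dump would be a vendor feed or a combolist recovered from a leak site, and `accounts_for_domain` is the part that turns raw Dark Web data into an actionable list of accounts to force-reset; the prefix query keeps the check from leaking live passwords to whoever operates the lookup.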
Information Snippets
- The Dark Web hosts a significant portion of ransomware data leak sites and malware markets, making it a critical area for cybersecurity monitoring.
- Cybercriminals prefer the Dark Web for its anonymity, using it to evade law enforcement and maintain operational security.
- Law enforcement agencies increasingly collaborate internationally to disrupt cybercriminal activities on the Dark Web, leveraging both traditional and advanced investigative methods.
- AI and machine learning tools are being used to analyze Dark Web data, aiding in the identification and attribution of threat actors.
- Cybercriminals adapt to law enforcement tactics by using Bitcoin mixers and changing communication platforms, complicating tracking efforts.
- Effective Dark Web monitoring requires specialized expertise and tools, often provided by major security vendors as part of their threat intelligence services.
All snippets first reported 28.08.2025 21:00 (1 source, 1 article): Dark Reading Confidential: A Guided Tour of Today's Dark Web · www.darkreading.com · 28.08.2025 21:00
Similar Happenings
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, including the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. The actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs and other infrastructure operators, targeting telecommunications, transportation, lodging, government and military networks, and employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory attributes this cluster of activity to multiple APTs that partially overlap with Salt Typhoon, details how these state-backed actors penetrate networks around the world, and provides actionable guidance for defenders to protect their own environments. It notes that the actors have had considerable success exploiting publicly known vulnerabilities in Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS and Cisco IOS XE, and suspects they may also target Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices and SonicWall firewalls. To maintain persistence the actors modify Access Control Lists (ACLs), open standard and non-standard ports, enable SSH servers and create tunnels over various protocols; they also target the protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory's mitigation recommendations include monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. It highlights a critical shift in Chinese state-sponsored activity from pure espionage to gaining long-term access for potential disruption. Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020; the oldest, onlineeylity[.]com, was registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas, resolve to both high-density and low-density IP addresses, with the earliest activity traced to October 2021, and are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
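The mitigation guidance above (monitor configuration changes, audit services and tunnels) maps directly onto the persistence techniques the advisory lists. The following is an added example, not code from the advisory, from CISA or from any vendor: it diffs a device's running-config against a stored baseline and tags each change with the technique it resembles (ACL edits, new tunnel interfaces, SSH enablement, non-standard ports, changes to TACACS+/AAA servers). The two Cisco-IOS-style configurations, the category names and the `diff_configs`/`classify` functions are all constructed for the example; a real deployment would pull configs from a configuration-management system and extend the classifier for its own platforms.

```python
"""Added example: baseline comparison of a network device running-config.

Each added or removed block or child line is classified by the persistence
technique it resembles. The configs below are constructed IOS-style samples,
not captures from any real device.
"""
import re
from collections import Counter

# Constructed baseline captured when the device was last audited.
BASELINE_CONFIG = """\
hostname edge-rtr-01
aaa new-model
tacacs server ISE-1
 address ipv4 10.0.0.10
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group MGMT-IN in
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 transport input none
"""

# Constructed "current" config showing the kinds of edits the advisory describes:
# a changed TACACS+ server, a new tunnel, a widened ACL, SSH on a non-standard port.
CURRENT_CONFIG = """\
hostname edge-rtr-01
aaa new-model
tacacs server ISE-1
 address ipv4 198.51.100.7
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group MGMT-IN in
interface Tunnel99
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.44
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.44 any
 deny ip any any
ip ssh port 57722 rotary 1
line vty 0 4
 rotary 1
 transport input ssh
"""

STANDARD_PORTS = {22, 80, 443}  # anything else bound to a service is flagged


def parse_config(text: str) -> dict:
    """Group an IOS-style config into {top-level line: [indented child lines]}."""
    blocks, header = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks.setdefault(header, [])
    return blocks


def classify(header: str, detail: str) -> dict:
    """Map one config change to the technique category it most resembles."""
    category = "other"
    if header.startswith("interface Tunnel"):
        category = "tunnel-added" if detail == "added block" else "tunnel-change"
    elif header.startswith(("ip access-list", "ipv6 access-list", "access-list")):
        category = "acl-change"
    elif header.startswith(("aaa ", "tacacs", "radius")):
        category = "auth-server-change"
    else:
        port = re.search(r"\bport (\d+)\b", f"{header} {detail}")
        if port and int(port.group(1)) not in STANDARD_PORTS:
            category = "nonstandard-port"
        elif header.startswith("ip ssh") or ("transport input" in detail and "ssh" in detail):
            category = "ssh-enabled"
    return {"category": category, "header": header, "detail": detail}


def diff_configs(baseline: str, current: str) -> list:
    """Return one classified finding per added/removed block or child line."""
    base, cur = parse_config(baseline), parse_config(current)
    findings = []
    for header, lines in cur.items():
        if header not in base:
            findings.append(classify(header, "added block"))
            continue
        for line in sorted(set(lines) - set(base[header])):
            findings.append(classify(header, f"added '{line}'"))
        for line in sorted(set(base[header]) - set(lines)):
            findings.append(classify(header, f"removed '{line}'"))
    for header in base:
        if header not in cur:
            findings.append(classify(header, "removed block"))
    return findings


def summarize(findings: list) -> dict:
    """Counts per category, suitable for alert thresholds or a daily report."""
    return dict(Counter(f["category"] for f in findings))


FINDINGS = diff_configs(BASELINE_CONFIG, CURRENT_CONFIG)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"[{f['category']}] {f['header']}: {f['detail']}")
    print(summarize(FINDINGS))
```

The value of the baseline approach is that it does not depend on knowing the attacker's exact commands: any drift in ACLs, tunnels, management-plane transport or the AAA server address is surfaced, and the analyst decides whether it was a sanctioned change. Pair it with the advisory's other recommendation, log-integrity checks, since an actor with device admin can also edit the history that would otherwise explain the change.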
Citrix NetScaler ADC and Gateway vulnerabilities patched and actively exploited in the wild
Citrix has released patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway, one of which, CVE-2025-7775, is actively exploited in the wild. The flaws include memory overflow vulnerabilities and improper access control issues, and they affect specific configurations of NetScaler ADC and NetScaler Gateway, including unsupported, end-of-life versions. Citrix has confirmed active exploitation of CVE-2025-7775, which can lead to remote code execution or denial of service. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate within 48 hours. Nearly 20% of NetScaler assets identified are on unsupported, end-of-life versions, concentrated in North America and the APAC region. CISA lists 10 NetScaler flaws in its KEV catalog, six of them discovered in the last two years. Threat actors are using HexStrike AI, an AI-driven security platform, to exploit the Citrix vulnerabilities, significantly reducing the time between disclosure and mass exploitation. HexStrike AI was created by cybersecurity researcher Muhammad Osama and has been open source on GitHub for the last month, where it has already garnered 1,800 stars and over 400 forks.
ShinyHunters and Scattered Spider Collaboration
ShinyHunters and Scattered Spider, two distinct cybercrime groups, have been collaborating in recent attacks on major companies. This partnership combines ShinyHunters' expertise in large-scale data theft with Scattered Spider's proficiency in social engineering. The collaboration, evident in shared tactics, infrastructure, and synchronized targeting, makes future campaigns harder to detect and mitigate. The groups have targeted companies like Google, Louis Vuitton, Allianz, Salesforce customers, and Workday, using tactics such as vishing, domain spoofing, credential misuse, and VPN obfuscation. This collaboration poses a significant threat to organizations, necessitating a shift in defensive strategies to focus on behavioral patterns and proactive detection measures. The collaboration has also expanded to include the development of a ransomware-as-a-service solution called ShinySp1d3r, and the groups have ties to a broader cybercriminal network known as The Com. Additionally, BreachForums, a cybercrime forum associated with ShinyHunters, has been turned into a honeypot by international law enforcement. The Allianz Life breach, part of this campaign, impacted 1.1 million individuals, with personal information stolen and leaked by ShinyHunters. Scattered Spider has also been involved in sophisticated social engineering attacks targeting high-profile organizations worldwide, and has recently shifted focus to the aviation and transportation industries. A 20-year-old member of Scattered Spider, Noah Michael Urban, was sentenced to ten years in prison for wire fraud and aggravated identity theft. Urban, also known by aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was ordered to pay $13 million in restitution. Urban was arrested in January 2024 for thefts totaling at least $800,000 from at least five victims. Urban and co-conspirators used SIM swapping attacks to hijack cryptocurrency accounts. 
The DoJ unsealed charges against Urban and four other Scattered Spider members in November 2023. Tyler Robert Buchanan, another member, was extradited from Spain to the U.S. in April 2025. Scattered Spider, ShinyHunters, and LAPSUS$ have formed a new cybercrime alliance associated with The Com. Scattered Spider uses tactics to generate urgency and fear, including timed leaks and countdown threats. Scattered Spider targets specific sectors and attacks multiple organizations within that vertical over a short span. Scattered Spider exploits weaknesses in security programs by targeting people through social engineering. The group Scattered Lapsus$ Hunters, a collaboration of ShinyHunters, Scattered Spider, and LAPSUS$, has claimed responsibility for accessing Google's Law Enforcement Request System (LERS) and the FBI's eCheck system. The group has targeted Salesforce data through social engineering and exploitation of exposed authentication tokens, impacting multiple high-profile companies. Google Threat Intelligence (Mandiant) has been actively tracking and disclosing the activities of the Scattered Lapsus$ Hunters group, which has taunted law enforcement and security researchers through various Telegram channels.