KELA Cybercrime Update: August 2025 Snapshot
KELA reveals emerging cyber threats, from Pro-Palestinian and Southeastern hacktivist threats to a new web-based sniffer for payment data. This blog series highlights the threats shaping today's cybercrime landscape.
Published September 18, 2025

From a decrease in NoName’s activity to a new Android SMS stealer, KELA has captured the latest tools, services, and cybercriminal trends emerging on the dark web in August 2025. We are diving into the evolving landscape of cybercrime, highlighting new threats across hacktivism, cybercrime services, and vulnerabilities. Read on for what you need to know.
Hacktivist Activity
The most active hacktivist groups claiming attacks in their Telegram channels were those involved in a joint operation against Israel (#OpIsrael), as well as the Pro-Palestinian and Southeastern hacktivist teams XSec404, Babayo Eror System, Mr Hamza, BD Anonymous, and AnonXF34rl3ss. These groups had the most domains in their messages (presumably victims’ domains), a pattern associated with claimed DDoS and defacement, data theft, and other attacks. The following groups were specifically claiming DDoS attacks (based on the attacked websites’ accessibility reports provided as proof): Mr Hamza, AnonXF34rl3ss, OpIsraelTeam, HeziRash, and DieNet.
KELA also observed that Pro-Russian actors remained active: Zarya resurfaced after months of silence, vowing imminent leaks, while NoName057(16) both announced an alliance with Kurdish actor Hezi Rash and escalated retaliatory DDoS attacks against Western government portals. It is worth mentioning that, according to KELA’s data lake, the overall volume of attacks by NoName057(16) has decreased. At the same time, hacktivist collectives including Cyber Jihad Movement, Akatsuki Cyber Team, RuskiNet, and others rallied around #OpCounterAttack and #OpIndia to threaten widespread disruption of Indian targets ahead of Independence Day, with RuskiNet later halting its attacks on Australia in response to Canberra’s announcement of plans to recognize Palestine. Together, these developments reflect a hacktivist landscape where groups exploit symbolic dates, shifting alliances, and global political events to amplify ideological narratives and disruptive operations.
Vulnerabilities Chatter
KELA has observed active discussions on cybercrime forums concerning vulnerabilities disclosed in 2025. Notably, one actor was seeking a PoC for CVE-2025-7775, a memory overflow vulnerability leading to remote code execution (RCE) and/or denial-of-service (DoS) in NetScaler ADC and NetScaler Gateway, as well as for CVE-2025-6543, another memory overflow issue resulting in unintended control flow and DoS in the same products. The actor offered at least USD 1,000 for working exploits. In parallel, another actor was looking for a functional PoC for CVE-2025-53770, a Microsoft SharePoint Server RCE vulnerability, claiming that publicly available scripts on GitHub were non-functional. A response pointed to a Metasploit module exploiting the flaw; however, actors noted that operational challenges exist, particularly around AMSI and antivirus evasion. Discussions also focused on a potential zero-day exploit. One actor claimed to be selling a previously unknown vulnerability in Microsoft IIS that enables unauthenticated RCE with wormable capabilities, allowing the exploit to automatically propagate across vulnerable servers. The actor advertised the exploit as available for a limited time via Telegram. While the post generated interest, other users questioned its legitimacy, pointing out that the seller was using a new account and lacked a reputable history.
Cybercrime Services
KELA has been monitoring new cybercrime services being advertised in August 2025. The types of new services identified included an advanced data stealer, a stealth web-based payment data sniffer, and a new Android SMS stealer. Here’s the overview:
AURA Stealer: an advanced solution for extensive data collection from over 110 browsers, 70 applications (including wallets and 2FA), and 250+ browser extensions. Written in C++ and operating on Windows 7-11 without dependencies, it features hidden imports, dynamic function acquisition, encrypted strings, and robust anti-detection mechanisms like AntiVM/Sandbox, AntiDebug, and ApiHammering. The customizable grabber searches files with a fast wildcard engine, collects data without dropping files to disk, assembles archives in memory, and sends logs in parts. Communication with the C2 server is AES-256 encrypted over HTTPS. Notably, it avoids targeting CIS regions based on system language and IP checks. The service includes a user-friendly panel. Pricing ranges from $295/month (Basic) to $585/month (Advanced), with varied user feedback.
ScatSniff: a new web-based sniffer for payment data. It boasts stealth injection, dynamic code generation, and an integrated obfuscator for anti-debug and WAF bypass. Data is encrypted (AES-256-GCM) and logs are masked. It features passive data collection, fingerprinting for admins/researchers, and modules for real-time monitoring, configuration, and analytics. ScatSniff runs on servers or Docker, with dual-layer obfuscation and anti-tampering. Pricing starts at $1250 for obfuscated source code; the Ultimate package (unobfuscated) is $2500. KELA observed no notable engagement.
Nexoria Panel: an Android SMS stealer advertised on August 29, 2025. This new service, priced at $500/month by author S1N3R_HACK, offers a web panel for bot management with Telegram integration. Its features include intercepting SMS/PUSH notifications, collecting messages, importing SMS/contacts, exporting device data, sending SMS/USSD requests, and auto-start. It also provides mass device management, real-time tracking, stealth mode, 24/7 stability, a built-in crypt for the Telegram bot, FUD APKs, and Google Play Protect/Kaspersky bypass. No significant engagement has been observed yet.
Stay tuned for next month’s update, where we’ll continue to track and analyze the newest cybercrime threats and trends. If you want a deeper dive into the latest threats and services that KELA is tracking, contact us today.