🚨 PanARCH malware service advertised: Java RAT, exploit builder, payload delivery, and direct link hosting promoted on underground forum
A threat actor is advertising PanARCH, a malware-focused service bundle claiming to provide remote access tooling, payload-building modules, delivery infrastructure, and private file-hosting services.
━━━━━━━━━━━━━━━━━━━━
Service: PanARCH
Sector: Malware-as-a-Service / Cybercrime Infrastructure
Incident: Malware Service Advertisement
Exposure: Java RAT, exploit builder, delivery engine, and direct link service
Actor: PanARCH
Price: Pricing available via direct message
Date: 17/05/2026
━━━━━━━━━━━━━━━━━━━━
What’s being advertised:
▪️ Java RAT tooling marketed for multiple operating systems
▪️ Surveillance and remote access capabilities
▪️ Credential theft and browser data collection features
▪️ Payload builder modules for multiple delivery formats
▪️ Browser-based payload delivery infrastructure
▪️ Private direct-link file hosting with encrypted storage claims
▪️ Custom licensing and modular access options
Potential impact:
The advertised tooling could support unauthorized access, credential theft, malware delivery, persistence, and broader compromise of personal or enterprise systems.
Status:
Underground forum advertisement. The actor posted a detailed service panel and promotional material describing multiple malware and delivery components.
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
🚨🇺🇸 Careficient allegedly breached: 164K patient and staff records exposed from home health EMR software provider
A threat actor claims to have leaked datasets tied to Careficient, a U.S.-based EMR software provider for home health, hospice, and home care management.
━━━━━━━━━━━━━━━━━━━━
Target: Careficient
Sector: Healthcare / EMR Software / Home Health
Incident: Database Leak
Exposure: 164,862 total records
Actor: attacker_company
Country: United States
Date: 17/05/2026
━━━━━━━━━━━━━━━━━━━━
What’s allegedly included:
▪️ Patient dataset containing 163,644 records
▪️ Staff dataset containing 1,218 records
▪️ Patient identity and demographic fields
▪️ Medical reference identifiers and record metadata
▪️ Contact information including email and phone fields
▪️ Address records including city, state, and ZIP code fields
▪️ Staff account metadata and hashed authentication fields
▪️ Organization or agency-related records
Potential impact:
The exposed data could create serious privacy, compliance, phishing, impersonation, and healthcare fraud risks for patients, staff, agencies, and care providers.
Status:
Unverified underground forum claim. The actor posted dataset counts and field categories, with additional content hidden behind forum access.
🚨🇪🇬 Egypt Ministry of Tourism allegedly breached: 547GB employee and hotel-related government data advertised for sale
A threat actor claims to be selling databases allegedly tied to Egypt’s Ministry of Tourism, described in the post as affiliated with the Ministry of Interior.
━━━━━━━━━━━━━━━━━━━━
Target: Egypt Ministry of Tourism
Sector: Government / Tourism / Hospitality
Incident: Data Breach / Data Sale
Exposure: 547GB
Actor: Revesky
Country: Egypt
Date: 17/05/2026
━━━━━━━━━━━━━━━━━━━━
What’s allegedly included:
▪️ Employee records allegedly linked to the Ministry of Tourism and hotel-related entities
▪️ Full names, parent names, job titles, and phone number fields
▪️ National ID and physical address fields
▪️ Hotel names, hotel locations, and governorate data
▪️ Employee profile picture documents
▪️ National ID, educational qualification, birth certificate, and training documents
▪️ Work contract, clearance certificate, legal check, and health certificate documents
Potential impact:
The exposed data could create identity theft, phishing, impersonation, fraud, and government-sector privacy risks for employees, hotels, and tourism-related entities.
Status:
Unverified underground forum sale listing. The actor claims the archive totals 547GB, with document samples and data samples hidden behind forum access.
🚨 KRYBIT RaaS advertised: ransomware affiliate program and data extraction tooling promoted on underground forum
A threat actor is advertising KRYBIT RaaS, a ransomware-as-a-service program seeking experienced penetration testing teams to join its partner operation.
━━━━━━━━━━━━━━━━━━━━
Service: KRYBIT RaaS
Sector: Ransomware-as-a-Service / Cybercrime Infrastructure
Incident: RaaS Advertisement
Exposure: Affiliate program, locker tooling, control panel, and data extraction utility
Actor: KRYBIT
Date: 17/05/2026
━━━━━━━━━━━━━━━━━━━━
What’s being advertised:
▪️ Ransomware affiliate program recruiting experienced operators
▪️ Configurable encryption modes and targeting options
▪️ Control panel with build generation and victim communication support
▪️ Windows, Linux, and ESXi tooling referenced by the actor
▪️ Data extraction utility for uploading or transferring stolen files
▪️ Support services marketed around negotiations and victim-facing communications
▪️ Dedicated leak and blog infrastructure shared by the actor
Potential impact:
The advertised service could support enterprise ransomware intrusions, data theft, extortion, operational disruption, and public leak campaigns against targeted organizations.
Status:
Underground forum advertisement. The actor posted Russian and English descriptions of the program, tooling, support model, leak infrastructure, and first-contact details.
It's kind of like Breached wants to get seized at this point...
🚨🇪🇨 VimaSistema allegedly breached: 35GB financial software data exposed across Ecuadorian cooperative records
A threat actor claims to have leaked data tied to VimaSistema, a financial software provider serving savings and credit cooperatives, mutual societies, and pension funds in Ecuador.
━━━━━━━━━━━━━━━━━━━━
Target: VimaSistema / VimaCoop
Sector: Financial Software / Credit Cooperatives
Incident: Data Breach / Multiple Data Leak
Exposure: 35GB+
Actor: tost0n
Country: Ecuador
Date: 17/05/2026
━━━━━━━━━━━━━━━━━━━━
What’s allegedly included:
▪️ Customer and cooperative member records
▪️ Names, identity number fields, and demographic details
▪️ Biometric and fingerprint-related data
▪️ Email, address, and cellphone number fields
▪️ Bank account number and transaction-related records
▪️ Cloud server database files and SQL exports
▪️ Records organized across 2024 and 2025 datasets
▪️ Data tied to multiple Ecuadorian cooperative domains and financial entities
Potential impact:
The exposed data could be used for identity theft, banking fraud, phishing, account impersonation, financial scams, and targeted social engineering against cooperative members and institutions.
Status:
Unverified underground forum claim. The actor posted folder previews and proof-of-concept samples showing structured financial and personal data fields.
🚨🇫🇷 Gîtes de France allegedly breached: 389K guest and booking records exposed from French holiday rental database
A threat actor claims to have leaked a database tied to Gîtes de France, a French holiday rental network specializing in countryside stays, rural gîtes, and tourist accommodation across France.
━━━━━━━━━━━━━━━━━━━━
Target: Gîtes de France
Sector: Hospitality / Travel / Holiday Rentals
Incident: Database Leak
Exposure: 389,129 people / 312,685 lines / 470MB
Actor: ChimeraZ
Country: France
Date: 17/05/2026
━━━━━━━━━━━━━━━━━━━━
What’s allegedly included:
▪️ Guest and client records allegedly linked to Gîtes de France bookings
▪️ Names, email addresses, and telephone number fields
▪️ Address and accommodation site information
▪️ Booking start and end dates
▪️ Guest count and occupant details
▪️ Stay duration and nightly booking fields
▪️ Tourism tax, price, and agent-related records
▪️ Site log and ticket-related JSON records
Potential impact:
The exposed data could be used for booking impersonation, targeted phishing, travel fraud, customer scams, and social engineering against guests, property owners, and tourism operators.
Status:
Unverified underground forum claim. The actor posted structured JSON samples and claims the archive includes booking, site log, and ticket-related datasets.
🚨 TLNTrip allegedly breached: 690K travel agency customer and booking records advertised for sale
A threat actor claims to be selling a database tied to TLNTrip, an online travel agency platform used by B2B and B2C customers to book, manage, and issue air tickets, hotels, and holiday packages.
━━━━━━━━━━━━━━━━━━━━
Target: TLNTrip
Sector: Travel / Online Travel Agency / Booking Platform
Incident: Database Leak / Data Sale
Exposure: 690K records
Actor: Sensitive2025
Date: 17/05/2026
━━━━━━━━━━━━━━━━━━━━
What’s allegedly included:
▪️ Customer and lead user records allegedly linked to TLNTrip
▪️ Passenger names, titles, gender, and date-of-birth fields
▪️ Email addresses, phone numbers, and address records
▪️ Passport number, issuing country, and expiration date fields
▪️ Flight booking transaction and ticketing records
▪️ Booking status, payment method, and journey details
▪️ Hotel records including hotel names, addresses, cities, countries, and location metadata
Potential impact:
The exposed data could be used for identity theft, passport fraud, travel booking impersonation, phishing, payment scams, and targeted social engineering against travelers and travel agency customers.
Status:
Unverified underground forum sale listing. The actor posted CSV/SQL samples and claims the database was updated less than three weeks before the listing.