🔪 Slice For Life - Part 2 🔪
‼️ Interesting claim... A threat actor operating under the alias paws is selling root-level remote code execution (RCE) and shell access to a Linux-based firewall device belonging to an unidentified DDoS protection company.

The access is priced at $1,500 USD payable in Monero (XMR).
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
Pushed a bug fix to the News Feed... when clicking the Open article button it pushed the page to the top only if you have the external link box to show the warning. It will now stay at the position you are currently at on the page.
‼️ Follett Software LLC and TOWERPOINT WEALTH, LLC have been claimed as victims by ShinyHunters

Deadline: May 4th, 2026
________________________________________

Cyberattack News Alert
━━━━━━━━━━━━━━━━━━━━━━━━━

Victim: Columbia Surgical Partners
Domain: columbiasurgicalpartners.com

Country: 🇺🇸 US
Date: Apr 29th, 2026

Summary:
The parent company of Columbia Surgical Partners clinic fell victim to a ransomware attack this week, rendering electronic medical records inaccessible to patients. The clinic, which operates in Maury County, Tennessee, notified its patients of the cyberattack. It is managed by Advanced Diagnostic Imaging (ADI) in Nashville, and authorities are working to resolve the issue.

Source: https://www.wsmv.com/2026/04/30/patient-medical-records-compromised-by-cyberattack-columbia-surgical-clinic/
‼️🇨🇴 Universidad del Cauca, a public university in Popayán, Colombia founded in 1827, has allegedly been breached, with a database containing student and personnel PII leaked.

‣ Threat Actor: Jansz (with GersonFDP)
‣ Category: Education Data Leak
‣ Victim: Universidad del Cauca
‣ Industry: Education / Public University

The actors leaked a database containing identity, contact, and residential information for university members.

What's in it:

▪️ Full names (first and last)
▪️ Document type and number (national ID, ID card, passport)
▪️ Date of birth
▪️ Gender
▪️ Location (DANE administrative codes)
▪️ Place of origin (street, municipality, department)
▪️ Current residence (street, municipality, department)
▪️ Email addresses (institutional and personal)
▪️ Verified phone numbers
________________________________________

‼️🇧🇷 Kenlo Imob (formerly inGaia Imob), a leading Brazilian real estate CRM used by brokers and agencies to manage listings, leads, and scheduling, has allegedly been breached, with 6 million PII records and 10,000+ documents held under an active extortion threat. The actor leaked a partial 705,000-record sample to pressure payment.

‣ Threat Actor: mastermind
‣ Category: Real Estate CRM Breach / Extortion
‣ Victim: Kenlo Imob (kenlo.com.br)
‣ Industry: Real Estate / CRM Software

The actor is operating on a "pay or leak" model, threatening to publish the full 6M+ record dataset and 10,000+ supporting documents if their demands are not met.

What's in it:

▪️ 6,000,000+ PII records under threat
▪️ 10,000+ documents
▪️ 705,000 record sample already released
▪️ Names, emails, phones, dates of birth
▪️ Nationality, gender, marital status
▪️ Active status, document type, site
▪️ Financial token, isDefaulter flag, legal responsible party
▪️ Contact records and creator metadata
▪️ Property records (envelope ID, status, origin, closure date)
▪️ Agency IDs, agency source data, photos
▪️ Created/updated timestamps
________________________________________

‼️🇬🇹 The Tribunal Supremo Electoral (TSE), Guatemala's Supreme Electoral Tribunal, has allegedly been breached, with 2,136 electronic signatures of TSE employees leaked. The signatures are used to validate official government documents and could be replicated to forge other official paperwork.

‣ Threat Actor: MrGoblinciano
‣ Category: Government Data Leak
‣ Victim: Tribunal Supremo Electoral (TSE) Guatemala
‣ Industry: Government / Electoral Authority

The actor states the dump was pulled directly from firmaelectronica.tse.org.gt and is being released for free. The TSE has since put its electronic signature service into maintenance mode, citing a "wave of cyberattacks against Guatemalan state institutions" and the activation of an Information Security Threat Response and Containment Plan.

What's in it:

▪️ 2,136 electronic signature images
▪️ Format: JPG
▪️ Signatures of TSE employees authorized to validate government documents
▪️ Sequentially numbered files (e.g. 9505 through 9532+) suggesting full enumeration of the signature database
________________________________________

‼️🇫🇷 Madeindesign (madeindesign.com), a French online retailer specializing in designer furniture, lighting, and home decor, has allegedly been breached, with a partial database of 464,000 records leaked.

‣ Threat Actor: ChimeraZ
‣ Category: E-commerce Data Leak
‣ Victim: Madeindesign
‣ Industry: E-commerce / Furniture & Design

The actor leaked a partial database covering customer orders and invoices.

What's in it:

▪️ 464,000 records
▪️ Format: JSON
▪️ Size: 205 MB
▪️ Order IDs and invoice IDs
▪️ Customer full names
▪️ Home addresses (street, postal code, city, country)
▪️ Phone numbers
▪️ Payment method (Visa, MasterCard)
▪️ Delivery method (Colissimo, etc.)
▪️ Order totals
▪️ Product details (name, dimensions, brand)
▪️ Order dates (records dating back to 2013)
________________________________________

‼️🇧🇷 Guia de Motéis (guiademoteis.com.br), a Brazilian online motel guide and reservation app with over one million Google Play Store downloads, has allegedly been breached, with 1,596,471 customer records put up for sale.

‣ Threat Actor: joaoestrella
‣ Category: Data Sale
‣ Victim: Guia de Motéis (guiademoteis.com.br)
‣ Industry: Hospitality / Mobile App / Travel

The actor is selling customer data spanning from 2022 to present, including subscription records, plaintext passwords, and reservation history. The seller offered a "just login at guiademoteis.com.br" challenge as proof of access.

What's in it:

▪️ 1,596,471 customer records
▪️ Full names and dates of birth
▪️ Email addresses
▪️ Plaintext passwords
▪️ CPF (Brazilian national ID)
▪️ CEP (postal codes)
▪️ Phone numbers (landline and mobile)
▪️ Registration dates
▪️ Marketing/mailing preferences
▪️ Origin and account status
▪️ Reservation records (reservas_presenciais)
▪️ Subscription data (expiration dates, payment methods, plan release dates, status, cancellation, logs)
▪️ Coupon usage records
________________________________________

‼️ Canonical has confirmed they and Ubuntu are under a DDoS attack. 313 Team has taken responsibility.

https://discourse.ubuntu.com/t/update-concerning-ddos-attack-on-canonical-and-ubuntu/81482
________________________________________

‼️🇨🇦 Questrade, a Canadian financial services company offering online investing and trading platforms, has allegedly been breached, with 186,515 investor records put up for sale.

‣ Threat Actor: ijpys
‣ Category: Fintech Data Sale
‣ Victim: Questrade
‣ Industry: Financial Services / Online Brokerage

The breach exposes Canadian investor PII tied to a Questrade lead-check or onboarding system.

What's in it:

▪️ 186,515 investor records
▪️ Email addresses
▪️ First and last names
▪️ Home addresses (street, city, state, zip)
▪️ Phone numbers
▪️ Gender
▪️ Questrade.LeadCheck status
▪️ User type
________________________________________

⚠️ A defense evasion tool called ExEngine is being sold as a service, marketed as an AV/EDR killer that disables mainstream consumer security software including Windows Defender, Malwarebytes, Bitdefender, and Avast. The tool combines AV termination with a Ring-3 rootkit, UAC bypass, and decoy payload delivery to support stealthy initial access operations.

‣ Threat Actor: ryewx1
‣ Category: Defense Evasion Tool / Killer
‣ Offering: ExEngine AV/EDR Killer
‣ Industry: Malware Tooling

The seller claims ExEngine actively terminates security software rather than only obfuscating payloads, granting attackers a longer window of undetected operation. The tool supports Windows 10 and 11 builds and is sold per-build at $150 to $250.

Advertised capabilities:

▪️ AV/EDR termination with primary and fallback techniques
▪️ UAC bypass with automatic privilege escalation
▪️ Ring-3 rootkit functionality to hide files, processes, registry keys, and network connections
▪️ Discord webhook logging for victim machine info and execution status
▪️ Secondary decoy payload (game/document/installer) to keep targets unaware
▪️ Persistence across reboots and logouts
▪️ Anti-VM and anti-debug detection with fake error message exit
▪️ Universal Windows 10/11 support, all payload types

Risk to defenders:

▪️ Active termination of consumer AV products including Windows Defender means traditional endpoint protections cannot be relied on once ExEngine executes successfully
▪️ Decoy payload pattern is designed to delay user-driven incident reporting, lengthening attacker dwell time
▪️ Ring-3 rootkit hiding of files, processes, and network connections complicates incident response triage on compromised hosts
▪️ Discord webhook telemetry indicates the operator is targeting consumer and SMB victims at scale rather than running individual targeted campaigns
▪️ Sold per-build at low cost ($150 to $250), making it accessible to low-skill operators who can pair it with commodity stealers, RATs, or loaders
________________________________________
