🔪 Slice For Life - Part 2 🔪
⚠️ A defense evasion tool called ExEngine is being sold as a service, marketed as an AV/EDR killer that disables mainstream consumer security software including Windows Defender, Malwarebytes, Bitdefender, and Avast. The tool combines AV termination with a Ring-3 rootkit, UAC bypass, and decoy payload delivery to support stealthy initial access operations.

‣ Threat Actor: ryewx1
‣ Category: Defense Evasion Tool / Killer
‣ Offering: ExEngine AV/EDR Killer
‣ Industry: Malware Tooling

The seller claims ExEngine actively terminates security software rather than only obfuscating payloads, granting attackers a longer window of undetected operation. The tool supports Windows 10 and 11 builds and is sold per-build at $150 to $250.

Advertised capabilities:

▪️ AV/EDR termination with primary and fallback techniques
▪️ UAC bypass with automatic privilege escalation
▪️ Ring-3 rootkit functionality to hide files, processes, registry keys, and network connections
▪️ Discord webhook logging for victim machine info and execution status
▪️ Secondary decoy payload (game/document/installer) to keep targets unaware
▪️ Persistence across reboots and logouts
▪️ Anti-VM and anti-debug detection with fake error message exit
▪️ Universal Windows 10/11 support, all payload types

Risk to defenders:

▪️ Active termination of consumer AV products including Windows Defender means traditional endpoint protections cannot be relied on once ExEngine executes successfully
▪️ Decoy payload pattern is designed to delay user-driven incident reporting, lengthening attacker dwell time
▪️ Ring-3 rootkit hiding of files, processes, and network connections complicates incident response triage on compromised hosts
▪️ Discord webhook telemetry indicates the operator is targeting consumer and SMB victims at scale rather than running individual targeted campaigns
▪️ Sold per-build at low cost ($150 to $250), making it accessible to low-skill operators who can pair it with commodity stealers, RATs, or loaders
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️🇲🇽 A threat actor is selling what is advertised as the full internal personnel database of the Guanajuato Elite Police (Fuerzas de Seguridad Pública del Estado, FSPE), Mexico, including identifying information for covert operators and high-ranking command.

‣ Threat Actor: Alz_157s
‣ Category: Government / Law Enforcement Personnel Data Sale
‣ Victim: Fuerzas de Seguridad Pública del Estado (FSPE) Guanajuato
‣ Industry: Government / State Police

The listing is significant because Guanajuato is one of the most violent states in Mexico, with FSPE personnel actively engaged against CJNG and the Santa Rosa de Lima Cartel. Exposure of officer identities, home addresses, and assignments creates direct physical risk to officers and their families, not only data privacy harm.

Risk to defenders:

▪️ Personnel data of active law enforcement, including covert operators, has historically been used to facilitate targeted killings in Mexico
▪️ Buyers of this category of data are not typical financial fraud actors and are likely to include cartel-linked purchasers
▪️ State and federal Mexican authorities, as well as US partners coordinating on cartel operations, should be alerted
________________________________________

‼️🇸🇦 Jeddah Transport Company (jedtc.com.sa), a Saudi Arabian transportation company, has allegedly been breached, with a database of 126,629 user records leaked.

‣ Threat Actor: lulzintel
‣ Category: Data Leak
‣ Victim: Jeddah Transport Company
‣ Industry: Transportation

What's in it:

▪️ 126,629 compromised user records
▪️ Passenger data: ID, customer ID, full name, date of birth, nationality ID, ID number, passenger type, timestamps, Hijri date of birth
▪️ User account data: ID, name, first name, last name, email, phone, email verification status
▪️ Hashed passwords
▪️ Two-factor authentication secrets
▪️ Two-factor recovery codes
▪️ Two-factor confirmation timestamps
▪️ Remember tokens
▪️ Current team ID
▪️ Profile photo paths
▪️ Account creation and update timestamps
________________________________________

💥 ShadowBroker: A real-time, multi-domain OSINT dashboard that fuses 60+ live intelligence feeds into a single dark-ops map interface.

https://github.com/BigBodyCobain/Shadowbroker

Aircraft, ships, satellites, conflict zones, CCTV networks, GPS jamming, internet-connected devices, police scanners, mesh radio nodes, and breaking geopolitical events, all updating in real time on one screen.
________________________________________

‼️🇫🇷 FacoParis, a French educational institution, has allegedly been breached, with a 12 GB database and complete source code leaked.

‣ Threat Actor: Spirigatito
‣ Category: Data Leak
‣ Victim: FacoParis
‣ Industry: Education

The actor is offering the full 12 GB dataset for download, which includes student and teacher personal information, identity documents, course materials, account credentials, and the complete source code of the FacoParis platform.

What's in it:

▪️ 12 GB of total data
▪️ Student information including 11,447 documents: national ID cards, passports, IBANs, diplomas, applications + database
▪️ 1,243 photos of students and teachers
▪️ 3,212 course documents (valued at $7,000)
▪️ All FacoParis accounts and connection logs
▪️ Complete FacoParis source code totaling 27,346 files
________________________________________

You may see a couple of old forum posts on the threat feed between now and Sunday.

I'm testing a historical feed setup that is going to the current threat feed, before moving it to a different frontend.

I should know more next week on when it will be available and how many old posts my goal will be daily/monthly based on costs. The API will likely get the endpoint first before the platform.
________________________________________

The young hacker behind the historic PowerSchool breach, Matthew Lane, speaks out for the first time just days before beginning a four-year federal prison sentence, as experts warn of a new generation of tech-savvy teenagers falling into cybercrime.

I previously uploaded part 1. This is both part 1 and part 2.

Video Credit: youtube.com/@ABCNews
________________________________________

‼️ Kodex Law Enforcement Panel accounts are allegedly being sold, providing access to submit Emergency Data Requests (EDRs) to 320+ major companies.

‣ Threat Actor: edr
‣ Category: Access Sale
‣ Victim: Kodex (Law Enforcement Platform)
‣ Industry: Law Enforcement / Data Request Platform

The actor is selling old Kodex accounts that can be used to send Emergency Data Requests to major companies including Discord, Coinbase, and Roblox. The seller claims the accounts are not proxied and that they own the logins directly. Funds in escrow are required before the country of origin is revealed. Trusted escrow/middleman services are accepted.

What's in it:

▪️ Old Kodex law enforcement panel accounts
▪️ Access to 320+ ready-to-use companies for data requests
▪️ Subpoena documents included
▪️ Ability to send EDRs to platforms like Discord, Coinbase, and Roblox
▪️ Price: $4,000
________________________________________

Found a possible decryptor for VECT Ransomware.

https://github.com/DarkWebInformer/vect-ransomware-decryptor

I don't have a sample file to use to test it against, maybe someone does that actually needs this. Run it in an isolated environment. I shared the files on GitHub, the zip, and the VirusTotal that came back clean. I also gave credit to where I found it.
________________________________________

‼️🇵🇦 Radimagen Panama, a Panamanian medical imaging provider, has allegedly been breached, with a database containing patient and medical data leaked for free.

‣ Threat Actor: ohmydays (Waxx Org.)
‣ Category: Data Leak
‣ Victim: Radimagen Panama (radimagen.com)
‣ Industry: Healthcare / Medical Imaging

The actor claims the database was pulled from an unsecured server with "zero protection" and is releasing it for free to the community. The leak exposes sensitive medical and personal information of patients, doctors, and staff.

What's in it:

▪️ 38,840 patient records with full PII (name, national ID, sex, phone, date of birth)
▪️ 68,814 medical appointments linking patients to specific studies and schedules
▪️ 42,106 user accounts with emails, phones, and role/access levels
▪️ 3,118 doctor records with associated information
________________________________________

‼️ New Ransomware Group and IP Leak: CMD Organization

Clearnet: cmdofficial[.]com
IP: 209[.]99[.]186[.]211

Onion: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion
________________________________________

‼️🇵🇦 Clinica Hospital Panamericano (ch-panamericano.com), a Panamanian hospital, has allegedly been breached, with a database containing patient and medical data leaked for free.

‣ Threat Actor: ohmydays (Waxx Org.)
‣ Category: Data Leak
‣ Victim: Clinica Hospital Panamericano
‣ Industry: Healthcare / Hospital

The actor claims the database was pulled from an unsecured system, marking the second Panamanian medical leak released by the same threat actor.

What's in it:

▪️ 16,884 patient records with full PII (name, national ID, sex, date of birth)
▪️ 25,893 medical appointments linking patients to specific studies and schedules
▪️ 570 doctor records with national ID, user ID, full names, and additional information
________________________________________

‼️🇪🇨 Banco de Machala, an Ecuadorian bank, has allegedly been breached, with over 100,000 biometric customer records leaked for free.

‣ Threat Actor: GondorPe
‣ Category: Data Leak
‣ Victim: Banco de Machala
‣ Industry: Banking / Finance

The actor claims the bank's biometric authentication system was compromised, granting full access to the customer database and image repository, which was reportedly stored without proper protection.

What's in it:

▪️ 100,000+ biometric records of customers
▪️ Biometric photographs (full face) of all customers as of May 1, 2026
▪️ Photographs of identity cards
▪️ Full names
▪️ ID numbers
▪️ Face photos linked to each ID number
▪️ Files distributed in JPG format
________________________________________

‼️ A threat actor is allegedly selling YouTube Society Award Play Button codes for $160. The nature of how these codes were obtained is unclear, but the listing suggests unauthorized acquisition and resale of official YouTube creator award redemption codes.
________________________________________
