Leveraging darknet to predict attacks
In a perfect world, cyber intelligence helps organizations stay a step ahead of adversaries. In the real world, however, intel teams have to deal with attacks that already occurred, identifying offender tactics, techniques, and procedures relevant for a particular geography.
Our previous article demonstrated that such information can be very effective in threat prediction: according to the Pyramid of Pain model, TTPs are the indicators that adversaries find hardest to change.
In some cases, valuable tactical insights can be obtained directly from adversaries. This can be achieved by accessing their correspondence, or by monitoring chats, channels (specifically, Telegram), underground forums and marketplaces.
This article elaborates on how to leverage these data. We look into posts advertising malware, exploits, access to corporate IT infrastructures, and disclosing information about compromised organizations.
Malware is the most often traded underground commodity. To attract attention to their offerings, threat actors commonly provide detailed specifications, making it possible to assess the product’s capabilities.
Underground resources are in no shortage of ads for all sorts of malware: loaders, RATs, stealers, rootkits, ransomware, crypters, AV/EDR killers, etc. Moreover, the malware advertised often combines the capabilities of multiple tools in one.
We use several examples to demonstrate the kind of actionable intelligence that can be extracted from such posts.
The post below advertises a malware-as-a-service (MaaS) solution:
At the beginning, the author highlights the malware’s capabilities, including those that can be used for its detection:
- Node.js, a legitimate interpreter used as the host for executing the malicious code
- Smart contracts for obtaining the C2 address
Further analysis of the text allows us to gather the following information:
- The interpreter will have a standard name, node.exe.
- The C2 address will be obtained via a smart contract on the ETH network.
- The malware allows the operator to take screenshots.
- The malware can download executable files to a temporary folder and run them.
- This enables command execution in the Windows command line.
The outlined capabilities suggest that the malware may manifest itself through:
- running of suspicious files via node.exe
- execution of suspicious commands (for example, those related to system information gathering) through the Windows command line launched by node.exe
- creation of executable files in a temporary folder by node.exe
- suspicious communications with services providing information about smart contracts, for example, etherscan[.]io
As we can see, even a basic description can yield a wealth of information to enable a truly proactive response to emerging cyber threats.
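The four behaviours listed above translate directly into detection logic. The following is an added example, not code from the original article: it runs a handful of rules over constructed EDR-style telemetry (process creation, file creation and network connection events). The event schema, the field names and the list of reconnaissance commands are assumptions; only node.exe, the temporary-folder pattern and etherscan[.]io come from the advertisement itself.

```python
"""Detection rules for the Node.js-based MaaS described above.

Added example. The event format (dicts with "type", "image", "parent_image",
"cmdline", "target", "dest_host") is an assumption loosely modelled on EDR
telemetry; the sample events are constructed for illustration.
"""
import re
from typing import Dict, List

# Commands typically seen during system information gathering (assumption; tune per environment).
RECON_COMMANDS = {"whoami", "systeminfo", "ipconfig", "tasklist", "net", "nltest", "hostname"}
# Services exposing smart-contract data; etherscan.io comes from the article.
SMART_CONTRACT_HOSTS = ("etherscan.io",)

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
EXE_RE = re.compile(r"\.(exe|dll|scr)$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_temp(path: str) -> bool:
    return bool(TEMP_DIR_RE.search(path))


def _alert(rule: str, severity: str, event: Dict[str, str]) -> Dict[str, str]:
    detail = event.get("cmdline") or event.get("target") or event.get("dest_host", "")
    return {"rule": rule, "severity": severity, "image": event.get("image", ""), "detail": detail}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event that matches a rule, in event order."""
    alerts = []
    for e in events:
        kind = e.get("type")
        image = _basename(e.get("image", ""))
        parent = _basename(e.get("parent_image", ""))

        if kind == "process" and parent == "node.exe":
            if image == "cmd.exe":
                # Windows command line launched by node.exe: check for recon commands.
                tokens = {t.strip('"').lower() for t in e.get("cmdline", "").split()}
                if tokens & RECON_COMMANDS:
                    alerts.append(_alert("node_recon_via_cmd", "high", e))
                else:
                    alerts.append(_alert("node_spawns_cmd", "medium", e))
            elif _in_temp(e.get("image", "")) and EXE_RE.search(e["image"]):
                # Executable started from a temporary folder by node.exe.
                alerts.append(_alert("node_runs_exe_from_temp", "high", e))

        elif kind == "file_create" and image == "node.exe":
            target = e.get("target", "")
            if _in_temp(target) and EXE_RE.search(target):
                alerts.append(_alert("node_drops_exe_in_temp", "high", e))

        elif kind == "network" and image == "node.exe":
            host = e.get("dest_host", "").lower()
            if any(host == h or host.endswith("." + h) for h in SMART_CONTRACT_HOSTS):
                alerts.append(_alert("node_contacts_smart_contract_service", "medium", e))
    return alerts


# Constructed sample telemetry: four malicious events followed by two benign developer events.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Program Files\\nodejs\\node.exe", "cmdline": "cmd.exe /c whoami && systeminfo"},
    {"type": "file_create", "image": "C:\\Program Files\\nodejs\\node.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"type": "process", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "parent_image": "C:\\Program Files\\nodejs\\node.exe", "cmdline": "update.exe"},
    {"type": "network", "image": "C:\\Program Files\\nodejs\\node.exe", "dest_host": "api.etherscan.io"},
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Program Files\\nodejs\\node.exe", "cmdline": "cmd.exe /c npm run build"},
    {"type": "network", "image": "C:\\Program Files\\nodejs\\node.exe", "dest_host": "registry.npmjs.org"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['rule']}: {a['detail']}")
```

The benign `npm run build` event still produces a medium-severity `node_spawns_cmd` alert: on developer workstations node.exe legitimately spawns cmd.exe, so that rule is meant for triage and enrichment rather than for paging, while the high-severity rules (reconnaissance through cmd.exe, executables dropped to and run from a temporary folder) are rare enough on a typical host to investigate directly.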
Let us consider another example, this time related to a popular malware delivery method known as ClickFix:
In this case, the seller provides fewer technical details, pointing out that popular implementations of this delivery method involve the use of cmd.exe, powershell.exe, curl.exe, mshta.exe, and other common Windows tools—all easily detected even by Windows Defender. The seller, however, claims to have an implementation that evades security solutions.
Nevertheless, a closer examination of this method shows that the executed command will be deleted from the Run history.
The history is stored in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Consequently, events showing that key being cleared can be used to build detection logic.
Thus, even advertisements without many technical details can facilitate the detection of suspicious or malicious activity.
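One way to turn the RunMRU observation into a rule, as an added example rather than code from the article: correlate a write to RunMRU by explorer.exe (the user pressed Win+R and ran something) with a deletion under the same key shortly afterwards by any other process. The event layout is an assumption loosely modelled on registry-auditing telemetry such as Sysmon registry events; the timestamps, SID and process paths in the sample are constructed.

```python
"""Detect the Run history (RunMRU) being cleared right after use.

Added example. Events are dicts with "ts" (ISO 8601), "event_type"
(SetValue / DeleteValue / DeleteKey), "image" and "target"; this layout is an
assumption, and the sample events below are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

RUNMRU_PATH = "\\software\\microsoft\\windows\\currentversion\\explorer\\runmru"
# A deletion this soon after explorer.exe wrote the key is treated as self-cleanup (assumption).
CORRELATION_WINDOW = timedelta(minutes=5)


def touches_runmru(target: str) -> bool:
    """True for the RunMRU key itself and for any value under it, in any hive."""
    return RUNMRU_PATH in target.lower()


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_runmru_clearing(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    alerts = []
    last_run_dialog_write = None  # time explorer.exe last recorded a Run-dialog command
    for e in sorted(events, key=lambda x: x["ts"]):
        if not touches_runmru(e["target"]):
            continue
        ts = datetime.fromisoformat(e["ts"])
        image = _basename(e["image"])
        if e["event_type"] == "SetValue" and image == "explorer.exe":
            last_run_dialog_write = ts
        elif e["event_type"] in ("DeleteValue", "DeleteKey"):
            correlated = (last_run_dialog_write is not None
                          and ts - last_run_dialog_write <= CORRELATION_WINDOW)
            alerts.append({
                "rule": "runmru_cleared_after_run_dialog" if correlated else "runmru_cleared",
                "severity": "high" if correlated else "medium",
                "ts": e["ts"],
                "image": image,
                "target": e["target"],
            })
    return alerts


_RUNMRU = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"

# Constructed sample: a Run-dialog command recorded and wiped four seconds later, then an
# uncorrelated deletion hours afterwards, then an unrelated write under the Run key.
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T10:00:00", "event_type": "SetValue",
     "image": "C:\\Windows\\explorer.exe", "target": _RUNMRU + "\\a"},
    {"ts": "2025-10-01T10:00:00", "event_type": "SetValue",
     "image": "C:\\Windows\\explorer.exe", "target": _RUNMRU + "\\MRUList"},
    {"ts": "2025-10-01T10:00:04", "event_type": "DeleteValue",
     "image": "C:\\Windows\\System32\\reg.exe", "target": _RUNMRU + "\\a"},
    {"ts": "2025-10-01T13:30:00", "event_type": "DeleteKey",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": _RUNMRU},
    {"ts": "2025-10-01T13:31:00", "event_type": "SetValue",
     "image": "C:\\Windows\\explorer.exe",
     "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]

if __name__ == "__main__":
    for a in detect_runmru_clearing(SAMPLE_EVENTS):
        print(f"{a['ts']} [{a['severity']}] {a['rule']} by {a['image']} on {a['target']}")
```

Explorer itself only appends to RunMRU as the user runs commands, so a deletion under the key from any other process is already unusual; the correlation with a preceding Run-dialog write is what lifts the event to high severity without having to know which binary the seller's implementation launches.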
Posts offering exploits for vulnerabilities, both known and zero day, can often be found on shady web resources.
The sale of exploits for known vulnerabilities indicates that they are being used or will be soon, which helps prioritize which ones to patch first.
Let us look at an example. This advertisement offers a tool to exploit CVE‑2025‑54309 in CrushFTP.
The seller emphasizes that about 200,000 servers are vulnerable and that successful exploitation will allow the attacker to execute arbitrary commands via an uploaded web shell.
While dealing with known vulnerabilities is fairly straightforward, working with zero-days can be challenging. Nevertheless, information about such vulnerabilities can often be used to understand where an attack is most likely to originate and, in some cases, to detect exploitation attempts, for example, if the seller shares enough technical detail.
In the next example, a threat actor offers a zero‑day exploit for Palo Alto Networks firewalls.
The seller notes that over 14,000 servers are unpatched and that successful exploitation will allow the attacker to execute arbitrary code.
Although there are no technical details in the post, we can at least identify Palo Alto devices in our IT infrastructure. Perhaps this vulnerability is not relevant to us at all.
If potentially vulnerable devices are present, we are, at the very least, aware of a potential source of malicious activity. And if we collect logs from such devices, we can monitor them for anomalies—most exploitation chains lead to the creation of files in suspicious folders, the launch of atypical process sequences, and network communications.
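The two exploit advertisements above lead to different actions (patch CrushFTP, watch the Palo Alto devices), and the decision depends on what is actually in the inventory. The following added example, not code from the original article, joins intel items distilled from the two ads with a constructed asset inventory and ranks the results. The hostnames, the scoring weights and the rule that an ad naming only a vendor matches every product from that vendor are all assumptions; the CVE number and the sellers' exposure figures are the ones quoted in the article.

```python
"""Rank assets against exploit advertisements seen underground.

Added example. Intel fields are distilled from the two ads in the article;
the inventory, the hostnames and the scoring weights are constructed.
"""
import math
from typing import Dict, List, Optional, Tuple

# "claimed_exposed" is the seller's own figure and is treated as unverified.
INTEL: List[Dict] = [
    {"id": "ad-crushftp", "vendor": "CrushFTP", "product": "CrushFTP",
     "cve": "CVE-2025-54309", "exploit_on_sale": True, "claimed_exposed": 200000},
    {"id": "ad-paloalto", "vendor": "Palo Alto Networks", "product": None,
     "cve": None, "exploit_on_sale": True, "claimed_exposed": 14000},
]

# Constructed asset inventory (hypothetical hosts).
INVENTORY: List[Dict] = [
    {"host": "ftp-dmz-01", "vendor": "CrushFTP", "product": "CrushFTP", "internet_facing": True},
    {"host": "ftp-lab-02", "vendor": "CrushFTP", "product": "CrushFTP", "internet_facing": False},
    {"host": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "internet_facing": True},
    {"host": "web-01", "vendor": "nginx", "product": "nginx", "internet_facing": True},
]


def _norm(s: Optional[str]) -> str:
    return (s or "").strip().lower()


def matches(item: Dict, asset: Dict) -> bool:
    if _norm(item["vendor"]) != _norm(asset["vendor"]):
        return False
    # An ad that names only a vendor is taken to cover every product from it (assumption).
    return item["product"] is None or _norm(item["product"]) == _norm(asset["product"])


def score(item: Dict, asset: Dict) -> Tuple[int, List[str]]:
    """Additive score; weights are assumptions meant to order work, not to measure risk."""
    s, reasons = 0, []
    if item["exploit_on_sale"]:
        s += 40
        reasons.append("exploit advertised underground")
    if asset["internet_facing"]:
        s += 30
        reasons.append("internet-facing asset")
    if item["cve"]:
        s += 20
        reasons.append(f"known vulnerability {item['cve']}")
    # Seller's exposure claim, compressed so it cannot dominate the verified signals.
    s += min(10, int(math.log10(max(item["claimed_exposed"], 1))))
    return s, reasons


def prioritize(intel: List[Dict], inventory: List[Dict]) -> List[Dict]:
    findings = []
    for item in intel:
        for asset in inventory:
            if not matches(item, asset):
                continue
            s, reasons = score(item, asset)
            action = "patch" if item["cve"] else "monitor logs for anomalies (zero-day, no fix yet)"
            findings.append({"host": asset["host"], "intel": item["id"], "score": s,
                             "action": action, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in prioritize(INTEL, INVENTORY):
        print(f"{f['score']:3} {f['host']:12} {f['action']:45} {', '.join(f['reasons'])}")
```

The internet-facing CrushFTP host lands on top and gets a patch action; the firewall comes next with a monitoring action because there is nothing to patch yet; the lab CrushFTP host is still listed, since an advertised exploit for a known CVE is worth closing even behind the perimeter; the nginx host does not appear at all.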
Information about planned cyberattacks or breached organizations is often exactly what companies expect from darknet research. However, handling such data is trickier than it might appear.
An announcement may not necessarily mention your organization. However, exfiltrated data may contain information related to your business, including highly sensitive materials. For example, email addresses that could subsequently be used for phishing campaigns, or passwords that users may recycle across various services, including corporate ones.
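A practical way to act on a leak that does not name your organization is to scan the dump for your own domains and for signs of password reuse. The following added example, not part of the original article, parses a constructed dump in the common `url:email:password` layout (the layout itself is an assumption), keeps only accounts under the corporate domains, and flags users who reused one password on several services. Passwords are reduced to a truncated SHA-256 fingerprint so that plaintext does not propagate into tickets.

```python
"""Triage a credential dump for corporate accounts and password reuse.

Added example. The dump format (one "url:email:password" entry per line),
the domain list and all sample credentials are constructed.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Optional, Set

CORPORATE_DOMAINS: Set[str] = {"example.com"}

# Constructed sample dump, including one malformed line and one unrelated account.
SAMPLE_DUMP = """\
https://shop.example.net/login:alice@example.com:Summer2025!
https://forum.example.org/auth:alice@example.com:Summer2025!
https://mail.example.com:bob@example.com:Correct-Horse-7
https://mail.example.com:carol@other.org:hunter2
not a credential line
https://app.example.net/:dave@example.com:Tr0ub4dor&3
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split from the right so that the ':' in 'https://' stays inside the URL."""
    line = line.strip()
    if not line or "@" not in line:
        return None
    parts = line.rsplit(":", 2)
    if len(parts) == 3:
        url, email, password = parts
    elif len(parts) == 2:  # bare "email:password" entries without a URL
        url = ""
        email, password = parts
    else:
        return None
    email = email.strip().lower()
    if "@" not in email or not password:
        return None
    return {"url": url.strip().lower(), "email": email, "password": password}


def fingerprint(password: str) -> str:
    """Short, one-way handle for a password, safe to put in a ticket."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def triage_dump(text: str, domains: Set[str]) -> Dict[str, Dict]:
    per_user = defaultdict(lambda: {"services": set(), "by_password": defaultdict(set)})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["email"].rsplit("@", 1)[-1] not in domains:
            continue
        entry = per_user[rec["email"]]
        entry["services"].add(rec["url"])
        entry["by_password"][fingerprint(rec["password"])].add(rec["url"])

    report = {}
    for email, entry in per_user.items():
        # Reuse: the same password seen on more than one distinct service.
        reused = any(len(urls) > 1 for urls in entry["by_password"].values())
        report[email] = {
            "services": len(entry["services"]),
            "password_reused": reused,
            "fingerprints": sorted(entry["by_password"]),
        }
    return report


if __name__ == "__main__":
    for email, info in sorted(triage_dump(SAMPLE_DUMP, CORPORATE_DOMAINS).items()):
        flag = "REUSED" if info["password_reused"] else "ok"
        print(f"{email:22} services={info['services']} {flag} {info['fingerprints']}")
```

Accounts flagged as reused are the ones to reset first and to check against corporate single sign-on, since a password recycled across two third-party sites is likely recycled at work as well; the remaining corporate addresses go on the phishing watch list even when no password is attached.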
Note the source of such information. Often, the compromise of a particular organization can be attributed to a specific cluster. This means that such information can also be used for prioritization.
Let us look at another example where the attackers report the compromise of a logistics company.
Analysis of the source points to a concrete cluster behind this cyberattack—C.A.S., also known as Pandemonium Hyena. While this information provides additional context (TTPs and IoCs), it also highlights the cluster’s activity at the present moment.
Thus, even if a data leak announcement does not affect your organization, you have the latest data about who is targeting organizations similar to yours and how, and can take appropriate measures.
Until very recently, access to CIS organizations was not traded on darknet resources. Today, such offers do appear, albeit infrequently, as most forums prohibit these kinds of posts.
Again, do not wait for someone to advertise access to your infrastructure or credentials on a darknet forum or in a chat. We can use such data proactively—that is, learn from the mistakes of others.
Here is an example:
Notably, such access can sell for as little as a few hundred dollars, as in the case of the ad above ($750).
The seller emphasizes that they have access to the victim’s database, email, and CRM—through a web server. Consequently, we can deduce that the access was most likely obtained by exploiting vulnerabilities in it.
Such intelligence reveals both the industries currently targeted by adversaries and the IT infrastructure components most likely to be attacked.
Although underground resources do not provide a complete view of the threat landscape and adversary methods, they remain a valuable source of operational intelligence. These platforms often contain first‑hand, up‑to‑date information from threat actors, providing early insight into emerging attack methods and tools before they are used against your organization.
For more analysis of darknet advertisements, see our research Threat Zone 2025: The Other Side.