CYJAX’s open-source intelligence team collects data from social media, instant messaging platforms, gated communities, and dark web locations to safeguard clients from threats stemming from online locations.

Following the emergence of data-leak sites (DLSs) for new extortion groups Kairos, Chort, Termite, and CONTfr, Cyjax has observed a DLS for a group going by the name ’Argonauts Group’. This group has claimed 10 victims so far. This brings the total of new DLSs discovered this month to seven, with a few days remaining in November.

Following the emergence of data-leak sites (DLSs) for extortion groups Kairos, Chort, and Termite, Cyjax has observed the emergence of a Tor-based site belonging to a new French-speaking Ransomware-as-a-Service (RaaS) operation called ’ContFR’. ContFR is potentially referencing well-known ransomware group Conti, whilst incorporating a reference to France.

Just days after Cyjax observed the emergence of a data-leak site (DLS) for new extortion group Kairos, DLSs for two more new English-speaking groups, Chort and Termite, have debuted.

Initial access brokers (IABs) facilitate access for ransomware groups, data brokers, and advanced persistent threat groups (APTs) into corporate networks. They operate in an established, lucrative market, often on cybercriminal forums which are characterised by rigid rules and conventions. Our report explaining the illicit activities of IABs can be viewed here.

Cyjax recently identified a new financially-motivated extortion group going by the name Kairos, which shares data stolen from its victims on a data-leak site (DLS). An alleged spokesperson for the group, named ‘KairosSup’ made a bid on an initial access broker (IAB) listing on a prominent Russian-language cybercriminal forum. It is of note that the spokesperson’s name is likely styled after the representative of prolific ransomware group LockBit, who is called ‘LockBitSupp’.

It is nearing 2025, and data-leak sites (DLSs) for extortion groups continue to emerge. November 2024 continues this trend, with Cyjax observing the thirteenth most recent materialisation of a DLS for an extortion group calling itself “Kairos”. At the time of writing, Kairos has claimed attacks against six victims, two of which have acknowledged significant data breaches in 2024. However, it is unclear whether these are related.

CYJAX has identified a novel phishing technique which is used to harvest Microsoft credentials via websites which are masqueraded as locked Microsoft Word documents. This technique, which CYJAX is calling DirtyWord, uses a blurred Word document as the page background to inform the user that they must log in to view the document. Whilst CYJAX has not observed the delivery mechanism of the phish, it appears that it likely occurs through spear-phishing emails.