The Many Doors of RansomHouse: Mapping an Evolving Ransomware Ecosystem

Ransomware groups rarely disappear when their infrastructure goes offline. Domains change, communication channels are abandoned, and public leak sites evolve over time, leaving behind fragments that can make long-term investigations difficult. While many ransomware reports focus on a single attack or victim, understanding how these groups maintain their presence across multiple platforms often provides a more complete picture of how they operate.

Among the many ransomware operations that have emerged in recent years, RansomHouse has established itself as a distinct actor. Since appearing in 2021, the group has publicly positioned itself as a data extortion operation, frequently claiming that victims are targeted for poor cybersecurity practices rather than relying solely on traditional ransomware deployment. Over time, it has published numerous victim disclosures through its leak site while continuously adapting the infrastructure used to support those operations.

This investigation takes a different approach. Instead of examining a single breach, it follows the digital footprint left behind by RansomHouse across its public infrastructure. Using StealthMole, the investigation reconstructs pieces of the group's online presence that are no longer readily accessible, revealing how websites, communication channels, and supporting infrastructure evolved over time.

Where the Trail Began

The investigation began with StealthMole's Ransomware Monitoring module, where RansomHouse was identified as an active ransomware operation. The group's most recent claimed victim at the time of investigation was a U.S.-based construction company, which appeared on the platform with an attack date of 29 June 2026. While the individual incident was noteworthy, it also raised a broader question: how extensive was RansomHouse's activity, and what digital footprint had the group left behind over the years?

To answer that, a broader search was conducted within the Ransomware Monitoring module using the RansomHouse identifier. The results showed that between May 2022 and June 2026, the group had claimed responsibility for more than 186 victim organizations, spanning multiple industries and geographic regions. The steady stream of disclosures over a four-year period suggested that RansomHouse was not a short-lived operation but one that had maintained a consistent presence within the ransomware landscape.

Beyond victim statistics, the platform also identified the group's primary leak site:

  • zohlm7********************************************2yid.onion

The leak site served as the public face of the operation, hosting victim listings and data disclosures. Rather than ending the investigation with the group's victim count, this onion domain became the next investigative pivot. By tracing the infrastructure connected to the leak portal through StealthMole's Dark Web Tracker, the investigation aimed to determine whether RansomHouse relied on additional websites, communication channels, or supporting infrastructure that could help reconstruct its broader operational ecosystem.

Inside RansomHouse

Pivoting from the leak site into StealthMole's Dark Web Tracker provided a closer look at how RansomHouse presents itself beyond its victim listings. Rather than functioning solely as a repository for leaked data, the website is structured as a centralized platform that explains the group's operating model, manages victim interactions, and facilitates communication with external parties.

At the center of the website are two categories used to organize victims: Evidence and Disclosed. Organizations listed under Evidence have samples of stolen data published as proof of compromise, while those marked as Disclosed have had their full datasets released publicly. This staged approach allows RansomHouse to apply pressure during negotiations before proceeding to a complete disclosure if an agreement cannot be reached.

The website also contains a detailed Frequently Asked Questions (FAQ) section that offers insight into how the group portrays its activities. One of the recurring themes is its attempt to distinguish itself from conventional ransomware operations. Rather than describing itself simply as a group that encrypts systems for financial gain, RansomHouse claims to target organizations with weak cybersecurity practices and presents data disclosure as a consequence of inadequate security rather than the primary objective of the operation.

For affected organizations, the FAQ explains how victims can establish contact, negotiate, or request the removal of published material. It also provides guidance for organizations wishing to purchase their undisclosed data before it is made public, illustrating that the website serves not only as a disclosure platform but also as a negotiation and transaction portal.

Interestingly, RansomHouse also dedicates a section of the website to journalists and researchers. Media representatives are encouraged to contact the group directly for additional information or clarification regarding published breaches, reflecting an effort to shape public reporting around its activities. Alongside its Tor-based infrastructure, the group also advertises alternative communication methods, including an I2P address, providing additional resilience should parts of its infrastructure become unavailable.

Following the Mirrors

With a clearer understanding of how RansomHouse presents itself, the investigation shifted from examining the contents of the website to tracing the infrastructure supporting it. Using the group's primary onion domain as the investigative pivot, StealthMole's Dark Web Tracker revealed that the public leak site represented only a small portion of a much larger network of interconnected services.

One of the first discoveries was the existence of an additional RansomHouse-branded onion domain:

  • xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion

Although no longer active, the domain hosted a mirror of the RansomHouse leak site during its operational lifetime. The preserved records indicate that it remained active throughout 2022 before eventually disappearing. Its discovery suggests that RansomHouse maintained multiple public-facing portals over time, providing redundancy while preserving access to victim disclosures.

As the investigation expanded, StealthMole identified a much broader layer of infrastructure supporting the operation. Rather than storing stolen data directly on the main leak portal, RansomHouse relied on numerous dedicated onion-based file servers to host disclosed datasets. Hundreds of these domains were identified, many of which are now inactive. Examples include:

  • vopa354z4toilkjn4ileaf6rinkzn2givaokvj4yguq5kbiqoulxnzyd.onion
  • m7vtnbsgctdcsccqmpnmi6igg3pcuiliqqqsq6uonkzg4blpa4eysiad.onion
  • nuhnnxg3owawo36mwdffyblbzplhthfswny55mh7yhbxq74en6jihyad.onion
  • q2bwuip5xq4qjn2vyevprcddhk26cigyqfqfu6yki7korjys2rposaad.onion
  • ge74uts2ybu22kzwahiayovxelbq5fwhywl73agev5w4fef2e5ikplid.onion

The use of separate file hosting infrastructure demonstrates a deliberate separation between the group's public leak portal and the servers responsible for distributing stolen data. This layered approach not only improves operational resilience but also allows individual file servers to be rotated or abandoned without disrupting the primary website.

Additional infrastructure was uncovered while examining individual victim disclosures. One example involved Prince George County, where the published disclosure page directed investigators to another onion domain:

  • yvqyd**********************************************raid.onion

The domain appeared to function as another dedicated file server containing the victim's disclosed data, reinforcing the pattern of decentralized data hosting observed throughout the investigation.

Beyond data hosting, StealthMole also identified two onion-based negotiation portals associated with the operation:

  • secxrosqawaefsio3biv2dmi2c5yunf3t7ilwf54czq3v4bi7w6mbfad.onion
  • am26uhnrvhikyekz7h5qgjhv6x4arnzpcr2tw4wxqdg7hw525xs4o2qd.onion

These portals appear to facilitate direct communication between RansomHouse and affected organizations, complementing the public-facing leak site and supporting the negotiation process described within the group's FAQ.

More Than Just a Hash

While the infrastructure analysis revealed how RansomHouse managed its public-facing operations, StealthMole also uncovered a technical artifact that offered another avenue for investigation. Unlike onion domains or communication channels, malware hashes can serve as persistent identifiers, helping investigators associate malicious files with related infrastructure and previously observed activity.

During the investigation, StealthMole identified the following SHA-256 malware hash associated with RansomHouse:

  • efe27717*****************************************6a582

Rather than examining the hash in isolation, it was used as the next investigative pivot. This led to the discovery of another onion domain:

  • jqmxd4j***************************************fktqd.onion

Although the domain appeared in connection with the malware artifact, the available evidence did not conclusively establish that it belonged to RansomHouse. No additional infrastructure, communication channels, or operational artifacts were identified that could confidently attribute the onion service to the group.

For that reason, the domain has been retained as an investigative lead rather than a confirmed component of the RansomHouse ecosystem. Maintaining this distinction is important, particularly in cyber investigations where infrastructure may be shared, repurposed, or coincidentally linked through third-party reporting. Treating every associated artifact as confirmed infrastructure risks creating inaccurate attribution.

Beyond the Onion

By this stage, the investigation had revealed a substantial network of websites, file servers, and negotiation portals supporting RansomHouse's public operations. However, ransomware groups rarely rely on websites alone. Communication platforms often provide a more dynamic view of how these groups announce new victims, interact with followers, and direct users across their infrastructure. With this in mind, the investigation expanded into StealthMole's Telegram Tracker to identify any channels or accounts associated with RansomHouse.

One of the first artifacts identified was the Telegram channel:

  • https://t.me/ransom*******e

The channel primarily served as a public announcement platform, publishing updates on newly disclosed victims while directing users back to the group's onion infrastructure. During its investigation, StealthMole also identified another RansomHouse-branded onion domain referenced through the channel:

  • xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion

Although the domain is now inactive, its discovery further supports the observation that RansomHouse maintained multiple public-facing portals throughout its operation.

The investigation then shifted to another Telegram artifact:

  • https://t.me/R********s

Unlike the announcement channel, this account contained very little publicly available information. No significant digital footprint or public activity was observed, suggesting that it primarily functioned as a point of contact rather than a channel used for publishing operational updates.

Further analysis led to https://t.me/RH****s, which proved to be considerably more active. StealthMole identified both the associated user account @RH******s and the public Telegram channel of the same name. Historical records also showed that the account had changed its username on three separate occasions, indicating that its identity had evolved over time while remaining connected to the group's communication ecosystem.

Within the channel, investigators also identified an invitation to a private Telegram group named RH_Group:

  • https://t.me/+VzR**********DUx

Alongside the invitation, the channel directed users to @RH******s as the primary contact point, illustrating how RansomHouse separated public announcements from direct communication.

Conclusion

What began as a routine review of a ransomware operation in StealthMole's Ransomware Monitoring module quickly evolved into a broader investigation of RansomHouse's digital footprint. Rather than identifying a single leak site, the investigation uncovered an interconnected ecosystem consisting of historical mirror domains, dedicated file servers, negotiation portals, malware artifacts, and a structured Telegram presence that supported the group's public operations.

The findings also highlight an important aspect of cyber threat investigations: the visible leak site is often only one component of a much larger infrastructure. By following each investigative pivot, it was possible to reconstruct parts of RansomHouse's operational ecosystem that are no longer publicly accessible, while also distinguishing verified infrastructure from artifacts requiring further validation. Maintaining this level of attribution discipline is essential, particularly when infrastructure overlaps or redistributed content can easily create misleading associations between unrelated threat actors.

This investigation demonstrates how StealthMole enables analysts to move beyond individual ransomware incidents and develop a broader understanding of how threat actors build, maintain, and adapt their digital infrastructure over time. By connecting historical records, dark web infrastructure, malware artifacts, and communication channels, investigators can reconstruct operational ecosystems that would otherwise remain fragmented across multiple sources.

Editorial Note

Attributing cybercriminal infrastructure is rarely straightforward. Domains are abandoned, communication channels change, and leaked data is frequently redistributed by unrelated actors, making careful validation an essential part of any investigation. This case illustrates StealthMole allows investigators to piece together a more complete picture while avoiding unsupported attribution, reinforcing the importance of evidence-driven intelligence throughout the investigative process.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Labels: ,

The Mosad Playbook: How One Alias Built a Cross-Platform Leak Network

Underground data leak operators rarely rely on a single platform. To reach buyers, build credibility, and keep their content available despite takedowns or forum closures, they often maintain a presence across multiple forums, encrypted messaging platforms, and mirrored communities. What begins as a single leak advertisement can quickly branch into a much larger network of accounts, channels, and communication points that are designed to reinforce one another.

This investigation began with the alias Mosad, an active seller advertising alleged government, military, and law enforcement datasets across several underground forums. Rather than examining the advertised leaks in isolation, the investigation followed the digital trail left behind by the alias itself. By pivoting across forum profiles, Telegram channels, and shared identifiers, it became possible to map a broader ecosystem that extended well beyond individual posts.

The findings show how a single underground identity can establish a coordinated presence across multiple platforms, using interconnected infrastructure to distribute content, promote new leak announcements, and direct users toward associated communities. This report documents that network and demonstrates how following one alias can uncover a much wider operational footprint than initially appears.

Following the First Lead

The investigation began after Mosad was flagged in StealthMole's Suspect Tracker as a database seller. To understand whether the alias was associated with a broader operation, the first step was to search the username across StealthMole's datasets rather than focusing on a single forum post.

An initial search in Leaked Monitoring returned 36 listings published between April and June 2026, many of which advertised alleged government, military, and law enforcement data. Instead of targeting a single country or organization, the listings referenced a wide range of sensitive material, including documents allegedly linked to intelligence agencies, diplomatic communications, defense organizations, and police departments. The volume and consistency of these advertisements suggested that Mosad was maintaining an active presence rather than promoting a one-off leak.

To better understand how these listings were being distributed, one of the advertisements was selected for closer examination. Beyond the advertised dataset itself, the thread contained several communication points, including a Telegram account, along with additional identifiers that could be used to trace the actor across other platforms. Rather than marking the end of the investigation, the forum post became the first pivot into a much larger network.

  • https://darkforums.**/Thread-Selling**********1B-Revenue-FOR-SALE

The First Pivot

The DarkForums thread titled "Selling 80k+ Working Access to Fortune Companies ($1B+ Revenue) FOR SALE" was selected for closer examination as it offered more than a typical marketplace advertisement. While the post promoted access to compromised corporate environments, it also served as a central point for directing prospective buyers toward the actor's preferred communication channels. Unlike many underground listings that simply advertise a product, this thread exposed several operational identifiers that could be used to continue the investigation beyond the forum itself.

The thread was further analyzed using StealthMole's Dark Web Tracker, which extracted the communication points embedded within the page. The following identifiers were recovered:

  • Telegram: https://t.me/m*********d
  • Jabber: c******@jabber.fr
  • Session ID: 0520*************************************15c696b
  • TOX ID: AA39*******************************************5007

The thread also reflected a posting style that appeared repeatedly throughout the investigation. In addition to the sale advertisement, it included preview material intended to demonstrate the value of the offering, a consistent profile image associated with the alias, and clearly defined communication channels for buyer engagement. These recurring elements suggested that the advertisement was part of a structured operational approach rather than an isolated forum post.

At this stage, the communication identifiers themselves were more valuable than the advertised dataset. Each represented a potential pivot into another platform or service, allowing the investigation to move beyond individual forum advertisements and begin reconstructing the broader infrastructure supporting the Mosad alias.

One Alias, Many Forums

The communication identifiers recovered from the initial DarkForums advertisement became the next investigative pivot. Using StealthMole's Dark Web Tracker, the username mosad was searched across indexed underground forums to determine whether the actor maintained additional identities or advertisements elsewhere.

The search revealed that the same alias maintained a widespread presence across multiple underground communities. Rather than operating from a single marketplace, Mosad was found advertising alleged government, military, intelligence, and law enforcement datasets while maintaining profile pages across numerous forums.

  • https://shieldforum.***/members/mosad****/
  • https://demonforums.****/mosad
  • https://spear.**/***mosad
  • https://pwnforums.**/****mosad
  • https://breachforum.**/***mosad
  • https://breached.**/***mosad
  • https://breached.**/members/mosad***/
  • https://darkforums.**/**mosad
  • https://raidforums.***/****mosad

The same search also uncovered advertisements distributed across multiple underground forums, including:

  • https://shieldforum.***/threads/rus-secret-fsb-ukraine*******25/
  • https://breached.**/threads/rus-secret-fsb-ukraine***********35/
  • https://darkforums.**/Thread-DATABASE-USA-New-York**********LEAK
  • https://spear.**/Thread-Free-NATO**********************GREENLAND
  • https://pwnforums.**/Thread-DOCUMENTS************************LEAK
  • https://xforums.**/threads/usa-virginia***********************25/

Across these posts, several recurring characteristics emerged. The advertisements consistently focused on alleged government, military, intelligence, and law enforcement material, while the same profile image and @mosad branding appeared repeatedly. Sample images of the purported datasets were also embedded within several listings, including documents presented as classified South Korean defense material bearing repeated @mosad watermarks. Together, these recurring artifacts reinforced the consistency of the alias across otherwise independent underground communities.

Following the Breadcrumbs

The investigation did not end with the forum advertisements. Several of the recovered artifacts pointed directly to Telegram, suggesting that the forums were primarily being used to attract attention, while communication and content distribution continued elsewhere. Each Telegram identifier recovered during the previous stage was used as a new investigative pivot within StealthMole's Telegram Tracker.

The first pivot began with the Telegram account advertised in the DarkForums thread:

  • Telegram: https://t.me/m*********d

From there, the investigation identified an interconnected network of Telegram channels and communities associated with the alias.

Telegram infrastructure identified during the investigation:

  • Mosad Leaks
    • https://t.me/B*********h

  • Mosad Intelligence Agency
    • https://t.me/be************e
    • Also advertised as: https://t.me/d*****r

  • InsideMossad
    • https://t.me/*********d

  • Telegram Chat Folder
    • https://t.me/addlist/**************k
    • Folder title: Mosad Groups

Rather than operating independently, these Telegram assets consistently referenced one another. The Mosad Groups chat folder bundled the three primary Telegram assets into a single subscription folder, allowing users to join the actor's entire communication ecosystem in one step.

This same chat folder was repeatedly embedded within multiple underground forum advertisements, alongside download links and community invitations, indicating that it formed a deliberate part of the actor's distribution strategy rather than serving as an isolated Telegram feature.

Further examination of the Telegram channels revealed additional communication artifacts that had not appeared during the initial forum analysis.

Additional identifiers recovered from Telegram included:

  • Matrix: @m*******g:matrix.org

The investigation also confirmed the continued use of previously identified communication points across the Telegram ecosystem:

  • Telegram: @mosad
  • Jabber: calimao@jabber.fr
  • Session ID: 052009b60169e247022a0f929a8a698d8551655e936cbc0103fd59d9e8315c696b
  • TOX ID: AA397F6879FEC8A52CCDFEC3F4B816E61F0104E6D0FEB3AFD5D29B918A2A0232A5011FB15007

Rather than introducing new identifiers for each platform, the repeated use of the same communication artifacts across forum advertisements and Telegram channels strengthened the attribution of these assets to the same operational identity. Instead of functioning as separate communication channels, the forums and Telegram infrastructure appeared to reinforce one another, creating a consistent pathway for buyers to move from public advertisements into the actor's broader ecosystem.

A Network That Reinforces Itself

By this stage of the investigation, it had become clear that Mosad's infrastructure extended beyond maintaining accounts on multiple forums or operating several Telegram channels. Instead, the various platforms functioned as a coordinated ecosystem, with each reinforcing the others and directing users toward additional communication channels.

One of the strongest indicators of this coordination was the user Telegram account, which appeared consistently throughout the investigation. The same account was advertised within forum posts, referenced across multiple Telegram channels, and identified within the InsideMossad community. The account also reused the same profile image that appeared across the actor's underground forum profiles, providing a consistent visual identity regardless of platform.

Within the InsideMossad community, the actor also promoted additional underground profiles, further expanding the identified infrastructure.

Forum profiles shared directly by the actor included:

  • https://darkforums.***/*****mosad
  • https://spear.***/******mosad
  • https://leakforum****/mosad
  • https://patched**/User/mosad****y
  • https://voided.***/mosad

Unlike profiles discovered through independent searching, these accounts were promoted directly from the actor's own Telegram community, strengthening the association between the various identities.

The investigation also identified a PGP-signed announcement published within the Mosad Intelligence Agency channel stating that m*****d was the only Telegram account the actor intended to use. While the signature itself was not independently verified during this investigation, the statement demonstrated an effort to establish a single trusted communication channel and reduce the risk of impersonation.

The investigation revealed a deliberate operational model. Underground forums were used to publish advertisements and attract potential buyers, while Telegram served as the primary communication hub through dedicated channels, community discussions, and centralized contact points. Rather than existing as isolated assets, the forums, Telegram channels, chat folder, and recurring communication identifiers formed a self-reinforcing network that allowed the Mosad alias to maintain a consistent presence across multiple underground platforms.

Conclusion

What began as the investigation of a single database seller evolved into the mapping of a coordinated cross-platform infrastructure. Starting with an alias identified in StealthMole's Suspect Tracker, each successive pivot revealed another layer of the actor's operational footprint, extending from underground forum advertisements to interconnected Telegram channels, community groups, and recurring communication identifiers.

Rather than relying on a single marketplace or communication platform, Mosad maintained a distributed presence that allowed advertisements, user profiles, and messaging channels to reinforce one another. Consistent branding, repeated contact identifiers, and self-promoted profiles created a recognizable digital identity that persisted across multiple underground communities. While the authenticity of the advertised datasets was outside the scope of this investigation, the infrastructure supporting the alias was both extensive and consistently maintained.

This investigation demonstrates how seemingly routine marketplace advertisements can provide the starting point for uncovering a much broader operational ecosystem. By correlating forum activity, messaging platforms, and shared identifiers, StealthMole transformed a single alias into a detailed map of the actor's cross-platform presence, providing analysts with a clearer understanding of how underground operators build visibility, maintain communication, and extend their reach beyond any single platform.

Editorial Note

Attribution within underground communities is rarely straightforward. Threat actors frequently reuse aliases, migrate between platforms, and adopt new communication channels to maintain their presence or avoid disruption. While no single artifact is sufficient to establish attribution on its own, correlating multiple independent indicators can reveal meaningful relationships that would otherwise remain hidden.

This investigation highlights how StealthMole's ability to connect data across forums, Telegram, and other underground sources helps analysts move beyond isolated observations and develop a more complete understanding of an actor's operational footprint.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com



Labels: ,

Selling Success: Inside the Telegram Network Behind Alleged NEET Paper Leaks

The National Eligibility cum Entrance Test (NEET) is India's largest medical entrance examination and serves as the primary gateway for admission to undergraduate medical and dental programs across the country. Every year, millions of students compete for a limited number of seats, making the examination one of the most competitive and closely watched in India.

That immense demand has also made NEET a recurring target for fraud. In the weeks leading up to the examination, social media platforms and messaging applications are frequently flooded with claims of leaked question papers, guaranteed answer keys, and offers promising access to the exam before test day. While many of these claims ultimately prove to be scams, allegations of genuine paper leaks have surfaced repeatedly over the years, blurring the line between opportunistic fraud and potentially organized criminal activity.

Against this backdrop, StealthMole identified a Telegram-based network actively promoting alleged NEET paper leaks ahead of the examination. What initially appeared to be a single advertisement soon developed into a broader investigation, revealing interconnected channels, recurring promotional tactics, and historical digital footprints that persisted even after some accounts had been removed from the platform.

This report examines that ecosystem, tracing the actors, infrastructure, and promotional strategies used to market alleged leaked examination papers while demonstrating how historical Telegram intelligence can help reconstruct online activity that might otherwise have disappeared.

Selling the Dream

The investigation was prompted by renewed public attention surrounding the NEET paper leak controversy in India. As allegations and media reports once again brought examination security into the spotlight, the objective was straightforward: to determine whether these discussions had left a measurable footprint within Telegram's underground communities and whether any actors were actively attempting to exploit the situation.

Using StealthMole's Telegram Tracker, initial searches for keywords such as "NEET" and "Exam" returned thousands of messages. Most consisted of news coverage, public discussions, and students debating the controversy. Buried among them, however, were a series of advertisements claiming to offer access to the NEET question paper before the examination. Rather than appearing as isolated posts, these messages surfaced repeatedly across different Telegram communities, each directing prospective buyers towards dedicated contact points or channels.

As the advertisements were reviewed more closely, recurring patterns began to emerge. Different accounts used remarkably similar language, promising "100% paper matches," advertising limited booking slots, and encouraging students to move into private conversations to complete transactions. Although none of these claims could be independently verified, the consistency of the messaging suggested a coordinated promotional effort rather than spontaneous opportunistic posts.

What began as a simple attempt to gauge the underground reaction to a high-profile national controversy quickly evolved into a broader investigation. Each new contact, channel, and advertisement opened another path to follow, gradually revealing that the alleged sale of leaked examination papers was part of a much larger Telegram ecosystem than initially expected.

Following the Advertisements

The initial advertisements uncovered through StealthMole's Telegram Tracker quickly demonstrated that the campaign extended beyond simple claims of leaked examination papers. Although different accounts were responsible for posting the messages, the advertisements followed a remarkably consistent pattern, suggesting that similar marketing tactics were being reused across multiple Telegram communities.

One of the earliest advertisements was identified in the Telegram channel PEER 2 PEER EXCHANGE, where a user publicly invited anyone interested in obtaining the NEET examination paper to contact a dedicated Telegram account.

  • Telegram Channel: https://t.me/E*******p
  • Message: "KISIKO NEET EXAM KA QUESTION PAPER CHAIYE TOH DM KARO"
    • Translation: Who wants NEET Exam question paper, DM me
  • Contact Identifier: @Neet********7

Rather than relying on a single promotional message, the campaign continued with increasingly aggressive claims. In subsequent posts, the same campaign publicly challenged India's National Testing Agency (NTA), dismissing official assurances that the RE-NEET examination paper would remain secure. One message openly declared that the authorities would be unable to prevent another leak before ending with an "Open Challenge" directed at the NTA.

The campaign did not stop at challenging the authorities. Additional advertisements introduced familiar scarcity tactics intended to create urgency among prospective buyers. Messages repeatedly claimed that bookings had opened, that only a limited number of students would receive the paper, and that interested candidates should secure their place before registrations closed. Several posts also promised that the examination paper would be delivered shortly before the exam while advertising a "100% Paper Match" guarantee.

Across different Telegram groups, the wording changed slightly, but the underlying message remained consistent. Prospective buyers were encouraged to move away from public discussions and contact specific Telegram accounts directly, suggesting that negotiations and transactions were intended to take place privately rather than within the public groups where the advertisements were originally posted.

As additional identifiers were investigated, the campaign continued to expand into other Telegram communities, revealing that the advertisements were being circulated by multiple accounts rather than remaining confined to a single group or operator. This marked the first indication that the investigation was dealing with a broader promotional network rather than isolated attempts to exploit public interest surrounding the NEET controversy.

Raghav: A Campaign Across Communities

One of the earliest actors to emerge from the investigation operated under the display name "RAGHAV SIR." Raghav did not rely on a dedicated Telegram channel to promote alleged examination papers. Instead, the campaign was distributed across multiple Telegram communities, allowing the advertisements to reach audiences already engaged in underground trading and illicit services.

StealthMole identified two separate Telegram user IDs using the RAGHAV SIR branding. While both accounts shared similar naming conventions and promoted alleged RE-NEET examination papers using comparable messaging, the available evidence is insufficient to conclude whether they belonged to the same individual or represented multiple operators using a common identity. For this reason, they are treated as related identities operating under the same promotional persona.

Observed Telegram User IDs

  • RAGHAV SIR: 8628584329
  • RAGHAV SIR NEET: 8494718439

Raghav's activity was spread across existing Telegram communities, including PEER 2 PEER EXCHANGE and MJ Trusted Market. This approach significantly increased the visibility of the advertisements by placing them alongside other underground services rather than restricting them to a single audience.

The investigation also showed that alleged NEET paper leaks represented only one aspect of the account's activity. Messages attributed to the RAGHAV SIR branding advertised a variety of unrelated products and services, including gift cards, iPhone unlock codes, and financial offers. This broader activity suggests that the operator was already active within Telegram's underground trading ecosystem and incorporated examination-related fraud into an existing portfolio of illicit advertisements rather than creating a campaign dedicated solely to NEET.

This distinction is important. Instead of investing in dedicated infrastructure, Raghav appeared to rely on visibility within established underground communities, adapting promotional content according to demand. The approach required little infrastructure while providing access to audiences already familiar with illicit transactions, making Telegram groups an effective distribution channel for alleged examination paper advertisements.

Although Raghav's campaign demonstrated how existing underground communities could be leveraged to promote alleged paper leaks, another investigative pivot uncovered a markedly different approach. Rather than operating across multiple communities, a second actor had established a dedicated Telegram channel devoted almost entirely to marketing alleged NEET examination papers, signalling a more structured and persistent operation.

Abhishek: Building a Dedicated Marketplace

While Raghav's campaign relied on visibility across established Telegram communities, another investigative pivot revealed a more structured operation centred around a dedicated Telegram channel. Instead of promoting alleged examination papers within unrelated groups, the operator concentrated promotional activity within a single space, creating an environment focused almost entirely on attracting prospective NEET candidates.

The investigation identified the Telegram account @abhimishra0345, which repeatedly directed users towards a dedicated Telegram channel named "Neet Paper Leaked 🚀." Unlike the distributed promotional strategy observed earlier, this channel functioned as a central hub where advertisements, updates, and recruitment messages were published on a regular basis.

Telegram Account

  • @abhimishra0345

Telegram Channel

  • https://t.me/r***************d

Channel Name

  • NEET Paper Leaked

Analysis of the channel showed that it was maintained as more than a simple advertisement board. Posts were published over an extended period, gradually building anticipation ahead of the examination. Rather than repeatedly sharing identical messages, the operator maintained an active campaign by announcing booking periods, reminding students of approaching deadlines, publishing updates for prospective buyers, and regularly encouraging users to contact the account directly.

One notable characteristic of the operation was its attempt to portray itself as an organised service rather than an anonymous seller. Alongside promotional posts advertising alleged examination papers, the operator published announcements relating to admissions, frequently responded to concerns about scams, and attempted to distinguish the channel from competing actors targeting NEET candidates. This consistent branding created the appearance of an established operation rather than a short-lived promotional campaign.

The investigation also revealed that the channel's activity remained highly focused on examination-related fraud. Unlike Raghav, whose advertisements appeared alongside a variety of unrelated underground services, Abhishek's operation revolved almost exclusively around NEET, allowing the channel to cultivate a dedicated audience interested in examination papers rather than general illicit trading.

This shift from distributed advertisements to a dedicated promotional channel marked an important evolution in the investigation. It suggested that while some actors leveraged existing underground marketplaces to reach potential buyers, others invested in maintaining their own infrastructure, giving them greater control over branding, messaging, and long-term engagement with prospective customers.

Manufacturing Credibility

Simply advertising alleged examination papers was not enough to convince prospective buyers. As the investigation progressed, it became evident that operators invested considerable effort in presenting themselves as credible and trustworthy, employing a range of psychological techniques designed to reduce hesitation and encourage students to engage privately.

One of the clearest examples was observed within the Neet Paper Leaked channel, where promotional messages were supplemented with screenshots presented as conversations with previous buyers. These posts portrayed individuals thanking the operator, claiming that the supplied papers matched the examination, and expressing satisfaction with the outcome.

Although the authenticity of these conversations could not be independently verified, they served an important purpose within the campaign. Rather than asking prospective buyers to rely solely on promotional claims, the operator attempted to create the appearance of a proven track record by showcasing what appeared to be successful transactions and satisfied customers.

Credibility was reinforced further through carefully staged promotional messages addressing common concerns raised by prospective buyers. Posts repeatedly assured students that the examination paper would be delivered before the exam, explained booking procedures, responded to questions regarding payment, and attempted to distinguish the channel from competing actors by warning users about scammers operating on Telegram.

The warnings about competing scammers were particularly noteworthy. Rather than discouraging participation altogether, the operator encouraged students to avoid "fake" sellers while portraying the channel as a reliable alternative. This approach positioned the operator as a trusted intermediary within an already crowded marketplace, allowing concerns about fraud to become part of the marketing strategy itself.

Another recurring tactic involved presenting the operation as an organised service rather than an anonymous transaction. References to booking windows, structured payment processes, and ongoing updates created the impression of an established operation with repeat customers and defined procedures. Whether genuine or fabricated, these elements worked together to reinforce the perception that prospective buyers were dealing with a long-standing service rather than a newly created Telegram account.

These findings suggest that the campaign relied on far more than bold claims about leaked examination papers. It systematically combined urgency, exclusivity, social proof, and anti-scam messaging to build credibility before attempting to convert interested students into paying customers.

What Historical Indexing Revealed

As the investigation progressed, attention shifted from the promotional campaign itself to the digital footprints left behind by its operators. One of the most valuable findings emerged when the Telegram account associated with the Neet Paper Leaked channel was revisited. By the time of the investigation, the account had already been deleted from Telegram, eliminating the profile that prospective buyers would have originally interacted with.

Ordinarily, the removal of an account would also erase much of the contextual information surrounding its activity. However, StealthMole's historical Telegram indexing preserved earlier snapshots of the profile, allowing the investigation to reconstruct details that were no longer publicly accessible.

Current Account Status

  • Telegram Account: @abhimishra0345
  • Current Status: Deleted

Historical Profile Information

  • First Name: Abhishek
  • Telegram ID: 5448350989

Historical Biography

  • https://t.me/r*********************d

The historical profile data established a direct connection between the deleted account and the promotional channel previously identified during the investigation. While the live Telegram profile had disappeared, its earlier biography still contained a reference to the Neet Paper Leaked channel, strengthening the attribution between the operator and the campaign.

Historical indexing also preserved messages that were no longer easily discoverable through Telegram itself. These records showed that the account had actively promoted alleged examination papers across multiple Telegram communities, announced booking periods, published campaign updates, and encouraged prospective buyers to join the dedicated channel throughout the promotional period.

Rather than representing isolated remnants of deleted content, these historical artifacts enabled the investigation to reconstruct the evolution of the campaign after its public infrastructure had begun to disappear. This proved particularly valuable because it demonstrated that the removal of a Telegram account does not necessarily eliminate the surrounding intelligence. Historical records can continue to reveal relationships between accounts, channels, and promotional activity long after individual profiles have been removed from public view.

In this case, historical Telegram intelligence did more than recover deleted information. It helped preserve the operational context of the campaign, connecting a deleted operator profile to an active promotional channel and providing a more complete picture of how the alleged examination paper advertisements were organized and maintained over time.

Conclusion

What began as a simple search to determine whether the latest NEET paper leak controversy had generated activity within Telegram quickly developed into a much broader investigation. Rather than uncovering isolated advertisements, the investigation revealed a network of Telegram communities where alleged examination papers were repeatedly promoted using recurring marketing strategies, multiple operator identities, and carefully constructed credibility-building techniques.

The investigation identified two distinct operational approaches. One actor relied on established underground communities to distribute promotional messages across multiple groups, while another maintained a dedicated Telegram channel focused almost exclusively on attracting prospective NEET candidates. Although no evidence was found to confirm that genuine examination papers were ever obtained or distributed, the investigation documented a structured campaign that systematically exploited examination anxiety through urgency, scarcity, and social proof.

These findings demonstrate that Telegram continues to provide fertile ground for actors seeking to profit from high-profile examination controversies. More importantly, they illustrate how historical intelligence, behavioral analysis, and careful correlation of digital artifacts can transform scattered advertisements into a coherent picture of the infrastructure and tactics supporting such campaigns.

Editorial Note

Investigations involving online fraud and underground communities rarely produce complete or definitive attribution. Identities change, accounts disappear, and campaigns evolve rapidly. This case demonstrates how StealthMole's historical intelligence and artifact correlation capabilities enable analysts to reconstruct activity, uncover meaningful connections, and investigate evolving campaigns with greater confidence.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Labels: ,

Following the Trail of Anubis: Forums, Onion Sites, and the Rise of a Ransomware Operation


Some ransomware operations appear suddenly. A new name surfaces, victims begin to appear, and attention quickly shifts to the impact of the attacks. What often goes unnoticed is everything that happens before that point.

Behind every ransomware operation is a period of growth. Infrastructure is built, relationships are formed, and an online presence gradually takes shape across corners of the internet that most people never see. Traces of that activity are often scattered across forums, hidden services, and other platforms, leaving behind a digital trail that can reveal how an operation evolved long before it gained wider attention.

This investigation follows that trail.

Using StealthMole, a series of seemingly unrelated discoveries led to a deeper examination of Anubis, a ransomware operation that has steadily expanded its presence across the underground ecosystem. What began as a routine inquiry soon developed into a broader effort to understand how the operation established itself, promoted its services, and grew its network over time.

The sections that follow reconstruct that journey, tracing the digital footprint left behind by Anubis and the individuals operating under its banner.

Following the First Lead

The investigation began after Anubis published a ransomware listing targeting a South Korean company operating in the semiconductor and industrial equipment sector. The victim entry was identified through StealthMole's Ransomware Monitoring module and directed visitors to a dedicated page hosted on the group's leak platform:

  • om6q4a*********************************u4aqd.onion/

At first glance, the listing appeared similar to many ransomware leak posts regularly published across the dark web. However, rather than focusing solely on the victim, the investigation turned toward the operation responsible for publishing the claim.

A broader search for Anubis within StealthMole's Ransomware Monitoring module revealed that the group had publicly listed 83 victims between February 2025 and June 2026, suggesting that the latest attack was part of a much larger operation. Additional searches across StealthMole's monitoring datasets uncovered references to the same leak infrastructure in connection with other organizations, including a US county, further indicating that the operation had maintained an active presence for an extended period.

While the victim listings provided a starting point, they offered only a limited view of the operation itself. To better understand who was behind Anubis and how the group had established its presence, the investigation shifted beyond the leak site and began tracing the digital footprint surrounding the operation. That search soon led to a recurring identity that appeared across multiple underground platforms.

The Emergence of Anubis Media

As the investigation moved beyond victim listings and into the wider footprint surrounding Anubis, one name began appearing repeatedly across multiple platforms: Anubis Media.

The earliest discovery was an account on the XSS forum, registered on 16 November 2024 under the profile:

  • https://xss.***/members/4*****8/

The account's profile description translated to "We convey information," a message that would later align closely with the branding and public image promoted by the Anubis operation. At the time, however, there was little to suggest how significant this persona would become.

Further investigation uncovered the same identity across multiple underground communities, including:

  • https://breachforums.**/User-Anubis-media
  • https://breachforums.**/User-Anubis-media
  • https://breachforums.**/User-Anubis-media

Rather than appearing as isolated registrations, these accounts demonstrated a consistent effort to establish a recognizable presence across several well-known cybercriminal forums.

The same branding also appeared outside traditional forum environments. An X account operating under the handle Anubis*****a was identified at:

  • https://x.com/Anubis******a

The account was used to publish updates related to the operation, share infrastructure announcements, and promote content associated with the Anubis brand.

It remained unclear whether Anubis Media represented a single operator, a spokesperson, or a broader public-facing identity used by the group. What was clear, however, was that the name appeared consistently across multiple platforms and increasingly served as a common thread connecting disparate pieces of the investigation.

As additional findings emerged, Anubis Media would become closely associated with the promotion of services, recruitment efforts, and infrastructure linked to the Anubis operation.

Building a Presence Across the Underground

The growing presence of Anubis Media across multiple platforms was accompanied by a steady stream of advertisements promoting various services associated with the operation. These posts provided a clearer view of how the group was attempting to establish itself within the underground ecosystem and attract potential partners.

One of the earliest examples was identified on ReHub:

  • https://rehubcom.***/threads/*****/

The post advertised a corporate access monetization program built around a profit-sharing model. Similar advertisements were later discovered on several BreachForums instances as well as mirrored versions.

  • https://breachforums.**/Thread********monetization-50-50-Earn

The advertisements sought individuals with access to corporate environments and invited them to collaborate with the operation under a 50/50 revenue-sharing arrangement. According to the posts, preferred targets included organizations located in the United States, Canada, Europe, and Australia. The advertisements specifically referenced access types such as VPNs, RDWeb deployments, Citrix environments, remote code execution opportunities, and other forms of corporate network access.

The same activity was not limited to a single forum. Similar recruitment efforts were identified on XSS, where the Anubis Media persona promoted access monetization services to another underground audience. The repeated appearance of these advertisements across multiple communities suggested a deliberate effort to expand the operation's network of partners rather than relying solely on internally obtained access.

At this stage, the investigation revealed an operation focused not only on public visibility but also on building relationships within the cybercriminal ecosystem. The recurring recruitment campaigns indicated that Anubis was actively seeking opportunities to acquire access, attract collaborators, and increase its operational reach.

While these advertisements demonstrated how the operation sought to expand, they also raised another question. What services were those partners ultimately being recruited to support? The answer emerged through a separate set of posts that revealed the group's ransomware ambitions.

From Leak Operation to Ransomware Program

The purpose behind Anubis' recruitment efforts became clearer following the discovery of a dedicated thread on the RAMP forum:

  • https://ramp4u.**/threads/data-ransom-ransomware-anubis*****

Created by the user superSonic on 23 February 2025, the post provided one of the earliest detailed descriptions of the services being offered under the Anubis brand. Notably, the timing closely aligned with the emergence of the group's leak infrastructure, suggesting that the operation's public-facing presence and recruitment efforts developed in parallel.

Rather than advertising a single service, the RAMP post presented Anubis as a multi-faceted operation built around two primary offerings: ransomware and data extortion.

The ransomware component promoted support for Windows, Linux, NAS, and ESXi environments while highlighting features designed to maximize operational impact. The advertisement described capabilities such as network-wide deployment, privilege escalation, shadow copy removal, and disruption of virtualized environments. The post also referenced multiple encryption modes, including a "Lite Locker" option and a destructive wipe mode.

Alongside the ransomware offering, the thread introduced a separate "Data Ransom" model. Unlike traditional ransomware campaigns that rely on encryption, this service focused on monetizing stolen corporate information. Individuals in possession of sensitive company data were invited to collaborate with the operation, allowing Anubis to leverage its existing infrastructure and publicity channels to pressure victims and generate revenue from leaked information.

This distinction proved particularly significant. The model suggested that Anubis was not solely dependent on ransomware deployments to generate income. Instead, the operation appeared willing to profit from both network intrusions and independently acquired datasets, broadening the range of opportunities available to potential partners.

The RAMP advertisement also outlined preferred target regions, including the United States, Canada, Europe, and Australia. At the same time, the post stated that organizations associated with government, education, non-profit sectors, BRICS countries, and former Soviet states were excluded from the group's stated targeting criteria.

By this stage of the investigation, Anubis no longer appeared to be simply a ransomware leak site or a collection of forum profiles. The evidence pointed toward an operation actively recruiting affiliates, acquiring access opportunities, and promoting multiple revenue streams under a single brand.

As the investigation continued, attention shifted from the services being advertised to the infrastructure supporting them.

Mapping the Anubis Infrastructure

The investigation's next phase focused on the infrastructure supporting the Anubis operation. Using StealthMole's Dark Web Tracker, multiple pages associated with the group's leak platform were identified, including dedicated sections for news, rules, frequently asked questions, and operational information.

At the center of this infrastructure was the group's primary leak site:

  • om6q4a6*************************************4aqd.onion

The site served as the public-facing hub for the operation, hosting victim listings, announcements, and guidance for both affected organizations and prospective collaborators. Several of the pages contained contact information and references that helped connect the infrastructure to identities previously identified during the investigation.

One of the most significant findings appeared within the Rules section, where the operation publicly provided multiple communication channels:

  • qTox ID: 354217********************************************948F
  • Email: anu*****t@onionmail.org
  • PGP Fingerprint: D59C**********************5A1

The same page also directed visitors to several forum profiles previously encountered during the investigation, including the RAMP account associated with superSonic and the Anubis Media presence on underground forums. These references provided an important bridge between the operation's infrastructure and its public recruitment activities.

Further examination of the platform revealed that Anubis had invested in maintaining a structured and regularly updated environment rather than a simple victim listing page. Sections dedicated to operational announcements, leak publications, and user guidance suggested an effort to create a recognizable and persistent presence within the underground ecosystem.

Additional infrastructure surfaced through the group's X account, which announced a new onion domain on 12 June 2025:

  • anubis*************************************y6ad.onion

The domain was described as a "New Node DLS." While the service appeared inactive or under maintenance at the time of investigation, the announcement provided evidence that the operation was actively expanding or maintaining additional infrastructure beyond its primary leak platform.

These findings revealed an operation that had developed far beyond a single leak site. The infrastructure connected communication channels, forum identities, victim publications, and operational announcements into a unified ecosystem supporting the broader Anubis brand.

Public Messaging and Brand Development

While the technical infrastructure provided insight into how Anubis operated, the content published across its platforms offered a different perspective into how the group wanted to be perceived.

Throughout the investigation, the Anubis operation consistently avoided presenting itself solely as a ransomware group. Instead, references across its leak platform, forum accounts, and social media presence repeatedly emphasized themes more commonly associated with information publishing and disclosure.

This approach was particularly visible through the Anubis Media identity, which appeared across multiple underground platforms and served as the public-facing voice of the operation. The account maintained a presence on X, BreachForums, XSS, and other communities, regularly promoting updates, services, and infrastructure associated with the Anubis brand.

The operation's About page reinforced this image by describing Anubis as a media-focused platform dedicated to publishing information. Similar messaging appeared elsewhere throughout the ecosystem, including the XSS profile description associated with Anubis Media, which stated: "We convey information."

The same narrative extended to the FAQ section of the leak platform. In addition to addressing victim inquiries, the page openly invited communication from individuals possessing unpublished corporate information and offered collaboration opportunities involving exclusive data. Separate sections also encouraged engagement from journalists and media representatives interested in discussing leaked information.

These findings suggest that Anubis was deliberately cultivating an identity that extended beyond traditional ransomware activity. Rather than presenting itself exclusively as an extortion operation, the group consistently incorporated media-oriented language into its public communications, recruitment efforts, and platform design.

Whether this branding strategy was intended to attract partners, increase visibility, or distinguish the operation from competing groups remains unclear. However, the consistency of the messaging across multiple platforms indicates that it formed a deliberate part of the Anubis identity rather than an isolated marketing effort.

Conclusion

What began with a single victim listing ultimately revealed a much broader operation. By following the trail left across ransomware monitoring data, underground forums, social media accounts, and onion services, the investigation uncovered an ecosystem that extended well beyond a conventional leak site.

The findings show that Anubis invested considerable effort into establishing its presence across the underground landscape. Recruitment campaigns, access monetization programs, dedicated infrastructure, and the recurring appearance of the Anubis Media persona all point to an operation focused not only on conducting attacks but also on expanding its reach and visibility within cybercriminal communities.

While many ransomware groups become visible only after victims begin appearing on their leak sites, the Anubis case demonstrates the value of examining the activity that occurs behind the scenes. Long before an operation gains wider attention, traces of its development can often be found across the platforms, services, and communities that support its growth. By connecting those traces, it becomes possible to build a more complete understanding of how an operation evolves and positions itself within the broader ransomware ecosystem.

Editorial Note

Cybercriminal operations rarely emerge fully formed. Long before victims appear on leak sites or attacks attract public attention, traces of an operation's growth can often be found across forums, hidden services, recruitment posts, and other pieces of digital infrastructure.

While the findings presented in this report are based on artifacts identified during the investigation, attribution in cybercrime investigations is rarely absolute, and online identities can be shared, abandoned, or deliberately misleading. This case highlights how StealthMole can help investigators navigate that uncertainty by connecting information across multiple sources, enabling a clearer view of how an operation develops and establishes itself within the underground ecosystem.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Labels: ,

Learn more about StealthMole

Talk to our team of experts today to learn how you can manage your dark web exposure.
Request demo More Reports

Share this report