A financially motivated threat actor known as Lionishackers has emerged as a significant player in the illicit marketplace for corporate data in recent months.<\/p>\n
Leveraging opportunistic targeting and a preference for Asian-based victims, the group employs automated SQL injection tools to breach database servers, exfiltrate sensitive records, and list them for sale on underground forums and Telegram channels.<\/p>\n
Though not overtly ransomware-based, their model reflects a form of \u201cdouble extortion\u201d by monetizing stolen data directly rather than encrypting and demanding payment for decryption.<\/p>\n
Outpost24 analysts noted that Lionishackers initially surfaced in September 2024, quickly establishing a reputation through proof-of-compromise screenshots and sample excerpts shared across multiple underground platforms.<\/p>\n
The group\u2019s communication strategy involves maintaining numerous forum aliases\u2014each tied to identical Telegram contact information\u2014thereby evading long-term attribution while preserving buyer outreach.<\/p>\n
Their services have diversified beyond corporate records to include social media and email credential databases, as well as ancillary offerings such as DDoS botnets and forum hosting projects.<\/p>\n
As Lionishackers\u2019 activity accelerated, their impact on targeted organizations became increasingly apparent. Victims span government bodies, telecommunications firms, pharmaceutical companies, educational institutions, retail chains, and notably, gambling sites.<\/p>\n
Data sets exfiltrated have included personally identifiable information (PII), financial records, and authentication credentials\u2014elements readily exploited for identity theft, account takeover, or corporate espionage.<\/p>\n
The group\u2019s tactics underscore the growing potency of database-focused cybercrime, which can inflict profound reputational and financial harm without deploying traditional ransomware.<\/p>\n
Outpost24 researchers identified<\/a> that the group\u2019s specialization in SQL-based attacks and reliance on widely available automation frameworks enable rapid compromise and scaling.<\/p>\n The transition from isolated database sales to additional offerings\u2014such as the Ghost botnet for network-layer DDoS\u2014demonstrates their evolving criminal enterprise.<\/p>\n A Telegram advertisement showcasing Ghost\u2019s capabilities. While the short-lived \u201cStressed Forums\u201d project launched amid law enforcement scrutiny of BreachForums<\/a>.<\/p>\n A closer examination reveals that Lionishackers primarily exploit SQL injection<\/a> vulnerabilities in poorly configured web applications.<\/p>\n By leveraging tools like SQLmap, they automate reconnaissance and payload delivery.<\/p>\n A typical injection sequence observed by Outpost24 follows:-<\/p>\n This command probes for injectable parameters, enumerates databases, and extracts table contents.<\/p>\n Once credentials are retrieved, the attackers often reuse valid login information to pivot deeper into internal networks<\/a>.<\/p>\n Persistence is achieved through the deployment of lightweight backdoors\u2014frequently simple web shells<\/a>\u2014hidden in temporary directories or disguised as innocuous update scripts.<\/p>\n These shells facilitate ongoing data pulls and serve as fallback access points if the initial vulnerability is patched.<\/p>\n By understanding Lionishackers\u2019 automation-driven SQL injection workflow and their nimble alias rotation across forums, defenders can prioritize application firewall<\/a> rules, enhance query parameterization, and implement continuous monitoring for anomalous database access patterns.<\/p>\n Integrate\u00a0ANY.RUN TI Lookup<\/strong>\u00a0with your SIEM or SOAR To Analyses Advanced Threats<\/strong>\u00a0->\u00a0Try 50 Free Trial Searches<\/a><\/strong><\/p>\n The post Lionishackers Threat Actors Exfiltrating and Selling Corporate Databases on Dark Web<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjID4n7PHUDQ1_rtqcbARXw-LcWEPAYW6cJbNX7zU9n4a51uqjaB3kGWXUAHroIejjFPc7BWTFgP0UcyHUiw4OfYjX_gzIYnnC6YGF1qqSygPN-PBhyphenhypheneaZL3VxFrDJWmImsbypAhfed9_o71XZYQ-haznDM90D14xXC40eW4IYQFXTjr4xrwCbCQMYDHoA\/s16000\/Lionishackers%2520commercializing%2520the%2520Ghost%2520botnet%2520in%2520Telegram%2520%28Source%2520-%2520Outpost24%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEipTI3pqG23MqoSSuTeASdqdofJC5NWrsDBBOS7p4KHPg-YxDY_8tl7k6C4IDIbi6sM4aF3nyPGm8GDTDtdL39JiK0oePKZ91Rqo21ZxNZMLNPMz-wne7ns6gs6R6QYI7VAtMYygAkZGTq7ihVGLyhzOx3DuUsutUrf1K_fAdKx0ooBHrqW0m7iliHCRjQ\/s16000\/Lionishackers%2520promoting%2520the%2520creation%2520of%2520the%2520Stressed%2520Forums%2520%28Source%2520-%2520Outpost24%29.webp?ssl=1\")
Infection Mechanism and Persistence Tactics<\/strong><\/h2>\n
sqlmap -u \"https:\/\/victim.com\/product?id=1\" \n --batch --dbs --threads=5 \n --tamper=space2comment --time-sec=10<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg4-XT543VLT6SvC3KMpsb4xNpQtcJ_VZEV6juuCrdStUF5Q6RS6ycy_wy_U2KhUM-7ZR9-CzOclGfjoVzzDa14bSVvUFO5OaqBDmZppe_sRVNHG1iJ0as2N3s3fujXXoRx6XeaYrn5dERoF0VTAqj7rjnZDSVzFDP6go3TZmwk0H5e0R5qTCNqXHPnmeQ\/s16000\/Lionishackers%2520using%2520the%2520alias%2520Captain%2520Fen%2520show%2520preference%2520in%2520compromising%2520casino%2520sites%2520%28Source%2520-%2520Outpost24%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhNuaOfjFlTOVA62C6hHHEP5lLf9NLue1tyGhbWzMQRVPBy0hYqZ5wXOMUVNyv6JtSwsDE0RqaGqIGGTr9WKnVc48bZ0RoTkbW6Yq0YrAzdRAXV_UlPUplellP28YfdO895V_mA9FopymKltLIaUxdcv83XXOeJiCCzTeQY_z9D08xbWQV2WNlt1GfVoRg\/s16000\/Post%2520on%2520Telegram%2520listing%2520some%2520of%2520the%2520countries%2520that%2520Lionishackers%2520would%2520be%2520specialized%2520in%2520%28Source%2520-%2520Outpost24%29.webp?ssl=1\")