Powered by DarkWebInformer.com
📖 Overview
A threat actor is advertising restricted RDWeb access to a U.S.-based software company with reported annual revenue of $84 million. The listing specifies that only third-party applications published through the web interface are visible, while direct remote desktop connections via clients such as MSTSC are blocked. The seller highlights the presence of CrowdStrike Falcon in the target environment, suggesting that the access is limited but still valuable to an experienced buyer.
📌 Key Details
- Victim Country: USA
- Industry: Software
- Threat Actor: gadji
- Network: openweb
- Category: Initial Access
- Severity: Medium
- Access Type: Restricted RDWeb portal access with application limitations
- Security Controls: CrowdStrike Falcon EDR present (claimed)
- Annual Revenue (Target): $84 million
- Price Structure: Start $1,500 • Step $500 • Blitz $2,500
- Trading Conditions: End of trading listed as 08/21/2025, 13:00 Moscow time • Only via guarantor at buyer’s expense
🧩 TTPs (MITRE ATT&CK Mapping)
- TA0001 – Initial Access: Exploitation of remote services (RDWeb)
- TA0002 – Execution: Use of authorized portal sessions for persistence
- TA0005 – Defense Evasion: Attempting to operate under the radar of CrowdStrike Falcon
- TA0009 – Collection: Potential for reconnaissance and data staging within a restricted environment
👤 Threat Actor Profile: gadji
Summary
- Total Matches: 23
- First Seen: 2025-04-04
- Last Seen: 2025-08-21
- Data Start: 2024-10-02
- Countries: USA, France, UK, Sweden, Slovenia
- Industries: Hospital & Health Care, Manufacturing, Building & Construction, Software, Agriculture & Farming
📊 Threat Actor Activity
| Date | Country | Sector / Industry | Type | Target / Access | Network |
|---|---|---|---|---|---|
| 2025-08-21 | USA | Software | Initial Access | RDWeb access to software company ($84M revenue) | openweb |
| 2025-08-19 | USA | Business Services | Initial Access | RDWeb access | openweb |
| 2025-08-18 | USA | Agriculture & Farming | Initial Access | Access to agriculture company | openweb |
| 2025-08-14 | USA | Industrial Machinery | Initial Access | RDWeb access | openweb |
| 2025-08-09 | USA | Telecommunications | Initial Access | RDWeb access | openweb |
| 2025-08-07 | – | Multiple Countries | Data Leak | Passport scans | openweb |
| 2025-08-06 | UK | – | Initial Access | RDWeb access to unidentified organization | openweb |
| 2025-08-05 | UK | Manufacturing | Initial Access | Unauthorized access to manufacturing company | openweb |
| 2025-07-18 | Sweden | Retail Industry | Initial Access | RDWeb access to retail company | openweb |
| 2025-07-13 | UK | Manufacturing | Initial Access | RDWeb access to manufacturing company | openweb |
ℹ️ Showing the latest 10 results. 13 more not shown.
🚨 Potential Risks
Even restricted RDWeb access provides a foothold into a corporate environment. With administrative misconfigurations or privilege escalation, attackers could leverage such access to move laterally, deploy malware, or exfiltrate sensitive company data. The presence of CrowdStrike Falcon raises the stakes — adversaries with advanced tradecraft may attempt to bypass or disable monitoring to maintain persistence.
✅ Recommended Security Actions
- Immediately audit RDWeb exposure and restrict access to authorized, VPN-protected users
- Review CrowdStrike Falcon logs for anomalous login activity or session attempts
- Enforce multi-factor authentication for all remote access portals
- Monitor for persistence mechanisms and abnormal application launches in RDWeb sessions
- Conduct penetration testing to simulate misuse of restricted portal access
- Educate administrators and IT staff on hardening RDWeb deployments
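As an added illustration of the log-review items above (not code from the original post or from any vendor), the script below triages simplified RDWeb portal logon records for three patterns: repeated failures from one source, a success from outside a known network baseline, and off-hours logons. The record format, the baseline networks, the threshold and the business-hours window are all constructed assumptions for the example.

```python
# Added example: triage constructed RDWeb portal logon records for brute
# force / password spray, logons from outside a baseline, and off-hours logons.
# The CSV-style record format is a constructed simplification, not a real schema.
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "timestamp,user,source_ip,result"
SAMPLE_LOG = """\
2025-08-20T09:02:11,j.doe,203.0.113.10,success
2025-08-20T09:05:40,m.lee,203.0.113.11,success
2025-08-20T23:41:02,svc_backup,198.51.100.7,failure
2025-08-20T23:41:09,svc_backup,198.51.100.7,failure
2025-08-20T23:41:15,svc_backup,198.51.100.7,failure
2025-08-20T23:41:22,svc_backup,198.51.100.7,failure
2025-08-20T23:41:30,svc_backup,198.51.100.7,failure
2025-08-20T23:42:01,svc_backup,198.51.100.7,success
2025-08-21T02:17:44,j.doe,198.51.100.23,success
"""

KNOWN_NETWORKS = ("203.0.113.",)   # assumed corporate egress prefixes
FAIL_THRESHOLD = 5                 # assumed: failures per IP before flagging
BUSINESS_HOURS = range(7, 20)      # assumed: 07:00-19:59 local time

def parse(log_text):
    """Turn the constructed records into (datetime, user, ip, result) tuples."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, ip, result))
    return rows

def find_alerts(rows):
    """Return a sorted list of (source_ip, reason) alerts."""
    alerts = set()
    failures = defaultdict(int)
    for ts, user, ip, result in rows:
        if result == "failure":
            failures[ip] += 1
            if failures[ip] == FAIL_THRESHOLD:
                alerts.add((ip, "brute-force: %d+ failed logons" % FAIL_THRESHOLD))
            continue
        # A success that follows a burst of failures is the highest-value signal.
        if failures[ip] >= FAIL_THRESHOLD:
            alerts.add((ip, "success after repeated failures (%s)" % user))
        if not ip.startswith(KNOWN_NETWORKS):
            alerts.add((ip, "logon from outside baseline networks (%s)" % user))
        if ts.hour not in BUSINESS_HOURS:
            alerts.add((ip, "off-hours logon (%s at %s)" % (user, ts.isoformat())))
    return sorted(alerts)

if __name__ == "__main__":
    for ip, reason in find_alerts(parse(SAMPLE_LOG)):
        print(ip, reason)
```

In practice the records would come from the RDWeb IIS logs or Windows Security logon events on the portal host, and the baseline from your own egress ranges.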
💡 Final Thoughts
The recurring sale of RDWeb access on underground forums shows how exposed remote services remain a popular entry point for attackers. Even limited access can be weaponized by experienced threat actors, particularly when targeting organizations with high annual revenue. Defenders should treat RDWeb portals as critical assets, enforcing strong authentication, logging, and continuous monitoring to reduce the risk of compromise.