Dark Web Informer - Cyber Threat Intelligence

Alleged Sale of RDWeb Access to an Unidentified Software Company in USA


📖 Overview

A threat actor is advertising restricted RDWeb access to a U.S.-based software company with reported annual revenue of $84 million. The listing specifies that only third-party applications published on the web portal are visible, while remote desktop protocols such as MSTSC are blocked. The seller highlights the presence of CrowdStrike Falcon in the target environment, suggesting that the access is limited but still valuable to an experienced buyer.


📌 Key Details

  • Victim Country: USA
  • Industry: Software
  • Threat Actor: gadji
  • Network: openweb
  • Category: Initial Access
  • Severity: Medium
  • Access Type: Restricted RDWeb portal access with application limitations
  • Security Controls: CrowdStrike Falcon EDR present (claimed)
  • Annual Revenue (Target): $84 million
  • Price Structure: Start $1,500 • Step $500 • Blitz $2,500
  • Trading Conditions: End of trading listed as 08/21/2025, 13:00 Moscow time • Only via guarantor at buyer’s expense


🧩 TTPs (MITRE ATT&CK Mapping)

  • TA0001 – Initial Access: Exploitation of remote services (RDWeb)
  • TA0002 – Execution: Use of authorized portal sessions for persistence
  • TA0005 – Defense Evasion: Attempting to operate under the radar of CrowdStrike Falcon
  • TA0009 – Collection: Potential for reconnaissance and data staging within a restricted environment

👤 Threat Actor Profile: gadji

Summary

  • Total Matches: 23
  • First Seen: 2025-04-04
  • Last Seen: 2025-08-21
  • Data Start: 2024-10-02
  • Countries: USA, France, UK, Sweden, Slovenia
  • Industries: Hospital & Health Care, Manufacturing, Building & Construction, Software, Agriculture & Farming

📊 Threat Actor Activity

Date | Country | Sector / Industry | Type | Target / Access | Network
2025-08-21 | USA | Software | Initial Access | RDWeb access to software company ($84M revenue) | openweb
2025-08-19 | USA | Business Services | Initial Access | RDWeb access | openweb
2025-08-18 | USA | Agriculture & Farming | Initial Access | Access to agriculture company | openweb
2025-08-14 | USA | Industrial Machinery | Initial Access | RDWeb access | openweb
2025-08-09 | USA | Telecommunications | Initial Access | RDWeb access | openweb
2025-08-07 | Multiple Countries | – | Data Leak | Passport scans | openweb
2025-08-06 | UK | – | Initial Access | RDWeb access to unidentified organization | openweb
2025-08-05 | UK | Manufacturing | Initial Access | Unauthorized access to manufacturing company | openweb
2025-07-18 | Sweden | Retail Industry | Initial Access | RDWeb access to retail company | openweb
2025-07-13 | UK | Manufacturing | Initial Access | RDWeb access to manufacturing company | openweb

ℹ️ Showing the latest 10 results. 13 more not shown.


🚨 Potential Risks

Even restricted RDWeb access provides a foothold into a corporate environment. With administrative misconfigurations or privilege escalation, attackers could leverage such access to move laterally, deploy malware, or exfiltrate sensitive company data. The presence of CrowdStrike Falcon raises the stakes — adversaries with advanced tradecraft may attempt to bypass or disable monitoring to maintain persistence.

🛡️ Recommendations

  • Immediately audit RDWeb exposure and restrict access to authorized, VPN-protected users
  • Review CrowdStrike Falcon logs for anomalous login activity or session attempts
  • Enforce multi-factor authentication for all remote access portals
  • Monitor for persistence mechanisms and abnormal application launches in RDWeb sessions
  • Conduct penetration testing to simulate misuse of restricted portal access
  • Educate administrators and IT staff on hardening RDWeb deployments
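The log-review recommendation above, worked through as an added example (this is not code from the Dark Web Informer post): it parses constructed IIS W3C log lines from an RD Web Access server and flags client IPs that produce a burst of failed logon POSTs, noting when a successful logon follows the burst. The login path, the convention that a 302 response means success and a 200 means failure, and the thresholds are assumptions.

```python
"""Flag brute-force / password-spray logons against an RD Web Access portal in IIS
W3C logs. Added example, not from the original post. Assumed: a login.aspx POST
answered 302 succeeded and 200 failed; thresholds and the sample log are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
LOGIN_PATH = "/rdweb/pages/en-us/login.aspx"       # compared case-insensitively
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=10)  # failed POSTs per IP per window

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-08-20 09:00:01 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 200
2025-08-20 09:00:04 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 200
2025-08-20 09:00:09 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 200
2025-08-20 09:00:15 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 200
2025-08-20 09:00:22 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 200
2025-08-20 09:04:40 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 302
2025-08-20 09:02:13 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - 198.51.100.3 302
"""

def parse_iis(text):
    """Turn W3C IIS lines into dicts, taking column names from the #Fields header."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            events.append(dict(zip(fields, line.split())))
    return events

def login_attempts(events):
    """Per client IP: time-sorted (timestamp, succeeded) for POSTs to the login page."""
    by_ip = defaultdict(list)
    for e in events:
        if e["cs-method"] == "POST" and e["cs-uri-stem"].lower() == LOGIN_PATH:
            ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
            by_ip[e["c-ip"]].append((ts, e["sc-status"] == "302"))
    return {ip: sorted(a) for ip, a in by_ip.items()}

def detect_spray(events):
    """IPs with >= FAIL_THRESHOLD failures inside WINDOW; note a success after the burst."""
    findings = {}
    for ip, attempts in login_attempts(events).items():
        fails = [t for t, ok in attempts if not ok]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= WINDOW]
            if len(burst) >= FAIL_THRESHOLD:
                later_ok = any(ok and t > burst[-1] for t, ok in attempts)
                findings[ip] = {"failures": len(burst), "success_after_failures": later_ok}
                break
    return findings
```

A flagged IP with success_after_failures set is the case worth escalating first, since it matches the pattern of a guessed or sprayed credential that eventually worked.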

💡 Final Thoughts

The recurring sale of RDWeb access on underground forums shows how exposed remote services remain a popular entry point for attackers. Even limited access can be weaponized by experienced threat actors, particularly when targeting organizations with high annual revenue. Defenders should treat RDWeb portals as critical assets, enforcing strong authentication, logging, and continuous monitoring to reduce the risk of compromise.
