Incident Overview

A threat actor operating under the handle "Saturned33" is auctioning unauthorized RDP and shell access to an unidentified Spain-based organization in the business services sector on the Exploit forum. According to the listing, the victim organization has an estimated revenue of approximately €5 million ("~5kk"). The access being sold includes both RDP and shell capabilities with Domain Administrator and SYSTEM-level privileges across more than 20 hosts.

The threat actor states that Windows Defender has been deactivated on the compromised systems. Additionally, the listing advertises access to over 5TB of critical internal data including backups, personal data, and client information. Extra access to two internal NAS devices with unlimited administrative privileges is also included. The auction starts at $700 USD with a $300 step increment and a blitz (buy-it-now) price of $1,300 USD. The auction runs for 12 hours ending on the last bid or blitz purchase, with all transactions covered by autogarant (escrow).