About StealthMole
StealthMole is a cutting-edge artificial intelligence platform built to enhance cybersecurity through advanced dark web monitoring and threat intelligence.
It offers a comprehensive suite of modules, including Dark Web Tracker, Telegram Tracker, Compromised Data Set, Credential Lookout, Ransomware Monitoring, Leaked Data Monitoring, Government Monitoring, and Defacement Alerts — all integrated into a single platform that enables powerful monitoring and efficient investigative capabilities.
Data Leak Monitoring: Case Study – Brazil
StealthMole enables users to track cyberattacks and data breaches on a country-specific level. For instance, between January 1 and April 25 of this year, Brazil experienced at least 82 data leaks. Below is a screenshot illustrating the data leak monitoring map for Brazil during this period.
StealthMole enables the classification of data leaks either by economic sector or by threat actor. A threat actor-based analysis identified the top four cyber threat actors as “GoldenLeak”, “GoldenLeaks” (with “GoldenLeak” likely linked to “GoldenLeaks”), “memberphp”, and “ComboPoster”.
Pivoting on the Threat Actor Username: “memberphp”
StealthMole empowers investigators to pivot on threat actor usernames, expanding their investigations through modules like Dark Web Tracker, Telegram Tracker, Compromised Data Set, and Credential Lookout. Investigators can choose to pivot either within StealthMole or externally, leveraging additional tools to support their investigations.
For instance, a search for the username “memberphp” in historical data leaks uncovered a prior registration on RaidForums using the same username and the email address funkey-100@hotmail.com, linked to an IP address geolocated in São Paulo, Brazil. Further breach records tied to funkey-100@hotmail.com revealed additional IP addresses, hosted by the same operator, Claro NXT Telecomunicações Ltda and similarly geolocated in São Paulo.
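The username-to-email-to-IP chain described above, as an added example (not StealthMole's code) of a bounded selector pivot over breach records; the records, usernames, e-mail addresses, IPs and AS names below are constructed sample data, and by default IPs are collected but not pivoted through, since a shared address links unrelated people:

```python
# Added example, not StealthMole's code: a hop-limited breadth-first pivot
# across leaked registration records (username -> email -> IP -> operator).
from collections import deque

RECORDS = [  # constructed sample records; every value here is made up
    {"source": "forum-A", "username": "actor01", "email": "actor01@example.net",
     "ip": "192.0.2.10", "asn": "AS64496 ExampleNet"},
    {"source": "shop-B", "username": "a01", "email": "actor01@example.net",
     "ip": "192.0.2.77", "asn": "AS64496 ExampleNet"},
    {"source": "game-C", "username": "actor01", "email": "other@example.org",
     "ip": "198.51.100.5", "asn": "AS64497 OtherISP"},
    {"source": "forum-A", "username": "bystander", "email": "by@example.com",
     "ip": "192.0.2.10", "asn": "AS64496 ExampleNet"},  # shares an IP only
]
SELECTORS = ("username", "email", "ip")


def pivot(seed, records=RECORDS, expand=("username", "email"), max_hops=2):
    """Return {value: (hops, [record sources that linked it back to seed])}.

    Only selector types listed in `expand` are pivoted through; IPs are
    recorded as results but not expanded, so a shared address (CGNAT, a
    hosting range) does not drag unrelated identities into the result set.
    """
    found = {seed: (0, [])}
    queue = deque([seed])
    while queue:
        value = queue.popleft()
        hops, path = found[value]
        if hops >= max_hops:  # hop limit keeps the pivot reviewable by hand
            continue
        for rec in records:
            if value not in (rec[s] for s in SELECTORS):
                continue
            for s in SELECTORS:
                nxt = rec[s]
                if nxt in found:
                    continue
                found[nxt] = (hops + 1, path + [rec["source"]])
                if s in expand:
                    queue.append(nxt)
    return found


def linked_ips(seed):
    """IPs reached from the seed, each with the hosting operator seen for it."""
    operators = {r["ip"]: r["asn"] for r in RECORDS}
    return {v: operators[v] for v in pivot(seed) if v in operators}
```

Every hop in the returned path is a record an analyst still has to validate; the example only narrows where to look.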
Real-Time Monitoring for Advanced Investigations and Incident Response
StealthMole enables organizations to proactively monitor both their internal and external environments for data leaks, while also preparing for and responding to cyberattacks.
Ransomware Monitoring: Case Study – Brazil
As one of the largest markets within the BRICS group, Brazil has seen a sharp rise in cyberattacks in recent years. With attacks on Brazilian enterprises expected to increase in both scale and frequency, businesses in Brazil require proactive monitoring and advanced investigative capabilities to prepare for and respond to them effectively.
StealthMole’s Ransomware Monitoring module allows investigators to categorize ransomware incidents by country, ransomware group, and economic sector. Between January 1 and April 23, 2025, Brazil recorded 43 ransomware attacks. A ransomware attack map for this period is displayed below.
The most active ransomware gangs targeting Brazil include LockBit3, RansomHub, Akira, Arcus Media, Babuk2, Alphv, FunkSec, 8base, Sarcoma, and Fog.
Pivoting Case Study I: LockBit3
LockBit was the most prolific ransomware group globally in 2022, accounting for an estimated 44% of all ransomware incidents by early 2023. In February 2024, law enforcement agencies seized control of the dark web infrastructure LockBit used for its attacks. However, subsequent ransomware activity linked to LockBit was reported, with the group rebranding under different variants.
Through further investigation using SilentPush.com, we analyzed one of LockBit3’s onion domains, [lockbit7ouvrsdgtojeo…], and identified the associated IP address 165.227.85.87 (hosted by DigitalOcean, LLC; geolocated in New Jersey, US; VPN service: MaxiVPN).
Pivoting Case Study II: Sarcoma Group
The Sarcoma ransomware group has been linked to a total of 95 cyberattacks, with 5 of these incidents targeting Brazilian companies.
An investigation of their onion domain, [sarcomawmawlhov…], using SilentPush.com revealed an html_body_murmur3 hash value of -318338258. Subsequent searches based on this hash identified the associated IP address 23.192.32.224 (Server: AkamaiGHost; hosted by Akamai Technologies, Inc; geolocated in New Jersey, US).
Further analysis is required to validate or invalidate the connection between this IP address and the Sarcoma group.
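The body-hash pivot used in the Sarcoma case, as an added example that is not Silent Push's or StealthMole's code. It assumes html_body_murmur3 is the signed 32-bit MurmurHash3 (x86 variant, seed 0) of the raw response body, the same convention Shodan's http.html_hash uses; the leak-page body and the three host IPs are constructed sample data:

```python
# Added example: MurmurHash3 x86_32 in pure Python, reported in signed form
# (assumed to match html_body_murmur3 / http.html_hash), then used to find
# hosts serving a byte-identical page. No third-party modules required.

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 of `data` as an unsigned 32-bit integer."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):  # 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[nblocks * 4:]  # 0 to 3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= len(data)  # finalisation (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


def body_hash(body: bytes) -> int:
    """Signed 32-bit form, which is why the page's value (-318338258) is negative."""
    h = murmur3_32(body)
    return h - (1 << 32) if h & 0x80000000 else h


def find_matching_hosts(reference_body: bytes, inventory: dict) -> list:
    """Hosts whose served body hashes identically to the reference page."""
    target = body_hash(reference_body)
    return sorted(ip for ip, body in inventory.items() if body_hash(body) == target)


# Constructed sample data: a leak-site landing page and three scanned hosts.
LEAK_PAGE = b"<html><head><title>Leaks</title></head><body><h1>Published</h1></body></html>"
INVENTORY = {
    "203.0.113.10": LEAK_PAGE,                                     # exact mirror
    "203.0.113.11": LEAK_PAGE.replace(b"Published", b"published"),  # one byte off
    "203.0.113.12": b"<html><body>default page</body></html>",
}
```

Because the match is on an exact hash, a host serving a templated or slightly edited copy is missed, and a match on a generic default page is not attribution on its own, which is why the page calls for further validation.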
Defacement Alert: Case Study – Brazil
StealthMole also offers global defacement alerts, enabling investigators to monitor country-specific defacements, track threat actors, and set custom alerts.
In a targeted search for the threat actor “MrVGunz”, StealthMole identified their involvement in a total of 489 defacement incidents across multiple countries.
An example of a defacement case in Brazil attributed to “MrVGunz” is presented below.
Investigators can identify all defacement incidents linked to this threat actor and further pivot into other StealthMole modules, such as Telegram Tracker, Compromised Data Set, Credential Lookout, and Leaked Data Monitoring, to expand their investigations.
Pivoting Case Study: “MrVGunz”
“MrVGunz” is a known Iranian threat actor affiliated with “Team 1979”, maintaining a broad presence across various social media platforms, as illustrated in the table below.
| Platform | Username / ID | Details |
|---|---|---|
| X.com | MrVGunz / 1482144065873399814 | Registered: January 2022; links to t.me/MrVGunz; 339 following, 152 followers; website: mrvgunz.xyz; email: mrvgunz@gmail.com; Instagram: MrVGunz; GitHub: MrVGunz; additional links: zone-h.org/archive/notifie/notifier=MrVGunz, defacer.id/archive/attacke/attacker/MrVGunz |
| GitHub | MrVGunz / 78943971 | Location: Iran |
| 112517790821535790714 | N/A | |
| Sololearn | MrVGunz | Location: Iran |
Conclusion and Recommendations
StealthMole proves to be a powerful and comprehensive platform for cybersecurity monitoring and advanced investigations. Its integrated modules — covering dark web tracking, ransomware monitoring, defacement alerts, credential leaks, and more — enable investigators to proactively detect threats, pivot efficiently across multiple data sources, and build a more complete threat landscape picture.
By providing real-time insights, historical data correlation, and the ability to pivot across multiple environments (including dark web forums, Telegram, and leaked databases), StealthMole significantly enhances an organization’s ability to respond quickly to emerging threats and conduct deeper attribution analysis.
Recommendations:
- Proactive Monitoring: Organizations should continuously monitor both internal and external threats using StealthMole’s customizable alert systems to detect and mitigate risks early.
- Integrated Investigations: Leverage the platform’s pivoting capabilities across modules to uncover hidden connections between actors, infrastructure, and incidents.
- Country-Specific Threat Tracking: For markets with higher threat exposure, such as Brazil, tailor monitoring efforts to specific sectors, threat actors, and attack types.
- Incident Response Preparation: Leverage insights from StealthMole to enhance incident response plans, threat hunting strategies, and intelligence reports.
- Ongoing Threat Actor Analysis: Regularly analyze emerging and active threat groups by pivoting through usernames, domains, and IPs to maintain situational awareness.