From CAPTCHA Cracking to Dark Web Crawling: Tracking Malware Supply Chains with Real-Time Adversary Intelligence and Analyst-Driven Insights

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

In a conversation with Amir Hadzipasic, CEO and founder of SOS Intelligence, we explored how cybercriminals are evolving their tactics and how defenders are adapting in response. SOS Intelligence has been recognized as a National Cyber Security Centre (NCSC) Startup Alumni, having been selected to assist the UK government in addressing the cyber challenge of ransomware.

Our discussion ranged from real-time monitoring of malware supply chains and credential leaks to the growing professionalization of underground ecosystems. Hadzipasic elaborated on CAPTCHA bypass, dark web visibility, and the intelligence capabilities that shape modern cyber defense.

One of the key takeaways was the rising complexity of threat actor ecosystems, which now mirror legitimate software development, complete with modular tooling, apprenticeship models, and version-controlled malware. 

Hadzipasic also detailed the shift from traditional perimeter defense to intelligence-led detection. He emphasized that in today’s threat landscape, capabilities like real-time credential alerts, deep and dark web visibility, and rapid deployment of data collection pipelines have shifted from being advanced features to baseline expectations.

The interview also shed light on the tactics of nation-state actors, the operational evolution of hacktivist groups, and the quiet but significant threats posed by third-party supply chain breaches. 

Vishwa: Looking back on your journey, what pivotal moments or decisions led you into the world of cybersecurity and ultimately to founding SOS Intelligence? What lessons have shaped your leadership style, and what challenges convinced you this industry was the one worth committing to? As threats continue to evolve, how do you define success personally and professionally, in building solutions that stay ahead of the adversary curve?

Amir: From a very young age, I've been captivated by the intricate world of cybersecurity. My curiosity has always drawn me to dissect systems, to understand their fundamental architecture, and to uncover what truly lies "under the hood." This innate drive propelled me into the nascent days of the internet, where I embarked on a journey of learning website development. 

This initial foray naturally led me to delve deeper into the mechanics of search engines, ultimately inspiring me to build my own. These early, ambitious endeavors, spanning over two decades, laid the crucial foundational groundwork for what would eventually become SOS Intelligence.

Many years later, SOS Intelligence was formally established with a clear and ambitious objective: to develop a proprietary information collection platform. This platform was designed to leverage my extensive experience in search and crawling technologies, with the ultimate goal of achieving significant cost savings for our clients by circumventing the often-prohibitive expenses associated with established threat intelligence providers.

My leadership approach has been profoundly shaped by critical observations of prior managers and directors throughout my career. A central tenet of my philosophy is to cultivate an environment where those reporting to me feel genuinely empowered to offer constructive criticism regarding decisions, regardless of how challenging or unpopular they might be.

I strive to foster a culture where individuals can formulate their own opinions robustly and without apprehension, ensuring that they are not merely assenting to every proposition put forth. This commitment to fostering independent thought and critical feedback is something I deem absolutely essential for a thriving and innovative team.

The primary challenges that truly affirm the worth of this commitment and our mission at SOS Intelligence stem directly from the difficulties our clients have encountered. These difficulties manifest in various forms: dissatisfaction with existing providers, a feeling of being priced out of the market, or simply a glaring lack of visibility into their digital exposure and inherent risks.

It is incredibly rewarding when we frequently receive feedback from clients indicating that we have informed them of a critical exposure significantly earlier than any third-party entities. This early warning capability is a testament to the effectiveness of our platform and our proactive approach.

For me, the definition of success at SOS Intelligence is predicated upon our collective ability to operate with sufficient agility and responsiveness. In a landscape where threats and environmental shifts are constantly evolving, our capacity to adapt quickly is paramount.

By maintaining this agility and responsiveness, we are empowered to consistently assist our clients in identifying and mitigating the ever-present digital threats to their organizations. Our success is inextricably linked to our clients' security and peace of mind in the digital realm.

Vishwa: What emerging cyber threats to businesses have you identified on the dark web? Which threat actors are currently planning attacks against corporate targets? Can you provide early warnings about their tactics, tools, and potential targets?

Amir: We’ve been incredibly successful at quickly and efficiently gathering information around business information leakage, primarily through the data leakage of a third party where our customer’s information was impacted and leaked.

We monitor hundreds of ransomware victim-shaming blogs, or DLS (“data leak sites”) as they are referred to. We go layers deeper to identify leaked files and file tree listings, and use these to alert our clients to unexpected data exposure.

We monitor not only DLS but also crawl over 20 million onions and thousands of cybercrime forums and adversary communication sources. We can see when people are talking about us, but also any planning they may be doing. We are able to observe in real time threat actors collecting stolen credentials through the use of Telegram search bots, and can alert our customers to any of their exposure.

Our CTI team provides regular customer reports on TTPs and other key resources and in addition, we also issue Flash Alerts to our customers for any developing serious threats and vulnerabilities. 

Vishwa: What types of cyber threats are currently targeting the UK government and its agencies, such as intelligence services, defense departments, or civil infrastructure bodies? Which threat groups are attempting to breach these platforms? Are they focusing on specific sectors like defense, healthcare, energy, or public administration? 

Amir: The UK government and its agencies continue to face a steady stream of cyber threats, primarily from state-aligned actors and advanced cybercriminal groups. Intelligence services, defence departments, and civil infrastructure bodies are frequent targets, with the threat landscape shaped largely by geopolitical tensions and strategic interests.

Nation-state actors—particularly from Russia, China, Iran, and North Korea—remain the most persistent. These groups are typically focused on espionage, disruption, or pre-positioning within critical systems. APT29 (linked to Russia) and APT40 (linked to China) have both been observed attempting to breach UK government-linked platforms in recent years, often using spear phishing, credential harvesting, and exploiting edge vulnerabilities.

In terms of sectors, defence and energy remain high-value targets due to their strategic significance. Public administration and civil infrastructure, including local councils and transport systems, are also under pressure, often targeted through supply chain compromises or vulnerabilities in legacy systems. 

Healthcare has emerged as a secondary focus, not just for data theft, but for potential disruption during periods of national strain.

What’s notable is the growing use of living-off-the-land techniques, making intrusions harder to detect. Many campaigns aim for long-term persistence and data exfiltration, rather than quick hits.

To stay ahead, agencies are investing more in proactive threat hunting, cross-sector information sharing, and improved supply chain assurance. The emphasis is shifting from perimeter defence to detection, resilience, and intelligence-led security.

Vishwa: What operational shifts are currently observed among hacktivist groups, and how are their targeting priorities evolving? Are there identifiable patterns in their tactics or campaign planning that indicate emerging threats to specific sectors or geographies?

Amir: We’re seeing a clear shift in how hacktivist groups operate. Many have moved beyond simple website defacements or DDoS attacks and are now engaging in more coordinated, politically motivated campaigns. There’s a growing trend of hacktivist activity aligning with geopolitical flashpoints, with operations often timed to coincide with elections, conflicts, or international sanctions.

Targeting priorities have also evolved. While government and military domains remain common targets, we’re increasingly seeing critical infrastructure, media outlets, and financial services pulled into the spotlight, particularly those seen to support one side of a conflict. Healthcare and education sectors have also seen increased attention, likely due to their high public visibility and typically weaker defences.

In terms of tactics, many groups now mimic the structure of nation-state campaigns, using staged leaks, social media amplification, and even false-flag operations to maximise disruption. There’s also a growing use of publicly available tools and OSINT to identify soft targets, often with a view to reputational damage rather than data theft.

Geographically, much of the activity is focused around Eastern Europe, the Middle East, and South Asia, but we're also seeing spill-over targeting in Western nations perceived as politically aligned or supportive of rival governments.

These shifts suggest that organisations—particularly those in politically sensitive sectors—need to treat hacktivism as a strategic risk, not just a nuisance. Early threat monitoring, geopolitical awareness, and cross-sector intelligence sharing are all key to anticipating and mitigating these emerging threats.

Vishwa: What have you uncovered about the knowledge ecosystems cybercriminals leverage to adopt advanced technologies? Specifically, which malware families, variants, or frameworks have your team observed across platforms like dark web forums, encrypted channels, or developer communities where adversaries exchange tooling and training materials?

Amir: We’re seeing a marked evolution in how cybercriminals build and share knowledge, particularly with the adoption of more advanced tooling and collaborative development practices. These actors increasingly operate within structured ecosystems—primarily across dark web forums, encrypted messaging apps like Telegram, and even fringe developer communities—where they exchange malware, frameworks, and detailed tradecraft.

Our monitoring has identified ongoing discussions and code exchanges involving malware families such as RedLine Stealer, Lumma, Vidar, and IcedID, often integrated into broader malware-as-a-service (MaaS) offerings. Ransomware groups are also leveraging modular loaders like Amadey or SmokeLoader, which are easily adapted and frequently updated through community input.

In terms of frameworks, there’s growing use of .NET, Python, and Go, largely due to their accessibility and cross-platform flexibility. We’ve also observed adoption of offensive security tools—like Cobalt Strike, Sliver, and Mythic—being repurposed and customised in underground spaces. These tools are often bundled with tutorials, obfuscation scripts, and even staged “apprenticeship” programmes for less experienced actors.

Training materials are widespread, with threat actors actively sharing guides on EDR evasion, sandbox bypass, and encryption routines. These are sometimes accompanied by cracked versions of commercial red-teaming tools or bespoke loaders designed to avoid common YARA signatures.

What’s emerging is a professionalised cybercrime ecosystem that mirrors legitimate software development, complete with user support, versioning, and peer reviews. This level of collaboration is accelerating threat development and lowering the barrier to entry, making advanced capabilities accessible to a broader range of threat actors. It underscores the importance of proactive threat intelligence that tracks these communities closely and anticipates how tradecraft evolves before it’s deployed in the wild.

Vishwa: Reports say the massive password leak was compiled from earlier breaches, with SOS Intelligence detecting and alerting clients within two days. Can you share how many verified credentials your team identified, and any stats or attribution tied to third-party supplier breaches?

Amir: SOS Intelligence operates at the forefront of cybersecurity, meticulously processing an immense volume of leaked credentials, often reaching into the many millions of rows weekly. Our sophisticated ingestion pipeline handles two primary categories of these compromised data sets, each requiring specialized processing and analysis.

The first, and most frequent, category originates from "first-party Stealer products." These are typically malicious software, often delivered as "Stealer Zip bundles" from "Stealer Clouds," which are essentially repositories where stolen data is aggregated. These bundles contain a rich tapestry of compromised information, including not only credentials but often also system information, browser data, and various other sensitive files. 

From these, we extract "second-party products" such as ULP (URL, Login, Password) lists. These ULP lists are systematically derived from the initial Stealer products, with the credentials meticulously extracted from within the zipped archives. Subsequently, these extracted credentials are often aggregated and de-duplicated across various text files, forming extensive datasets. 

A crucial aspect of our processing involves rigorous de-duplication. We frequently observe significant overlap and redundancy within these datasets, and our advanced filtering mechanisms are designed to eliminate this repetition. The rationale is simple: presenting a customer with the same set of compromised credentials for a specific URL multiple times as an active alert offers no additional value and can lead to alert fatigue. Our aim is to provide actionable intelligence, ensuring that each alert represents a unique and relevant threat.

The second significant load of ingestion we perform comes from "bulk sources," primarily comprising database dumps obtained from hacked websites. These incidents are inherently more ad-hoc and unpredictable in nature. Their size can vary dramatically, ranging from relatively small breaches impacting a few thousand records to catastrophic compromises involving millions of user accounts. 

Consequently, the potential impact of these bulk sources also varies widely, from localized concerns to widespread data exposure that could affect a significant portion of internet users. Each bulk ingestion requires a tailored approach to ensure efficient and accurate extraction of relevant credential data, followed by thorough analysis to ascertain the scope and severity of the breach. 

Our agile processing capabilities allow us to adapt rapidly to the diverse characteristics of these ad-hoc data dumps, transforming raw compromised data into vital intelligence for our clients.
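The ULP extraction and de-duplication described above can be illustrated with a short pipeline. The Python below is an added editorial example, not SOS Intelligence's platform code and not part of the interview: it assumes the common "URL:login:password" line format (with "|" as an alternative separator and no port numbers in the URLs), works on a constructed sample dump, and keys de-duplication on host, path, login and password so that re-ingesting the same records raises no second alert for the customer.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample of a ULP ("URL:login:password") text dump. Real
# aggregations look like this: mixed separators, the same record repeated
# across files, host case differences, trailing slashes and junk lines.
SAMPLE_ULP = """\
https://portal.example-corp.com/login:alice@example-corp.com:Winter2024!
https://portal.example-corp.com/login:alice@example-corp.com:Winter2024!
http://PORTAL.example-corp.com/login/:alice@example-corp.com:Winter2024!
https://shop.unrelated.net/account|bob@gmail.com|hunter2
android://com.example.app/:bob@example-corp.com:p@ss:with:colons
not a credential line at all
https://vpn.example-corp.com:carol@example-corp.com:
"""


def parse_ulp_line(line):
    """Split one 'URL<sep>login<sep>password' line into (url, login, password).

    The scheme separator '://' is located first so that the split runs
    left-to-right from the host and colons inside the password survive.
    The separator is whichever of ':' or '|' appears first after the host.
    Assumption: URLs carry no explicit port (host:port would be mis-split).
    Returns None for lines that do not fit the format.
    """
    line = line.strip()
    if "://" not in line:
        return None
    scheme, rest = line.split("://", 1)
    positions = [i for i in (rest.find(":"), rest.find("|")) if i != -1]
    if not positions:
        return None
    sep = rest[min(positions)]
    parts = rest.split(sep, 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    hostpath, login, password = parts
    return (f"{scheme}://{hostpath}", login, password)


def credential_fingerprint(url, login, password):
    """Stable de-duplication key: host and path (host case-folded, scheme and
    trailing slash dropped), case-folded login, and the exact password."""
    p = urlsplit(url)
    key = f"{(p.hostname or '').lower()}{p.path.rstrip('/')}\x00{login.lower()}\x00{password}"
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def concerns_customer(url, login, watched_domains):
    """True if the URL host or the login's mail domain belongs to the customer."""
    host = (urlsplit(url).hostname or "").lower()
    mail_domain = login.rsplit("@", 1)[1].lower() if "@" in login else ""
    return any(host == d or host.endswith("." + d) or mail_domain == d
               for d in watched_domains)


def process_dump(text, watched_domains, seen):
    """Return alerts for credentials not seen before; `seen` persists across dumps.

    The alert carries the password length rather than the password itself,
    so the alert channel does not become another place the secret is stored.
    """
    alerts = []
    for raw in text.splitlines():
        record = parse_ulp_line(raw)
        if record is None:
            continue
        url, login, password = record
        if not concerns_customer(url, login, watched_domains):
            continue
        fp = credential_fingerprint(url, login, password)
        if fp in seen:
            continue                      # same exposure already alerted on
        seen.add(fp)
        alerts.append({"url": url, "login": login,
                       "password_length": len(password), "fingerprint": fp})
    return alerts


if __name__ == "__main__":
    state = set()
    first = process_dump(SAMPLE_ULP, {"example-corp.com"}, state)
    second = process_dump(SAMPLE_ULP, {"example-corp.com"}, state)
    print(f"first pass: {len(first)} alerts, re-ingestion: {len(second)} alerts")
```

On the sample, the three variants of the portal record (exact duplicate, upper-case host, trailing slash) collapse into one alert, the mobile-app record is caught through the login's mail domain rather than the URL, the unrelated shop record and the empty-password line are dropped, and a second pass over the same dump produces nothing.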

Vishwa: Following the recent CoinMarketCap compromise, where malicious code was quickly neutralized, what did investigations reveal about the attackers’ initial access vector and injection technique? Were there indicators like payload structure, obfuscation, or evasion that link to known threat families? What enabled such rapid containment, and what strategic or technical lessons can others apply around remediation, lateral movement, and early compromise detection?

Amir: The recent compromise of CoinMarketCap originated from an abuse of a homepage “doodle” graphic, which pulled JSON from a backend API. Attackers manipulated this response to include malicious JavaScript that injected a fake “Verify Wallet” prompt into the site. This wasn’t a deep technical breach but a clever use of client-side deception aimed at phishing wallet credentials.

There was no advanced malware involved—no obfuscation, persistence, or ties to known threat actors. It appeared opportunistic, relying on trust in the platform’s UI.

CoinMarketCap’s response was fast. The malicious asset was removed within minutes, likely due to strong front-end monitoring, tight deployment controls, and alerts from third parties like wallet providers. Their layered detection and clear response playbook made the difference.

For others, the lessons are clear: treat frontend assets as part of your attack surface, monitor client-side behaviour closely, and have processes in place to quickly disable or roll back compromised content. Visibility, validation, and speed are critical at every stage of defence.
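One concrete form of the "treat frontend assets as part of your attack surface" lesson is to validate the JSON a page pulls from its own API against a strict allowlist before anything renders it, and to notice when the served payload changes between polls. The Python below is an added editorial example, not CoinMarketCap's code and not part of the interview: the doodle schema, the static host and both sample payloads are assumed for illustration, and the tampered payload is constructed to show the class of change such a check must catch, not the payload from the incident.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Assumed shape of the doodle feed: a flat object naming an image, a link
# target and alt text, all served from one static host. Both sample
# payloads are constructed for this example; the tampered one illustrates
# the kind of change a validator must catch, not the incident payload.
ALLOWED_KEYS = {"image_url", "link_url", "alt"}
ALLOWED_HOSTS = {"static.example-cdn.test"}

BENIGN = {
    "image_url": "https://static.example-cdn.test/doodles/today.svg",
    "link_url": "https://static.example-cdn.test/events/today",
    "alt": "Today's doodle",
}
TAMPERED = {
    "image_url": "https://static.example-cdn.test/doodles/today.svg",
    "link_url": "javascript:void(0)",
    "alt": "<script>showFakeWalletPrompt()</script>",
    "html": "<div class='verify-wallet'>Verify your wallet to continue</div>",
}


def check_url(field, value):
    """URLs in the feed must be https and point at the allow-listed host."""
    p = urlsplit(value)
    if p.scheme != "https":
        return f"{field}: scheme {p.scheme!r} is not https"
    if p.hostname not in ALLOWED_HOSTS:
        return f"{field}: host {p.hostname!r} not in allowlist"
    return None


def validate_doodle(payload):
    """Return a list of findings; an empty list means the payload is as expected."""
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    findings = [f"unexpected key {k!r}" for k in sorted(set(payload) - ALLOWED_KEYS)]
    findings += [f"missing key {k!r}" for k in sorted(ALLOWED_KEYS - set(payload))]
    for key, value in payload.items():
        if not isinstance(value, str):
            findings.append(f"{key}: value is not a string")
            continue
        # The feed is data, never markup: an angle bracket or a script URL
        # scheme in any value means something upstream was changed.
        if "<" in value or ">" in value or "javascript:" in value.lower():
            findings.append(f"{key}: contains markup or script content")
    for key in ("image_url", "link_url"):
        if isinstance(payload.get(key), str):
            problem = check_url(key, payload[key])
            if problem:
                findings.append(problem)
    return findings


def validate_response(text):
    """Validate the raw HTTP body: bad JSON is a finding, not an exception."""
    try:
        payload = json.loads(text)
    except ValueError:
        return ["response body is not valid JSON"]
    return validate_doodle(payload)


def payload_hash(payload):
    """Canonical hash so a monitor can notice when the served feed changes
    between polls, independent of key order or whitespace."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, payload_hash(payload)[:12], validate_doodle(payload))
```

The same validator can run in two places: at the API edge, where a failing payload should never be served, and in a monitor that polls the live endpoint and raises an alert on any finding or on a hash change nobody deployed. The hash comparison is what turns "remove the asset within minutes" from luck into a procedure.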

Vishwa: What are the core security tools and capabilities that enable SOS Intelligence to serve as an early warning system, particularly for detecting dark web activity, threat actor coordination, and other indicators of emerging cyber risks before or during an attack?

Amir: At the heart of our operational prowess lies our wholly bespoke platform, a testament to our commitment to innovation and adaptability. This proprietary system is not merely a tool but a dynamic ecosystem designed for unparalleled real-time information collection. A cornerstone of its capability is the rapid deployment of new information collection pipelines, typically achievable in under 15 minutes for any novel source. This agility is paramount in the ever-evolving landscape of cyber threats, allowing us to continuously adapt and maintain pace with changes in threat actor methodologies and the emergence of new malicious online venues.

Furthermore, we possess a unique and highly specialized capability within the market: the ability to bypass human verification systems, commonly known as CAPTCHA cracking. This sophisticated technology enables us to maintain persistent access and a continuous foothold on critical intelligence sources that frequently employ periodic CAPTCHA verification to deter automated access. Our methods are designed to be robust and resilient against evolving CAPTCHA challenges, ensuring uninterrupted data flow from these crucial sources.

Complementing these technical strengths is our extensive global proxy infrastructure. This distributed network is instrumental in our ability to gather information comprehensively and establish a virtual presence worldwide. This infrastructure is critical for overcoming geographical restrictions, such as forums or dark web sites that may restrict access based on country of origin. 

Moreover, it facilitates our presence on and collection from highly clandestine networks like Tor and I2P, which are often utilized by threat actors for anonymity and covert communication. The combination of our bespoke platform, rapid pipeline deployment, CAPTCHA bypass capabilities, and global proxy network provides us with a distinct advantage in intelligence gathering, ensuring we can access and analyze information from even the most challenging and restricted online environments.

Vishwa: How are these tools integrated to deliver actionable intelligence, and what response or automation mechanisms are in place to help organizations accelerate containment, initiate mitigation steps, or prevent escalation once a threat is detected?

Amir: Our platform is designed with a keen understanding of modularity, ensuring that every component, from the initial stages of early domain registration monitoring to the intricate pipelines siphoning data from dark web forums, operates in seamless integration. This tight-knit architecture is not merely for technical elegance; it is fundamentally geared towards exceptional ease of use for our customers. With just a few intuitive clicks, a user can establish real-time alerting for any keyword of interest, transforming complex cybersecurity monitoring into a remarkably straightforward process.

The scalability of our platform is a core tenet of its design, catering to a spectrum of user needs and technical proficiencies. At its simplest, users can leverage the platform for straightforward keyword alerting, receiving immediate notifications on mentions of their specified terms across our vast datasets. For those requiring a deeper dive, the platform facilitates sophisticated topic searches across specified time frames and diverse collection pipelines, allowing for granular analysis of emerging trends and historical data.

The true power of our platform, however, extends to highly specialized and advanced investigative capabilities. Users can effortlessly extract critical intelligence such as Bitcoin addresses or favicon hashes. What truly distinguishes our offering is the platform's innate ability to cross-reference these extracted details with our extensive suite of third-party datasets and APIs. 

This interconnectedness provides a holistic view, enriching isolated pieces of information with broader context and enabling comprehensive threat intelligence analysis. This multi-layered approach ensures that our customers are equipped with not just data, but actionable insights, empowering them to proactively defend against evolving cyber threats.

Vishwa: Given the accelerating pace of threat actor innovation from AI-assisted phishing to modular malware how does SOS Intelligence adapt its collection methods and analytical models to stay anticipatory rather than reactive? Are there emerging threat vectors you’re already watching that aren’t widely on the radar yet?

Amir: At SOS Intelligence, our robust collection capability is the cornerstone of our threat intelligence operations. We continuously monitor emerging and evolving sources of information, leveraging a sophisticated, automated system that constantly scours the digital landscape. This includes everything from tracking newly mentioned Telegram Channels, where threat actors often convene and share intelligence, to meticulously extracting and crawling previously unseen Onion Addresses, which significantly expands our deep and dark web index.

These highly efficient and automated "feedback loops" are critical to our operational success. They allow our dedicated Cyber Threat Intelligence (CTI) team to optimize their invaluable time and energy, redirecting it from repetitive data collection tasks towards more complex and high-value activities.

Our analysts can then concentrate on deep dives into discussions, uncovering nuanced insights, and actively collaborating with external threat researchers to enrich our understanding of the evolving threat landscape.

The integration of Artificial Intelligence (AI) marks a significant advancement in our platform. We firmly believe in the power of Agentic AI to augment the capabilities of our human analysts, not to replace them. Our AI models, tightly integrated into our platform, are designed to act as intelligent assistants: sifting through vast amounts of data, identifying patterns, and highlighting critical information that might otherwise be missed.

This synergistic approach allows our CTI team to operate with unparalleled efficiency and precision, delivering comprehensive and timely threat intelligence to our clients. 
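Two of the extraction tasks mentioned in this interview, pulling Bitcoin addresses out of collected posts and recovering previously unseen onion addresses from crawled text, share one useful property: both formats carry a checksum, so a regex hit can be verified before it is indexed or cross-referenced with third-party datasets. The Python below is an added editorial example, not SOS Intelligence's platform code and not part of the interview. It validates v3 onion names against the SHA3-256 checksum and version byte defined in the Tor rendezvous specification, validates legacy base58check Bitcoin addresses (bech32 "bc1" addresses are a different encoding and are left out), and runs both over a constructed sample post; the onion address in the sample is derived from a made-up key and belongs to no real service.

```python
import base64
import hashlib
import re

# --- Tor v3 onion addresses -------------------------------------------------
# name = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) -> 56 characters, where
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 3.


def make_onion_v3(pubkey, version=3):
    """Encode a 32-byte ed25519 public key as a v3 onion name. Used here only
    to build test data; the key passed in below is constructed, not real."""
    tail = bytes([version])
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + tail).digest()[:2]
    return base64.b32encode(pubkey + checksum + tail).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(addr):
    """True only if the checksum and the version byte of the address verify."""
    name = addr.lower()
    if name.endswith(".onion"):
        name = name[:-6]
    if not re.fullmatch(r"[a-z2-7]{56}", name):
        return False
    raw = base64.b32decode(name, casefold=True)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return checksum == expected


# --- Legacy (base58check) Bitcoin addresses ---------------------------------
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode base58 to bytes, preserving leading zero bytes encoded as '1'."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)     # ValueError on a bad character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def is_valid_btc_legacy(addr):
    """P2PKH ('1...') or P2SH ('3...') address with a correct double-SHA256
    checksum. Bech32 (bc1...) addresses are a different encoding, not handled."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


# --- Extraction over collected text -----------------------------------------
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")
BTC_LEGACY_RE = re.compile(r"\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def extract_indicators(text, known_onions=frozenset()):
    """Pull onion services and Bitcoin addresses out of a post, keeping only
    those that pass their checksum and, for onions, are not already indexed."""
    new_onions = []
    for match in ONION_V3_RE.finditer(text):
        addr = match.group(1) + ".onion"
        if is_valid_onion_v3(addr) and addr not in known_onions and addr not in new_onions:
            new_onions.append(addr)
    btc = [a for a in dict.fromkeys(BTC_LEGACY_RE.findall(text)) if is_valid_btc_legacy(a)]
    return {"new_onions": new_onions, "btc_addresses": btc}


# Constructed sample post. GOOD_ONION is derived from a made-up key; BAD_ONION
# differs only in its last character, which corrupts the version byte.
GOOD_ONION = make_onion_v3(bytes(range(32)))
BAD_ONION = GOOD_ONION[:55] + "e.onion"
SAMPLE_POST = (
    f"new market mirror: {GOOD_ONION} (old link {BAD_ONION} is a phish)\n"
    "escrow to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa only, NOT 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf\n"
    "the v2-style abcdefghijklmnop.onion link is long dead\n"
)

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_POST))
```

Every v3 onion name ends in "d" because the version byte 0x03 occupies the last five bits of the base32 stream, so the sample's bad address fails the version check deterministically rather than relying on a checksum mismatch. The Bitcoin address in the sample is the well-known genesis block address; the truncated copy beside it matches the regex but decodes to fewer than 25 bytes and is rejected, which is exactly the kind of noise a checksum step removes before anything is cross-referenced.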

