A financially motivated threat actor known as Lionishackers has emerged as a significant player in the illicit market for corporate data in recent months.
Relying on opportunistic targeting and a preference for Asia-based victims, the group uses automated SQL injection tools to breach database servers, exfiltrate sensitive data, and list it for sale on underground forums and Telegram channels.
Although not overtly ransomware-based, their model reflects a form of "double extortion": they monetize stolen data directly rather than encrypting it and demanding payment for decryption.
Outpost24 analysts noted that Lionishackers first surfaced in September 2024 and quickly built a reputation through proof-of-compromise screenshots and sample excerpts shared across several underground platforms.
The group's communication strategy involves maintaining numerous forum aliases, each tied to the same Telegram contact information, which frustrates long-term attribution while preserving buyer outreach.
Their offerings have diversified beyond corporate data to include social media and email credential databases, as well as ancillary services such as DDoS botnets and forum hosting projects.
As Lionishackers' activity accelerated, their impact on targeted organizations became increasingly apparent. Victims span government bodies, telecommunications companies, pharmaceutical firms, educational institutions, retail chains and, notably, gambling sites.
Exfiltrated data sets have included personally identifiable information (PII), financial records, and authentication credentials, all readily exploited for identity theft, account takeover, or corporate espionage.
The group's tactics underscore the growing potency of database-focused cybercrime, which can inflict serious reputational and financial harm without deploying traditional ransomware.
Outpost24 researchers found that the group's specialization in SQL-based attacks and its reliance on widely available automation frameworks enable rapid compromise at scale.
The transition from isolated database sales to additional offerings, such as the Ghost botnet for network-layer DDoS, demonstrates an evolving criminal enterprise.
Lionishackers commercializing the Ghost botnet on Telegram (Source – Outpost24)
A Telegram advertisement showcased Ghost's capabilities, while the short-lived "Forced Forums" project launched amid law enforcement scrutiny of BreachForums.
Lionishackers promoting the creation of the Forced Forums (Source – Outpost24)
Infection Mechanism and Persistence Tactics
A closer examination reveals that Lionishackers primarily exploit SQL injection vulnerabilities in poorly configured web applications.
Using tools such as sqlmap, they automate reconnaissance and payload delivery.
A typical injection sequence observed by Outpost24 follows:
sqlmap -u "<target URL>" --batch --dbs --threads=5 --tamper=space2comment --time-sec=10
This command probes for injectable parameters, enumerates databases, and extracts table contents.
Once credentials are retrieved, the attackers often reuse valid logins to pivot deeper into internal networks.
Lionishackers, under the alias Captain Fen, showing a preference for compromising casino sites (Source – Outpost24)
Persistence is achieved by deploying lightweight backdoors, frequently simple web shells, hidden in temporary directories or disguised as innocuous update scripts.
Post on Telegram listing some of the countries Lionishackers specialize in (Source – Outpost24)
These shells allow ongoing data pulls and serve as fallback entry points if the initial vulnerability is patched.
By understanding Lionishackers' automation-driven SQL injection workflow and their rapid alias rotation across forums, defenders can prioritize web application firewall rules, improve query parameterization, and implement continuous monitoring for anomalous database access patterns.
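As an added illustration of the monitoring recommended above (example code written for this article, not from Outpost24), the script below scans web server access logs for the traits of the sqlmap invocation quoted earlier: the space2comment tamper (spaces rewritten as /**/), information_schema enumeration from --dbs, time-based blind payloads implied by --time-sec, the default sqlmap User-Agent, and the request bursts that --threads produces. The log lines, IP addresses and the burst threshold are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus
# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" \d+ \S+ "[^"]*" "([^"]*)"')
# Each signature maps to one trait of the sqlmap command quoted in the article.
SIGNATURES = {
    "space2comment": re.compile(r"/\*\*/"),                  # --tamper=space2comment
    "schema_enum": re.compile(r"information_schema", re.I),  # --dbs enumeration
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),  # --time-sec
    "sqlmap_ua": re.compile(r"sqlmap", re.I),                # default User-Agent string
}

def scan_line(line):
    """Return (client_ip, sorted signature names) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, ua = m.groups()
    decoded = unquote_plus(unquote_plus(path))  # payloads arrive URL-encoded, sometimes twice
    hits = [name for name, rx in SIGNATURES.items() if name != "sqlmap_ua" and rx.search(decoded)]
    if SIGNATURES["sqlmap_ua"].search(ua):
        hits.append("sqlmap_ua")
    return ip, sorted(hits)

def scan_log(lines, burst_threshold=3):
    """Aggregate hits per client IP; IPs with more than burst_threshold requests are tagged 'burst'."""
    hits_by_ip, requests = {}, Counter()
    for line in lines:
        parsed = scan_line(line)
        if parsed is None:
            continue
        ip, hits = parsed
        requests[ip] += 1
        if hits:
            hits_by_ip.setdefault(ip, set()).update(hits)
    for ip, n in requests.items():
        if n > burst_threshold:  # crude stand-in for the request rate --threads=5 produces
            hits_by_ip.setdefault(ip, set()).add("burst")
    return {ip: sorted(tags) for ip, tags in hits_by_ip.items()}

# Constructed sample: four probes from one TEST-NET client and one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:10:00:01 +0000] "GET /item.php?id=1%2F%2A%2A%2FAND%2F%2A%2A%2FSLEEP%2810%29 HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '203.0.113.5 - - [10/Jun/2025:10:00:01 +0000] "GET /item.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '203.0.113.5 - - [10/Jun/2025:10:00:02 +0000] "GET /item.php?id=1%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2Fschema_name%2F%2A%2A%2FFROM%2F%2A%2A%2Finformation_schema.schemata HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2025:10:00:12 +0000] "GET /item.php?id=1%2F%2A%2A%2FAND%2F%2A%2A%2FBENCHMARK%285000000%2CMD5%281%29%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2025:10:00:03 +0000] "GET /item.php?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

Running scan_log(SAMPLE_LOG) attributes all five signatures to 203.0.113.5 and nothing to the benign client; the payload checks fire even on the two requests that carry a browser User-Agent, which is the case a UA-only rule would miss.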