Sponsored by Hudson Rock Use Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are leading to ransomware attacks


Group D1r
Discovered 2026-07-13 11:33 UTC
Est. attack date 2026-07-13
Country GB

Description:

Thanks to leaked database by Synopsys, a roadmap was provided Many other group leaks were cross-referenced and thoroughly analyzed One of the leaked companies gave our team access to ARM center Severely incapacitated by 2FA email/sms-code required by ARM on every step, we were still able to download an interesting tool: Athena Download Manager That requires an SSL certificate of a company that owns ARM products, and downloading by means of Athena allows to bypass multiple 2FA checks that are required when downloading same files from www.arm.com This is now free for download to any reverse engineer on Earth and beyond, thanks to Synopsys company data negligence:

Infostealer activity detected by HudsonRock

Compromised Employees: 14

Compromised Users: 3633

Third Party Employee Credentials: 62


External Attack Surface: 125


Infostealer Distribution

DNS Records:

The following DNS records were found for the victim's domain.

WHOIS Emails
  • arm.com-Registrantanonymised.email
  • arm.com-Adminanonymised.email
  • arm.com-Techanonymised.email
  • abusecomlaude.com
MX Records
  • arm-com.mail.protection.outlook.com. Microsoft 365
TXT Records
  • docusign=4354edae-504a-4b6b-87e6-1e4ff8faa4b4
  • wZESOmeviH35RYkJm+jmvdFq3S4s8LaNfUvlocmmFcg=
  • jamf-site-verification=N8SpeAd-0sZd-eq7yo86tw
  • Dynatrace-site-verification=83ffa8fa-73e2-4d46-878a-734e3bbfbc8c__tuevt2jng9172hnkapd2ilpf5n
  • facebook-domain-verification=p9lo864qhly23ne718q7xpx8ou5en5
  • loom-site-verification=0c5ca6a1e0644cad80e3dabbae38bce3
  • atlassian-domain-verification=Kab7/mjw4dDUOKLoQrDFRANUr861TeImKTyMXKzs4qtnFUEpg+nnzNad4rnaS9Pr
  • apple-domain-verification=BSBEa0gMuEQAMKLR
  • _globalsign-domain-verification=xl_zUjAb5e-087Hw3oq00POA4DNbyJcyjKUUQtmymv
  • parallels-domain-verification=63113f27e7e54ff1b08f85e406ae405970a0957b720046d4b2845035a5b6e264
  • v=spf1 include:_spf-a.arm.com include:_spf-b.arm.com include:_spf-c.arm.com -all
  • MS=ms75314990
  • 00de0000000l5gtmak
  • arm.com.00DE0000000L5GtMAK.live.siteforce.com
  • sitecore-domain-verification=bbcb1c51864649aa942224a73711a109
  • pTXUqVOFDgvKujvb2YneVrgSMs4HO2L3QY/DBptqMX0=
  • scnv-verification=2dc0c3db9aeb6cc6cbc4d01b352a776a:304298b8f07d069b4fe822ae05fa4998:958046c5754042a68cfdc62a99423941
  • miro-verification=519a170e96753c702023321610d10cf2564c2fb6
  • atlassian-sending-domain-verification=dbd0283e-6213-4e44-a9e0-d105d0798424
  • remarkable-domain-verification=0e104644-0823-47c1-8207-e6f8cfc4b56d
  • _globalsign-domain-verification=RW5XFgbr6HEWfe8ifSSAodFQYdy3tAqZ-Pza5nYpFu
  • docker-verification=44a6692b-6e77-44fd-8701-071d06f9f319
  • 6lGRnuRk8kC0MPI/1xxIjEKbcbRHL5yBXKoXofWbiXQ=
  • arm.com Globalsign validation
  • google-site-verification=tHuC5YTqt9gYnORmLQokkO-KBiiM86U1qvCrTb2Zh_w
  • 7Ms7HXWIVBFZt8rbhyvRZj1SjMLKHUGxpBcwH2lfQV8=
  • t6keBVEiT94PQwcYb3UwyLUpkWVpEfUR+GHpHBd6L24=
  • docusign=3378549e-e22d-4ebb-a1fc-13cd3e7657cd
  • mongodb-site-verification=xXRygrrDunBRlVKK2gclJFnFrCmNa7vJ
  • MS=ms99651240
  • 75mg2wb15tKXyadX7ubMPLg5fJz9kISG9XOX1+1aTMA=
  • docusign=1b941d60-18db-4bc0-893a-9f050c6ff220
  • 7hH07yiIUzNg+lhbIbS2I+qoyXam+XYjZQphd30oy2s=
  • google-site-verification=wAP0CMj1e4ykhDl5tvr_TRJDLTQCRu2Ssi_lN5XBdns
  • e880bd87-df0f-4092-a5ec-5d2355aadfbb
  • asv=73e72696310a7c875d617954c2c2380b
  • google-site-verification=sFxb2VJWasr0bcA0AfiCwrxNInZ_BwXA0kQf1w9WmSI
  • Validity-Domain-Verification=+fvuyK4xGf8IYtdYiPEHhu+B90A=
Cloud / SaaS Services Detected
Apple Atlassian Docker Global Sign Microsoft 365 Miro Parallels JamF DocuSign