{
  "Event": {
    "analysis": "1",
    "date": "2026-03-28",
    "extends_uuid": "",
    "info": "[Threat Intel] BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022\u20132026)",
    "protected": false,
    "publish_timestamp": "1775900435",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775900435",
    "uuid": "cf21d66b-0307-40eb-9059-8ac921038ea9",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#fb3bcd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"",
        "relationship_type": ""
      },
      {
        "colour": "#f28fb8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#65d24c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Identity Information - T1589\"",
        "relationship_type": ""
      },
      {
        "colour": "#36a9d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#454726",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
        "relationship_type": ""
      },
      {
        "colour": "#b206a3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Accounts - T1586\"",
        "relationship_type": ""
      },
      {
        "colour": "#2da3e8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Network Information - T1590\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"data-breach\"",
        "relationship_type": ""
      },
      {
        "colour": "#120046",
        "local": false,
        "name": "rectifyq:sub-category=\"infra-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868408",
        "to_ids": false,
        "type": "link",
        "uuid": "0fc32a80-9b5e-4244-83e6-ade28b527852",
        "value": "https://www.d3lab.net/breachforums-data-leaks-technical-analysis-and-timeline-attribution-2022-2026/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868408",
        "to_ids": false,
        "type": "text",
        "uuid": "65bdc498-4be7-4c0a-a927-99b2519ddc13",
        "value": "This analysis examines multiple data leaks attributed to BreachForums between 2022 and 2026, focusing on distinguishing leak publication dates from the actual data timelines. The study covers four datasets associated with different domain names (.vc, .co, .hn, .bf) used by the platform. Each dataset is analyzed based on publication date, format, database structure, and the 'lastactive' field in the user table. The analysis shows that the domain associated with a leak does not necessarily indicate when the compromise occurred; rather, it reflects the context in which the data was collected. The article emphasizes the importance of differentiating the publication date from the actual data timeline to avoid misattribution in cyber threat intelligence activities."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868408",
        "to_ids": false,
        "type": "text",
        "uuid": "8ee1e2a5-07dd-4d32-8d53-73e260d6af76",
        "value": "Name: BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022\u20132026)\nAuthor: AlienVault\nAdversary: BreachForums\nTags: [\"timeline attribution\", \"data leaks\", \"mybb\", \"forum infrastructure\", \"database dumps\"]\nTargeted countries: []\nMalware families: []\nAttack_ids: [\"T1592\", \"T1003\", \"T1589\", \"T1087\", \"T1584\", \"T1586\", \"T1590\", \"T1078\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868408",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "f4067b0a-47a9-4db2-9e29-a979ad243951",
        "value": "BreachForums"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 11/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884387",
        "to_ids": true,
        "type": "md5",
        "uuid": "bdc597ef-8dde-43e3-8299-2a4f72c535be",
        "value": "36117bdf2096b3233d78d889c44bcc59",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 11/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884388",
        "to_ids": true,
        "type": "md5",
        "uuid": "37e5b4ce-6006-4afd-b564-02181b4d872b",
        "value": "f280d678e83099db8c3539764d212ccf",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 11/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884389",
        "to_ids": true,
        "type": "sha256",
        "uuid": "58f1c153-c626-46cc-adf4-512e50b18777",
        "value": "5496517861f3d3b16759ff63d6c3a54250f0aa42ce7a0b989d2c4e223424fc62",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 11/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884390",
        "to_ids": true,
        "type": "sha256",
        "uuid": "2873b687-95cf-4937-8037-ec5c573084f8",
        "value": "790f3595850e4d8c212a35a40eb69fe0431fda6abcfbbf4592126bf636df2088",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888762",
        "to_ids": true,
        "type": "domain",
        "uuid": "1e2b76d4-0b8a-4ac0-8420-947e4bca6555",
        "value": "breachforums.co",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888784",
        "to_ids": true,
        "type": "domain",
        "uuid": "cce7f282-6217-4a72-b0e7-2ff12a053679",
        "value": "breachforums.hn",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888805",
        "to_ids": true,
        "type": "domain",
        "uuid": "1f821585-8586-4075-ac90-0e33815eabfa",
        "value": "breachforums.vc",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888826",
        "to_ids": true,
        "type": "domain",
        "uuid": "9ad2e4b6-ec07-42b6-825b-d6460bdabbf4",
        "value": "cronos.li",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888847",
        "to_ids": true,
        "type": "domain",
        "uuid": "244a674b-aaf3-432c-8bc0-b3bd89e9e096",
        "value": "shinyhunte.rs",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888868",
        "to_ids": true,
        "type": "hostname",
        "uuid": "36341ba5-d38d-49cb-8b35-a65523ff8a20",
        "value": "cdn.breachforums.bf",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888889",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2e9b2e4d-ddeb-4654-9510-7bf387a3cb4e",
        "value": "escrow.breachforums.bf",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888910",
        "to_ids": true,
        "type": "domain",
        "uuid": "4a0ff2a0-352a-4db3-b110-d5b368b72d8f",
        "value": "breachforums.bf",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775888931",
        "uuid": "075e0ef2-4271-4d43-95c1-f095b804c8c7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775888931",
            "to_ids": true,
            "type": "md5",
            "uuid": "a9424bfd-2f56-433c-8e68-18c17ab1316e",
            "value": "416896dcc1d9a8975702d897535dd8c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884386",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c80a7e7c-4be5-401a-9ee6-b19f33ec1518",
            "value": "2b33944577a8a853c41e6ae219482a1fe241043d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884386",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0b25eab6-a755-42ca-b780-29d2abf3b5f5",
            "value": "6d6b506693dbc7a19d65771f9869361fd8b639e40012049411c43c418df73d45",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775883917",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5e8f59be-50f5-48a3-9f4b-97de0541f1e8",
            "value": "24576:M+r+pKryv2cugGPEdl7ry++mkDPZjCSPyr+zrrojNhsUUfWlal:QvZZ00eorRRm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775883917",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e5f3b48a-8b89-4131-8d98-ef6a87069e4a",
            "value": "2555664"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775883917",
            "to_ids": true,
            "type": "filename",
            "uuid": "bcc456e5-66c0-41e1-b186-143301c3b231",
            "value": "6fo3po.sql"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast scan: 06/04/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775883917",
            "to_ids": false,
            "type": "text",
            "uuid": "c0065248-88d4-4ad8-9f81-cb25c498db2b",
            "value": "Type Description: Structured Query Language\nMicrosoft: None\nVT Total Detection: 0/62\nFirst Submission: 2023-06-19T10:50:25.000000+00:00\nLast Submission: 2026-01-13T14:15:04.000000+00:00"
          }
        ]
      }
    ]
  }
}