
A significant cybersecurity breach has been uncovered involving the hacker group known as “Daisy Cloud,” which has exposed more than 30,000 login credentials spanning numerous digital services.
The threat actors have been operating a sophisticated credential marketplace on Telegram since October 18, 2023, selling access to financial platforms, cloud services, government portals, and personal accounts at alarmingly accessible prices.
The exposed credentials appear to be harvested through information-stealing malware, potentially linked to the notorious RedLine Stealer family, which has been a persistent threat in the cybercrime ecosystem.
The breach represents an extensive cross-section of digital services, with 25,693 unique websites and applications affected across 108 countries.
The stolen credentials grant access to high-value targets including cryptocurrency exchanges like Binance and Coinbase, personal services such as Facebook and Netflix, and critical infrastructure including government portals from multiple nations.
This diverse targeting strategy demonstrates the threat actor’s intent to maximize monetization opportunities across multiple sectors rather than focusing on a single vertical.
Veriti researchers identified several instances of server-level compromise that showcase the sophisticated nature of the attack.
Analysis of the exposed data dump
During their analysis of the exposed data dump, they discovered administrative access to cloud and on-premise servers spanning multiple geographic regions.
The researchers noted that many of these servers lacked proper security controls, with some missing antivirus protection entirely, creating an ideal environment for malware propagation and persistence.
The server-level exposure represents perhaps the most concerning aspect of this breach.
In one documented case, a server in Southeast Asia, likely belonging to an educational institution, was compromised with full administrative privileges.
The configuration suggested it was used for development purposes, making it a potential staging ground for deeper network penetration.
Without the appropriate endpoint protection mechanisms, the server remained vulnerable to a range of attack vectors.
```javascript
// Simplified infection chain pseudocode (illustrative only, not runnable code)
function infectionChain() {
    const initialAccess = deployPhishingCampaign();
    if (initialAccess) {
        // Stage one: the infostealer harvests credentials and ships them to the C2
        const stageOnePayload = downloadInfostealer();
        const harvestedCredentials = stageOnePayload.execute();
        uploadToC2Server(harvestedCredentials);
        // Stage two: only high-value victims get follow-on lateral movement
        if (detectsHighValueTarget()) {
            deployLateralMovementTools();
            compromiseAdditionalSystems();
        }
    }
}
```
The Daisy Cloud incident demonstrates the evolution of credential theft operations from opportunistic attacks to sophisticated, multi-stage campaigns with potential for lateral movement.
Veriti researchers observed evidence of coordinated infections across entire network segments in several countries, including Poland, the Netherlands, the UK, and the United States.
This suggests that initial credential theft serves as merely the first stage in a broader access operation potentially leading to ransomware deployment or data exfiltration.
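As an added example (not code from the article or from Veriti), the following script shows how a defender would triage a credential dump like this one: count unique affected sites, flag accounts on the high-value services the article names, and list accounts belonging to the organisation's own domains, without ever handling passwords beyond parse time. The `url|username|password` line shape and the sample entries are constructed assumptions; the real Daisy Cloud dump format is not described above.

```python
"""Defender-side triage of a leaked credential dump (added example)."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in a common infostealer log shape "url|username|password".
# The article does not describe the actual dump format (assumption).
SAMPLE_DUMP = """\
https://www.binance.com/en/login|alice@example.org|REDACTED1
https://accounts.coinbase.com/signin|bob@example.org|REDACTED2
https://www.netflix.com/login|carol@gmail.test|REDACTED3
https://www.binance.com/en/login|dave@corp.test|REDACTED4
https://portal.gov.test/login|erin@example.org|REDACTED5
https://portal.gov.test/login|erin@example.org|REDACTED5
garbage line without separators
"""

# Services the article names as high-value targets (matched as hostname suffixes).
HIGH_VALUE = ("binance.com", "coinbase.com", "facebook.com", "netflix.com")


def _matches(host, domain):
    """True for the domain itself or any subdomain, not for look-alikes."""
    return host == domain or host.endswith("." + domain)


def parse_dump(text):
    """Yield (host, username) pairs; the password field is dropped here."""
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # tolerate malformed lines instead of aborting the run
        host = urlsplit(parts[0].strip()).hostname
        if host:
            yield host.lower(), parts[1].strip().lower()


def triage(text, own_domains):
    """Summarise exposure: unique sites, watchlist hits, own-org accounts."""
    pairs = set(parse_dump(text))  # repeated entries collapse to one
    sites = Counter(host for host, _ in pairs)
    hits = sorted({u for h, u in pairs
                   if any(_matches(h, d) for d in HIGH_VALUE)})
    own = sorted({(h, u) for h, u in pairs
                  if u.rsplit("@", 1)[-1] in own_domains})
    return {"unique_sites": len(sites), "high_value_users": hits,
            "own_accounts": own, "top_sites": sites.most_common(3)}


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP, {"example.org"}))
```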