dk0m is an underground cybercrime actor described by CyberHUB-AM as a data broker active since at least 2024, advertising and selling government-related datasets and access on underground forums. In the Armenia-related case, dk0m advertised for sale (~$2,500) nearly 8 million alleged government records purportedly taken from a government notification system used to distribute official legal/administrative communications; Armenian authorities denied a compromise of government email infrastructure and preliminarily assessed the data may have originated from the electronic civil litigation platform, with an investigation ongoing. CyberHUB-AM assessed dk0m commonly uses information-stealing malware (infostealers) to harvest saved credentials and session cookies from infected devices, then uses those to identify access to sensitive government portals before repackaging and reselling data; the actor may provide samples or database structures to bolster credibility. The advertised Armenian dataset was described as including police and judiciary communications and screenshots dated August 2024, and researchers warned that if authentic it could materially increase social-engineering risk via highly convincing scam messages referencing real case numbers, fines, or enforcement actions. CyberHUB-AM also attributed to dk0m prior advertisements of government-related data tied to ministries in Argentina, Ukraine, and Brazil; separate reporting cited dk0m offering Ukrainian confidential justice/court data and selling access to a Ukrainian court account containing law-enforcement data.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Advertised the sale of a large dataset (~8 million) of allegedly stolen Armenian government records, reportedly using information-stealing malware to validate/obtain access to government portals and then repackaging and reselling the data; activity increases downstream social-engineering/scam risk using real case numbers/fines/enforcement details.
Underground forum data broker offering for sale an alleged trove of ~8 million Armenian government-related notification/civil litigation records; reportedly uses infostealer malware to harvest credentials/session cookies, identify access to government portals, and resell obtained datasets. Previously advertised government-related data tied to ministries in Argentina, Ukraine, and Brazil.
dk0m is an underground forum actor selling access to Ukrainian confidential data, including justice and court data, and access to a Ukrainian court account.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.