A threat actor on a dark web forum claims to control a botnet that includes a device belonging to a well-known US cosmetics company. The attacker alleges that the botnet gives them access to this specific device and that they can issue PowerShell commands to it through a command-and-control (C2) interface. They also suspect that Cisco AnyConnect is being used for domain connectivity.
The attacker is offering to sell control of the bot to interested buyers, providing access through a web-based control panel. Once sold, the threat actor promises to remove their software from the system, leaving the device fully under the buyer’s control.
The threat actor offers limited extras, including a Chrome browser log containing two passwords, but provides no additional network access or guarantees. The starting price for access to the device is $6,000, with bid increments of $1,000 and a “blitz” price of $12,000 for immediate purchase.
The attacker claims they will only share more detailed information with serious buyers.