Zack Korman

Introduction

Self-proclaimed ethical hacker who publishes detailed breach guides for profit. Operates under the guise of security research while selling access to compromised data on forums. Known for aggressive marketing of his courses.

Activities and Tactics

Targeted Sectors: Education, Technology, AI/ML Platforms, Cloud Infrastructure, Security Awareness Vendors

Country of Origin: 🇺🇸 US

Risk Level: Medium

First Seen: 2023

Last Activity: 2026

Suspected Victims: Small Businesses, Nonprofits, Norway (based), United Kingdom

Notable Campaigns

• Zackware Tutorial Empire
• BreachBro Data Store
• Copilot Research - Microsoft 365 Copilot compromise
• Vercel Skills Campaign - npx supply chain research
• AI Awareness Disruption - Social media amplification

Tactics, Techniques, and Procedures (TTPs)

• T1566 - Phishing
• T1078 - Valid Accounts
• T1082 - System Information Discovery
• T1083 - File and Directory Discovery
• T1056 - Keylogging
• T1566 - Prompt Injection
• T1565 - Social Media C2 via X
• T1078 - Account takeover research
• T1485 - Data exfiltration
• T1190 - Supply chain research
• T1629 - Product development as lateral movement

Notable Indicators of Compromise (IOCs)

Domains

• zackware.net
• breachbro.io
• zkorman.com

URLs

• https://zackware.net/tutorials
• https://zkorman.com
• https://github.com/zackkorman

Malware and Tools

• Analyst: ZackStealer - Custom info-stealer sold in “courses”
• Analyst: ForgeMail - Email hacking tool marketed as “educational”
• Analyst: Custom Skill Collections - GitHub-hosted persistence lures

Attribution and Evidence

Country of Origin: US Additional attribution information pending cataloguing.

Analyst Notes

Zack Korman is a controversial figure in the “threat actor” space. Despite claiming to be an ethical security researcher, he monetizes detailed breach guides and compromised data through “educational courses.”

His business model involves:

1. Free Discord server with “teasers”
2. Paid courses ($500-2000) covering specific attack types
3. Direct sales of “anonymized” breach data

He rebranded multiple times (Zackware → BreachBro) after previous sites were taken down.

PARODY/PERSONA TEST ACTOR

Zack Korman is a Norway-based independent operator and startup founder active since at least 2023, primarily targeting the AI agent and security awareness ecosystems.

BACKGROUND:

• Leverages legal training (Edinburgh/Oxford) and prompt engineering

• Conducts high-visibility “research operations” via X threads and YouTube

• Associated with Embroidery collective (nascent AI threat detection)

• Linked to Pistachio group

NOTABLE OPERATIONS:

• Microsoft 365 Copilot compromise through crafted prompts enabling unauthorized file access without logging

• Abused npx skills add mechanisms in Vercel environments

• Exposed weaknesses in third-party skill repositories (ClawHub, Skills.sh)

MOTIVATION:

• Financially driven (promotion of defensive AI products)

• Secondary hacktivist elements disrupting “AI security hype”

TARGETS:

• Big-tech AI platforms

• Security awareness vendors

• Organizations adopting autonomous agents

OBSERVATIONS:

• No confirmed destructive payloads

• Focus on data exfiltration of vendor shortcomings

• Amplifies findings via X and YouTube (social media C2)

• Operations blend red-team with legal/compliance analysis

INFRASTRUCTURE:

• zkorman.com blog

• Personal GitHub

• High-engagement X account for C2

This is a test/parody persona for system validation purposes.

References

References pending cataloguing.