Fake Homebrew Typosquats Used to Deliver Cuckoo Stealer via ClickFix

Learn More

Hunt.io

Product

Features

OEM

Pricing

About

Blog

Login

Get a Demo

Fake Homebrew Typosquats Used to Deliver Cuckoo Stealer via ClickFix

Learn More

Hunt.io

Fake Homebrew Typosquats Used to Deliver Cuckoo Stealer via ClickFix

Learn More

Hunt.io

Product

Features

OEM

Pricing

About

Blog

Login

Get a Demo

Fake Homebrew Typosquats Used to Deliver Cuckoo Stealer via ClickFix

Learn More

Hunt.io

Product

Features

OEM

Pricing

About

Blog

Login

Get a Demo

Threat Research

& Product Updates

Threat Research

& Product Updates

Threat Research

& Product Updates

Practical threat hunting research from real investigations powered by Hunt.io.

Practical threat hunting research from real investigations powered by Hunt.io.

Threat Research

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Threat Intelligence Team

Jan 14, 2026

15

min read

Read Article

Threat Research

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Threat Intelligence Team

Jan 14, 2026

15

min read

Read Article

Threat Research

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Threat Intelligence Team

Jan 14, 2026

15

min read

Read Article

Threat Research

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Discover how we mapped over 18,000 active malware C2 servers across Chinese ISPs and cloud providers using host-centric telemetry. See which providers are most frequently abused and what it means for global threat monitoring.

Jan 14, 2026

13

min read

Read Article

Threat Research

Threat Research

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Discover how we mapped over 18,000 active malware C2 servers across Chinese ISPs and cloud providers using host-centric telemetry. See which providers are most frequently abused and what it means for global threat monitoring.

Jan 14, 2026

13

min read

Read Article

Threat Research

Filters

Filters

Filters

Type

Victim Region

Malware

Attack Technique

Release Date

Threat Research

Exposed Open Directory Leaks a Full BYOB Deployment Across Windows, Linux, and macOS

Jan 28, 2026

26

min read

Read Article

Threat Research

BYOB

Command & Control (C2)

Jan 2026

Threat Research

Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns

Dec 17, 2025

19

min read

Read Article

Threat Research

Backdoor Installer

FRP/Rakshasa

Command & Control (C2)

Threat Research

Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools

Oct 16, 2025

17

min read

Read Article

Threat Research

🇪🇺 Europe

🌎 North America

Odyssey Stealer

AMOS Spyware

Malware Delivery

Odyssey

AMOS

Oct 2025

Threat Research

AdaptixC2 Uncovered: Capabilities, Tactics & Hunting Strategies

Oct 9, 2025

17

min read

Read Article

Threat Research

🌏 Asia

AdaptixC2

Command & Control (C2)

AdaptixC2

Oct 2025

Threat Research

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

Oct 1, 2025

20

min read

Read Article

Threat Research

🌏 Asia

SideWinder

Phishing & Social Engineering

APT Sidewinder

Oct 2025

Threat Research

Hunting C2 Panels: Beginner’s Guide for Identifying Command and Control Dashboards

Sep 25, 2025

16

min read

Read Article

Threat Research

🌍 Global

Command & Control (C2)

Sep 2025

Threat Research

Tracking AsyncRAT via Trojanized ScreenConnect and Open Directories

Sep 18, 2025

24

min read

Read Article

Threat Research

🌍 Global

AsyncRAT

Command & Control (C2)

Sep 2025

Threat Research

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

Sep 11, 2025

29

min read

Read Article

Threat Research

🌎 North America

MaaS

Phishing & Social Engineering

Sep 2025

Threat Research

From Panel to Payload: Inside the TinyLoader Malware Operation

Sep 2, 2025

13

min read

Read Article

Threat Research

🌍 Global

TinyLoader

RedLine Stealer

Malware Delivery

Sep 2025

Threat Research

APT MuddyWater Deploys Multi-Stage Phishing to Target CFOs

Aug 20, 2025

16

min read

Read Article

Threat Research

🌍 Middle East

PowGoop

MuddyWater RAT

Malware Delivery

MuddyWater

Aug 2025

Threat Research

Hunt.io Exposes and Analyzes ERMAC V3.0 Banking Trojan Full Source Code Leak

Aug 14, 2025

16

min read

Read Article

Threat Research

🌍 Global

ERMAC v3

Malware Delivery

Aug 2025

Threat Research

APT36 Expands Beyond Military: New Attacks Hit Indian Railways, Oil & Government Systems

Jul 31, 2025

13

min read

Read Article

Threat Research

🇮🇳 India

Poseidon

Malware Delivery

APT36

Jul 2025

Threat Research

Clickfix on macOS: AppleScript Malware Campaign Uses Terminal Prompts to Steal Data

Jul 22, 2025

17

min read

Read Article

Threat Research

🇮🇳 India

🌏 Asia

Phishing & Social Engineering

Malware Delivery

APT36

Jul 2025

Threat Research

Widespread gov.br Subdomain Abuse: 630k+ URLs Leveraged for Black Hat SEO Redirects

Jul 17, 2025

13

min read

Read Article

Threat Research

🌎 South America

Poseidon

GhostRAT

Jul 2025

Threat Research

Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure

Jun 19, 2025

12

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Malware Delivery

Jun 2025

Threat Research

Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure

Jun 5, 2025

10

min read

Read Article

Threat Research

🌍 Global

AsyncRAT

XWorm

Malware Delivery

Jun 2025

Threat Research

How to Track Threat Actors Through Real-World IOC Pivoting

May 29, 2025

8

min read

Read Article

Threat Research

🌍 Global

IOC Pivoting

May 2025

Threat Research

Shared SSH Keys Expose Coordinated Phishing Campaign Targeting Kuwaiti Fisheries and Telecom Sectors

May 15, 2025

7

min read

Read Article

Threat Research

🌍 Middle East

Phishing & Social Engineering

May 2025

Threat Research

Unmasking Proxy Infrastructure: How to Detect IOX, FRP, Rakshasa Proxies with Hunt.io

May 8, 2025

8

min read

Read Article

Threat Research

🌏 Asia

FRP/Rakshasa

Command & Control (C2)

May 2025

Threat Research

APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

May 5, 2025

8

min read

Read Article

Threat Research

🇮🇳 India

Phishing & Social Engineering

APT36

May 2025

Threat Research

Track APT34-Like Infrastructure Before It Strikes

Apr 22, 2025

9

min read

Read Article

Threat Research

🌍 Middle East

Karkoff

SideTwist

PowBAT

Command & Control (C2)

APT34

Apr 2025

Threat Research

KeyPlug-Linked Server Briefly Exposes Fortinet Exploits, Webshells, and Recon Activity Targeting a Major Japanese Company

Apr 17, 2025

12

min read

Read Article

Threat Research

🌍 Global

KEYPLUG

Tool & Infrastructure Exposure

Chinese APT

Apr 2025

Threat Research

Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight

Apr 15, 2025

10

min read

Read Article

Threat Research

🌍 Global

Pterodo

ShadowPad

Phishing & Social Engineering

Gamaredon

ShadowPad ecosystem

Apr 2025

Threat Research

GoPhish Framework Leveraged to Target Polish Government Regulator and Energy Sector

Apr 10, 2025

7

min read

Read Article

Threat Research

🇪🇺 Europe

Gopish

Phishing & Social Engineering

Apr 2025

Threat Research

State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure

Apr 8, 2025

11

min read

Read Article

Threat Research

🇪🇺 Europe

🌏 Asia

ShadowPad

Command & Control (C2)

Apr 2025

Threat Research

Identifying ClickFix Exploits: A Case Study in Proactive Threat Hunting

Apr 3, 2025

9

min read

Read Article

Threat Research

🌏 Asia

ClickFix

Phishing & Social Engineering

APT36

Apr 2025

Threat Research

A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io

Mar 25, 2025

11

min read

Read Article

Threat Research

🌍 Global

Malware Delivery

Mar 2025

Threat Research

South Korean Organizations Targeted by Cobalt Strike ‘Cat’ Delivered by a Rust Beacon

Mar 18, 2025

8

min read

Read Article

Threat Research

🇰🇷 South Korea

Cobalt Strike

Malware Delivery

DPRK (North Korea)

Mar 2025

Threat Research

JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure

Mar 11, 2025

6

min read

Read Article

Threat Research

JSPSpy

FileBrowser

Malware Delivery

Lazarus Group

Mar 2025

Threat Research

Exposing Russian EFF Impersonators: The Inside Story on Stealc & Pyramid C2

Mar 4, 2025

12

min read

Read Article

Threat Research

🌍 Global

Stealc

Pyramid

Phishing & Social Engineering

Malware Delivery

Russian APT

Mar 2025

Threat Research

Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure

Feb 27, 2025

11

min read

Read Article

Threat Research

🌍 Global

Joker

Certificate & TLS Abuse

Feb 2025

Threat Research

LightSpy Expands Command List to Include Social Media Platforms

Feb 20, 2025

11

min read

Read Article

Threat Research

🌏 Asia

LightSpy

Data Theft & Exfiltration

Chinese APT

Feb 2025

Threat Research

Backdoored Executables for Signal, Line, and Gmail Target Chinese-Speaking Users

Feb 18, 2025

7

min read

Read Article

Threat Research

🇨🇳 China

Backdoor Installer

Malware Delivery

Feb 2025

Threat Research

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Feb 12, 2025

6

min read

Read Article

Threat Research

Pyramid

Reconnaissance & Scanning

Feb 2025

Threat Research

GreenSpot APT Targets 163.com Users with Fake Download Pages & Spoofed Domains

Feb 4, 2025

6

min read

Read Article

Threat Research

🌏 Asia

Phishing & Social Engineering

GreenSpot APT

Feb 2025

Threat Research

SparkRAT: Server Detection, macOS Activity, and Malicious Connections

Jan 28, 2025

9

min read

Read Article

Threat Research

🌏 Asia

SparkRAT

Command & Control (C2)

DPRK (North Korea)

Jan 2025

Threat Research

Mapping Suspected KEYPLUG Infrastructure: TLS Certificates, GhostWolf, and RedGolf/APT41 Activity

Jan 23, 2025

15

min read

Read Article

Threat Research

🌏 Asia

KEYPLUG

Certificate & TLS Abuse

APT41

GhostWolf

Jan 2025

Threat Research

Malicious VS Code Extension Impersonating Zoom Steals Chrome Cookies

Jan 21, 2025

8

min read

Read Article

Threat Research

🌍 Global

Malicious Extension

Malware Delivery

Jan 2025

Threat Research

‘JustJoin’ Landing Page Linked to Suspected DPRK Activity Resurfaces

Jan 14, 2025

5

min read

Read Article

Threat Research

🇰🇷 South Korea

Credential Reuse

DPRK (North Korea)

Jan 2025

Threat Research

Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure

Jan 9, 2025

7

min read

Read Article

Threat Research

🌍 Global

Malicious Extension

Certificate & TLS Abuse

Jan 2025

Threat Research

Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure

Jan 7, 2025

9

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Command & Control (C2)

Jan 2025

Threat Research

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors

Dec 12, 2024

6

min read

Read Article

Threat Research

🇪🇺 Europe

🌎 North America

Oyster

IOC Pivoting

Vanilla Tempest

Dec 2024

Threat Research

“Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure

Dec 10, 2024

6

min read

Read Article

Threat Research

🇰🇷 South Korea

Beacon Reuse

Kimsuky

Dec 2024

Threat Research

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Devices

Dec 5, 2024

7

min read

Read Article

Threat Research

🌏 Asia

MoqHao

Phishing & Social Engineering

Dec 2024

Threat Research

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity

Dec 3, 2024

8

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Command & Control (C2)

Dec 2024

Threat Research

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure

Nov 21, 2024

7

min read

Read Article

Threat Research

🌏 Asia

🇪🇺 Europe

DarkPeony

Certificate & TLS Abuse

Nov 2024

Threat Research

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method

Nov 19, 2024

6

min read

Read Article

Threat Research

🌍 Global

XenoRAT

Evasion & Obfuscation

DPRK (North Korea)

Nov 2024

Threat Research

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator

Nov 12, 2024

7

min read

Read Article

Threat Research

🌎 North America

Sliver

Ligolo-ng

Command & Control (C2)

Nov 2024

Threat Research

RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit

Nov 5, 2024

9

min read

Read Article

Threat Research

🌍 Global

RunningRAT

XMRig

Botnet Activity, Cryptomining

Nov 2024

Threat Research

Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight

Oct 31, 2024

7

min read

Read Article

Threat Research

Cobalt Strike

BrowserGhost

Tool & Infrastructure Exposure

Oct 2024

Threat Research

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Oct 29, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

Phishing & Social Engineering

DPRK (North Korea)

Oct 2024

Threat Research

Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users

Oct 24, 2024

6

min read

Read Article

Threat Research

🌍 Global

Rekoobe

Malware Delivery

Oct 2024

Threat Research

From Warm to Burned: Shedding Light on Updated WarmCookie Infrastructure

Oct 17, 2024

6

min read

Read Article

Threat Research

WarmCookie

Command & Control (C2)

Oct 2024

Threat Research

Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity

Oct 10, 2024

8

min read

Read Article

Threat Research

🌏 Asia

PlugX

Tool & Infrastructure Exposure

Earth Baxia

Oct 2024

Threat Research

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Pages

Oct 8, 2024

8

min read

Read Article

Threat Research

🌍 Global

SpyNote

DDoS Scripts

Tool & Infrastructure Exposure

Oct 2024

Product News

Announcing Hunt SQL

Oct 3, 2024

1

min read

Read Article

Product News

Oct 2024

Threat Research

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection

Oct 1, 2024

8

min read

Read Article

Threat Research

Packed Python Script

Evasion & Obfuscation

Oct 2024

Threat Research

Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory

Sep 24, 2024

12

min read

Read Article

Threat Research

Initial Access & Exploitation

Sep 2024

Product News

Announcing Hunt APIs

Sep 17, 2024

1

min read

Read Article

Product News

Sep 2024

Threat Research

Decoy Docs and Malicious Browser Extensions: A Closer Look at a Multi-Layered Threat

Sep 10, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

Malicious Extension

Phishing & Social Engineering

Kimsuky

Sep 2024

Threat Research

ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

Sep 3, 2024

10

min read

Read Article

Threat Research

🌍 Global

ToneShell

Phishing & Social Engineering

Mustang Panda

Sep 2024

Threat Research

Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims

Aug 29, 2024

7

min read

Read Article

Threat Research

🇰🇷 South Korea

Latrodectus

Fake Installer

Malware Delivery

Aug 2024

Product News

Announcing AttackCapture by Hunt.io

Aug 23, 2024

1

min read

Read Article

Product News

Aug 2024

Threat Research

EvilGophish Unhooked: Insights Into the Infrastructure and Notable Domains

Aug 13, 2024

6

min read

Read Article

Threat Research

Gophish

Phishing & Social Engineering

Aug 2024

Threat Research

MacOS Malware Impersonates The Unarchiver App to Steal User Data

Jul 30, 2024

7

min read

Read Article

Threat Research

🌍 Global

CryptoTrade

Malware Delivery

Jul 2024

Threat Research

A Simple Approach to Discovering Oyster Backdoor Infrastructure

Jul 23, 2024

6

min read

Read Article

Threat Research

Oyster

IOC Pivoting

Jul 2024

Threat Research

SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More

Jul 16, 2024

7

min read

Read Article

Threat Research

🌍 Global

Poseidon

Gh0st RAT

Malware Delivery

Jul 2024

Threat Research

The Secret Ingredient: Unearthing Suspected SpiceRAT Infrastructure via HTML Response

Jul 11, 2024

5

min read

Read Article

Threat Research

🇪🇺 Europe

🌏 Asia

SpiceRAT

Malware Delivery

Jul 2024

Threat Research

ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America

Jul 2, 2024

9

min read

Read Article

Threat Research

🌏 Asia

🇪🇺 Europe

🌎 South America

Initial Access & Exploitation

Jul 2024

Threat Research

Geacon and Geacon_Pro: A Constant Menace to Linux and Windows Systems

Jun 27, 2024

10

min read

Read Article

Threat Research

🌍 Global

Geacon

Command & Control (C2)

Chinese APT

Jun 2024

Threat Research

Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub

Jun 25, 2024

8

min read

Read Article

Threat Research

🌍 Global

XenoRAT

DPRK (North Korea)

Jun 2024

Threat Research

Caught in the Act: Uncovering SpyNote in Unexpected Places

Jun 20, 2024

6

min read

Read Article

Threat Research

SpyNote

Malware Delivery

Jun 2024

Threat Research

Open Directories Expose Publicly Available Tools Targeting Asian Organizations

Jun 18, 2024

7

min read

Read Article

Threat Research

🌏 Asia

Tool & Infrastructure Exposure

Chinese APT

Jun 2024

Threat Research

Gh0st and Pantegana: Two RATs that Refuse to Fade Away

Jun 12, 2024

7

min read

Read Article

Threat Research

🌍 Global

Gh0st RAT

Pantegana RAT

Malware Delivery

DriftingCloud

Jun 2024

Threat Research

Tracking LightSpy: Certificates as Windows into Adversary Behavior

Jun 6, 2024

7

min read

Read Article

Threat Research

🌏 Asia

LightSpy

Certificate & TLS Abuse

Jun 2024

Threat Research

Legacy Threat: PlugX Builder/Controller Discovered in Open Directory

Jun 5, 2024

9

min read

Read Article

Threat Research

PlugX

Tool & Infrastructure Exposure

Chinese APT

Jun 2024

Threat Research

SolarMarker: Hunt Insights and Findings

May 30, 2024

7

min read

Read Article

Threat Research

🌎 North America

🇪🇺 Europe

SolarMarker

Malware Delivery

Multi-Stage Infection

May 2024

Threat Research

Tales from the Hunt: A Look at Yakit Security Tool

May 28, 2024

5

min read

Read Article

Threat Research

Yakit

May 2024

Threat Research

Spotting SparkRAT: Detection Tactics & Sandbox Findings

Apr 23, 2024

5

min read

Read Article

Threat Research

SparkRAT

Lateral Movement & Persistence

Apr 2024

Threat Research

In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory

Apr 16, 2024

5

min read

Read Article

Threat Research

SuperShell

Cobalt Strike

Tool & Infrastructure Exposure

Apr 2024

Threat Research

BlueShell: Four Years On, Still A Formidable Threat

Apr 9, 2024

6

min read

Read Article

Threat Research

BlueShell

Malware Delivery

Apr 2024

Threat Research

A Hunt How-To: Detecting RedGuard C2 Redirector

Apr 2, 2024

7

min read

Read Article

Threat Research

RedGuard

Command & Control (C2)

Apr 2024

Threat Research

Coin Miner and Mozi Botnet

Mar 28, 2024

7

min read

Read Article

Threat Research

Mozi

XMRig

Botnet Activity, Cryptomining

May 2024

Threat Research

A Treasure Trove of Trouble: Open Directory Exposes Red Team Tools

Mar 21, 2024

5

min read

Read Article

Threat Research

Mimikatz

Tool & Infrastructure Exposure

May 2024

Threat Research

One More Trip to The W3LL: Phishing Kit Targets Outlook Credentials

Mar 19, 2024

4

min read

Read Article

Threat Research

🌍 Global

W3LL

Phishing & Social Engineering

May 2024

Threat Research

Hunting PrismX: Techniques for Network Discovery

Mar 12, 2024

5

min read

Read Article

Threat Research

PrismX

Reconnaissance & Scanning

May 2024

Threat Research

Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials

Mar 5, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

🌍 Global

Phishing & Social Engineering

DPRK (North Korea)

May 2024

Threat Research

Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram

Feb 28, 2024

7

min read

Read Article

Threat Research

🌍 Global

Pyramid

NK Dropper

Phishing & Social Engineering

DPRK (North Korea)

Feb 2024

Threat Research

Tracking ShadowPad Infrastructure Via Non-Standard Certificates

Feb 9, 2024

8

min read

Read Article

Threat Research

🌏 Asia

ShadowPad

Certificate & TLS Abuse

Feb 2024

Threat Research

Introducing Hunt Advanced Search

Jan 30, 2024

3

min read

Read Article

Threat Research

Jan 2024

Product News

Introducing the Hunt.io C2 Feed

Jan 15, 2024

8

min read

Read Article

Product News

Jan 2024

Product News

Announcing IOC-Hunter

Nov 14, 2023

3

min read

Read Article

Product News

Nov 2023

Threat Research

Gateway to Intrusion: Malware Delivery Via Open Directories

Oct 31, 2023

4

min read

Read Article

Threat Research

Malware Delivery

Oct 2023

Threat Research

JA4: Decoding Cyber Shadows

Sep 28, 2023

10

min read

Read Article

Threat Research

Sep 2023

Threat Research

Hunt Platform Statistics Launch

Sep 19, 2023

3

min read

Read Article

Threat Research

Sep 2023

Threat Research

Let's go Hunting

Aug 1, 2023

5

min read

Read Article

Threat Research

Threat Research

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

Fake Homebrew Typosquats Used to Deliver Cuckoo Stealer via ClickFix

Technical analysis of a ClickFix campaign delivering Cuckoo Stealer through fake Homebrew typosquat domains. Includes infrastructure pivots, HuntSQL queries, C2 details, persistence, and more.

Feb 17, 2026

20

min read

Read Article

Threat Research

Threat Research

Hunting OpenClaw Exposures: CVE-2026-25253 in Internet-Facing AI Agent Gateways

Our research team identified over 17,500 internet-exposed OpenClaw, Clawdbot, and Moltbot instances vulnerable to CVE-2026-25253. This report documents detection methods and infrastructure analysis using Hunt.io.

Feb 3, 2026

19

min read

Read Article

Threat Research

Threat Research

Exposed Open Directory Leaks a Full BYOB Deployment Across Windows, Linux, and macOS

Analysis of an exposed BYOB command-and-control server revealing droppers, stagers, payloads, persistence mechanisms, and supporting infrastructure uncovered through proactive threat hunting

Jan 28, 2026

26

min read

Read Article

Threat Research

BYOB

Command & Control (C2)

Threat Research

ClickFix Campaign Hijacks Facebook Sessions at Scale by Abusing Verification and Appeal Workflows

An in-depth analysis of a ClickFix phishing campaign hijacking Facebook sessions at scale. Learn how attackers abuse verification workflows, steal session cookies, bypass MFA, and target creators using cloud-hosted infrastructure.

Jan 21, 2026

27

min read

Read Article

Threat Research

Threat Research

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Discover how we mapped over 18,000 active malware C2 servers across Chinese ISPs and cloud providers using host-centric telemetry. See which providers are most frequently abused and what it means for global threat monitoring.

Jan 14, 2026

15

min read

Read Article

Threat Research

Threat Research

The Complete Guide to Hunting Cobalt Strike - Part 3: Automated C2 Infrastructure Discovery

See how automated detection, certificate analysis, and structured queries map Cobalt Strike C2 clusters and expose long-running infrastructure. Learn more.

Jan 6, 2026

13

min read

Read Article

Threat Research

Threat Research

2025: Year in Review Key Product Updates, Guides, and Threat Research

A look back at Hunt.io’s 2025 product releases, platform scale, and the threat research our community engaged with most throughout the year.

Dec 23, 2025

6

min read

Read Article

Threat Research

Product News

Announcing Hunt 2.8: Sharper IOC Hunter Workflows, Smarter Provider Visibility, and Easier C2 Filtering

Hunt 2.8 brings major improvements across IOC Hunter, AttackCapture™, IP search, and more accurate Reputation & Risk signals for domains and IPs.

Dec 18, 2025

4

min read

Read Article

Product News

Threat Research

Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns

Deep investigation into DPRK activity, revealing new Lazarus and Kimsuky infrastructure through multi-stage hunts and exposed operational patterns.

Dec 17, 2025

19

min read

Read Article

Threat Research

Backdoor Installer

FRP/Rakshasa

Command & Control (C2)

Threat Research

React2Shell (CVE-2025-55182): Dissecting a Node.js RCE Against a Production Next.js App

A detailed analysis of how React2Shell (CVE-2025-55182) was used to launch a multi-stage attack against a production Next.js app, exposing Node.js systems to real-world exploitation techniques and operational C2 infrastructure.

Dec 10, 2025

32

min read

Read Article

Threat Research

Threat Research

Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

A fake VSCode extension triggered a multi-stage attack deploying the Anivia loader and OctoRAT. Learn how the chain worked and where defenders can detect it. Learn more.

Dec 3, 2025

21

min read

Read Article

Threat Research

Threat Research

The Complete Guide to Hunting Cobalt Strike - Part 2: 10+ HuntSQL Recipes to Find Cobalt Strike

Turn Part 1’s clues into action with 10+ HuntSQL™ recipes. Pivot on cert reuse, beacon traits, and enrichment to expose Cobalt Strike clusters. Learn more.

Nov 19, 2025

23

min read

Read Article

Threat Research

Threat Research

The Complete Guide to Hunting Cobalt Strike - Part 1: Detecting Cobalt Strike in Open Directories

Learn how to detect Cobalt Strike in open directories using AttackCapture™. We analyzed real files, SSL certificates, and servers to uncover live C2 infrastructure.

Nov 13, 2025

24

min read

Read Article

Threat Research

Product News

Hunt 2.7 is Here: New Domain Risk, AttackCapture™ Filters, and Threat Actor Insights

Hunt 2.7 delivers faster C2 listings, new hostname and TLD search options, multi-value filtering, and IOC Hunter threat actor visibility on IP and domain searches. Explore what’s new in the latest release.

Nov 6, 2025

4

min read

Read Article

Product News

Threat Research

Multilingual ZIP Phishing Campaigns Targeting Financial and Government Organizations Across Asia

Hunt.io maps phishing campaigns using shared ZIP payload infrastructure targeting financial institutions and government organizations across Asia. Learn more.

Oct 29, 2025

21

min read

Read Article

Threat Research

Threat Research

From Munitions to Malware: Interview with Joseph Harrison About His Path to Threat Intelligence

In this interview, Joseph Harrison shares how his Air Force-minted discipline fuels his work in threat detection and digital forensics, and how he leverages Hunt.io’s data (especially JA4) to catch adversaries others miss.

Oct 23, 2025

15

min read

Read Article

Threat Research

Product News

Introducing Hunt 2.6: IP Risk & Reputation, Smarter IOC Hunting, and Faster Integrations

Hunt 2.6 launches with IP Risk & Reputation, SQL download via API, integration upgrades, enhanced IP search, and much more. Keep reading.

Oct 20, 2025

4

min read

Read Article

Product News

Threat Research

Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools

A large-scale macOS malware campaign mimics trusted dev tools to spread Odyssey Stealer and AMOS via fake Homebrew sites. Learn more.

Oct 16, 2025

17

min read

Read Article

Threat Research

🇪🇺 Europe

🌎 North America

Odyssey Stealer

AMOS Spyware

Malware Delivery

Odyssey

AMOS

Threat Research

AdaptixC2 Uncovered: Capabilities, Tactics & Hunting Strategies

A deep dive into AdaptixC2: modular architecture, multi-protocol communication, evasion tactics, IOCs, and defense strategies.

Oct 9, 2025

17

min read

Read Article

Threat Research

🌏 Asia

AdaptixC2

Command & Control (C2)

AdaptixC2

Threat Research

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

SideWinder’s Operation SouthNet: South Asia phishing on Netlify/pages.dev, Zimbra/Outlook lures, and open directories. Maritime focus. IOCs included. Learn more.

Oct 1, 2025

20

min read

Read Article

Threat Research

🌏 Asia

SideWinder

Phishing & Social Engineering

APT Sidewinder

Threat Research

Hunting C2 Panels: Beginner’s Guide for Identifying Command and Control Dashboards

Beginner’s guide to hunting exposed C2 dashboards like Supershell, HookBot, Chaos, Unam, Mythic, and Metasploit using paths, titles, and hashes

Sep 25, 2025

16

min read

Read Article

Threat Research

🌍 Global

Command & Control (C2)

Threat Research

Tracking AsyncRAT via Trojanized ScreenConnect and Open Directories

Research on AsyncRAT campaigns using trojanized ScreenConnect installers and open directories, exposing resilient attacker infrastructure and C2 tactics. Learn more.

Sep 18, 2025

24

min read

Read Article

Threat Research

🌍 Global

AsyncRAT

Command & Control (C2)

Threat Research

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

Hunt.io uncovers the 2025 Energy Phishing Wave, with Chevron, Conoco, PBF, and Phillips 66 targeted by large-scale cloning and brand abuse. Learn more.

Sep 11, 2025

29

min read

Read Article

Threat Research

🌎 North America

MaaS

Phishing & Social Engineering

Threat Research

From Malpedia to Metalcore: Daniel Plohmann Talks Malware Research and Music

Daniel Plohmann discusses building Malpedia, advancing malware research with MCRIT, and how metalcore and music inspire his work beyond security.

Sep 9, 2025

13

min read

Read Article

Threat Research

Threat Research

From Panel to Payload: Inside the TinyLoader Malware Operation

Investigation into TinyLoader malware stealing cryptocurrency via Redline Stealer, USB spread, and C2 infrastructure.

Sep 2, 2025

13

min read

Read Article

Threat Research

🌍 Global

TinyLoader

RedLine Stealer

Malware Delivery

Product News

Announcing Hunt 2.5 Powerful Pivots for Better Threat Hunting

Hunt 2.5 introduces IP pivots, faster HuntSQL queries, a full-screen app view, and a refreshed IP database. Explore the latest improvements.

Aug 21, 2025

4

min read

Read Article

Product News

Threat Research

APT MuddyWater Deploys Multi-Stage Phishing to Target CFOs

Hunt.io uncovers MuddyWater phishing campaigns using Firebase lures, VBS payloads, and NetBird for persistent remote access. Learn more.

Aug 20, 2025

16

min read

Read Article

Threat Research

🌍 Middle East

PowGoop

MuddyWater RAT

Malware Delivery

MuddyWater

Threat Research

Hunt.io Exposes and Analyzes ERMAC V3.0 Banking Trojan Full Source Code Leak

Hunt.io uncovers the complete ERMAC V3.0 source code, revealing its infrastructure, vulnerabilities, and expanded form injection capabilities.

Aug 14, 2025

16

min read

Read Article

Threat Research

🌍 Global

ERMAC v3

Malware Delivery

Threat Research

APT Sidewinder Spoofs Government and Military Institutions to Target South Asian Countries with Credential Harvesting Techniques

APT Sidewinder targets South Asian government and military portals using Netlify-hosted phishing pages to harvest credentials. Learn more.

Aug 8, 2025

21

min read

Read Article

Threat Research

🌏 Asia

Phishing & Social Engineering

APT Sidewinder

Threat Research

APT36 Expands Beyond Military: New Attacks Hit Indian Railways, Oil & Government Systems

APT36 expands its campaign beyond defense, using phishing, .desktop lures, and the Poseidon backdoor to target Indian infrastructure.

Jul 31, 2025

13

min read

Read Article

Threat Research

🇮🇳 India

Poseidon

Malware Delivery

APT36

Threat Research

Clickfix on macOS: AppleScript Malware Campaign Uses Terminal Prompts to Steal Data

Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.

Jul 22, 2025

17

min read

Read Article

Threat Research

🇮🇳 India

🌏 Asia

Phishing & Social Engineering

Malware Delivery

APT36

Threat Research

Widespread gov.br Subdomain Abuse: 630k+ URLs Leveraged for Black Hat SEO Redirects

Over 630K hijacked gov.br subdomains were exploited in a black hat SEO campaign using cloaking, keyword stuffing, and redirect techniques. Learn more.

Jul 17, 2025

13

min read

Read Article

Threat Research

🌎 South America

Poseidon

GhostRAT

Product News

Announcing Hunt 2.4 Smarter Data and Better Views

Hunt 2.4 adds archive-aware search, deeper SQL visibility, and improved phishing intel to make threat hunting faster, clearer, and more powerful.

Jul 15, 2025

4

min read

Read Article

Product News

Threat Research

Eggs, Alerts, and Adversaries: Talking with Jose Hernandez from Splunk

Splunk’s Jose Hernandez talks building detections, curious hires, Hunt.io in action, and balancing threat research with chickens and family life.

Jul 8, 2025

17

min read

Read Article

Threat Research

Threat Research

Threat Hunting Across 10.6B URLs: Find Payloads, C2s, and Exposed Assets with URLx

Explore 10.6B structured URLs with URLx. Find malware payloads, C2 paths, phishing campaigns, and exposed assets, fast.

Jun 26, 2025

16

min read

Read Article

Threat Research

Product News

Announcing Hunt 2.3: Improved Threat Hunting Experience & SSO Availability

Hunt 2.3 is here: analyst-driven insights, easier pivots, better phishing workflows, and full SSO support for enterprise teams.

Jun 25, 2025

5

min read

Read Article

Product News

Threat Research

Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure

Our threat hunters uncovered a PowerShell loader hosted by Chinese and Russian providers, linked to active Cobalt Strike infrastructure.

Jun 19, 2025

12

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Malware Delivery

Threat Research

Fast and Curious: From Red Teams to Race Cars A Conversation with TrustedSec CTO Justin Elze

TrustedSec CTO Justin Elze shares red teaming insights, offensive tooling tips, and how he uses Hunt.io and AttackCapture™, plus his passion for race car data.

Jun 17, 2025

11

min read

Read Article

Threat Research

Product News

Introducing Hunt 2.2 AttackCapture™ Zip Extraction, Smarter SQL, IP History Consolidation, and more

Explore Hunt 2.2: Auto-unpack zips in AttackCapture™, smarter SQL with WHOIS and Nmap, and full IP history consolidation, track abused hosting with Host Radar, and more.

Jun 12, 2025

5

min read

Read Article

Product News

Threat Research

Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure

See how attackers abuse paste.ee to deliver XWorm and AsyncRAT, using obfuscated scripts and globally distributed C2 infrastructure.

Jun 5, 2025

10

min read

Read Article

Threat Research

🌍 Global

AsyncRAT

XWorm

Malware Delivery

Threat Research

How to Track Threat Actors Through Real-World IOC Pivoting

Track attacker infrastructure with Hunt.io’s real-time IOC pivoting and threat actor intelligence. Learn more.

May 29, 2025

8

min read

Read Article

Threat Research

🌍 Global

IOC Pivoting

Product News

Introducing Hunt 2.1: Refinements to the Threat Hunting Experience

Discover the new Hunt.io updates: deep text assisted analysis, IOC feed improvements, improved threat actor data, and faster advanced search. Learn more.

May 21, 2025

7

min read

Read Article

Product News

Threat Research

Shared SSH Keys Expose Coordinated Phishing Campaign Targeting Kuwaiti Fisheries and Telecom Sectors

Shared SSH keys expose coordinated phishing targeting Kuwaiti fisheries, telecoms, and insurers with cloned login portals and mobile payment lures. Learn more.

May 15, 2025

7

min read

Read Article

Threat Research

🌍 Middle East

Phishing & Social Engineering

Threat Research

Unmasking Proxy Infrastructure: How to Detect IOX, FRP, Rakshasa Proxies with Hunt.io

This post explores open-source proxy tools commonly used in attacker and red team infrastructure, and shows how defenders can detect IOX, FRP, Rakshasa, and Stowaway at scale using Hunt.io.

May 8, 2025

8

min read

Read Article

Threat Research

🌏 Asia

FRP/Rakshasa

Command & Control (C2)

Threat Research

APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

APT36-style phishing campaign mimics India’s Ministry of Defence to drop malware on Windows and Linux via spoofed press releases and HTA payloads.

May 5, 2025

8

min read

Read Article

Threat Research

🇮🇳 India

Phishing & Social Engineering

APT36

Threat Research

Track APT34-Like Infrastructure Before It Strikes

APT34-like infrastructure mimicking an Iraqi academic institute and fake UK tech firms reveals early-stage staging on M247 servers. Learn what to track

Apr 22, 2025

9

min read

Read Article

Threat Research

🌍 Middle East

Karkoff

SideTwist

PowBAT

Command & Control (C2)

APT34

Threat Research

KeyPlug-Linked Server Briefly Exposes Fortinet Exploits, Webshells, and Recon Activity Targeting a Major Japanese Company

Briefly exposed KeyPlug infrastructure revealed Fortinet exploits, encrypted webshells, and recon scripts targeting Shiseido, a major Japanese enterprise. Learn more..

Apr 17, 2025

12

min read

Read Article

Threat Research

🌍 Global

KEYPLUG

Tool & Infrastructure Exposure

Chinese APT

Threat Research

Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight

Phishing campaign evades detection with server-side logic. See how employee portals are targeted—and how defenders can uncover them. Learn more.

Apr 15, 2025

10

min read

Read Article

Threat Research

🌍 Global

Pterodo

ShadowPad

Phishing & Social Engineering

Gamaredon

ShadowPad ecosystem

Threat Research

GoPhish Framework Leveraged to Target Polish Government Regulator and Energy Sector

Explore how the GoPhish framework was leveraged to stage infrastructure and domains spoofing Polish government and energy entities.

Apr 10, 2025

7

min read

Read Article

Threat Research

🇪🇺 Europe

Gopish

Phishing & Social Engineering

Threat Research

State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure

Explore Gamaredon’s flux-like DNS and ShadowPad malware infrastructure, with insights into how these attacker networks are configured, rotated, and maintained.

Apr 8, 2025

11

min read

Read Article

Threat Research

🇪🇺 Europe

🌏 Asia

ShadowPad

Command & Control (C2)

Threat Research

Identifying ClickFix Exploits: A Case Study in Proactive Threat Hunting

Learn how Hunt.io identifies early-stage ClickFix delivery pages across the web using advanced search capabilities to stay ahead of exploitation attempts.

Apr 3, 2025

9

min read

Read Article

Threat Research

🌏 Asia

ClickFix

Phishing & Social Engineering

APT36

Threat Research

Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs

Learn how a Russian-speaking threat actor has evolved from impersonating EFF to now deploying Cloudflare-themed phishing with Telegram-based C2.

Apr 1, 2025

9

min read

Read Article

Threat Research

🌍 Global

Product News

URLx Just Got Bigger: 10.6B URLs for Recon and Malicious Infrastructure Hunting

Explore exposed infrastructure with URLx: 10.6B+ URLs, HTTPx integration, and advanced filtering - now live in Hunt.io.

Mar 27, 2025

3

min read

Read Article

Product News

Threat Research

A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io

Learn how to track and map adversary infrastructure using Hunt, pivoting from a single IP to uncover hidden connections through infrastructure overlaps and key intelligence indicators.

Mar 25, 2025

11

min read

Read Article

Threat Research

🌍 Global

Malware Delivery

Product News

Product Update: Introducing IOC Hunter Feed & Attribution in our C2 Feed

Track threat actors and malicious infrastructure with Hunt.io’s IOC Hunter Feed and C2 Attribution. Get deeper visibility and context for better threat intelligence.

Mar 20, 2025

7

min read

Read Article

Product News

Threat Research

South Korean Organizations Targeted by Cobalt Strike ‘Cat’ Delivered by a Rust Beacon

Discover how threat actors used a Rust loader to deploy Cobalt Strike ‘Cat’ against South Korean targets. Learn more.

Mar 18, 2025

8

min read

Read Article

Threat Research

🇰🇷 South Korea

Cobalt Strike

Malware Delivery

DPRK (North Korea)

Threat Research

JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure

Discover how threat actors deploy a rebranded File Browser alongside JSPSpy for stealth file management on compromised servers.

Mar 11, 2025

6

min read

Read Article

Threat Research

JSPSpy

FileBrowser

Malware Delivery

Lazarus Group

Product News

Introducing Hunt 2.0 Deeper Threat Analysis & Enhanced Data for Cyber Intelligence

Our latest release delivers deeper threat analysis with improved threat actor, C2, malware data, and new integrations for robust cyber intelligence.

Mar 6, 2025

6

min read

Read Article

Product News

Threat Research

Exposing Russian EFF Impersonators: The Inside Story on Stealc & Pyramid C2

Discover how an open directory exposed a threat actor impersonating EFF to target gamers and how we mapped their infrastructure to Stealc & Pyramid C2.

Mar 4, 2025

12

min read

Read Article

Threat Research

🌍 Global

Stealc

Pyramid

Phishing & Social Engineering

Malware Delivery

Russian APT

Threat Research

Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure

Discover Joker malware infrastructure with Hunt SSL History, mapping its C2 network through certificate tracking of recent and past activity.

Feb 27, 2025

11

min read

Read Article

Threat Research

🌍 Global

Joker

Certificate & TLS Abuse

Threat Research

LightSpy Expands Command List to Include Social Media Platforms

A new LightSpy server expands its attack scope, targeting Facebook and Instagram database files. Explore its evolving capabilities and infrastructure.

Feb 20, 2025

11

min read

Read Article

Threat Research

🌏 Asia

LightSpy

Data Theft & Exfiltration

Chinese APT

Threat Research

Backdoored Executables for Signal, Line, and Gmail Target Chinese-Speaking Users

Read how attackers distribute backdoored Signal, Line, and Gmail installers through fraudulent download pages and how to defend against this campaign.

Feb 18, 2025

7

min read

Read Article

Threat Research

🇨🇳 China

Backdoor Installer

Malware Delivery

Product News

Advanced Threat Hunting with New SSL Features: Unlocking HuntSQL™ Anomaly Flags for Deeper Detection

Hunt.io enhances SSL threat hunting with new anomaly flags in HuntSQL™, improving the detection of misconfigurations, expired certificates, and malware infrastructure.

Feb 13, 2025

7

min read

Read Article

Product News

Threat Research

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Discover how Pyramid, an open-source tool, enables post-exploitation. Learn detection methods using HTTP headers and recent findings in Hunt.

Feb 12, 2025

6

min read

Read Article

Threat Research

Pyramid

Reconnaissance & Scanning

Threat Research

SmokeLoader Malware Found in Open Directories Targeting Ukraine’s Auto & Banking Industries

Attackers used open directories to spread SmokeLoader malware, luring Ukraine’s auto and banking sectors. Explore findings, execution, and tactics.

Feb 6, 2025

7

min read

Read Article

Threat Research

🇪🇺 Europe

SmokeLoader

Threat Research

GreenSpot APT Targets 163.com Users with Fake Download Pages & Spoofed Domains

GreenSpot APT targets 163.com users via fake download pages and domain spoofing. Learn their tactics, risks, and how to protect your email accounts.

Feb 4, 2025

6

min read

Read Article

Threat Research

🌏 Asia

Phishing & Social Engineering

GreenSpot APT

Threat Research

How SSL Intelligence and SSL History Can Supercharge Threat Hunting

Explore how SSL intelligence and SSL history empower proactive threat hunting. Learn tools, real-world examples, and strategies to track cyber threats.

Jan 30, 2025

9

min read

Read Article

Threat Research

Threat Research

SparkRAT: Server Detection, macOS Activity, and Malicious Connections

Explore SparkRAT detection tactics, macOS targeting, and insights into recent DPRK-linked campaigns with actionable research findings.

Jan 28, 2025

9

min read

Read Article

Threat Research

🌏 Asia

SparkRAT

Command & Control (C2)

DPRK (North Korea)

Threat Research

Mapping Suspected KEYPLUG Infrastructure: TLS Certificates, GhostWolf, and RedGolf/APT41 Activity

Uncover how Hunt’s TLS records reveal patterns in suspected KEYPLUG infrastructure, linking GhostWolf and RedGolf/APT41 to ongoing activity.

Jan 23, 2025

15

min read

Read Article

Threat Research

🌏 Asia

KEYPLUG

Certificate & TLS Abuse

APT41

GhostWolf

Threat Research

Malicious VS Code Extension Impersonating Zoom Steals Chrome Cookies

Uncover a deceptive VS Code extension, masquerading as Zoom, that pilfers your Google Chrome cookies. Join us as we expose the techniques behind this alarming supply chain campaign.

Jan 21, 2025

8

min read

Read Article

Threat Research

🌍 Global

Malicious Extension

Malware Delivery

Threat Research

‘JustJoin’ Landing Page Linked to Suspected DPRK Activity Resurfaces

Learn how a landing page mimicking “JustJoin,” tied to suspected DPRK cyber activity, has reappeared with new infrastructure linked through SSH key overlaps.

Jan 14, 2025

5

min read

Read Article

Threat Research

🇰🇷 South Korea

Credential Reuse

DPRK (North Korea)

Threat Research

Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure

Read more about connections through a TLS certificate linking reported and unreported infrastructure tied to the Cyberhaven extension compromise.

Jan 9, 2025

7

min read

Read Article

Threat Research

🌍 Global

Malicious Extension

Certificate & TLS Abuse

Threat Research

Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure

Learn how a Cobalt Strike server with a TLS certificate and prominent watermark showed a Golang-compiled beacon communicating with Visual Studio Code tunnels.

Jan 7, 2025

9

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Command & Control (C2)

Product News

Hunt.io 2024 Year in Review Key Product & Research Highlights

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Dec 20, 2024

7

min read

Read Article

Product News

Threat Research

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Dec 12, 2024

6

min read

Read Article

Threat Research

🇪🇺 Europe

🌎 North America

Oyster

IOC Pivoting

Vanilla Tempest

Threat Research

“Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

Dec 10, 2024

6

min read

Read Article

Threat Research

🇰🇷 South Korea

Beacon Reuse

Kimsuky

Threat Research

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Devices

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Dec 5, 2024

7

min read

Read Article

Threat Research

🌏 Asia

MoqHao

Phishing & Social Engineering

Threat Research

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Dec 3, 2024

8

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Command & Control (C2)

Threat Research

Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

Nov 28, 2024

6

min read

Read Article

Threat Research

🌍 Global

XWorm

Malware Delivery

Threat Research

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

Nov 21, 2024

7

min read

Read Article

Threat Research

🌏 Asia

🇪🇺 Europe

DarkPeony

Certificate & TLS Abuse

Threat Research

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Nov 19, 2024

6

min read

Read Article

Threat Research

🌍 Global

XenoRAT

Evasion & Obfuscation

DPRK (North Korea)

Threat Research

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

Nov 12, 2024

7

min read

Read Article

Threat Research

🌎 North America

Sliver

Ligolo-ng

Command & Control (C2)

Threat Research

One Font, Countless Frauds: Exposing Large-Scale Phishing Activity Abusing Cloudflare

Discover how a shared Font Awesome kit on Cloudflare platforms exposes over 60,000 phishing links targeting Microsoft, DHL, and more. Learn more.

Nov 7, 2024

7

min read

Read Article

Threat Research

Threat Research

RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

Nov 5, 2024

9

min read

Read Article

Threat Research

🌍 Global

RunningRAT

XMRig

Botnet Activity, Cryptomining

Threat Research

Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight

Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.

Oct 31, 2024

7

min read

Read Article

Threat Research

Cobalt Strike

BrowserGhost

Tool & Infrastructure Exposure

Threat Research

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Explore a suspected North Korean-linked phishing campaign targeting Naver and how unknown actors use distinct TLS certificates to spoof Apple domains.

Oct 29, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

Phishing & Social Engineering

DPRK (North Korea)

Threat Research

Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users

Discover how an open directory of Rekoobe malware samples led to different domains resembling trading platforms, posing risks for traders and investors.

Oct 24, 2024

6

min read

Read Article

Threat Research

🌍 Global

Rekoobe

Malware Delivery

Threat Research

From Warm to Burned: Shedding Light on Updated WarmCookie Infrastructure

Get an inside look at Warmcookie’s updated C2 infrastructure linked to its latest update. We reveal insights into newly identified servers that can assist defenders in identifying related servers.

Oct 17, 2024

6

min read

Read Article

Threat Research

WarmCookie

Command & Control (C2)

Threat Research

Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More

Read how CodeSearch helps security professionals to identify exploit code, reverse shells, and C2 configs across open directories, enhancing threat detection.

Oct 15, 2024

7

min read

Read Article

Threat Research

Threat Research

Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity

Learn how basic tracking techniques using unusual certificates and redirects helped uncover Earth Baxia and a hidden cyber threat, providing practical insights for network defense.

Oct 10, 2024

8

min read

Read Article

Threat Research

🌏 Asia

PlugX

Tool & Infrastructure Exposure

Earth Baxia

Threat Research

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Pages

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.

Oct 8, 2024

8

min read

Read Article

Threat Research

🌍 Global

SpyNote

DDoS Scripts

Tool & Infrastructure Exposure

Product News

Announcing Hunt SQL

We’re excited to release Hunt SQL and to provide the power and flexibility of SQL to researchers, analysts and threat hunters alike. 

Oct 3, 2024

1

min read

Read Article

Product News

Threat Research

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection | Hunt.io

Oct 1, 2024

8

min read

Read Article

Threat Research

Packed Python Script

Evasion & Obfuscation

Threat Research

Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory

Check out our new blog post on exposed files found in an open directory that reveal an attack with overlapping TTPs linked to the Stargazers network.

Sep 24, 2024

12

min read

Read Article

Threat Research

Initial Access & Exploitation

Product News

Announcing Hunt APIs

Today Hunt is announcing our IP Enrichment API. You can get detailed data on every IPv4 Address and enrich any existing system.

Sep 17, 2024

1

min read

Read Article

Product News

Threat Research

Decoy Docs and Malicious Browser Extensions: A Closer Look at a Multi-Layered Threat

Compromising a browser can be a goldmine for attackers, offering extensive access to sensitive user data ...

Sep 10, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

Malicious Extension

Phishing & Social Engineering

Kimsuky

Threat Research

ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...

Sep 3, 2024

10

min read

Read Article

Threat Research

🌍 Global

ToneShell

Phishing & Social Engineering

Mustang Panda

Threat Research

Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims

During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...

Aug 29, 2024

7

min read

Read Article

Threat Research

🇰🇷 South Korea

Latrodectus

Fake Installer

Malware Delivery

Product News

Announcing AttackCapture by Hunt.io

We originally launched our "Open Directory" feature in Hunt a year ago.  The premise behind it was to get into the mind of the attacker by get a backstage view into their attacks.  What we learned was that there was a ton of information that could be correlated and indexed.  Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.

Aug 23, 2024

1

min read

Read Article

Product News

Threat Research

EvilGophish Unhooked: Insights Into the Infrastructure and Notable Domains

In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown Gophish infrastructure.

Aug 13, 2024

6

min read

Read Article

Threat Research

Gophish

Phishing & Social Engineering

Threat Research

Pentester or Threat Actor? Open Directory Exposes Test Results and Possible Targeting of Government Organizations

During routine research of newly identified open directories, the Hunt Research Team made a startling discovery: a...

Aug 7, 2024

7

min read

Read Article

Threat Research

Tool & Infrastructure Exposure

Threat Research

MacOS Malware Impersonates The Unarchiver App to Steal User Data

Discover how macOS malware tricks users into downloading an app disguised as The Unarchiver app. The app contains a binary named “CryptoTrade” designed to steal sensitive user information.

Jul 30, 2024

7

min read

Read Article

Threat Research

🌍 Global

CryptoTrade

Malware Delivery

Threat Research

A Simple Approach to Discovering Oyster Backdoor Infrastructure

Oyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to...

Jul 23, 2024

6

min read

Read Article

Threat Research

Oyster

IOC Pivoting

Threat Research

SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as ...

Jul 16, 2024

7

min read

Read Article

Threat Research

🌍 Global

Poseidon

Gh0st RAT

Malware Delivery

Threat Research

The Secret Ingredient: Unearthing Suspected SpiceRAT Infrastructure via HTML Response

Reports on new malware families often leave subtle clues that lead researchers to uncover additional infrastructure not...

Jul 11, 2024

5

min read

Read Article

Threat Research

🇪🇺 Europe

🌏 Asia

SpiceRAT

Malware Delivery

Threat Research

ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America

Nearly three years after ProxyLogon and ProxyShell wreaked widespread havoc on Microsoft Exchange servers, the Hunt

Jul 2, 2024

9

min read

Read Article

Threat Research

🌏 Asia

🇪🇺 Europe

🌎 South America

Initial Access & Exploitation

Threat Research

Geacon and Geacon_Pro: A Constant Menace to Linux and Windows Systems

The red-teaming tool Cobalt Strike has long been a staple for simulating attacks, predominantly targeting Windows ...

Jun 27, 2024

10

min read

Read Article

Threat Research

🌍 Global

Geacon

Command & Control (C2)

Chinese APT

Threat Research

Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub

XenoRAT, an open-source malware available on GitHub, has been linked to a North Korean hacking group and unnamed...

Jun 25, 2024

8

min read

Read Article

Threat Research

🌍 Global

XenoRAT

DPRK (North Korea)

Threat Research

Caught in the Act: Uncovering SpyNote in Unexpected Places

In hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded...

Jun 20, 2024

6

min read

Read Article

Threat Research

SpyNote

Malware Delivery

Threat Research

Open Directories Expose Publicly Available Tools Targeting Asian Organizations

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Jun 18, 2024

7

min read

Read Article

Threat Research

🌏 Asia

Tool & Infrastructure Exposure

Chinese APT

Threat Research

Gh0st and Pantegana: Two RATs that Refuse to Fade Away

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable...

Jun 12, 2024

7

min read

Read Article

Threat Research

🌍 Global

Gh0st RAT

Pantegana RAT

Malware Delivery

DriftingCloud

Threat Research

Tracking LightSpy: Certificates as Windows into Adversary Behavior

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificate...

Jun 6, 2024

7

min read

Read Article

Threat Research

🌏 Asia

LightSpy

Certificate & TLS Abuse

Threat Research

Legacy Threat: PlugX Builder/Controller Discovered in Open Directory

The threat actor(s) built and controlled at least one of the binaries on the same server, granting us access to numerous..

Jun 5, 2024

9

min read

Read Article

Threat Research

PlugX

Tool & Infrastructure Exposure

Chinese APT

Threat Research

SolarMarker: Hunt Insights and Findings

Following Recorded Future's (RF) report, "Exploring the Depths of SolarMarker's Multi-tiered Infrastructure," the Hunt Research Team leveraged the IOCs provided to discover a method of identifying clusters of SolarMarker servers in the wild.

May 30, 2024

7

min read

Read Article

Threat Research

🌎 North America

🇪🇺 Europe

SolarMarker

Malware Delivery

Multi-Stage Infection

Threat Research

Tales from the Hunt: A Look at Yakit Security Tool

In our previous post on the Viper framework, we briefly covered the Yakit Security tool, which is publicly available on GitHub. In this post, we'll discuss its features and cover additional red team tools co-hosted with the project, as discovered during our internet-wide scans.

May 28, 2024

5

min read

Read Article

Threat Research

Yakit

Threat Research

Unearthing New Infrastructure by Revisiting Past Threat Reports

Suppose you know David Bianco’s “Pyramid of Pain” model. In that case, you know that IP addresses are among the lower indicators of compromise due to their short lifespan and ease of change to legitimate purposes.

May 21, 2024

5

min read

Read Article

Threat Research

Threat Research

Into the Viper’s Nest: Observations from Hunt’s Scanning

From initial access and privilege escalation to lateral movement and data collection, the open-source platform Viper...

May 8, 2024

7

min read

Read Article

Threat Research

Threat Research

Spotting SparkRAT: Detection Tactics & Sandbox Findings

The Hunt Research Team vigilantly monitors GitHub, sifts through the IOC sections of threat intelligence reports, and scours various online forums for emerging threats, ensuring our detections stay practical and current for our customers. Our focus frequently turns to lesser-known threats that can still wreak havoc on the networks of uninformed defenders.

Apr 23, 2024

5

min read

Read Article

Threat Research

SparkRAT

Lateral Movement & Persistence

Threat Research

In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory

Hunt scans every corner of the public IPV4 space and constantly scours the Internet for open directories. Through...

Apr 16, 2024

5

min read

Read Article

Threat Research

SuperShell

Cobalt Strike

Tool & Infrastructure Exposure

Threat Research

BlueShell: Four Years On, Still A Formidable Threat

Platforms like GitHub offer a valuable resource for developers and the open-source community. However, these sites also create a potential...

Apr 9, 2024

6

min read

Read Article

Threat Research

BlueShell

Malware Delivery

Threat Research

A Hunt How-To: Detecting RedGuard C2 Redirector

If you’re like me, you’ve likely read multiple reports on network intrusions involving a “standard” deployment...

Apr 2, 2024

7

min read

Read Article

Threat Research

RedGuard

Command & Control (C2)

Threat Research

Coin Miner and Mozi Botnet

Open directories can sometimes contain unexpected dangers in the hidden parts of the internet. Our recent investigation...

Mar 28, 2024

7

min read

Read Article

Threat Research

Mozi

XMRig

Botnet Activity, Cryptomining

Threat Research

A Treasure Trove of Trouble: Open Directory Exposes Red Team Tools

While open directories are often seen as a goldmine for security researchers and blue teams searching for malware...

Mar 21, 2024

5

min read

Read Article

Threat Research

Mimikatz

Tool & Infrastructure Exposure

Threat Research

One More Trip to The W3LL: Phishing Kit Targets Outlook Credentials

The W3LL Phishing Kit, a phishing-as-a-service (PAaS) tool, was identified by Group-IB in 2022. What makes the kit...

Mar 19, 2024

4

min read

Read Article

Threat Research

🌍 Global

W3LL

Phishing & Social Engineering

Threat Research

Hunting PrismX: Techniques for Network Discovery

Described on its GitHub README as an "Integrated lightweight cross-platform penetration system," PrismX goe...

Mar 12, 2024

5

min read

Read Article

Threat Research

PrismX

Reconnaissance & Scanning

Threat Research

Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials

Over the past month, Hunt has tracked an ongoing phishing campaign by a likely North Korean threat actor focused on...

Mar 5, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

🌍 Global

Phishing & Social Engineering

DPRK (North Korea)

Threat Research

Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram

Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in the Telegram groups focused on...

Feb 28, 2024

7

min read

Read Article

Threat Research

🌍 Global

Pyramid

NK Dropper

Phishing & Social Engineering

DPRK (North Korea)

Threat Research

Unveiling the Power of Tag Cloud: Navigating the Digital Landscape with Precision

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Feb 14, 2024

3

min read

Read Article

Threat Research

Threat Research

Tracking ShadowPad Infrastructure Via Non-Standard Certificates

This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity...

Feb 9, 2024

8

min read

Read Article

Threat Research

🌏 Asia

ShadowPad

Certificate & TLS Abuse

Threat Research

Beyond Headlines & Borders: An Overview of Advanced Threats You Should Know

Where national interests, strategic ambitions, and sometimes personal gain intertwine, state-linked cyber threat actors...

Feb 6, 2024

7

min read

Read Article

Threat Research

Threat Research

The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)

This post will serve as the first in a long series of articles on using the platform to identify malicious infrastructure and hunt...

Feb 1, 2024

4

min read

Read Article

Threat Research

Threat Research

Introducing Hunt Advanced Search

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Jan 30, 2024

3

min read

Read Article

Threat Research

Threat Research

How We Identify Malicious Infrastructure At Hunt.io

ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers...

Jan 24, 2024

5

min read

Read Article

Threat Research

Product News

Introducing the Hunt.io C2 Feed

It’s been a while since we announced a new feature, and with 2024 already in full swing, it is time to highlight what’s...

Jan 15, 2024

8

min read

Read Article

Product News

Product News

Announcing IOC-Hunter

As the end of the year approaches, we continue to enhance our feature set by building on well-established threat-...

Nov 14, 2023

3

min read

Read Article

Product News

Threat Research

Gateway to Intrusion: Malware Delivery Via Open Directories

Attackers constantly devise new and sophisticated methods of delivering malware to infiltrate systems and exfiltrate...

Oct 31, 2023

4

min read

Read Article

Threat Research

Malware Delivery

Threat Research

How Hunt.io Identifies Services on Non-Standard Ports

The term “threat hunting” is generally associated with detecting malicious behavior on endpoints manually...

Oct 25, 2023

4

min read

Read Article

Threat Research

Threat Research

Phish No More: A Hunt.io Guide to Gophish Detection

Phishing is more than a social engineering technique; it's a harrowing threat landscape where deception, innovation, and vigilance collide.

Oct 12, 2023

5

min read

Read Article

Threat Research

Threat Research

JA4: Decoding Cyber Shadows

In the ever-evolving world of cybersecurity, few individuals embody the spirit of innovation and exploration as profoundly as John Althouse.

Sep 28, 2023

10

min read

Read Article

Threat Research

Threat Research

Hunt Platform Statistics Launch

Learn about the Hunt.io massive observation collection platform.

Sep 19, 2023

3

min read

Read Article

Threat Research

Threat Research

Discovering & Disrupting Malicious Infrastructure

Michael showcases how the Hunt platform can be leveraged to proactively identify infrastructure not yet publicly reported on from recent malware campaigns.

Sep 12, 2023

5

min read

Read Article

Threat Research

Threat Research

Transparency of Attacker Tooling

How Open Directories Help with Threat Hunting and Incident Response.

Aug 17, 2023

4

min read

Read Article

Threat Research

Threat Research

Let's go Hunting

We are excited to unveil Hunt.io, a cutting-edge threat hunting solution that is set to transform the landscape of cybersecurity.

Aug 1, 2023

5

min read

Read Article

Threat Research

Threat Research

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

Fake Homebrew Typosquats Used to Deliver Cuckoo Stealer via ClickFix

Technical analysis of a ClickFix campaign delivering Cuckoo Stealer through fake Homebrew typosquat domains. Includes infrastructure pivots, HuntSQL queries, C2 details, persistence, and more.

Feb 17, 2026

20

min read

Read Article

Threat Research

Threat Research

Hunting OpenClaw Exposures: CVE-2026-25253 in Internet-Facing AI Agent Gateways

Our research team identified over 17,500 internet-exposed OpenClaw, Clawdbot, and Moltbot instances vulnerable to CVE-2026-25253. This report documents detection methods and infrastructure analysis using Hunt.io.

Feb 3, 2026

19

min read

Read Article

Threat Research

Threat Research

Exposed Open Directory Leaks a Full BYOB Deployment Across Windows, Linux, and macOS

Analysis of an exposed BYOB command-and-control server revealing droppers, stagers, payloads, persistence mechanisms, and supporting infrastructure uncovered through proactive threat hunting

Jan 28, 2026

26

min read

Read Article

Threat Research

BYOB

Command & Control (C2)

Threat Research

ClickFix Campaign Hijacks Facebook Sessions at Scale by Abusing Verification and Appeal Workflows

An in-depth analysis of a ClickFix phishing campaign hijacking Facebook sessions at scale. Learn how attackers abuse verification workflows, steal session cookies, bypass MFA, and target creators using cloud-hosted infrastructure.

Jan 21, 2026

27

min read

Read Article

Threat Research

Threat Research

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Discover how we mapped over 18,000 active malware C2 servers across Chinese ISPs and cloud providers using host-centric telemetry. See which providers are most frequently abused and what it means for global threat monitoring.

Jan 14, 2026

15

min read

Read Article

Threat Research

Threat Research

The Complete Guide to Hunting Cobalt Strike - Part 3: Automated C2 Infrastructure Discovery

See how automated detection, certificate analysis, and structured queries map Cobalt Strike C2 clusters and expose long-running infrastructure. Learn more.

Jan 6, 2026

13

min read

Read Article

Threat Research

Threat Research

2025: Year in Review Key Product Updates, Guides, and Threat Research

A look back at Hunt.io’s 2025 product releases, platform scale, and the threat research our community engaged with most throughout the year.

Dec 23, 2025

6

min read

Read Article

Threat Research

Product News

Announcing Hunt 2.8: Sharper IOC Hunter Workflows, Smarter Provider Visibility, and Easier C2 Filtering

Hunt 2.8 brings major improvements across IOC Hunter, AttackCapture™, IP search, and more accurate Reputation & Risk signals for domains and IPs.

Dec 18, 2025

4

min read

Read Article

Product News

Threat Research

Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns

Deep investigation into DPRK activity, revealing new Lazarus and Kimsuky infrastructure through multi-stage hunts and exposed operational patterns.

Dec 17, 2025

19

min read

Read Article

Threat Research

Backdoor Installer

FRP/Rakshasa

Command & Control (C2)

Threat Research

React2Shell (CVE-2025-55182): Dissecting a Node.js RCE Against a Production Next.js App

A detailed analysis of how React2Shell (CVE-2025-55182) was used to launch a multi-stage attack against a production Next.js app, exposing Node.js systems to real-world exploitation techniques and operational C2 infrastructure.

Dec 10, 2025

32

min read

Read Article

Threat Research

Threat Research

Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

A fake VSCode extension triggered a multi-stage attack deploying the Anivia loader and OctoRAT. Learn how the chain worked and where defenders can detect it. Learn more.

Dec 3, 2025

21

min read

Read Article

Threat Research

Threat Research

The Complete Guide to Hunting Cobalt Strike - Part 2: 10+ HuntSQL Recipes to Find Cobalt Strike

Turn Part 1’s clues into action with 10+ HuntSQL™ recipes. Pivot on cert reuse, beacon traits, and enrichment to expose Cobalt Strike clusters. Learn more.

Nov 19, 2025

23

min read

Read Article

Threat Research

Threat Research

The Complete Guide to Hunting Cobalt Strike - Part 1: Detecting Cobalt Strike in Open Directories

Learn how to detect Cobalt Strike in open directories using AttackCapture™. We analyzed real files, SSL certificates, and servers to uncover live C2 infrastructure.

Nov 13, 2025

24

min read

Read Article

Threat Research

Product News

Hunt 2.7 is Here: New Domain Risk, AttackCapture™ Filters, and Threat Actor Insights

Hunt 2.7 delivers faster C2 listings, new hostname and TLD search options, multi-value filtering, and IOC Hunter threat actor visibility on IP and domain searches. Explore what’s new in the latest release.

Nov 6, 2025

4

min read

Read Article

Product News

Threat Research

Multilingual ZIP Phishing Campaigns Targeting Financial and Government Organizations Across Asia

Hunt.io maps phishing campaigns using shared ZIP payload infrastructure targeting financial institutions and government organizations across Asia. Learn more.

Oct 29, 2025

21

min read

Read Article

Threat Research

Threat Research

From Munitions to Malware: Interview with Joseph Harrison About His Path to Threat Intelligence

In this interview, Joseph Harrison shares how his Air Force-minted discipline fuels his work in threat detection and digital forensics, and how he leverages Hunt.io’s data (especially JA4) to catch adversaries others miss.

Oct 23, 2025

15

min read

Read Article

Threat Research

Product News

Introducing Hunt 2.6: IP Risk & Reputation, Smarter IOC Hunting, and Faster Integrations

Hunt 2.6 launches with IP Risk & Reputation, SQL download via API, integration upgrades, enhanced IP search, and much more. Keep reading.

Oct 20, 2025

4

min read

Read Article

Product News

Threat Research

Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools

A large-scale macOS malware campaign mimics trusted dev tools to spread Odyssey Stealer and AMOS via fake Homebrew sites. Learn more.

Oct 16, 2025

17

min read

Read Article

Threat Research

🇪🇺 Europe

🌎 North America

Odyssey Stealer

AMOS Spyware

Malware Delivery

Odyssey

AMOS

Threat Research

AdaptixC2 Uncovered: Capabilities, Tactics & Hunting Strategies

A deep dive into AdaptixC2: modular architecture, multi-protocol communication, evasion tactics, IOCs, and defense strategies.

Oct 9, 2025

17

min read

Read Article

Threat Research

🌏 Asia

AdaptixC2

Command & Control (C2)

AdaptixC2

Threat Research

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

SideWinder’s Operation SouthNet: South Asia phishing on Netlify/pages.dev, Zimbra/Outlook lures, and open directories. Maritime focus. IOCs included. Learn more.

Oct 1, 2025

20

min read

Read Article

Threat Research

🌏 Asia

SideWinder

Phishing & Social Engineering

APT Sidewinder

Threat Research

Hunting C2 Panels: Beginner’s Guide for Identifying Command and Control Dashboards

Beginner’s guide to hunting exposed C2 dashboards like Supershell, HookBot, Chaos, Unam, Mythic, and Metasploit using paths, titles, and hashes

Sep 25, 2025

16

min read

Read Article

Threat Research

🌍 Global

Command & Control (C2)

Threat Research

Tracking AsyncRAT via Trojanized ScreenConnect and Open Directories

Research on AsyncRAT campaigns using trojanized ScreenConnect installers and open directories, exposing resilient attacker infrastructure and C2 tactics. Learn more.

Sep 18, 2025

24

min read

Read Article

Threat Research

🌍 Global

AsyncRAT

Command & Control (C2)

Threat Research

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

Hunt.io uncovers the 2025 Energy Phishing Wave, with Chevron, Conoco, PBF, and Phillips 66 targeted by large-scale cloning and brand abuse. Learn more.

Sep 11, 2025

29

min read

Read Article

Threat Research

🌎 North America

MaaS

Phishing & Social Engineering

Threat Research

From Malpedia to Metalcore: Daniel Plohmann Talks Malware Research and Music

Daniel Plohmann discusses building Malpedia, advancing malware research with MCRIT, and how metalcore and music inspire his work beyond security.

Sep 9, 2025

13

min read

Read Article

Threat Research

Threat Research

From Panel to Payload: Inside the TinyLoader Malware Operation

Investigation into TinyLoader malware stealing cryptocurrency via Redline Stealer, USB spread, and C2 infrastructure.

Sep 2, 2025

13

min read

Read Article

Threat Research

🌍 Global

TinyLoader

RedLine Stealer

Malware Delivery

Product News

Announcing Hunt 2.5 Powerful Pivots for Better Threat Hunting

Hunt 2.5 introduces IP pivots, faster HuntSQL queries, a full-screen app view, and a refreshed IP database. Explore the latest improvements.

Aug 21, 2025

4

min read

Read Article

Product News

Threat Research

APT MuddyWater Deploys Multi-Stage Phishing to Target CFOs

Hunt.io uncovers MuddyWater phishing campaigns using Firebase lures, VBS payloads, and NetBird for persistent remote access. Learn more.

Aug 20, 2025

16

min read

Read Article

Threat Research

🌍 Middle East

PowGoop

MuddyWater RAT

Malware Delivery

MuddyWater

Threat Research

Hunt.io Exposes and Analyzes ERMAC V3.0 Banking Trojan Full Source Code Leak

Hunt.io uncovers the complete ERMAC V3.0 source code, revealing its infrastructure, vulnerabilities, and expanded form injection capabilities.

Aug 14, 2025

16

min read

Read Article

Threat Research

🌍 Global

ERMAC v3

Malware Delivery

Threat Research

APT Sidewinder Spoofs Government and Military Institutions to Target South Asian Countries with Credential Harvesting Techniques

APT Sidewinder targets South Asian government and military portals using Netlify-hosted phishing pages to harvest credentials. Learn more.

Aug 8, 2025

21

min read

Read Article

Threat Research

🌏 Asia

Phishing & Social Engineering

APT Sidewinder

Threat Research

APT36 Expands Beyond Military: New Attacks Hit Indian Railways, Oil & Government Systems

APT36 expands its campaign beyond defense, using phishing, .desktop lures, and the Poseidon backdoor to target Indian infrastructure.

Jul 31, 2025

13

min read

Read Article

Threat Research

🇮🇳 India

Poseidon

Malware Delivery

APT36

Threat Research

Clickfix on macOS: AppleScript Malware Campaign Uses Terminal Prompts to Steal Data

Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.

Jul 22, 2025

17

min read

Read Article

Threat Research

🇮🇳 India

🌏 Asia

Phishing & Social Engineering

Malware Delivery

APT36

Threat Research

Widespread gov.br Subdomain Abuse: 630k+ URLs Leveraged for Black Hat SEO Redirects

Over 630K hijacked gov.br subdomains were exploited in a black hat SEO campaign using cloaking, keyword stuffing, and redirect techniques. Learn more.

Jul 17, 2025

13

min read

Read Article

Threat Research

🌎 South America

Poseidon

GhostRAT

Product News

Announcing Hunt 2.4 Smarter Data and Better Views

Hunt 2.4 adds archive-aware search, deeper SQL visibility, and improved phishing intel to make threat hunting faster, clearer, and more powerful.

Jul 15, 2025

4

min read

Read Article

Product News

Threat Research

Eggs, Alerts, and Adversaries: Talking with Jose Hernandez from Splunk

Splunk’s Jose Hernandez talks building detections, curious hires, Hunt.io in action, and balancing threat research with chickens and family life.

Jul 8, 2025

17

min read

Read Article

Threat Research

Threat Research

Threat Hunting Across 10.6B URLs: Find Payloads, C2s, and Exposed Assets with URLx

Explore 10.6B structured URLs with URLx. Find malware payloads, C2 paths, phishing campaigns, and exposed assets, fast.

Jun 26, 2025

16

min read

Read Article

Threat Research

Product News

Announcing Hunt 2.3: Improved Threat Hunting Experience & SSO Availability

Hunt 2.3 is here: analyst-driven insights, easier pivots, better phishing workflows, and full SSO support for enterprise teams.

Jun 25, 2025

5

min read

Read Article

Product News

Threat Research

Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure

Our threat hunters uncovered a PowerShell loader hosted by Chinese and Russian providers, linked to active Cobalt Strike infrastructure.

Jun 19, 2025

12

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Malware Delivery

Threat Research

Fast and Curious: From Red Teams to Race Cars A Conversation with TrustedSec CTO Justin Elze

TrustedSec CTO Justin Elze shares red teaming insights, offensive tooling tips, and how he uses Hunt.io and AttackCapture™, plus his passion for race car data.

Jun 17, 2025

11

min read

Read Article

Threat Research

Product News

Introducing Hunt 2.2 AttackCapture™ Zip Extraction, Smarter SQL, IP History Consolidation, and more

Explore Hunt 2.2: Auto-unpack zips in AttackCapture™, smarter SQL with WHOIS and Nmap, and full IP history consolidation, track abused hosting with Host Radar, and more.

Jun 12, 2025

5

min read

Read Article

Product News

Threat Research

Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure

See how attackers abuse paste.ee to deliver XWorm and AsyncRAT, using obfuscated scripts and globally distributed C2 infrastructure.

Jun 5, 2025

10

min read

Read Article

Threat Research

🌍 Global

AsyncRAT

XWorm

Malware Delivery

Threat Research

How to Track Threat Actors Through Real-World IOC Pivoting

Track attacker infrastructure with Hunt.io’s real-time IOC pivoting and threat actor intelligence. Learn more.

May 29, 2025

8

min read

Read Article

Threat Research

🌍 Global

IOC Pivoting

Product News

Introducing Hunt 2.1: Refinements to the Threat Hunting Experience

Discover the new Hunt.io updates: deep text assisted analysis, IOC feed improvements, improved threat actor data, and faster advanced search. Learn more.

May 21, 2025

7

min read

Read Article

Product News

Threat Research

Shared SSH Keys Expose Coordinated Phishing Campaign Targeting Kuwaiti Fisheries and Telecom Sectors

Shared SSH keys expose coordinated phishing targeting Kuwaiti fisheries, telecoms, and insurers with cloned login portals and mobile payment lures. Learn more.

May 15, 2025

7

min read

Read Article

Threat Research

🌍 Middle East

Phishing & Social Engineering

Threat Research

Unmasking Proxy Infrastructure: How to Detect IOX, FRP, Rakshasa Proxies with Hunt.io

This post explores open-source proxy tools commonly used in attacker and red team infrastructure, and shows how defenders can detect IOX, FRP, Rakshasa, and Stowaway at scale using Hunt.io.

May 8, 2025

8

min read

Read Article

Threat Research

🌏 Asia

FRP/Rakshasa

Command & Control (C2)

Threat Research

APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

APT36-style phishing campaign mimics India’s Ministry of Defence to drop malware on Windows and Linux via spoofed press releases and HTA payloads.

May 5, 2025

8

min read

Read Article

Threat Research

🇮🇳 India

Phishing & Social Engineering

APT36

Threat Research

Track APT34-Like Infrastructure Before It Strikes

APT34-like infrastructure mimicking an Iraqi academic institute and fake UK tech firms reveals early-stage staging on M247 servers. Learn what to track

Apr 22, 2025

9

min read

Read Article

Threat Research

🌍 Middle East

Karkoff

SideTwist

PowBAT

Command & Control (C2)

APT34

Threat Research

KeyPlug-Linked Server Briefly Exposes Fortinet Exploits, Webshells, and Recon Activity Targeting a Major Japanese Company

Briefly exposed KeyPlug infrastructure revealed Fortinet exploits, encrypted webshells, and recon scripts targeting Shiseido, a major Japanese enterprise. Learn more..

Apr 17, 2025

12

min read

Read Article

Threat Research

🌍 Global

KEYPLUG

Tool & Infrastructure Exposure

Chinese APT

Threat Research

Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight

Phishing campaign evades detection with server-side logic. See how employee portals are targeted—and how defenders can uncover them. Learn more.

Apr 15, 2025

10

min read

Read Article

Threat Research

🌍 Global

Pterodo

ShadowPad

Phishing & Social Engineering

Gamaredon

ShadowPad ecosystem

Threat Research

GoPhish Framework Leveraged to Target Polish Government Regulator and Energy Sector

Explore how the GoPhish framework was leveraged to stage infrastructure and domains spoofing Polish government and energy entities.

Apr 10, 2025

7

min read

Read Article

Threat Research

🇪🇺 Europe

Gopish

Phishing & Social Engineering

Threat Research

State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure

Explore Gamaredon’s flux-like DNS and ShadowPad malware infrastructure, with insights into how these attacker networks are configured, rotated, and maintained.

Apr 8, 2025

11

min read

Read Article

Threat Research

🇪🇺 Europe

🌏 Asia

ShadowPad

Command & Control (C2)

Threat Research

Identifying ClickFix Exploits: A Case Study in Proactive Threat Hunting

Learn how Hunt.io identifies early-stage ClickFix delivery pages across the web using advanced search capabilities to stay ahead of exploitation attempts.

Apr 3, 2025

9

min read

Read Article

Threat Research

🌏 Asia

ClickFix

Phishing & Social Engineering

APT36

Threat Research

Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs

Learn how a Russian-speaking threat actor has evolved from impersonating EFF to now deploying Cloudflare-themed phishing with Telegram-based C2.

Apr 1, 2025

9

min read

Read Article

Threat Research

🌍 Global

Product News

URLx Just Got Bigger: 10.6B URLs for Recon and Malicious Infrastructure Hunting

Explore exposed infrastructure with URLx: 10.6B+ URLs, HTTPx integration, and advanced filtering - now live in Hunt.io.

Mar 27, 2025

3

min read

Read Article

Product News

Threat Research

A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io

Learn how to track and map adversary infrastructure using Hunt, pivoting from a single IP to uncover hidden connections through infrastructure overlaps and key intelligence indicators.

Mar 25, 2025

11

min read

Read Article

Threat Research

🌍 Global

Malware Delivery

Product News

Product Update: Introducing IOC Hunter Feed & Attribution in our C2 Feed

Track threat actors and malicious infrastructure with Hunt.io’s IOC Hunter Feed and C2 Attribution. Get deeper visibility and context for better threat intelligence.

Mar 20, 2025

7

min read

Read Article

Product News

Threat Research

South Korean Organizations Targeted by Cobalt Strike ‘Cat’ Delivered by a Rust Beacon

Discover how threat actors used a Rust loader to deploy Cobalt Strike ‘Cat’ against South Korean targets. Learn more.

Mar 18, 2025

8

min read

Read Article

Threat Research

🇰🇷 South Korea

Cobalt Strike

Malware Delivery

DPRK (North Korea)

Threat Research

JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure

Discover how threat actors deploy a rebranded File Browser alongside JSPSpy for stealth file management on compromised servers.

Mar 11, 2025

6

min read

Read Article

Threat Research

JSPSpy

FileBrowser

Malware Delivery

Lazarus Group

Product News

Introducing Hunt 2.0 Deeper Threat Analysis & Enhanced Data for Cyber Intelligence

Our latest release delivers deeper threat analysis with improved threat actor, C2, malware data, and new integrations for robust cyber intelligence.

Mar 6, 2025

6

min read

Read Article

Product News

Threat Research

Exposing Russian EFF Impersonators: The Inside Story on Stealc & Pyramid C2

Discover how an open directory exposed a threat actor impersonating EFF to target gamers and how we mapped their infrastructure to Stealc & Pyramid C2.

Mar 4, 2025

12

min read

Read Article

Threat Research

🌍 Global

Stealc

Pyramid

Phishing & Social Engineering

Malware Delivery

Russian APT

Threat Research

Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure

Discover Joker malware infrastructure with Hunt SSL History, mapping its C2 network through certificate tracking of recent and past activity.

Feb 27, 2025

11

min read

Read Article

Threat Research

🌍 Global

Joker

Certificate & TLS Abuse

Threat Research

LightSpy Expands Command List to Include Social Media Platforms

A new LightSpy server expands its attack scope, targeting Facebook and Instagram database files. Explore its evolving capabilities and infrastructure.

Feb 20, 2025

11

min read

Read Article

Threat Research

🌏 Asia

LightSpy

Data Theft & Exfiltration

Chinese APT

Threat Research

Backdoored Executables for Signal, Line, and Gmail Target Chinese-Speaking Users

Read how attackers distribute backdoored Signal, Line, and Gmail installers through fraudulent download pages and how to defend against this campaign.

Feb 18, 2025

7

min read

Read Article

Threat Research

🇨🇳 China

Backdoor Installer

Malware Delivery

Product News

Advanced Threat Hunting with New SSL Features: Unlocking HuntSQL™ Anomaly Flags for Deeper Detection

Hunt.io enhances SSL threat hunting with new anomaly flags in HuntSQL™, improving the detection of misconfigurations, expired certificates, and malware infrastructure.

Feb 13, 2025

7

min read

Read Article

Product News

Threat Research

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Discover how Pyramid, an open-source tool, enables post-exploitation. Learn detection methods using HTTP headers and recent findings in Hunt.

Feb 12, 2025

6

min read

Read Article

Threat Research

Pyramid

Reconnaissance & Scanning

Threat Research

SmokeLoader Malware Found in Open Directories Targeting Ukraine’s Auto & Banking Industries

Attackers used open directories to spread SmokeLoader malware, luring Ukraine’s auto and banking sectors. Explore findings, execution, and tactics.

Feb 6, 2025

7

min read

Read Article

Threat Research

🇪🇺 Europe

SmokeLoader

Threat Research

GreenSpot APT Targets 163.com Users with Fake Download Pages & Spoofed Domains

GreenSpot APT targets 163.com users via fake download pages and domain spoofing. Learn their tactics, risks, and how to protect your email accounts.

Feb 4, 2025

6

min read

Read Article

Threat Research

🌏 Asia

Phishing & Social Engineering

GreenSpot APT

Threat Research

How SSL Intelligence and SSL History Can Supercharge Threat Hunting

Explore how SSL intelligence and SSL history empower proactive threat hunting. Learn tools, real-world examples, and strategies to track cyber threats.

Jan 30, 2025

9

min read

Read Article

Threat Research

Threat Research

SparkRAT: Server Detection, macOS Activity, and Malicious Connections

Explore SparkRAT detection tactics, macOS targeting, and insights into recent DPRK-linked campaigns with actionable research findings.

Jan 28, 2025

9

min read

Read Article

Threat Research

🌏 Asia

SparkRAT

Command & Control (C2)

DPRK (North Korea)

Threat Research

Mapping Suspected KEYPLUG Infrastructure: TLS Certificates, GhostWolf, and RedGolf/APT41 Activity

Uncover how Hunt’s TLS records reveal patterns in suspected KEYPLUG infrastructure, linking GhostWolf and RedGolf/APT41 to ongoing activity.

Jan 23, 2025

15

min read

Read Article

Threat Research

🌏 Asia

KEYPLUG

Certificate & TLS Abuse

APT41

GhostWolf

Threat Research

Malicious VS Code Extension Impersonating Zoom Steals Chrome Cookies

Uncover a deceptive VS Code extension, masquerading as Zoom, that pilfers your Google Chrome cookies. Join us as we expose the techniques behind this alarming supply chain campaign.

Jan 21, 2025

8

min read

Read Article

Threat Research

🌍 Global

Malicious Extension

Malware Delivery

Threat Research

‘JustJoin’ Landing Page Linked to Suspected DPRK Activity Resurfaces

Learn how a landing page mimicking “JustJoin,” tied to suspected DPRK cyber activity, has reappeared with new infrastructure linked through SSH key overlaps.

Jan 14, 2025

5

min read

Read Article

Threat Research

🇰🇷 South Korea

Credential Reuse

DPRK (North Korea)

Threat Research

Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure

Read more about connections through a TLS certificate linking reported and unreported infrastructure tied to the Cyberhaven extension compromise.

Jan 9, 2025

7

min read

Read Article

Threat Research

🌍 Global

Malicious Extension

Certificate & TLS Abuse

Threat Research

Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure

Learn how a Cobalt Strike server with a TLS certificate and prominent watermark showed a Golang-compiled beacon communicating with Visual Studio Code tunnels.

Jan 7, 2025

9

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Command & Control (C2)

Product News

Hunt.io 2024 Year in Review Key Product & Research Highlights

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Dec 20, 2024

7

min read

Read Article

Product News

Threat Research

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Dec 12, 2024

6

min read

Read Article

Threat Research

🇪🇺 Europe

🌎 North America

Oyster

IOC Pivoting

Vanilla Tempest

Threat Research

“Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

Dec 10, 2024

6

min read

Read Article

Threat Research

🇰🇷 South Korea

Beacon Reuse

Kimsuky

Threat Research

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Devices

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Dec 5, 2024

7

min read

Read Article

Threat Research

🌏 Asia

MoqHao

Phishing & Social Engineering

Threat Research

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Dec 3, 2024

8

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Command & Control (C2)

Threat Research

Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

Nov 28, 2024

6

min read

Read Article

Threat Research

🌍 Global

XWorm

Malware Delivery

Threat Research

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

Nov 21, 2024

7

min read

Read Article

Threat Research

🌏 Asia

🇪🇺 Europe

DarkPeony

Certificate & TLS Abuse

Threat Research

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Nov 19, 2024

6

min read

Read Article

Threat Research

🌍 Global

XenoRAT

Evasion & Obfuscation

DPRK (North Korea)

Threat Research

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

Nov 12, 2024

7

min read

Read Article

Threat Research

🌎 North America

Sliver

Ligolo-ng

Command & Control (C2)

Threat Research

One Font, Countless Frauds: Exposing Large-Scale Phishing Activity Abusing Cloudflare

Discover how a shared Font Awesome kit on Cloudflare platforms exposes over 60,000 phishing links targeting Microsoft, DHL, and more. Learn more.

Nov 7, 2024

7

min read

Read Article

Threat Research

Threat Research

RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

Nov 5, 2024

9

min read

Read Article

Threat Research

🌍 Global

RunningRAT

XMRig

Botnet Activity, Cryptomining

Threat Research

Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight

Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.

Oct 31, 2024

7

min read

Read Article

Threat Research

Cobalt Strike

BrowserGhost

Tool & Infrastructure Exposure

Threat Research

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Explore a suspected North Korean-linked phishing campaign targeting Naver and how unknown actors use distinct TLS certificates to spoof Apple domains.

Oct 29, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

Phishing & Social Engineering

DPRK (North Korea)

Threat Research

Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users

Discover how an open directory of Rekoobe malware samples led to different domains resembling trading platforms, posing risks for traders and investors.

Oct 24, 2024

6

min read

Read Article

Threat Research

🌍 Global

Rekoobe

Malware Delivery

Threat Research

From Warm to Burned: Shedding Light on Updated WarmCookie Infrastructure

Get an inside look at Warmcookie’s updated C2 infrastructure linked to its latest update. We reveal insights into newly identified servers that can assist defenders in identifying related servers.

Oct 17, 2024

6

min read

Read Article

Threat Research

WarmCookie

Command & Control (C2)

Threat Research

Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More

Read how CodeSearch helps security professionals to identify exploit code, reverse shells, and C2 configs across open directories, enhancing threat detection.

Oct 15, 2024

7

min read

Read Article

Threat Research

Threat Research

Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity

Learn how basic tracking techniques using unusual certificates and redirects helped uncover Earth Baxia and a hidden cyber threat, providing practical insights for network defense.

Oct 10, 2024

8

min read

Read Article

Threat Research

🌏 Asia

PlugX

Tool & Infrastructure Exposure

Earth Baxia

Threat Research

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Pages

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.

Oct 8, 2024

8

min read

Read Article

Threat Research

🌍 Global

SpyNote

DDoS Scripts

Tool & Infrastructure Exposure

Product News

Announcing Hunt SQL

We’re excited to release Hunt SQL and to provide the power and flexibility of SQL to researchers, analysts and threat hunters alike. 

Oct 3, 2024

1

min read

Read Article

Product News

Threat Research

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection | Hunt.io

Oct 1, 2024

8

min read

Read Article

Threat Research

Packed Python Script

Evasion & Obfuscation

Threat Research

Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory

Check out our new blog post on exposed files found in an open directory that reveal an attack with overlapping TTPs linked to the Stargazers network.

Sep 24, 2024

12

min read

Read Article

Threat Research

Initial Access & Exploitation

Product News

Announcing Hunt APIs

Today Hunt is announcing our IP Enrichment API. You can get detailed data on every IPv4 Address and enrich any existing system.

Sep 17, 2024

1

min read

Read Article

Product News

Threat Research

Decoy Docs and Malicious Browser Extensions: A Closer Look at a Multi-Layered Threat

Compromising a browser can be a goldmine for attackers, offering extensive access to sensitive user data ...

Sep 10, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

Malicious Extension

Phishing & Social Engineering

Kimsuky

Threat Research

ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...

Sep 3, 2024

10

min read

Read Article

Threat Research

🌍 Global

ToneShell

Phishing & Social Engineering

Mustang Panda

Threat Research

Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims

During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...

Aug 29, 2024

7

min read

Read Article

Threat Research

🇰🇷 South Korea

Latrodectus

Fake Installer

Malware Delivery

Product News

Announcing AttackCapture by Hunt.io

We originally launched our "Open Directory" feature in Hunt a year ago.  The premise behind it was to get into the mind of the attacker by get a backstage view into their attacks.  What we learned was that there was a ton of information that could be correlated and indexed.  Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.

Aug 23, 2024

1

min read

Read Article

Product News

Threat Research

EvilGophish Unhooked: Insights Into the Infrastructure and Notable Domains

In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown Gophish infrastructure.

Aug 13, 2024

6

min read

Read Article

Threat Research

Gophish

Phishing & Social Engineering

Threat Research

Pentester or Threat Actor? Open Directory Exposes Test Results and Possible Targeting of Government Organizations

During routine research of newly identified open directories, the Hunt Research Team made a startling discovery: a...

Aug 7, 2024

7

min read

Read Article

Threat Research

Tool & Infrastructure Exposure

Threat Research

MacOS Malware Impersonates The Unarchiver App to Steal User Data

Discover how macOS malware tricks users into downloading an app disguised as The Unarchiver app. The app contains a binary named “CryptoTrade” designed to steal sensitive user information.

Jul 30, 2024

7

min read

Read Article

Threat Research

🌍 Global

CryptoTrade

Malware Delivery

Threat Research

A Simple Approach to Discovering Oyster Backdoor Infrastructure

Oyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to...

Jul 23, 2024

6

min read

Read Article

Threat Research

Oyster

IOC Pivoting

Threat Research

SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as ...

Jul 16, 2024

7

min read

Read Article

Threat Research

🌍 Global

Poseidon

Gh0st RAT

Malware Delivery

Threat Research

The Secret Ingredient: Unearthing Suspected SpiceRAT Infrastructure via HTML Response

Reports on new malware families often leave subtle clues that lead researchers to uncover additional infrastructure not...

Jul 11, 2024

5

min read

Read Article

Threat Research

🇪🇺 Europe

🌏 Asia

SpiceRAT

Malware Delivery

Threat Research

ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America

Nearly three years after ProxyLogon and ProxyShell wreaked widespread havoc on Microsoft Exchange servers, the Hunt

Jul 2, 2024

9

min read

Read Article

Threat Research

🌏 Asia

🇪🇺 Europe

🌎 South America

Initial Access & Exploitation

Threat Research

Geacon and Geacon_Pro: A Constant Menace to Linux and Windows Systems

The red-teaming tool Cobalt Strike has long been a staple for simulating attacks, predominantly targeting Windows ...

Jun 27, 2024

10

min read

Read Article

Threat Research

🌍 Global

Geacon

Command & Control (C2)

Chinese APT

Threat Research

Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub

XenoRAT, an open-source malware available on GitHub, has been linked to a North Korean hacking group and unnamed...

Jun 25, 2024

8

min read

Read Article

Threat Research

🌍 Global

XenoRAT

DPRK (North Korea)

Threat Research

Caught in the Act: Uncovering SpyNote in Unexpected Places

In hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded...

Jun 20, 2024

6

min read

Read Article

Threat Research

SpyNote

Malware Delivery

Threat Research

Open Directories Expose Publicly Available Tools Targeting Asian Organizations

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Jun 18, 2024

7

min read

Read Article

Threat Research

🌏 Asia

Tool & Infrastructure Exposure

Chinese APT

Threat Research

Gh0st and Pantegana: Two RATs that Refuse to Fade Away

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable...

Jun 12, 2024

7

min read

Read Article

Threat Research

🌍 Global

Gh0st RAT

Pantegana RAT

Malware Delivery

DriftingCloud

Threat Research

Tracking LightSpy: Certificates as Windows into Adversary Behavior

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificate...

Jun 6, 2024

7

min read

Read Article

Threat Research

🌏 Asia

LightSpy

Certificate & TLS Abuse

Threat Research

Legacy Threat: PlugX Builder/Controller Discovered in Open Directory

The threat actor(s) built and controlled at least one of the binaries on the same server, granting us access to numerous..

Jun 5, 2024

9

min read

Read Article

Threat Research

PlugX

Tool & Infrastructure Exposure

Chinese APT

Threat Research

SolarMarker: Hunt Insights and Findings

Following Recorded Future's (RF) report, "Exploring the Depths of SolarMarker's Multi-tiered Infrastructure," the Hunt Research Team leveraged the IOCs provided to discover a method of identifying clusters of SolarMarker servers in the wild.

May 30, 2024

7

min read

Read Article

Threat Research

🌎 North America

🇪🇺 Europe

SolarMarker

Malware Delivery

Multi-Stage Infection

Threat Research

Tales from the Hunt: A Look at Yakit Security Tool

In our previous post on the Viper framework, we briefly covered the Yakit Security tool, which is publicly available on GitHub. In this post, we'll discuss its features and cover additional red team tools co-hosted with the project, as discovered during our internet-wide scans.

May 28, 2024

5

min read

Read Article

Threat Research

Yakit

Threat Research

Unearthing New Infrastructure by Revisiting Past Threat Reports

Suppose you know David Bianco’s “Pyramid of Pain” model. In that case, you know that IP addresses are among the lower indicators of compromise due to their short lifespan and ease of change to legitimate purposes.

May 21, 2024

5

min read

Read Article

Threat Research

Threat Research

Into the Viper’s Nest: Observations from Hunt’s Scanning

From initial access and privilege escalation to lateral movement and data collection, the open-source platform Viper...

May 8, 2024

7

min read

Read Article

Threat Research

Threat Research

Spotting SparkRAT: Detection Tactics & Sandbox Findings

The Hunt Research Team vigilantly monitors GitHub, sifts through the IOC sections of threat intelligence reports, and scours various online forums for emerging threats, ensuring our detections stay practical and current for our customers. Our focus frequently turns to lesser-known threats that can still wreak havoc on the networks of uninformed defenders.

Apr 23, 2024

5

min read

Read Article

Threat Research

SparkRAT

Lateral Movement & Persistence

Threat Research

In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory

Hunt scans every corner of the public IPV4 space and constantly scours the Internet for open directories. Through...

Apr 16, 2024

5

min read

Read Article

Threat Research

SuperShell

Cobalt Strike

Tool & Infrastructure Exposure

Threat Research

BlueShell: Four Years On, Still A Formidable Threat

Platforms like GitHub offer a valuable resource for developers and the open-source community. However, these sites also create a potential...

Apr 9, 2024

6

min read

Read Article

Threat Research

BlueShell

Malware Delivery

Threat Research

A Hunt How-To: Detecting RedGuard C2 Redirector

If you’re like me, you’ve likely read multiple reports on network intrusions involving a “standard” deployment...

Apr 2, 2024

7

min read

Read Article

Threat Research

RedGuard

Command & Control (C2)

Threat Research

Coin Miner and Mozi Botnet

Open directories can sometimes contain unexpected dangers in the hidden parts of the internet. Our recent investigation...

Mar 28, 2024

7

min read

Read Article

Threat Research

Mozi

XMRig

Botnet Activity, Cryptomining

Threat Research

A Treasure Trove of Trouble: Open Directory Exposes Red Team Tools

While open directories are often seen as a goldmine for security researchers and blue teams searching for malware...

Mar 21, 2024

5

min read

Read Article

Threat Research

Mimikatz

Tool & Infrastructure Exposure

Threat Research

One More Trip to The W3LL: Phishing Kit Targets Outlook Credentials

The W3LL Phishing Kit, a phishing-as-a-service (PAaS) tool, was identified by Group-IB in 2022. What makes the kit...

Mar 19, 2024

4

min read

Read Article

Threat Research

🌍 Global

W3LL

Phishing & Social Engineering

Threat Research

Hunting PrismX: Techniques for Network Discovery

Described on its GitHub README as an "Integrated lightweight cross-platform penetration system," PrismX goe...

Mar 12, 2024

5

min read

Read Article

Threat Research

PrismX

Reconnaissance & Scanning

Threat Research

Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials

Over the past month, Hunt has tracked an ongoing phishing campaign by a likely North Korean threat actor focused on...

Mar 5, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

🌍 Global

Phishing & Social Engineering

DPRK (North Korea)

Threat Research

Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram

Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in the Telegram groups focused on...

Feb 28, 2024

7

min read

Read Article

Threat Research

🌍 Global

Pyramid

NK Dropper

Phishing & Social Engineering

DPRK (North Korea)

Threat Research

Unveiling the Power of Tag Cloud: Navigating the Digital Landscape with Precision

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Feb 14, 2024

3

min read

Read Article

Threat Research

Threat Research

Tracking ShadowPad Infrastructure Via Non-Standard Certificates

This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity...

Feb 9, 2024

8

min read

Read Article

Threat Research

🌏 Asia

ShadowPad

Certificate & TLS Abuse

Threat Research

Beyond Headlines & Borders: An Overview of Advanced Threats You Should Know

Where national interests, strategic ambitions, and sometimes personal gain intertwine, state-linked cyber threat actors...

Feb 6, 2024

7

min read

Read Article

Threat Research

Threat Research

The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)

This post will serve as the first in a long series of articles on using the platform to identify malicious infrastructure and hunt...

Feb 1, 2024

4

min read

Read Article

Threat Research

Threat Research

Introducing Hunt Advanced Search

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Jan 30, 2024

3

min read

Read Article

Threat Research

Threat Research

How We Identify Malicious Infrastructure At Hunt.io

ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers...

Jan 24, 2024

5

min read

Read Article

Threat Research

Product News

Introducing the Hunt.io C2 Feed

It’s been a while since we announced a new feature, and with 2024 already in full swing, it is time to highlight what’s...

Jan 15, 2024

8

min read

Read Article

Product News

Product News

Announcing IOC-Hunter

As the end of the year approaches, we continue to enhance our feature set by building on well-established threat-...

Nov 14, 2023

3

min read

Read Article

Product News

Threat Research

Gateway to Intrusion: Malware Delivery Via Open Directories

Attackers constantly devise new and sophisticated methods of delivering malware to infiltrate systems and exfiltrate...

Oct 31, 2023

4

min read

Read Article

Threat Research

Malware Delivery

Threat Research

How Hunt.io Identifies Services on Non-Standard Ports

The term “threat hunting” is generally associated with detecting malicious behavior on endpoints manually...

Oct 25, 2023

4

min read

Read Article

Threat Research

Threat Research

Phish No More: A Hunt.io Guide to Gophish Detection

Phishing is more than a social engineering technique; it's a harrowing threat landscape where deception, innovation, and vigilance collide.

Oct 12, 2023

5

min read

Read Article

Threat Research

Threat Research

JA4: Decoding Cyber Shadows

In the ever-evolving world of cybersecurity, few individuals embody the spirit of innovation and exploration as profoundly as John Althouse.

Sep 28, 2023

10

min read

Read Article

Threat Research

Threat Research

Hunt Platform Statistics Launch

Learn about the Hunt.io massive observation collection platform.

Sep 19, 2023

3

min read

Read Article

Threat Research

Threat Research

Discovering & Disrupting Malicious Infrastructure

Michael showcases how the Hunt platform can be leveraged to proactively identify infrastructure not yet publicly reported on from recent malware campaigns.

Sep 12, 2023

5

min read

Read Article

Threat Research

Threat Research

Transparency of Attacker Tooling

How Open Directories Help with Threat Hunting and Incident Response.

Aug 17, 2023

4

min read

Read Article

Threat Research

Threat Research

Let's go Hunting

We are excited to unveil Hunt.io, a cutting-edge threat hunting solution that is set to transform the landscape of cybersecurity.

Aug 1, 2023

5

min read

Read Article

Threat Research

Threat Research

Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

Fake Homebrew Typosquats Used to Deliver Cuckoo Stealer via ClickFix

Technical analysis of a ClickFix campaign delivering Cuckoo Stealer through fake Homebrew typosquat domains. Includes infrastructure pivots, HuntSQL queries, C2 details, persistence, and more.

Feb 17, 2026

20

min read

Read Article

Threat Research

Threat Research

Hunting OpenClaw Exposures: CVE-2026-25253 in Internet-Facing AI Agent Gateways

Our research team identified over 17,500 internet-exposed OpenClaw, Clawdbot, and Moltbot instances vulnerable to CVE-2026-25253. This report documents detection methods and infrastructure analysis using Hunt.io.

Feb 3, 2026

19

min read

Read Article

Threat Research

Threat Research

Exposed Open Directory Leaks a Full BYOB Deployment Across Windows, Linux, and macOS

Analysis of an exposed BYOB command-and-control server revealing droppers, stagers, payloads, persistence mechanisms, and supporting infrastructure uncovered through proactive threat hunting

Jan 28, 2026

26

min read

Read Article

Threat Research

BYOB

Command & Control (C2)

Threat Research

ClickFix Campaign Hijacks Facebook Sessions at Scale by Abusing Verification and Appeal Workflows

An in-depth analysis of a ClickFix phishing campaign hijacking Facebook sessions at scale. Learn how attackers abuse verification workflows, steal session cookies, bypass MFA, and target creators using cloud-hosted infrastructure.

Jan 21, 2026

27

min read

Read Article

Threat Research

Threat Research

Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Discover how we mapped over 18,000 active malware C2 servers across Chinese ISPs and cloud providers using host-centric telemetry. See which providers are most frequently abused and what it means for global threat monitoring.

Jan 14, 2026

15

min read

Read Article

Threat Research

Threat Research

The Complete Guide to Hunting Cobalt Strike - Part 3: Automated C2 Infrastructure Discovery

See how automated detection, certificate analysis, and structured queries map Cobalt Strike C2 clusters and expose long-running infrastructure. Learn more.

Jan 6, 2026

13

min read

Read Article

Threat Research

Threat Research

2025: Year in Review Key Product Updates, Guides, and Threat Research

A look back at Hunt.io’s 2025 product releases, platform scale, and the threat research our community engaged with most throughout the year.

Dec 23, 2025

6

min read

Read Article

Threat Research

Product News

Announcing Hunt 2.8: Sharper IOC Hunter Workflows, Smarter Provider Visibility, and Easier C2 Filtering

Hunt 2.8 brings major improvements across IOC Hunter, AttackCapture™, IP search, and more accurate Reputation & Risk signals for domains and IPs.

Dec 18, 2025

4

min read

Read Article

Product News

Threat Research

Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns

Deep investigation into DPRK activity, revealing new Lazarus and Kimsuky infrastructure through multi-stage hunts and exposed operational patterns.

Dec 17, 2025

19

min read

Read Article

Threat Research

Backdoor Installer

FRP/Rakshasa

Command & Control (C2)

Threat Research

React2Shell (CVE-2025-55182): Dissecting a Node.js RCE Against a Production Next.js App

A detailed analysis of how React2Shell (CVE-2025-55182) was used to launch a multi-stage attack against a production Next.js app, exposing Node.js systems to real-world exploitation techniques and operational C2 infrastructure.

Dec 10, 2025

32

min read

Read Article

Threat Research

Threat Research

Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

A fake VSCode extension triggered a multi-stage attack deploying the Anivia loader and OctoRAT. Learn how the chain worked and where defenders can detect it. Learn more.

Dec 3, 2025

21

min read

Read Article

Threat Research

Threat Research

The Complete Guide to Hunting Cobalt Strike - Part 2: 10+ HuntSQL Recipes to Find Cobalt Strike

Turn Part 1’s clues into action with 10+ HuntSQL™ recipes. Pivot on cert reuse, beacon traits, and enrichment to expose Cobalt Strike clusters. Learn more.

Nov 19, 2025

23

min read

Read Article

Threat Research

Threat Research

The Complete Guide to Hunting Cobalt Strike - Part 1: Detecting Cobalt Strike in Open Directories

Learn how to detect Cobalt Strike in open directories using AttackCapture™. We analyzed real files, SSL certificates, and servers to uncover live C2 infrastructure.

Nov 13, 2025

24

min read

Read Article

Threat Research

Product News

Hunt 2.7 is Here: New Domain Risk, AttackCapture™ Filters, and Threat Actor Insights

Hunt 2.7 delivers faster C2 listings, new hostname and TLD search options, multi-value filtering, and IOC Hunter threat actor visibility on IP and domain searches. Explore what’s new in the latest release.

Nov 6, 2025

4

min read

Read Article

Product News

Threat Research

Multilingual ZIP Phishing Campaigns Targeting Financial and Government Organizations Across Asia

Hunt.io maps phishing campaigns using shared ZIP payload infrastructure targeting financial institutions and government organizations across Asia. Learn more.

Oct 29, 2025

21

min read

Read Article

Threat Research

Threat Research

From Munitions to Malware: Interview with Joseph Harrison About His Path to Threat Intelligence

In this interview, Joseph Harrison shares how his Air Force-minted discipline fuels his work in threat detection and digital forensics, and how he leverages Hunt.io’s data (especially JA4) to catch adversaries others miss.

Oct 23, 2025

15

min read

Read Article

Threat Research

Product News

Introducing Hunt 2.6: IP Risk & Reputation, Smarter IOC Hunting, and Faster Integrations

Hunt 2.6 launches with IP Risk & Reputation, SQL download via API, integration upgrades, enhanced IP search, and much more. Keep reading.

Oct 20, 2025

4

min read

Read Article

Product News

Threat Research

Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools

A large-scale macOS malware campaign mimics trusted dev tools to spread Odyssey Stealer and AMOS via fake Homebrew sites. Learn more.

Oct 16, 2025

17

min read

Read Article

Threat Research

🇪🇺 Europe

🌎 North America

Odyssey Stealer

AMOS Spyware

Malware Delivery

Odyssey

AMOS

Threat Research

AdaptixC2 Uncovered: Capabilities, Tactics & Hunting Strategies

A deep dive into AdaptixC2: modular architecture, multi-protocol communication, evasion tactics, IOCs, and defense strategies.

Oct 9, 2025

17

min read

Read Article

Threat Research

🌏 Asia

AdaptixC2

Command & Control (C2)

AdaptixC2

Threat Research

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

SideWinder’s Operation SouthNet: South Asia phishing on Netlify/pages.dev, Zimbra/Outlook lures, and open directories. Maritime focus. IOCs included. Learn more.

Oct 1, 2025

20

min read

Read Article

Threat Research

🌏 Asia

SideWinder

Phishing & Social Engineering

APT Sidewinder

Threat Research

Hunting C2 Panels: Beginner’s Guide for Identifying Command and Control Dashboards

Beginner’s guide to hunting exposed C2 dashboards like Supershell, HookBot, Chaos, Unam, Mythic, and Metasploit using paths, titles, and hashes

Sep 25, 2025

16

min read

Read Article

Threat Research

🌍 Global

Command & Control (C2)

Threat Research

Tracking AsyncRAT via Trojanized ScreenConnect and Open Directories

Research on AsyncRAT campaigns using trojanized ScreenConnect installers and open directories, exposing resilient attacker infrastructure and C2 tactics. Learn more.

Sep 18, 2025

24

min read

Read Article

Threat Research

🌍 Global

AsyncRAT

Command & Control (C2)

Threat Research

Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66

Hunt.io uncovers the 2025 Energy Phishing Wave, with Chevron, Conoco, PBF, and Phillips 66 targeted by large-scale cloning and brand abuse. Learn more.

Sep 11, 2025

29

min read

Read Article

Threat Research

🌎 North America

MaaS

Phishing & Social Engineering

Threat Research

From Malpedia to Metalcore: Daniel Plohmann Talks Malware Research and Music

Daniel Plohmann discusses building Malpedia, advancing malware research with MCRIT, and how metalcore and music inspire his work beyond security.

Sep 9, 2025

13

min read

Read Article

Threat Research

Threat Research

From Panel to Payload: Inside the TinyLoader Malware Operation

Investigation into TinyLoader malware stealing cryptocurrency via Redline Stealer, USB spread, and C2 infrastructure.

Sep 2, 2025

13

min read

Read Article

Threat Research

🌍 Global

TinyLoader

RedLine Stealer

Malware Delivery

Product News

Announcing Hunt 2.5 Powerful Pivots for Better Threat Hunting

Hunt 2.5 introduces IP pivots, faster HuntSQL queries, a full-screen app view, and a refreshed IP database. Explore the latest improvements.

Aug 21, 2025

4

min read

Read Article

Product News

Threat Research

APT MuddyWater Deploys Multi-Stage Phishing to Target CFOs

Hunt.io uncovers MuddyWater phishing campaigns using Firebase lures, VBS payloads, and NetBird for persistent remote access. Learn more.

Aug 20, 2025

16

min read

Read Article

Threat Research

🌍 Middle East

PowGoop

MuddyWater RAT

Malware Delivery

MuddyWater

Threat Research

Hunt.io Exposes and Analyzes ERMAC V3.0 Banking Trojan Full Source Code Leak

Hunt.io uncovers the complete ERMAC V3.0 source code, revealing its infrastructure, vulnerabilities, and expanded form injection capabilities.

Aug 14, 2025

16

min read

Read Article

Threat Research

🌍 Global

ERMAC v3

Malware Delivery

Threat Research

APT Sidewinder Spoofs Government and Military Institutions to Target South Asian Countries with Credential Harvesting Techniques

APT Sidewinder targets South Asian government and military portals using Netlify-hosted phishing pages to harvest credentials. Learn more.

Aug 8, 2025

21

min read

Read Article

Threat Research

🌏 Asia

Phishing & Social Engineering

APT Sidewinder

Threat Research

APT36 Expands Beyond Military: New Attacks Hit Indian Railways, Oil & Government Systems

APT36 expands its campaign beyond defense, using phishing, .desktop lures, and the Poseidon backdoor to target Indian infrastructure.

Jul 31, 2025

13

min read

Read Article

Threat Research

🇮🇳 India

Poseidon

Malware Delivery

APT36

Threat Research

Clickfix on macOS: AppleScript Malware Campaign Uses Terminal Prompts to Steal Data

Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.

Jul 22, 2025

17

min read

Read Article

Threat Research

🇮🇳 India

🌏 Asia

Phishing & Social Engineering

Malware Delivery

APT36

Threat Research

Widespread gov.br Subdomain Abuse: 630k+ URLs Leveraged for Black Hat SEO Redirects

Over 630K hijacked gov.br subdomains were exploited in a black hat SEO campaign using cloaking, keyword stuffing, and redirect techniques. Learn more.

Jul 17, 2025

13

min read

Read Article

Threat Research

🌎 South America

Poseidon

GhostRAT

Product News

Announcing Hunt 2.4 Smarter Data and Better Views

Hunt 2.4 adds archive-aware search, deeper SQL visibility, and improved phishing intel to make threat hunting faster, clearer, and more powerful.

Jul 15, 2025

4

min read

Read Article

Product News

Threat Research

Eggs, Alerts, and Adversaries: Talking with Jose Hernandez from Splunk

Splunk’s Jose Hernandez talks building detections, curious hires, Hunt.io in action, and balancing threat research with chickens and family life.

Jul 8, 2025

17

min read

Read Article

Threat Research

Threat Research

Threat Hunting Across 10.6B URLs: Find Payloads, C2s, and Exposed Assets with URLx

Explore 10.6B structured URLs with URLx. Find malware payloads, C2 paths, phishing campaigns, and exposed assets, fast.

Jun 26, 2025

16

min read

Read Article

Threat Research

Product News

Announcing Hunt 2.3: Improved Threat Hunting Experience & SSO Availability

Hunt 2.3 is here: analyst-driven insights, easier pivots, better phishing workflows, and full SSO support for enterprise teams.

Jun 25, 2025

5

min read

Read Article

Product News

Threat Research

Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure

Our threat hunters uncovered a PowerShell loader hosted by Chinese and Russian providers, linked to active Cobalt Strike infrastructure.

Jun 19, 2025

12

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Malware Delivery

Threat Research

Fast and Curious: From Red Teams to Race Cars A Conversation with TrustedSec CTO Justin Elze

TrustedSec CTO Justin Elze shares red teaming insights, offensive tooling tips, and how he uses Hunt.io and AttackCapture™, plus his passion for race car data.

Jun 17, 2025

11

min read

Read Article

Threat Research

Product News

Introducing Hunt 2.2 AttackCapture™ Zip Extraction, Smarter SQL, IP History Consolidation, and more

Explore Hunt 2.2: Auto-unpack zips in AttackCapture™, smarter SQL with WHOIS and Nmap, and full IP history consolidation, track abused hosting with Host Radar, and more.

Jun 12, 2025

5

min read

Read Article

Product News

Threat Research

Abusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure

See how attackers abuse paste.ee to deliver XWorm and AsyncRAT, using obfuscated scripts and globally distributed C2 infrastructure.

Jun 5, 2025

10

min read

Read Article

Threat Research

🌍 Global

AsyncRAT

XWorm

Malware Delivery

Threat Research

How to Track Threat Actors Through Real-World IOC Pivoting

Track attacker infrastructure with Hunt.io’s real-time IOC pivoting and threat actor intelligence. Learn more.

May 29, 2025

8

min read

Read Article

Threat Research

🌍 Global

IOC Pivoting

Product News

Introducing Hunt 2.1: Refinements to the Threat Hunting Experience

Discover the new Hunt.io updates: deep text assisted analysis, IOC feed improvements, improved threat actor data, and faster advanced search. Learn more.

May 21, 2025

7

min read

Read Article

Product News

Threat Research

Shared SSH Keys Expose Coordinated Phishing Campaign Targeting Kuwaiti Fisheries and Telecom Sectors

Shared SSH keys expose coordinated phishing targeting Kuwaiti fisheries, telecoms, and insurers with cloned login portals and mobile payment lures. Learn more.

May 15, 2025

7

min read

Read Article

Threat Research

🌍 Middle East

Phishing & Social Engineering

Threat Research

Unmasking Proxy Infrastructure: How to Detect IOX, FRP, Rakshasa Proxies with Hunt.io

This post explores open-source proxy tools commonly used in attacker and red team infrastructure, and shows how defenders can detect IOX, FRP, Rakshasa, and Stowaway at scale using Hunt.io.

May 8, 2025

8

min read

Read Article

Threat Research

🌏 Asia

FRP/Rakshasa

Command & Control (C2)

Threat Research

APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

APT36-style phishing campaign mimics India’s Ministry of Defence to drop malware on Windows and Linux via spoofed press releases and HTA payloads.

May 5, 2025

8

min read

Read Article

Threat Research

🇮🇳 India

Phishing & Social Engineering

APT36

Threat Research

Track APT34-Like Infrastructure Before It Strikes

APT34-like infrastructure mimicking an Iraqi academic institute and fake UK tech firms reveals early-stage staging on M247 servers. Learn what to track

Apr 22, 2025

9

min read

Read Article

Threat Research

🌍 Middle East

Karkoff

SideTwist

PowBAT

Command & Control (C2)

APT34

Threat Research

KeyPlug-Linked Server Briefly Exposes Fortinet Exploits, Webshells, and Recon Activity Targeting a Major Japanese Company

Briefly exposed KeyPlug infrastructure revealed Fortinet exploits, encrypted webshells, and recon scripts targeting Shiseido, a major Japanese enterprise. Learn more..

Apr 17, 2025

12

min read

Read Article

Threat Research

🌍 Global

KEYPLUG

Tool & Infrastructure Exposure

Chinese APT

Threat Research

Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight

Phishing campaign evades detection with server-side logic. See how employee portals are targeted—and how defenders can uncover them. Learn more.

Apr 15, 2025

10

min read

Read Article

Threat Research

🌍 Global

Pterodo

ShadowPad

Phishing & Social Engineering

Gamaredon

ShadowPad ecosystem

Threat Research

GoPhish Framework Leveraged to Target Polish Government Regulator and Energy Sector

Explore how the GoPhish framework was leveraged to stage infrastructure and domains spoofing Polish government and energy entities.

Apr 10, 2025

7

min read

Read Article

Threat Research

🇪🇺 Europe

Gopish

Phishing & Social Engineering

Threat Research

State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure

Explore Gamaredon’s flux-like DNS and ShadowPad malware infrastructure, with insights into how these attacker networks are configured, rotated, and maintained.

Apr 8, 2025

11

min read

Read Article

Threat Research

🇪🇺 Europe

🌏 Asia

ShadowPad

Command & Control (C2)

Threat Research

Identifying ClickFix Exploits: A Case Study in Proactive Threat Hunting

Learn how Hunt.io identifies early-stage ClickFix delivery pages across the web using advanced search capabilities to stay ahead of exploitation attempts.

Apr 3, 2025

9

min read

Read Article

Threat Research

🌏 Asia

ClickFix

Phishing & Social Engineering

APT36

Threat Research

Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs

Learn how a Russian-speaking threat actor has evolved from impersonating EFF to now deploying Cloudflare-themed phishing with Telegram-based C2.

Apr 1, 2025

9

min read

Read Article

Threat Research

🌍 Global

Product News

URLx Just Got Bigger: 10.6B URLs for Recon and Malicious Infrastructure Hunting

Explore exposed infrastructure with URLx: 10.6B+ URLs, HTTPx integration, and advanced filtering - now live in Hunt.io.

Mar 27, 2025

3

min read

Read Article

Product News

Threat Research

A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io

Learn how to track and map adversary infrastructure using Hunt, pivoting from a single IP to uncover hidden connections through infrastructure overlaps and key intelligence indicators.

Mar 25, 2025

11

min read

Read Article

Threat Research

🌍 Global

Malware Delivery

Product News

Product Update: Introducing IOC Hunter Feed & Attribution in our C2 Feed

Track threat actors and malicious infrastructure with Hunt.io’s IOC Hunter Feed and C2 Attribution. Get deeper visibility and context for better threat intelligence.

Mar 20, 2025

7

min read

Read Article

Product News

Threat Research

South Korean Organizations Targeted by Cobalt Strike ‘Cat’ Delivered by a Rust Beacon

Discover how threat actors used a Rust loader to deploy Cobalt Strike ‘Cat’ against South Korean targets. Learn more.

Mar 18, 2025

8

min read

Read Article

Threat Research

🇰🇷 South Korea

Cobalt Strike

Malware Delivery

DPRK (North Korea)

Threat Research

JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure

Discover how threat actors deploy a rebranded File Browser alongside JSPSpy for stealth file management on compromised servers.

Mar 11, 2025

6

min read

Read Article

Threat Research

JSPSpy

FileBrowser

Malware Delivery

Lazarus Group

Product News

Introducing Hunt 2.0 Deeper Threat Analysis & Enhanced Data for Cyber Intelligence

Our latest release delivers deeper threat analysis with improved threat actor, C2, malware data, and new integrations for robust cyber intelligence.

Mar 6, 2025

6

min read

Read Article

Product News

Threat Research

Exposing Russian EFF Impersonators: The Inside Story on Stealc & Pyramid C2

Discover how an open directory exposed a threat actor impersonating EFF to target gamers and how we mapped their infrastructure to Stealc & Pyramid C2.

Mar 4, 2025

12

min read

Read Article

Threat Research

🌍 Global

Stealc

Pyramid

Phishing & Social Engineering

Malware Delivery

Russian APT

Threat Research

Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure

Discover Joker malware infrastructure with Hunt SSL History, mapping its C2 network through certificate tracking of recent and past activity.

Feb 27, 2025

11

min read

Read Article

Threat Research

🌍 Global

Joker

Certificate & TLS Abuse

Threat Research

LightSpy Expands Command List to Include Social Media Platforms

A new LightSpy server expands its attack scope, targeting Facebook and Instagram database files. Explore its evolving capabilities and infrastructure.

Feb 20, 2025

11

min read

Read Article

Threat Research

🌏 Asia

LightSpy

Data Theft & Exfiltration

Chinese APT

Threat Research

Backdoored Executables for Signal, Line, and Gmail Target Chinese-Speaking Users

Read how attackers distribute backdoored Signal, Line, and Gmail installers through fraudulent download pages and how to defend against this campaign.

Feb 18, 2025

7

min read

Read Article

Threat Research

🇨🇳 China

Backdoor Installer

Malware Delivery

Product News

Advanced Threat Hunting with New SSL Features: Unlocking HuntSQL™ Anomaly Flags for Deeper Detection

Hunt.io enhances SSL threat hunting with new anomaly flags in HuntSQL™, improving the detection of misconfigurations, expired certificates, and malware infrastructure.

Feb 13, 2025

7

min read

Read Article

Product News

Threat Research

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Discover how Pyramid, an open-source tool, enables post-exploitation. Learn detection methods using HTTP headers and recent findings in Hunt.

Feb 12, 2025

6

min read

Read Article

Threat Research

Pyramid

Reconnaissance & Scanning

Threat Research

SmokeLoader Malware Found in Open Directories Targeting Ukraine’s Auto & Banking Industries

Attackers used open directories to spread SmokeLoader malware, luring Ukraine’s auto and banking sectors. Explore findings, execution, and tactics.

Feb 6, 2025

7

min read

Read Article

Threat Research

🇪🇺 Europe

SmokeLoader

Threat Research

GreenSpot APT Targets 163.com Users with Fake Download Pages & Spoofed Domains

GreenSpot APT targets 163.com users via fake download pages and domain spoofing. Learn their tactics, risks, and how to protect your email accounts.

Feb 4, 2025

6

min read

Read Article

Threat Research

🌏 Asia

Phishing & Social Engineering

GreenSpot APT

Threat Research

How SSL Intelligence and SSL History Can Supercharge Threat Hunting

Explore how SSL intelligence and SSL history empower proactive threat hunting. Learn tools, real-world examples, and strategies to track cyber threats.

Jan 30, 2025

9

min read

Read Article

Threat Research

Threat Research

SparkRAT: Server Detection, macOS Activity, and Malicious Connections

Explore SparkRAT detection tactics, macOS targeting, and insights into recent DPRK-linked campaigns with actionable research findings.

Jan 28, 2025

9

min read

Read Article

Threat Research

🌏 Asia

SparkRAT

Command & Control (C2)

DPRK (North Korea)

Threat Research

Mapping Suspected KEYPLUG Infrastructure: TLS Certificates, GhostWolf, and RedGolf/APT41 Activity

Uncover how Hunt’s TLS records reveal patterns in suspected KEYPLUG infrastructure, linking GhostWolf and RedGolf/APT41 to ongoing activity.

Jan 23, 2025

15

min read

Read Article

Threat Research

🌏 Asia

KEYPLUG

Certificate & TLS Abuse

APT41

GhostWolf

Threat Research

Malicious VS Code Extension Impersonating Zoom Steals Chrome Cookies

Uncover a deceptive VS Code extension, masquerading as Zoom, that pilfers your Google Chrome cookies. Join us as we expose the techniques behind this alarming supply chain campaign.

Jan 21, 2025

8

min read

Read Article

Threat Research

🌍 Global

Malicious Extension

Malware Delivery

Threat Research

‘JustJoin’ Landing Page Linked to Suspected DPRK Activity Resurfaces

Learn how a landing page mimicking “JustJoin,” tied to suspected DPRK cyber activity, has reappeared with new infrastructure linked through SSH key overlaps.

Jan 14, 2025

5

min read

Read Article

Threat Research

🇰🇷 South Korea

Credential Reuse

DPRK (North Korea)

Threat Research

Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure

Read more about connections through a TLS certificate linking reported and unreported infrastructure tied to the Cyberhaven extension compromise.

Jan 9, 2025

7

min read

Read Article

Threat Research

🌍 Global

Malicious Extension

Certificate & TLS Abuse

Threat Research

Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure

Learn how a Cobalt Strike server with a TLS certificate and prominent watermark showed a Golang-compiled beacon communicating with Visual Studio Code tunnels.

Jan 7, 2025

9

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Command & Control (C2)

Product News

Hunt.io 2024 Year in Review Key Product & Research Highlights

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Dec 20, 2024

7

min read

Read Article

Product News

Threat Research

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Dec 12, 2024

6

min read

Read Article

Threat Research

🇪🇺 Europe

🌎 North America

Oyster

IOC Pivoting

Vanilla Tempest

Threat Research

“Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

Dec 10, 2024

6

min read

Read Article

Threat Research

🇰🇷 South Korea

Beacon Reuse

Kimsuky

Threat Research

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Devices

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Dec 5, 2024

7

min read

Read Article

Threat Research

🌏 Asia

MoqHao

Phishing & Social Engineering

Threat Research

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Dec 3, 2024

8

min read

Read Article

Threat Research

🌍 Global

Cobalt Strike

Command & Control (C2)

Threat Research

Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

Nov 28, 2024

6

min read

Read Article

Threat Research

🌍 Global

XWorm

Malware Delivery

Threat Research

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

Nov 21, 2024

7

min read

Read Article

Threat Research

🌏 Asia

🇪🇺 Europe

DarkPeony

Certificate & TLS Abuse

Threat Research

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Nov 19, 2024

6

min read

Read Article

Threat Research

🌍 Global

XenoRAT

Evasion & Obfuscation

DPRK (North Korea)

Threat Research

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

Nov 12, 2024

7

min read

Read Article

Threat Research

🌎 North America

Sliver

Ligolo-ng

Command & Control (C2)

Threat Research

One Font, Countless Frauds: Exposing Large-Scale Phishing Activity Abusing Cloudflare

Discover how a shared Font Awesome kit on Cloudflare platforms exposes over 60,000 phishing links targeting Microsoft, DHL, and more. Learn more.

Nov 7, 2024

7

min read

Read Article

Threat Research

Threat Research

RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

Nov 5, 2024

9

min read

Read Article

Threat Research

🌍 Global

RunningRAT

XMRig

Botnet Activity, Cryptomining

Threat Research

Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight

Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.

Oct 31, 2024

7

min read

Read Article

Threat Research

Cobalt Strike

BrowserGhost

Tool & Infrastructure Exposure

Threat Research

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Explore a suspected North Korean-linked phishing campaign targeting Naver and how unknown actors use distinct TLS certificates to spoof Apple domains.

Oct 29, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

Phishing & Social Engineering

DPRK (North Korea)

Threat Research

Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users

Discover how an open directory of Rekoobe malware samples led to different domains resembling trading platforms, posing risks for traders and investors.

Oct 24, 2024

6

min read

Read Article

Threat Research

🌍 Global

Rekoobe

Malware Delivery

Threat Research

From Warm to Burned: Shedding Light on Updated WarmCookie Infrastructure

Get an inside look at Warmcookie’s updated C2 infrastructure linked to its latest update. We reveal insights into newly identified servers that can assist defenders in identifying related servers.

Oct 17, 2024

6

min read

Read Article

Threat Research

WarmCookie

Command & Control (C2)

Threat Research

Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More

Read how CodeSearch helps security professionals to identify exploit code, reverse shells, and C2 configs across open directories, enhancing threat detection.

Oct 15, 2024

7

min read

Read Article

Threat Research

Threat Research

Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity

Learn how basic tracking techniques using unusual certificates and redirects helped uncover Earth Baxia and a hidden cyber threat, providing practical insights for network defense.

Oct 10, 2024

8

min read

Read Article

Threat Research

🌏 Asia

PlugX

Tool & Infrastructure Exposure

Earth Baxia

Threat Research

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Pages

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.

Oct 8, 2024

8

min read

Read Article

Threat Research

🌍 Global

SpyNote

DDoS Scripts

Tool & Infrastructure Exposure

Product News

Announcing Hunt SQL

We’re excited to release Hunt SQL and to provide the power and flexibility of SQL to researchers, analysts and threat hunters alike. 

Oct 3, 2024

1

min read

Read Article

Product News

Threat Research

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection | Hunt.io

Oct 1, 2024

8

min read

Read Article

Threat Research

Packed Python Script

Evasion & Obfuscation

Threat Research

Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory

Check out our new blog post on exposed files found in an open directory that reveal an attack with overlapping TTPs linked to the Stargazers network.

Sep 24, 2024

12

min read

Read Article

Threat Research

Initial Access & Exploitation

Product News

Announcing Hunt APIs

Today Hunt is announcing our IP Enrichment API. You can get detailed data on every IPv4 Address and enrich any existing system.

Sep 17, 2024

1

min read

Read Article

Product News

Threat Research

Decoy Docs and Malicious Browser Extensions: A Closer Look at a Multi-Layered Threat

Compromising a browser can be a goldmine for attackers, offering extensive access to sensitive user data ...

Sep 10, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

Malicious Extension

Phishing & Social Engineering

Kimsuky

Threat Research

ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...

Sep 3, 2024

10

min read

Read Article

Threat Research

🌍 Global

ToneShell

Phishing & Social Engineering

Mustang Panda

Threat Research

Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims

During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...

Aug 29, 2024

7

min read

Read Article

Threat Research

🇰🇷 South Korea

Latrodectus

Fake Installer

Malware Delivery

Product News

Announcing AttackCapture by Hunt.io

We originally launched our "Open Directory" feature in Hunt a year ago.  The premise behind it was to get into the mind of the attacker by get a backstage view into their attacks.  What we learned was that there was a ton of information that could be correlated and indexed.  Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.

Aug 23, 2024

1

min read

Read Article

Product News

Threat Research

EvilGophish Unhooked: Insights Into the Infrastructure and Notable Domains

In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown Gophish infrastructure.

Aug 13, 2024

6

min read

Read Article

Threat Research

Gophish

Phishing & Social Engineering

Threat Research

Pentester or Threat Actor? Open Directory Exposes Test Results and Possible Targeting of Government Organizations

During routine research of newly identified open directories, the Hunt Research Team made a startling discovery: a...

Aug 7, 2024

7

min read

Read Article

Threat Research

Tool & Infrastructure Exposure

Threat Research

MacOS Malware Impersonates The Unarchiver App to Steal User Data

Discover how macOS malware tricks users into downloading an app disguised as The Unarchiver app. The app contains a binary named “CryptoTrade” designed to steal sensitive user information.

Jul 30, 2024

7

min read

Read Article

Threat Research

🌍 Global

CryptoTrade

Malware Delivery

Threat Research

A Simple Approach to Discovering Oyster Backdoor Infrastructure

Oyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to...

Jul 23, 2024

6

min read

Read Article

Threat Research

Oyster

IOC Pivoting

Threat Research

SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as ...

Jul 16, 2024

7

min read

Read Article

Threat Research

🌍 Global

Poseidon

Gh0st RAT

Malware Delivery

Threat Research

The Secret Ingredient: Unearthing Suspected SpiceRAT Infrastructure via HTML Response

Reports on new malware families often leave subtle clues that lead researchers to uncover additional infrastructure not...

Jul 11, 2024

5

min read

Read Article

Threat Research

🇪🇺 Europe

🌏 Asia

SpiceRAT

Malware Delivery

Threat Research

ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America

Nearly three years after ProxyLogon and ProxyShell wreaked widespread havoc on Microsoft Exchange servers, the Hunt

Jul 2, 2024

9

min read

Read Article

Threat Research

🌏 Asia

🇪🇺 Europe

🌎 South America

Initial Access & Exploitation

Threat Research

Geacon and Geacon_Pro: A Constant Menace to Linux and Windows Systems

The red-teaming tool Cobalt Strike has long been a staple for simulating attacks, predominantly targeting Windows ...

Jun 27, 2024

10

min read

Read Article

Threat Research

🌍 Global

Geacon

Command & Control (C2)

Chinese APT

Threat Research

Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub

XenoRAT, an open-source malware available on GitHub, has been linked to a North Korean hacking group and unnamed...

Jun 25, 2024

8

min read

Read Article

Threat Research

🌍 Global

XenoRAT

DPRK (North Korea)

Threat Research

Caught in the Act: Uncovering SpyNote in Unexpected Places

In hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded...

Jun 20, 2024

6

min read

Read Article

Threat Research

SpyNote

Malware Delivery

Threat Research

Open Directories Expose Publicly Available Tools Targeting Asian Organizations

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Jun 18, 2024

7

min read

Read Article

Threat Research

🌏 Asia

Tool & Infrastructure Exposure

Chinese APT

Threat Research

Gh0st and Pantegana: Two RATs that Refuse to Fade Away

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable...

Jun 12, 2024

7

min read

Read Article

Threat Research

🌍 Global

Gh0st RAT

Pantegana RAT

Malware Delivery

DriftingCloud

Threat Research

Tracking LightSpy: Certificates as Windows into Adversary Behavior

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificate...

Jun 6, 2024

7

min read

Read Article

Threat Research

🌏 Asia

LightSpy

Certificate & TLS Abuse

Threat Research

Legacy Threat: PlugX Builder/Controller Discovered in Open Directory

The threat actor(s) built and controlled at least one of the binaries on the same server, granting us access to numerous..

Jun 5, 2024

9

min read

Read Article

Threat Research

PlugX

Tool & Infrastructure Exposure

Chinese APT

Threat Research

SolarMarker: Hunt Insights and Findings

Following Recorded Future's (RF) report, "Exploring the Depths of SolarMarker's Multi-tiered Infrastructure," the Hunt Research Team leveraged the IOCs provided to discover a method of identifying clusters of SolarMarker servers in the wild.

May 30, 2024

7

min read

Read Article

Threat Research

🌎 North America

🇪🇺 Europe

SolarMarker

Malware Delivery

Multi-Stage Infection

Threat Research

Tales from the Hunt: A Look at Yakit Security Tool

In our previous post on the Viper framework, we briefly covered the Yakit Security tool, which is publicly available on GitHub. In this post, we'll discuss its features and cover additional red team tools co-hosted with the project, as discovered during our internet-wide scans.

May 28, 2024

5

min read

Read Article

Threat Research

Yakit

Threat Research

Unearthing New Infrastructure by Revisiting Past Threat Reports

Suppose you know David Bianco’s “Pyramid of Pain” model. In that case, you know that IP addresses are among the lower indicators of compromise due to their short lifespan and ease of change to legitimate purposes.

May 21, 2024

5

min read

Read Article

Threat Research

Threat Research

Into the Viper’s Nest: Observations from Hunt’s Scanning

From initial access and privilege escalation to lateral movement and data collection, the open-source platform Viper...

May 8, 2024

7

min read

Read Article

Threat Research

Threat Research

Spotting SparkRAT: Detection Tactics & Sandbox Findings

The Hunt Research Team vigilantly monitors GitHub, sifts through the IOC sections of threat intelligence reports, and scours various online forums for emerging threats, ensuring our detections stay practical and current for our customers. Our focus frequently turns to lesser-known threats that can still wreak havoc on the networks of uninformed defenders.

Apr 23, 2024

5

min read

Read Article

Threat Research

SparkRAT

Lateral Movement & Persistence

Threat Research

In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory

Hunt scans every corner of the public IPV4 space and constantly scours the Internet for open directories. Through...

Apr 16, 2024

5

min read

Read Article

Threat Research

SuperShell

Cobalt Strike

Tool & Infrastructure Exposure

Threat Research

BlueShell: Four Years On, Still A Formidable Threat

Platforms like GitHub offer a valuable resource for developers and the open-source community. However, these sites also create a potential...

Apr 9, 2024

6

min read

Read Article

Threat Research

BlueShell

Malware Delivery

Threat Research

A Hunt How-To: Detecting RedGuard C2 Redirector

If you’re like me, you’ve likely read multiple reports on network intrusions involving a “standard” deployment...

Apr 2, 2024

7

min read

Read Article

Threat Research

RedGuard

Command & Control (C2)

Threat Research

Coin Miner and Mozi Botnet

Open directories can sometimes contain unexpected dangers in the hidden parts of the internet. Our recent investigation...

Mar 28, 2024

7

min read

Read Article

Threat Research

Mozi

XMRig

Botnet Activity, Cryptomining

Threat Research

A Treasure Trove of Trouble: Open Directory Exposes Red Team Tools

While open directories are often seen as a goldmine for security researchers and blue teams searching for malware...

Mar 21, 2024

5

min read

Read Article

Threat Research

Mimikatz

Tool & Infrastructure Exposure

Threat Research

One More Trip to The W3LL: Phishing Kit Targets Outlook Credentials

The W3LL Phishing Kit, a phishing-as-a-service (PAaS) tool, was identified by Group-IB in 2022. What makes the kit...

Mar 19, 2024

4

min read

Read Article

Threat Research

🌍 Global

W3LL

Phishing & Social Engineering

Threat Research

Hunting PrismX: Techniques for Network Discovery

Described on its GitHub README as an "Integrated lightweight cross-platform penetration system," PrismX goe...

Mar 12, 2024

5

min read

Read Article

Threat Research

PrismX

Reconnaissance & Scanning

Threat Research

Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials

Over the past month, Hunt has tracked an ongoing phishing campaign by a likely North Korean threat actor focused on...

Mar 5, 2024

11

min read

Read Article

Threat Research

🇰🇷 South Korea

🌍 Global

Phishing & Social Engineering

DPRK (North Korea)

Threat Research

Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram

Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in the Telegram groups focused on...

Feb 28, 2024

7

min read

Read Article

Threat Research

🌍 Global

Pyramid

NK Dropper

Phishing & Social Engineering

DPRK (North Korea)

Threat Research

Unveiling the Power of Tag Cloud: Navigating the Digital Landscape with Precision

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Feb 14, 2024

3

min read

Read Article

Threat Research

Threat Research

Tracking ShadowPad Infrastructure Via Non-Standard Certificates

This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity...

Feb 9, 2024

8

min read

Read Article

Threat Research

🌏 Asia

ShadowPad

Certificate & TLS Abuse

Threat Research

Beyond Headlines & Borders: An Overview of Advanced Threats You Should Know

Where national interests, strategic ambitions, and sometimes personal gain intertwine, state-linked cyber threat actors...

Feb 6, 2024

7

min read

Read Article

Threat Research

Threat Research

The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)

This post will serve as the first in a long series of articles on using the platform to identify malicious infrastructure and hunt...

Feb 1, 2024

4

min read

Read Article

Threat Research

Threat Research

Introducing Hunt Advanced Search

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Jan 30, 2024

3

min read

Read Article

Threat Research

Threat Research

How We Identify Malicious Infrastructure At Hunt.io

ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers...

Jan 24, 2024

5

min read

Read Article

Threat Research

Product News

Introducing the Hunt.io C2 Feed

It’s been a while since we announced a new feature, and with 2024 already in full swing, it is time to highlight what’s...

Jan 15, 2024

8

min read

Read Article

Product News

Product News

Announcing IOC-Hunter

As the end of the year approaches, we continue to enhance our feature set by building on well-established threat-...

Nov 14, 2023

3

min read

Read Article

Product News

Threat Research

Gateway to Intrusion: Malware Delivery Via Open Directories

Attackers constantly devise new and sophisticated methods of delivering malware to infiltrate systems and exfiltrate...

Oct 31, 2023

4

min read

Read Article

Threat Research

Malware Delivery

Threat Research

How Hunt.io Identifies Services on Non-Standard Ports

The term “threat hunting” is generally associated with detecting malicious behavior on endpoints manually...

Oct 25, 2023

4

min read

Read Article

Threat Research

Threat Research

Phish No More: A Hunt.io Guide to Gophish Detection

Phishing is more than a social engineering technique; it's a harrowing threat landscape where deception, innovation, and vigilance collide.

Oct 12, 2023

5

min read

Read Article

Threat Research

Threat Research

JA4: Decoding Cyber Shadows

In the ever-evolving world of cybersecurity, few individuals embody the spirit of innovation and exploration as profoundly as John Althouse.

Sep 28, 2023

10

min read

Read Article

Threat Research

Threat Research

Hunt Platform Statistics Launch

Learn about the Hunt.io massive observation collection platform.

Sep 19, 2023

3

min read

Read Article

Threat Research

Threat Research

Discovering & Disrupting Malicious Infrastructure

Michael showcases how the Hunt platform can be leveraged to proactively identify infrastructure not yet publicly reported on from recent malware campaigns.

Sep 12, 2023

5

min read

Read Article

Threat Research

Threat Research

Transparency of Attacker Tooling

How Open Directories Help with Threat Hunting and Incident Response.

Aug 17, 2023

4

min read

Read Article

Threat Research

Threat Research

Let's go Hunting

We are excited to unveil Hunt.io, a cutting-edge threat hunting solution that is set to transform the landscape of cybersecurity.

Aug 1, 2023

5

min read

Read Article

Threat Research

Find the threat
before it finds you

Hunt adversary infrastructure in real time. Surface C2 servers, enrich IOCs,
and map attacker activity at scale with our unified threat hunting platform.

Start Hunting

Threat Hunting Platform

©2026 Hunt Intelligence, Inc.

Explore

Product

Features

OEM Partners

Pricing

Integrations

Resources

Blog

Change log

Support docs

Malware Families

Glossary

Company

About us

Use Cases

Testimonials

Branding

Contact Us

Terms and conditions

Privacy Policy

Find the threat
before it finds you

Hunt adversary infrastructure in real time. Surface C2 servers, enrich IOCs,
and map attacker activity at scale with our unified threat hunting platform.

Start Hunting

Threat Hunting Platform

Explore

Product

Features

OEM Partners

Pricing

Integrations

Resources

Blog

Change log

Support docs

Malware Families

Glossary

Company

About us

Use Cases

Testimonials

Branding

Contact Us

Terms and conditions

Privacy Policy

©2025 Hunt Intelligence, Inc.

Find the threat
before it finds you

Hunt adversary infrastructure in real time. Surface C2 servers, enrich IOCs,
and map attacker activity at scale with our unified threat hunting platform.

Start Hunting

Threat Hunting Platform

©2026 Hunt Intelligence, Inc.

Explore

Product

Features

OEM Partners

Pricing

Integrations

Resources

Blog

Change log

Support docs

Malware Families

Glossary

Company

About us

Use Cases

Testimonials

Branding

Contact Us

Terms and conditions

Privacy Policy