Cyb3rjerry
Lead SOC and DFIR analyst
My first blogpost on threat hunting & #xworm malware is out! Huge shoutout to @Huntio for their great tool!
Justin Elze
CTO @TrustedSec
PSA: I have been spending a lot of time this year hunting open directories with @Huntio. On four separate occasions, I had to contact pentesters/pentesting companies to take down a shared home folder served via python HTTP.server that was directly attributable to them. It wasn't CTF people or hobbyists. It was people doing their day jobs. Couple of fun facts: changing the port doesn't matter, and only doing it for a couple of hours doesn't matter; the internet is a hostile place that is constantly scanned and scraped.
Michael Koczwara
Founder @Intel_Ops_io
Using @Huntio to hunt for Lazarus/APT38 clusters is an effective way to understand which crypto-related companies are targeted by this threat actor. For example, we've observed a DPRK threat actor using the host 104.168.165.165 to create fake Hack VC subdomains, such as: /hack-vc.online-meets.xyz /hack-vc.video-meets.pro /xyzhack-vc.video-meets.xyz /video-meets.xyzhack-vc.video-meets.xyz /hack-vc.video-meets.xyzhack-vc.video-meets.xyz /hack-vc.video-meets.xyz /hack-vc.video-meets.site to impersonate/target the company.
Moonlock
Cybersecurity division @macpaw
New macOS malware targeting The Unarchiver! Stay safe, Mac users. Full report by @Moonlock_Lab with insights from @HuntIO https://moonlock.com/macos-malware-the-unarchiver… #Cybersecurity #MacOS #TheUnarchiver #Malware
Magnus Jacobsen
Computer aficionado
http://7.2.6.finish.py and http://exp.7.2.6.py look to be variants of a POC for CVE-2024-21762 (based on Assetnote's writeup). The IP also hosted some likely Rekoobe backdoor variants, among other things. Thanks @Huntio https://github.com/h4x0r-dz/CVE-2024-21762… https://assetnote.io/resources/research/two-bytes-is-plenty-fortigate-rce-with-cve-2024-21762
Michael R
Threat (Adversary Infrastructure) Researcher
#IcePeony 1/n Using @Huntio Code Search, I located the opendir (165.22.211[.]62:80) from @nao_sec's latest post by searching for a line of code from a bash script. This led to 2 more servers (172.233.1[.]11:80 & 128.199.70[.]91:8080) hosting the same CobaltStrike4.8 file.
Yury Sergeev
RST Cloud - Founder | Threat Intel Engineer
From month to month, I see a lot of cool stuff shared by companies in the threat hunting space, including http://Hunt.io - Hunt Intelligence, Inc.
Demon
APT Infrastructure Hunter I CTI Expert
Using @Huntio, I crafted the HuntSQL query to track recent phishing attempts reported on LinkedIn and found 9 unique webpages.
Virus Bulletin
Security information portal
http://hunt.io publishes a technical analysis of the ERMAC 3.0 source leak. The detailed report highlights operational weaknesses and active infrastructure that defenders can use to interrupt campaign activity.
Joseph Harrisson
Threat Operations Lead @ EY
Here’s the full attack chain I dissected from a malicious Apple config profile to a PAC file that silently reroutes traffic through an attacker’s proxy... Shout out to Hunt Intelligence, Inc., their platform enabled this investigation.
Michael Koczwara
Founder @Intel_Ops_io
Code search feature from @Huntio is excellent for monitoring threat actor OPSEC activities. For instance, it's well-known that Havoc C2 contains the specific header string "X-Havoc: true", making it relatively easy to detect. However, what if the threat actor removes the "X-Havoc: true" header and sets up/adds Cloudflare infrastructure/certificates to make it harder to detect, like the example here: /finances-news.com (0/94 VT). In that case, you can check the bash history, "havoc.yaotl", and "http_smb.yaotl" files to see how it's set up. From there, you can create a hunting rule to detect Havoc C2 even when the header string "X-Havoc: true" is removed, custom certificates are used, and infra is behind Cloudflare. Happy hunting!
Andrew Morris
Founder/Chief Architect of GreyNoise Intelligence
I broke into OSQuery's house to steal their TV and I couldn't because Hunt already stole it. Nice work @Huntio :) great feature.
Tony Perez
Founder @ CleanBrowsing, NOC, Trunc | Security Professional, Board Advisor
Always enjoy this kind of research.. just pull the thread and see where it takes you.. :).. nice Chris Ueland and the Hunt Intelligence, Inc. team.. #security #research
Scott Kupferschmid
Lead SOC and DFIR analyst
Great read regarding SuperShell from the Hunt Intelligence, Inc. team. https://lnkd.in/drPSyuqa
Intel-Ops
CTI, Threat Intelligence, Hunting Adversary Infrastructure Training.
Using Hunt Intelligence, Inc. to hunt for 🇰🇵 Lazarus/APT38 clusters is an effective way to understand which crypto-related companies are targeted by this threat actor.
blinkz
From Call Center Agent to Operation Centre Analyst 24/7 Shift Worker
Access to @Huntio has already paid off
@JAMESWT_WT @500mk500 Maybe something for you guys
#opendir
lnk -> tar -> bat -> several .zip files
bat includes a search for pdf files, see screenshot
In addition, attempts are made to download base64-encoded zip files.
David Greenwood
Founder Dogesec
The Hunt Intelligence, Inc. team consistently delivers groundbreaking threat research on their blog that you won’t find anywhere else.
Virus Bulletin
Security information portal
Hunt.io researchers analyse TinyLoader, which usually spreads through USB drives, network shares & fake shortcuts. For persistence it modifies the registry so that when a .txt file is opened the malware runs before the file opens normally.