Briefly exposed KeyPlug infrastructure revealed Fortinet exploits, encrypted webshells, and recon scripts targeting Shiseido, a major Japanese enterprise. Learn more..

Phishing campaign evades detection with server-side logic. See how employee portals are targeted—and how defenders can uncover them. Learn more.

Explore how the GoPhish framework was leveraged to stage infrastructure and domains spoofing Polish government and energy entities.

Explore Gamaredon’s flux-like DNS and ShadowPad malware infrastructure, with insights into how these attacker networks are configured, rotated, and maintained.

Learn how Hunt.io identifies early-stage ClickFix delivery pages across the web using advanced search capabilities to stay ahead of exploitation attempts.

Learn how a Russian-speaking threat actor has evolved from impersonating EFF to now deploying Cloudflare-themed phishing with Telegram-based C2.

Explore exposed infrastructure with URLx: 10.6B+ URLs, HTTPx integration, and advanced filtering - now live in Hunt.io.

Learn how to track and map adversary infrastructure using Hunt, pivoting from a single IP to uncover hidden connections through infrastructure overlaps and key intelligence indicators.

Track threat actors and malicious infrastructure with Hunt.io’s IOC Hunter Feed and C2 Attribution. Get deeper visibility and context for better threat intelligence.

Discover how threat actors used a Rust loader to deploy Cobalt Strike ‘Cat’ against South Korean targets. Learn more.

Discover how threat actors deploy a rebranded File Browser alongside JSPSpy for stealth file management on compromised servers.

Our latest release delivers deeper threat analysis with improved threat actor, C2, malware data, and new integrations for robust cyber intelligence.

Discover how an open directory exposed a threat actor impersonating EFF to target gamers and how we mapped their infrastructure to Stealc & Pyramid C2.

Discover Joker malware infrastructure with Hunt SSL History, mapping its C2 network through certificate tracking of recent and past activity.

A new LightSpy server expands its attack scope, targeting Facebook and Instagram database files. Explore its evolving capabilities and infrastructure.

Read how attackers distribute backdoored Signal, Line, and Gmail installers through fraudulent download pages and how to defend against this campaign.

Hunt.io enhances SSL threat hunting with new anomaly flags in HuntSQL™, improving the detection of misconfigurations, expired certificates, and malware infrastructure.

Discover how Pyramid, an open-source tool, enables post-exploitation. Learn detection methods using HTTP headers and recent findings in Hunt.

Attackers used open directories to spread SmokeLoader malware, luring Ukraine’s auto and banking sectors. Explore findings, execution, and tactics.

GreenSpot APT targets 163.com users via fake download pages and domain spoofing. Learn their tactics, risks, and how to protect your email accounts.

Explore how SSL intelligence and SSL history empower proactive threat hunting. Learn tools, real-world examples, and strategies to track cyber threats.

Explore SparkRAT detection tactics, macOS targeting, and insights into recent DPRK-linked campaigns with actionable research findings.

Uncover how Hunt’s TLS records reveal patterns in suspected KEYPLUG infrastructure, linking GhostWolf and RedGolf/APT41 to ongoing activity.

Uncover a deceptive VS Code extension, masquerading as Zoom, that pilfers your Google Chrome cookies. Join us as we expose the techniques behind this alarming supply chain campaign.

Learn how a landing page mimicking “JustJoin,” tied to suspected DPRK cyber activity, has reappeared with new infrastructure linked through SSH key overlaps.

Read more about connections through a TLS certificate linking reported and unreported infrastructure tied to the Cyberhaven extension compromise.

Learn how a Cobalt Strike server with a TLS certificate and prominent watermark showed a Golang-compiled beacon communicating with Visual Studio Code tunnels.

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.

Explore a suspected North Korean-linked phishing campaign targeting Naver and how unknown actors use distinct TLS certificates to spoof Apple domains.

Discover how an open directory of Rekoobe malware samples led to different domains resembling trading platforms, posing risks for traders and investors.

Get an inside look at Warmcookie’s updated C2 infrastructure linked to its latest update. We reveal insights into newly identified servers that can assist defenders in identifying related servers.

Read how CodeSearch helps security professionals to identify exploit code, reverse shells, and C2 configs across open directories, enhancing threat detection.

Learn how basic tracking techniques using unusual certificates and redirects helped uncover Earth Baxia and a hidden cyber threat, providing practical insights for network defense.

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.

We’re excited to release Hunt SQL and to provide the power and flexibility of SQL to researchers, analysts and threat hunters alike. 

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection | Hunt.io

Check out our new blog post on exposed files found in an open directory that reveal an attack with overlapping TTPs linked to the Stargazers network.

Today Hunt is announcing our IP Enrichment API. You can get detailed data on every IPv4 Address and enrich any existing system.

Compromising a browser can be a goldmine for attackers, offering extensive access to sensitive user data ...

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...

During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...

We originally launched our "Open Directory" feature in Hunt a year ago.  The premise behind it was to get into the mind of the attacker by get a backstage view into their attacks.  What we learned was that there was a ton of information that could be correlated and indexed.  Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.

In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown Gophish infrastructure.

During routine research of newly identified open directories, the Hunt Research Team made a startling discovery: a...

Discover how macOS malware tricks users into downloading an app disguised as The Unarchiver app. The app contains a binary named “CryptoTrade” designed to steal sensitive user information.

Oyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to...

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as ...

Reports on new malware families often leave subtle clues that lead researchers to uncover additional infrastructure not...

Nearly three years after ProxyLogon and ProxyShell wreaked widespread havoc on Microsoft Exchange servers, the Hunt

The red-teaming tool Cobalt Strike has long been a staple for simulating attacks, predominantly targeting Windows ...

XenoRAT, an open-source malware available on GitHub, has been linked to a North Korean hacking group and unnamed...

In hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded...

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable...

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificate...

The threat actor(s) built and controlled at least one of the binaries on the same server, granting us access to numerous..

Following Recorded Future's (RF) report, "Exploring the Depths of SolarMarker's Multi-tiered Infrastructure," the Hunt Research Team leveraged the IOCs provided to discover a method of identifying clusters of SolarMarker servers in the wild.

In our previous post on the Viper framework, we briefly covered the Yakit Security tool, which is publicly available on GitHub. In this post, we'll discuss its features and cover additional red team tools co-hosted with the project, as discovered during our internet-wide scans.

Suppose you know David Bianco’s “Pyramid of Pain” model. In that case, you know that IP addresses are among the lower indicators of compromise due to their short lifespan and ease of change to legitimate purposes.

From initial access and privilege escalation to lateral movement and data collection, the open-source platform Viper...

The Hunt Research Team vigilantly monitors GitHub, sifts through the IOC sections of threat intelligence reports, and scours various online forums for emerging threats, ensuring our detections stay practical and current for our customers. Our focus frequently turns to lesser-known threats that can still wreak havoc on the networks of uninformed defenders.

Hunt scans every corner of the public IPV4 space and constantly scours the Internet for open directories. Through...

Platforms like GitHub offer a valuable resource for developers and the open-source community. However, these sites also create a potential...

If you’re like me, you’ve likely read multiple reports on network intrusions involving a “standard” deployment...

Open directories can sometimes contain unexpected dangers in the hidden parts of the internet. Our recent investigation...

While open directories are often seen as a goldmine for security researchers and blue teams searching for malware...

The W3LL Phishing Kit, a phishing-as-a-service (PAaS) tool, was identified by Group-IB in 2022. What makes the kit...

Described on its GitHub README as an "Integrated lightweight cross-platform penetration system," PrismX goe...

Over the past month, Hunt has tracked an ongoing phishing campaign by a likely North Korean threat actor focused on...

Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in the Telegram groups focused on...

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity...

Where national interests, strategic ambitions, and sometimes personal gain intertwine, state-linked cyber threat actors...

This post will serve as the first in a long series of articles on using the platform to identify malicious infrastructure and hunt...

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers...

It’s been a while since we announced a new feature, and with 2024 already in full swing, it is time to highlight what’s...

As the end of the year approaches, we continue to enhance our feature set by building on well-established threat-...

Attackers constantly devise new and sophisticated methods of delivering malware to infiltrate systems and exfiltrate...

The term “threat hunting” is generally associated with detecting malicious behavior on endpoints manually...

Phishing is more than a social engineering technique; it's a harrowing threat landscape where deception, innovation, and vigilance collide.

In the ever-evolving world of cybersecurity, few individuals embody the spirit of innovation and exploration as profoundly as John Althouse.

Learn about the Hunt.io massive observation collection platform.

Michael showcases how the Hunt platform can be leveraged to proactively identify infrastructure not yet publicly reported on from recent malware campaigns.

How Open Directories Help with Threat Hunting and Incident Response.

We are excited to unveil Hunt.io, a cutting-edge threat hunting solution that is set to transform the landscape of cybersecurity.