Threat Hunting Blog

Check out our latest threat hunting articles, tips and stories

URLx Just Got Bigger: 10.6B URLs for Recon and Malicious Infrastructure Hunting
Mar 27, 2025

Explore exposed infrastructure with URLx: 10.6B+ URLs, HTTPx integration, and advanced filtering - now live in Hunt.io.

Product News

A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io
Mar 25, 2025

Learn how to track and map adversary infrastructure using Hunt, pivoting from a single IP to uncover hidden connections through infrastructure overlaps and key intelligence indicators.

Threat Research

Introducing IOC Hunter Feed and Attribution for Enhanced Threat Intelligence
Mar 20, 2025

Track threat actors and malicious infrastructure with Hunt.io’s IOC Hunter Feed and C2 Attribution. Get deeper visibility and context for better threat intelligence.

Product News

South Korean Organizations Targeted by Cobalt Strike ‘Cat’ Delivered by a Rust Beacon
Mar 18, 2025

Discover how threat actors used a Rust loader to deploy Cobalt Strike ‘Cat’ against South Korean targets. Learn more.

Threat Research

JSPSpy and ‘Filebroser’: A Custom File Management Tool in Webshell Infrastructure
Mar 11, 2025

Discover how threat actors deploy a rebranded File Browser alongside JSPSpy for stealth file management on compromised servers.

Threat Research

Introducing Hunt 2.0: Deeper Threat Analysis & Enhanced Data for Cyber Intelligence
Mar 6, 2025

Our latest release delivers deeper threat analysis with improved threat actor, C2, malware data, and new integrations for robust cyber intelligence.

Product News

Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2
Mar 4, 2025

Discover how an open directory exposed a threat actor impersonating EFF to target gamers and how we mapped their infrastructure to Stealc & Pyramid C2.

Threat Research

Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure
Feb 27, 2025

Discover Joker malware infrastructure with Hunt SSL History, mapping its C2 network through certificate tracking of recent and past activity.

Threat Research

LightSpy Malware Now Targets Facebook & Instagram Data
Feb 20, 2025

A new LightSpy server expands its attack scope, targeting Facebook and Instagram database files. Explore its evolving capabilities and infrastructure.

Threat Research

Backdoored Installers for Signal, Line, and Gmail Target Chinese-Speaking Users
Feb 18, 2025

Read how attackers distribute backdoored Signal, Line, and Gmail installers through fraudulent download pages and how to defend against this campaign.

Threat Research

Advanced Threat Hunting with New SSL Features: Unlocking HuntSQL™ Anomaly Flags for Deeper Detection
Feb 13, 2025

Hunt.io enhances SSL threat hunting with new anomaly flags in HuntSQL™, improving the detection of misconfigurations, expired certificates, and malware infrastructure.

Product News

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt
Feb 12, 2025

Discover how Pyramid, an open-source tool, enables post-exploitation. Learn detection methods using HTTP headers and recent findings in Hunt.

Threat Research

SmokeLoader Malware Targets Ukraine’s Auto & Banking Sectors via Open Directories
Feb 6, 2025

Attackers used open directories to spread SmokeLoader malware, luring Ukraine’s auto and banking sectors. Explore findings, execution, and tactics.

Threat Research

GreenSpot APT Targets 163.com Users with Fake Download Pages & Spoofed Domains
Feb 4, 2025

GreenSpot APT targets 163.com users via fake download pages and domain spoofing. Learn their tactics, risks, and how to protect your email accounts.

Threat Research

Unlock SSL Intelligence: How SSL History Boosts Threat Hunting
Jan 30, 2025

Explore how SSL intelligence and SSL history empower proactive threat hunting. Learn tools, real-world examples, and strategies to track cyber threats.

Threat Research

Unmasking SparkRAT: Detection & macOS Campaign Insights
Jan 28, 2025

Explore SparkRAT detection tactics, macOS targeting, and insights into recent DPRK-linked campaigns with actionable research findings.

Threat Research

Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links
Jan 23, 2025

Uncover how Hunt’s TLS records reveal patterns in suspected KEYPLUG infrastructure, linking GhostWolf and RedGolf/APT41 to ongoing activity.

Threat Research

VS Code Extension Impersonating Zoom Targets Google Chrome Cookies
Jan 21, 2025

Uncover a deceptive VS Code extension, masquerading as Zoom, that pilfers your Google Chrome cookies. Join us as we expose the techniques behind this alarming supply chain campaign.

Threat Research

‘JustJoin’ Landing Page Linked to Suspected DPRK Activity Resurfaces
Jan 14, 2025

Learn how a landing page mimicking “JustJoin,” tied to suspected DPRK cyber activity, has reappeared with new infrastructure linked through SSH key overlaps.

Threat Research

Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure
Jan 9, 2025

Read more about connections through a TLS certificate linking reported and unreported infrastructure tied to the Cyberhaven extension compromise.

Threat Research

Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure
Jan 7, 2025

Learn how a Cobalt Strike server with a TLS certificate and prominent watermark showed a Golang-compiled beacon communicating with Visual Studio Code tunnels.

Threat Research

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Product News

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Threat Research

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

Threat Research

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Threat Research

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Threat Research

Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

Threat Research

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

Threat Research

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Threat Research

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
Nov 12, 2024

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

Threat Research

RunningRAT’s Next Move: From Remote Access to Crypto mining For Profit
Nov 5, 2024

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

Threat Research

Oct 31, 2024

Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.

Threat Research

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified
Oct 29, 2024

Explore a suspected North Korean-linked phishing campaign targeting Naver and how unknown actors use distinct TLS certificates to spoof Apple domains.

Threat Research

Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users
Oct 24, 2024

Discover how an open directory of Rekoobe malware samples led to different domains resembling trading platforms, posing risks for traders and investors.

Threat Research

WarmCookie Infrastructure Update: Uncovering New C2 Servers and Threats
Oct 17, 2024

Get an inside look at Warmcookie’s updated C2 infrastructure linked to its latest update. We reveal insights into newly identified servers that can assist defenders in identifying related servers.

Threat Research

Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More
Oct 15, 2024

Read how CodeSearch helps security professionals to identify exploit code, reverse shells, and C2 configs across open directories, enhancing threat detection.

Threat Research

Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity
Oct 10, 2024

Learn how basic tracking techniques using unusual certificates and redirects helped uncover Earth Baxia and a hidden cyber threat, providing practical insights for network defense.

Threat Research

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Templates
Oct 8, 2024

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.

Threat Research

Announcing Hunt SQL
Oct 3, 2024

We’re excited to release Hunt SQL and to provide the power and flexibility of SQL to researchers, analysts and threat hunters alike.

Product News

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection | Hunt.io
Oct 1, 2024

Threat Research

Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory
Sep 24, 2024

Check out our new blog post on exposed files found in an open directory that reveal an attack with overlapping TTPs linked to the Stargazers network.

Threat Research

Announcing Hunt APIs
Sep 17, 2024

Today Hunt is announcing our IP Enrichment API. You can get detailed data on every IPv4 address and enrich any existing system.

Product News

Decoy Docs and Malicious Browser Extensions: A Closer Look at a Multi-Layered Threat
Sep 10, 2024

Compromising a browser can be a goldmine for attackers, offering extensive access to sensitive user data ...

Threat Research

ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit
Sep 3, 2024

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...

Threat Research

Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims
Aug 29, 2024

During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...

Threat Research

Launching AttackVault by Hunt.Io
Aug 23, 2024

We originally launched our "Open Directory" feature in Hunt a year ago. The premise behind it was to get into the mind of the attacker by getting a backstage view into their attacks. What we learned was that there was a ton of information that could be correlated and indexed. Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.

Product News

EvilGophish Unhooked: Insights Into the Infrastructure and Notable Domains
Aug 13, 2024

In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown Gophish infrastructure.

Threat Research

Pentester or Threat Actor? Open Directory Exposes Test Results and Possible Targeting of Government Organizations
Aug 7, 2024

During routine research of newly identified open directories, the Hunt Research Team made a startling discovery: a...

Threat Research

macOS Malware Impersonates The Unarchiver App to Steal User Data | Hunt.io
Jul 30, 2024

Discover how macOS malware tricks users into downloading an app disguised as The Unarchiver app. The app contains a binary named “CryptoTrade” designed to steal sensitive user information.

Threat Research

A Simple Approach to Discovering Oyster Backdoor Infrastructure | Hunt.io
Jul 23, 2024

Oyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to...

Threat Research

SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More
Jul 16, 2024

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as ...

Threat Research

The Secret Ingredient: Unearthing Suspected SpiceRAT Infrastructure via HTML Response
Jul 11, 2024

Reports on new malware families often leave subtle clues that lead researchers to uncover additional infrastructure not...

Threat Research

ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
Jul 2, 2024

Nearly three years after ProxyLogon and ProxyShell wreaked widespread havoc on Microsoft Exchange servers, the Hunt

Threat Research

Geacon and Geacon_Pro: A Constant Menace to Linux and Windows Systems
Jun 27, 2024

The red-teaming tool Cobalt Strike has long been a staple for simulating attacks, predominantly targeting Windows ...

Threat Research

Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub
Jun 25, 2024

XenoRAT, an open-source malware available on GitHub, has been linked to a North Korean hacking group and unnamed...

Threat Research

Caught in the Act: Uncovering SpyNote in Unexpected Places
Jun 20, 2024

In hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded...

Threat Research

Open Directories Expose Publicly Available Tools Targeting Asian Organizations
Jun 18, 2024

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Threat Research

Gh0st and Pantegana: Two RATs that Refuse to Fade Away
Jun 12, 2024

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable...

Threat Research

Jun 6, 2024

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificate...

Threat Research

Jun 5, 2024

The threat actor(s) built and controlled at least one of the binaries on the same server, granting us access to numerous..

Threat Research

SolarMarker: Hunt Insights and Findings
May 30, 2024

Following Recorded Future's (RF) report, "Exploring the Depths of SolarMarker's Multi-tiered Infrastructure," the Hunt Research Team leveraged the IOCs provided to discover a method of identifying clusters of SolarMarker servers in the wild.

Threat Research

Tales from the Hunt: A Look at Yakit Security Tool
May 28, 2024

In our previous post on the Viper framework, we briefly covered the Yakit Security tool, which is publicly available on GitHub. In this post, we'll discuss its features and cover additional red team tools co-hosted with the project, as discovered during our internet-wide scans.

Threat Research

Unearthing New Infrastructure by Revisiting Past Threat Reports
May 21, 2024

If you know David Bianco’s “Pyramid of Pain” model, you know that IP addresses are among the lower indicators of compromise because of their short lifespan and the ease with which they can change to legitimate purposes.

Threat Research

Into the Viper’s Nest: Observations from Hunt’s Scanning
May 8, 2024

From initial access and privilege escalation to lateral movement and data collection, the open-source platform Viper...

Threat Research

Spotting SparkRAT: Detection Tactics & Sandbox Findings
Apr 23, 2024

The Hunt Research Team vigilantly monitors GitHub, sifts through the IOC sections of threat intelligence reports, and scours various online forums for emerging threats, ensuring our detections stay practical and current for our customers. Our focus frequently turns to lesser-known threats that can still wreak havoc on the networks of uninformed defenders.

Threat Research

In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory
Apr 16, 2024

Hunt scans every corner of the public IPv4 space and constantly scours the Internet for open directories. Through...

Threat Research

BlueShell: Four Years On, Still A Formidable Threat
Apr 9, 2024

Platforms like GitHub offer a valuable resource for developers and the open-source community. However, these sites also create a potential...

Threat Research

A Hunt How-To: Detecting RedGuard C2 Redirector
Apr 2, 2024

If you’re like me, you’ve likely read multiple reports on network intrusions involving a “standard” deployment...

Threat Research

Coin Miner and Mozi Botnet
Mar 28, 2024

Open directories can sometimes contain unexpected dangers in the hidden parts of the internet. Our recent investigation...

Threat Research

A Treasure Trove of Trouble: Open Directory Exposes Red Team Tools
Mar 21, 2024

While open directories are often seen as a goldmine for security researchers and blue teams searching for malware...

Threat Research

One More Trip to The W3LL: Phishing Kit Targets Outlook Credentials
Mar 19, 2024

The W3LL Phishing Kit, a phishing-as-a-service (PAaS) tool, was identified by Group-IB in 2022. What makes the kit...

Threat Research

Hunting PrismX: Techniques for Network Discovery
Mar 12, 2024

Described on its GitHub README as an "Integrated lightweight cross-platform penetration system," PrismX goe...

Threat Research

Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials
Mar 5, 2024

Over the past month, Hunt has tracked an ongoing phishing campaign by a likely North Korean threat actor focused on...

Threat Research

Feb 28, 2024

Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in the Telegram groups focused on...

Threat Research

Unveiling the Power of Tag Cloud: Navigating the Digital Landscape with Precision
Feb 14, 2024

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Threat Research

Tracking ShadowPad Infrastructure Via Non-Standard Certificates
Feb 9, 2024

This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity...

Threat Research

Feb 6, 2024

Where national interests, strategic ambitions, and sometimes personal gain intertwine, state-linked cyber threat actors...

Threat Research

The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)
Feb 1, 2024

This post will serve as the first in a long series of articles on using the platform to identify malicious infrastructure and hunt...

Threat Research

Introducing Hunt Advanced Search
Jan 30, 2024

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Threat Research

How We Identify Malicious Infrastructure At Hunt.io
Jan 24, 2024

ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers...

Threat Research

Introducing the Hunt.io C2 Feed
Jan 15, 2024

It’s been a while since we announced a new feature, and with 2024 already in full swing, it is time to highlight what’s...

Product News

Announcing IOC-Hunter
Nov 14, 2023

As the end of the year approaches, we continue to enhance our feature set by building on well-established threat-...

Product News

Gateway to Intrusion: Malware Delivery Via Open Directories
Oct 31, 2023

Attackers constantly devise new and sophisticated methods of delivering malware to infiltrate systems and exfiltrate...

Threat Research

How Hunt.io Identifies Services on Non-Standard Ports
Oct 25, 2023

The term “threat hunting” is generally associated with detecting malicious behavior on endpoints manually...

Threat Research

Phish No More: A Hunt.io Guide to Gophish Detection
Oct 12, 2023

Phishing is more than a social engineering technique; it's a harrowing threat landscape where deception, innovation, and vigilance collide.

Threat Research

Sep 28, 2023

In the ever-evolving world of cybersecurity, few individuals embody the spirit of innovation and exploration as profoundly as John Althouse.

Threat Research

Hunt Platform Statistics Launch
Sep 19, 2023

Learn about the Hunt.io massive observation collection platform.

Threat Research

Discovering & Disrupting Malicious Infrastructure
Sep 12, 2023

Michael showcases how the Hunt platform can be leveraged to proactively identify infrastructure not yet publicly reported on from recent malware campaigns.

Threat Research

Aug 17, 2023

How Open Directories Help with Threat Hunting and Incident Response.

Threat Research

Let's go Hunting
Aug 1, 2023

We are excited to unveil Hunt.io, a cutting-edge threat hunting solution that is set to transform the landscape of cybersecurity.

Threat Research

URLx Just Got Bigger: 10.6B URLs for Recon and Malicious Infrastructure Hunting
Mar 27, 2025

Explore exposed infrastructure with URLx: 10.6B+ URLs, HTTPx integration, and advanced filtering - now live in Hunt.io.

Product News

A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io
Mar 25, 2025

Learn how to track and map adversary infrastructure using Hunt, pivoting from a single IP to uncover hidden connections through infrastructure overlaps and key intelligence indicators.

Threat Research

Introducing IOC Hunter Feed and Attribution for Enhanced Threat Intelligence
Mar 20, 2025

Track threat actors and malicious infrastructure with Hunt.io’s IOC Hunter Feed and C2 Attribution. Get deeper visibility and context for better threat intelligence.

Product News

South Korean Organizations Targeted by Cobalt Strike ‘Cat’ Delivered by a Rust Beacon
Mar 18, 2025

Discover how threat actors used a Rust loader to deploy Cobalt Strike ‘Cat’ against South Korean targets. Learn more.

Threat Research

JSPSpy and ‘Filebroser’: A Custom File Management Tool in Webshell Infrastructure
Mar 11, 2025

Discover how threat actors deploy a rebranded File Browser alongside JSPSpy for stealth file management on compromised servers.

Threat Research

Introducing Hunt 2.0: Deeper Threat Analysis & Enhanced Data for Cyber Intelligence
Mar 6, 2025

Our latest release delivers deeper threat analysis with improved threat actor, C2, malware data, and new integrations for robust cyber intelligence.

Product News

Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2
Mar 4, 2025

Discover how an open directory exposed a threat actor impersonating EFF to target gamers and how we mapped their infrastructure to Stealc & Pyramid C2.

Threat Research

Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure
Feb 27, 2025

Discover Joker malware infrastructure with Hunt SSL History, mapping its C2 network through certificate tracking of recent and past activity.

Threat Research

LightSpy Malware Now Targets Facebook & Instagram Data
Feb 20, 2025

A new LightSpy server expands its attack scope, targeting Facebook and Instagram database files. Explore its evolving capabilities and infrastructure.

Threat Research

Backdoored Installers for Signal, Line, and Gmail Target Chinese-Speaking Users
Feb 18, 2025

Read how attackers distribute backdoored Signal, Line, and Gmail installers through fraudulent download pages and how to defend against this campaign.

Threat Research

Advanced Threat Hunting with New SSL Features: Unlocking HuntSQL™ Anomaly Flags for Deeper Detection
Feb 13, 2025

Hunt.io enhances SSL threat hunting with new anomaly flags in HuntSQL™, improving the detection of misconfigurations, expired certificates, and malware infrastructure.

Product News

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt
Feb 12, 2025

Discover how Pyramid, an open-source tool, enables post-exploitation. Learn detection methods using HTTP headers and recent findings in Hunt.

Threat Research

SmokeLoader Malware Targets Ukraine’s Auto & Banking Sectors via Open Directories
Feb 6, 2025

Attackers used open directories to spread SmokeLoader malware, luring Ukraine’s auto and banking sectors. Explore findings, execution, and tactics.

Threat Research

GreenSpot APT Targets 163.com Users with Fake Download Pages & Spoofed Domains
Feb 4, 2025

GreenSpot APT targets 163.com users via fake download pages and domain spoofing. Learn their tactics, risks, and how to protect your email accounts.

Threat Research

Unlock SSL Intelligence: How SSL History Boosts Threat Hunting
Jan 30, 2025

Explore how SSL intelligence and SSL history empower proactive threat hunting. Learn tools, real-world examples, and strategies to track cyber threats.

Threat Research

Unmasking SparkRAT: Detection & macOS Campaign Insights
Jan 28, 2025

Explore SparkRAT detection tactics, macOS targeting, and insights into recent DPRK-linked campaigns with actionable research findings.

Threat Research

Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links
Jan 23, 2025

Uncover how Hunt’s TLS records reveal patterns in suspected KEYPLUG infrastructure, linking GhostWolf and RedGolf/APT41 to ongoing activity.

Threat Research

VS Code Extension Impersonating Zoom Targets Google Chrome Cookies
Jan 21, 2025

Uncover a deceptive VS Code extension, masquerading as Zoom, that pilfers your Google Chrome cookies. Join us as we expose the techniques behind this alarming supply chain campaign.

Threat Research

‘JustJoin’ Landing Page Linked to Suspected DPRK Activity Resurfaces
Jan 14, 2025

Learn how a landing page mimicking “JustJoin,” tied to suspected DPRK cyber activity, has reappeared with new infrastructure linked through SSH key overlaps.

Threat Research

Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure
Jan 9, 2025

Read more about connections through a TLS certificate linking reported and unreported infrastructure tied to the Cyberhaven extension compromise.

Threat Research

Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure
Jan 7, 2025

Learn how a Cobalt Strike server with a TLS certificate and prominent watermark showed a Golang-compiled beacon communicating with Visual Studio Code tunnels.

Threat Research

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Product News

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Threat Research

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

Threat Research

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Threat Research

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Threat Research

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

Threat Research

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

Threat Research

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Threat Research

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
Nov 12, 2024

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

Threat Research

RunningRAT’s Next Move: From Remote Access to Crypto mining For Profit
Nov 5, 2024

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

Threat Research

Oct 31, 2024

Discover an open directory of red team tools fit for Halloween, from Cobalt Strike to BrowserGhost.

Threat Research

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified
Oct 29, 2024

Explore a suspected North Korean-linked phishing campaign targeting Naver and how unknown actors use distinct TLS certificates to spoof Apple domains.

Threat Research

Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users
Oct 24, 2024

Discover how an open directory of Rekoobe malware samples led to different domains resembling trading platforms, posing risks for traders and investors.

Threat Research

WarmCookie Infrastructure Update: Uncovering New C2 Servers and Threats
Oct 17, 2024

Get an inside look at Warmcookie’s updated C2 infrastructure linked to its latest update. We reveal insights into newly identified servers that can assist defenders in identifying related servers.

Threat Research

Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More
Oct 15, 2024

Read how CodeSearch helps security professionals to identify exploit code, reverse shells, and C2 configs across open directories, enhancing threat detection.

Threat Research

Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity
Oct 10, 2024

Learn how basic tracking techniques using unusual certificates and redirects helped uncover Earth Baxia and a hidden cyber threat, providing practical insights for network defense.

Threat Research

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Templates
Oct 8, 2024

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.

Threat Research

Announcing Hunt SQL
Oct 3, 2024

We’re excited to release Hunt SQL and to provide the power and flexibility of SQL to researchers, analysts and threat hunters alike. 

Product News

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection  | Hunt.io
Oct 1, 2024

Threat Research

Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory
Sep 24, 2024

Check out our new blog post on exposed files found in an open directory that reveal an attack with overlapping TTPs linked to the Stargazers network.

Threat Research

Announcing Hunt APIs
Sep 17, 2024

Today Hunt is announcing our IP Enrichment API. You can get detailed data on any IPv4 address and enrich any existing system.

Product News

Decoy Docs and Malicious Browser Extensions: A Closer Look at a Multi-Layered Threat
Sep 10, 2024

Compromising a browser can be a goldmine for attackers, offering extensive access to sensitive user data ...

Threat Research

ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit
Sep 3, 2024

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...

Threat Research

Latrodectus Malware Masquerades as AhnLab Security Software to Infect Victims
Aug 29, 2024

During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...

Threat Research

Launching AttackVault by Hunt.io
Aug 23, 2024

We originally launched our "Open Directory" feature in Hunt a year ago. The premise behind it was to get into the mind of the attacker by getting a backstage view into their attacks. What we learned was that there was a ton of information that could be correlated and indexed. Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.

Product News

EvilGophish Unhooked: Insights Into the Infrastructure and Notable Domains
Aug 13, 2024

In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown Gophish infrastructure.

Threat Research

Pentester or Threat Actor? Open Directory Exposes Test Results and Possible Targeting of Government Organizations
Aug 7, 2024

During routine research of newly identified open directories, the Hunt Research Team made a startling discovery: a...

Threat Research

macOS Malware Impersonates The Unarchiver App to Steal User Data
Jul 30, 2024

Discover how macOS malware tricks users into downloading an app disguised as The Unarchiver app. The app contains a binary named “CryptoTrade” designed to steal sensitive user information.

Threat Research

A Simple Approach to Discovering Oyster Backdoor Infrastructure
Jul 23, 2024

Oyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to...

Threat Research

SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More
Jul 16, 2024

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as ...

Threat Research

The Secret Ingredient: Unearthing Suspected SpiceRAT Infrastructure via HTML Response
Jul 11, 2024

Reports on new malware families often leave subtle clues that lead researchers to uncover additional infrastructure not...

Threat Research

ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
Jul 2, 2024

Nearly three years after ProxyLogon and ProxyShell wreaked widespread havoc on Microsoft Exchange servers, the Hunt

Threat Research

Geacon and Geacon_Pro: A Constant Menace to Linux and Windows Systems
Jun 27, 2024

The red-teaming tool Cobalt Strike has long been a staple for simulating attacks, predominantly targeting Windows ...

Threat Research

Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub
Jun 25, 2024

XenoRAT, an open-source malware available on GitHub, has been linked to a North Korean hacking group and unnamed...

Threat Research

Caught in the Act: Uncovering SpyNote in Unexpected Places
Jun 20, 2024

In hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded...

Threat Research

Open Directories Expose Publicly Available Tools Targeting Asian Organizations
Jun 18, 2024

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Threat Research

Gh0st and Pantegana: Two RATs that Refuse to Fade Away
Jun 12, 2024

Gh0st and Pantegana remote access tools/trojans (RATs) may seem unlikely to be discussed, but both have made notable...

Threat Research

Jun 6, 2024

In this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS certificate...

Threat Research

Jun 5, 2024

The threat actor(s) built and controlled at least one of the binaries on the same server, granting us access to numerous...

Threat Research

SolarMarker: Hunt Insights and Findings
May 30, 2024

Following Recorded Future's (RF) report, "Exploring the Depths of SolarMarker's Multi-tiered Infrastructure," the Hunt Research Team leveraged the IOCs provided to discover a method of identifying clusters of SolarMarker servers in the wild.

Threat Research

Tales from the Hunt: A Look at Yakit Security Tool
May 28, 2024

In our previous post on the Viper framework, we briefly covered the Yakit Security tool, which is publicly available on GitHub. In this post, we'll discuss its features and cover additional red team tools co-hosted with the project, as discovered during our internet-wide scans.

Threat Research

Unearthing New Infrastructure by Revisiting Past Threat Reports
May 21, 2024

If you know David Bianco's "Pyramid of Pain" model, you know that IP addresses sit near the bottom of it: they have a short lifespan, are trivial for an adversary to change, and are often reassigned to legitimate use.

Threat Research

Into the Viper’s Nest: Observations from Hunt’s Scanning
May 8, 2024

From initial access and privilege escalation to lateral movement and data collection, the open-source platform Viper...

Threat Research

Spotting SparkRAT: Detection Tactics & Sandbox Findings
Apr 23, 2024

The Hunt Research Team vigilantly monitors GitHub, sifts through the IOC sections of threat intelligence reports, and scours various online forums for emerging threats, ensuring our detections stay practical and current for our customers. Our focus frequently turns to lesser-known threats that can still wreak havoc on the networks of uninformed defenders.

Threat Research

In Plain Sight: Uncovering SuperShell & Cobalt Strike from an Open Directory
Apr 16, 2024

Hunt scans every corner of the public IPv4 space and constantly scours the Internet for open directories. Through...

Threat Research

BlueShell: Four Years On, Still A Formidable Threat
Apr 9, 2024

Platforms like GitHub offer a valuable resource for developers and the open-source community. However, these sites also create a potential...

Threat Research

A Hunt How-To: Detecting RedGuard C2 Redirector
Apr 2, 2024

If you’re like me, you’ve likely read multiple reports on network intrusions involving a “standard” deployment...

Threat Research

Coin Miner and Mozi Botnet
Mar 28, 2024

Open directories can sometimes contain unexpected dangers in the hidden parts of the internet. Our recent investigation...

Threat Research

A Treasure Trove of Trouble: Open Directory Exposes Red Team Tools
Mar 21, 2024

While open directories are often seen as a goldmine for security researchers and blue teams searching for malware...

Threat Research

One More Trip to The W3LL: Phishing Kit Targets Outlook Credentials
Mar 19, 2024

The W3LL Phishing Kit, a phishing-as-a-service (PhaaS) tool, was identified by Group-IB in 2022. What makes the kit...

Threat Research

Hunting PrismX: Techniques for Network Discovery
Mar 12, 2024

Described on its GitHub README as an "Integrated lightweight cross-platform penetration system," PrismX goe...

Threat Research

Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials
Mar 5, 2024

Over the past month, Hunt has tracked an ongoing phishing campaign by a likely North Korean threat actor focused on...

Threat Research

Feb 28, 2024

Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in the Telegram groups focused on...

Threat Research

Unveiling the Power of Tag Cloud: Navigating the Digital Landscape with Precision
Feb 14, 2024

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Threat Research

Tracking ShadowPad Infrastructure Via Non-Standard Certificates
Feb 9, 2024

This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity...

Threat Research

Feb 6, 2024

Where national interests, strategic ambitions, and sometimes personal gain intertwine, state-linked cyber threat actors...

Threat Research

The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)
Feb 1, 2024

This post will serve as the first in a long series of articles on using the platform to identify malicious infrastructure and hunt...

Threat Research

Introducing Hunt Advanced Search
Jan 30, 2024

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with ...

Threat Research

How We Identify Malicious Infrastructure At Hunt.io
Jan 24, 2024

ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers...

Threat Research

Introducing the Hunt.io C2 Feed
Jan 15, 2024

It’s been a while since we announced a new feature, and with 2024 already in full swing, it is time to highlight what’s...

Product News

Announcing IOC-Hunter
Nov 14, 2023

As the end of the year approaches, we continue to enhance our feature set by building on well-established threat-...

Product News

Gateway to Intrusion: Malware Delivery Via Open Directories
Oct 31, 2023

Attackers constantly devise new and sophisticated methods of delivering malware to infiltrate systems and exfiltrate...

Threat Research

How Hunt.io Identifies Services on Non-Standard Ports
Oct 25, 2023

The term “threat hunting” is generally associated with detecting malicious behavior on endpoints manually...

Threat Research

Phish No More: A Hunt.io Guide to Gophish Detection
Oct 12, 2023

Phishing is more than a social engineering technique; it's a harrowing threat landscape where deception, innovation, and vigilance collide.

Threat Research

Sep 28, 2023

In the ever-evolving world of cybersecurity, few individuals embody the spirit of innovation and exploration as profoundly as John Althouse.

Threat Research

Hunt Platform Statistics Launch
Sep 19, 2023

Learn about Hunt.io's massive observation-collection platform.

Threat Research

Discovering & Disrupting Malicious Infrastructure
Sep 12, 2023

Michael showcases how the Hunt platform can be leveraged to proactively identify infrastructure not yet publicly reported on from recent malware campaigns.

Threat Research

Aug 17, 2023

How Open Directories Help with Threat Hunting and Incident Response.

Threat Research

Let's go Hunting
Aug 1, 2023

We are excited to unveil Hunt.io, a cutting-edge threat hunting solution that is set to transform the landscape of cybersecurity.

Threat Research

Page 1 / 10
