Hunt.io 2024 Year in Review Key Product & Research Highlights
Published on
Dec 20, 2024
As we wrap up 2024, it's the perfect time to reflect on what we've achieved this year here at Hunt. From launching new products to empowering defenders with better threat hunting capabilities, it's been a year of growth, innovation, and progress. Here's a look back at the highlights:
Key Product Updates
C2 Feed
Early in the year, we rolled out the C2 Feed - a near real-time feed for detecting and understanding command-and-control (C2) frameworks. This threat intelligence feed is designed to enhance visibility and streamline security workflows by offering:
- Real-Time Detection: built from the ground up to identify malicious infrastructure as it emerges.
- Wide Coverage: monitors over 125 malware families with hand-crafted templates and continuous updates.
- Fully Supported Solutions: the Hunt.io team continuously analyzes and updates tools to ensure comprehensive coverage.
- Flexible Integration: categories tailored for existing pipelines, enabling confident blocking, alerting, or NetFlow analysis.
Platform Statistics Page
Transparency matters. That's why we launched a new statistics page that shows exactly how our platform is performing. You can now see real-time updates on malicious activity tracking and infrastructure coverage. Here's what you can expect:
- Real-Time Observations: we process up to 1 million observations per second, ensuring no malicious activity slips through the cracks.
- Port Scans: constantly scanning the internet to identify open ports and potential threats.
- Protocol Detection: spotting malicious or custom C2 protocols, even running on unusual ports.
- HTTP Content Analysis: capturing full HTML content to analyze suspicious infrastructure in detail.
- Public SSH Keys: keeping tabs on over 34 million public SSH keys daily to identify unusual changes or patterns.
- SSL Certificate Parsing: analyzing up to 200 million certificates each day to uncover unique identifiers that attackers rely on.
- JARM Fingerprinting: collecting 55 million TLS fingerprints daily to connect the dots on malicious infrastructure.
AttackCapture™
We introduced AttackCapture™ to help security teams uncover hidden attacker infrastructure by finding exposed directories and malicious files. Whether it's exploit kits, reverse shells, or C2 configurations, AttackCapture™ gives you the tools to dig deeper and get actionable insights quickly.
Key advantages include:
- Search Across Files Instantly: full-text code search helps you spot exploit code, scripts, and other clues hiding in open directories.
- Find Exposed Credentials: automatically flags credentials found in attacker content to connect dots faster.
- Map to MITRE ATT&CK®: see how sandboxed files align with MITRE techniques to understand attacker tactics at a glance.
- See Code Clearly: syntax highlighting makes it easy to preview and analyze code without any extra steps.
- Safe File Handling: download files as password-protected zips so that you can analyze them securely.
- Save Time with Insights: expert-written observations highlight key findings and relevant directories.
Code Search for AttackCapture™
One of the standout updates this year was the launch of Code Search within AttackCapture™, making it easier for security teams to spot malicious code across massive archives of open directories. Whether you're hunting for reverse shells, exploit kits, or C2 configurations, Code Search helps you quickly zero in on what matters.
Here's what it brings to the table:
- Find Exploit Code Fast: search through diverse files to uncover exploit scripts, malware samples, and reverse shells.
- Uncover C2 Configurations: pinpoint hidden Cobalt Strike profiles, customized configurations, and other command-and-control data.
- Flexible Queries: use powerful, keyword-based searches with "AND" operators to filter through massive amounts of code.
- Accelerate Investigations: discover indicators of compromise (IoCs) like unique malware fingerprints and credentials in seconds.
- Preview with Confidence: easily analyze code with syntax highlighting and safe file downloads.
HuntSQL™
HuntSQL™ puts the power of SQL into the hands of threat hunters and analysts, letting you query Hunt.io's extensive database with precision and speed. Whether you're investigating malware, tracking phishing infrastructure, or uncovering malicious certificates, HuntSQL™ gives you the flexibility to find what you need.
Applications in your threat-hunting efforts:
- Query Malware Data: analyze confirmed C2 servers and build detailed statistics about malware activity.
- Track Open Directories: discover attacker tools, exploits, and malware hidden in open directories.
- Identify Phishing Infrastructure: search extensive lists of phishing sites and track kits or tooling used by threat actors.
- Investigate HTTP Data: dive into first-party HTTP logs to identify malicious activity and threat actor patterns.
- Analyze Certificates: query malicious and non-standard SSL certificates to spot hidden infrastructure.
- Honeypot Insights: get detailed stats on internet scanning activity using honeypot data.
Most Popular Research Articles of 2024
This year, our research team at Hunt.io uncovered some of the most impactful cyber threats and emerging attack techniques. Here are the most popular research articles from 2024:
ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit
Before the 2024 IISS Defence Summit in Prague, attackers used the ToneShell backdoor to compromise systems. Disguised as legitimate event-related documents, the malware specifically targeted attendees to gather intelligence. The campaign has been attributed to Mustang Panda, a threat actor known for its focus on espionage and high-profile targets.
Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram
Suspected North Korean threat actors targeted members of the blockchain and crypto communities via Telegram, posing as venture capital investors to lure victims. After scheduling fake meetings, the attackers delivered malicious AppleScript files under the guise of resolving technical issues, compromising victims' systems.
Tracking ShadowPad Infrastructure Via Non-Standard Certificates
Our researchers identified a new ShadowPad infrastructure cluster by analyzing non-standard digital certificates, including one spoofing Dell Technologies. By examining these subtle certificate anomalies and HTTP headers, our team was able to map active ShadowPad servers, providing defenders with critical insights to detect and track this elusive malware.
Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub
Threat actors are exploiting gaming communities by distributing Xeno RAT malware through .gg domains and malicious GitHub repositories. The malware is disguised as tools for Roblox developers, such as scripting engines, to lure unsuspecting users. Our research team also linked this campaign to shared infrastructure hosting additional malware families, demonstrating how threat actors exploit trusted platforms for malicious activities.
Legacy Threat: PlugX Builder/Controller Discovered in Open Directory
Our team discovered an exposed server containing a PlugX builder and controller, alongside scripts and victim data. This open directory revealed how legacy malware tools remain accessible to threat actors, allowing them to customize PlugX payloads with features like persistence, keylogging, and proxy settings. The discovery underscores the ongoing risks posed by outdated yet effective threats.
Looking Ahead
As we head into 2025, our focus remains on empowering defenders with the tools and insights they need to outsmart attackers. We're already working on exciting updates and innovations that we can't wait to share with you.
We're committed to expanding our team to bring in top talent and continuing to deliver industry-leading threat hunting research. Our goal is to build a better platform and provide the most reliable threat data for security companies worldwide.
Thank you for being part of the Hunt.io journey.