Introducing Hunt 2.2
AttackCapture™ Zip Extraction, Smarter SQL, IP History Consolidation, and more

Published on

Jun 12, 2025


Following the recent launch of Hunt 2.1, we've continued refining the platform with performance upgrades and usability enhancements. This update focuses on making core workflows faster and more reliable, while also addressing several key issues reported by our users.

Here's a quick snapshot of what's new:

| Feature | What's New? |
| --- | --- |
| Data Improvements | Expanded port and protocol support, added WHOIS and Nmap tables, more malware samples, and better IP range search. |
| Usability Improvements | Shift + Enter to submit, added an improved IP search box, and support for lowercase hashes. |
| AttackCapture™ Improvements | Zip archives are now auto-unpacked to expose hidden malicious files and IOCs. You can also quickly find files by name or extension type with the new search feature. |
| IP History Consolidation | View all activity and metadata tied to an IP, including ASN and country details. |
| API Updates | You can now search SQL with lowercase hashes for certificates, and the IOC Hunter timeout is configurable via API_QUERY_TIMEOUT. |
| Splunk Integration | Access our C2 Feed and IOC indicators in your Splunk environment. |
| Host Radar | See which hosting providers are being abused for C2s, phishing, and open directories, with live, pivotable data. |

AttackCapture™

  • Automatic Zip Extraction: Zip archives are now automatically unpacked to expose hidden files and reveal additional indicators. Malicious scripts, executables, and config files are detected and tagged with relevant malware families.

  • New AttackCapture™ File Search: The file manager now lets you search for files by name, extension, or keyword, making it easier to spot things like APK payloads across exposed infrastructure. Each result shows the file size, any tags, and links to relevant MITRE techniques.

HuntSQL™ enhancements

  • HuntSQL™ has a new look: With a cleaner UI and categorized datasets for easier navigation (Malware, HTTP, Phishing, Nmap, and more).

  • Added 2 new tables: WHOIS History with billions of domain records, and Nmap with detailed data on 2,000+ previously undetected protocols.

  • SQL Result Popup: Clicking the arrow icon at the start of any SQL result row opens a new popup panel.

    SQL Result Popup 1


    The popup shows full metadata, including HTTP headers, hashes, protocol details, and decoded content. You can switch between table and raw JSON views to inspect server responses, spot patterns, and extract IOCs faster.

    SQL Result Popup 2


  • Updated schema documentation for clarity and completeness

  • Shift + Enter to run queries: instantly submits your query to speed up the workflow

  • Set the default timestamp constraint for the WHOIS table to the last 180 days

  • Each dataset now includes sample queries to help you explore the data faster

General Updates

  • Consolidated history by IP: View all related events, detections, and context tied to a single IP in one place. Also includes ASN, provider, and country attribution, for example AS4134, CHINANET-BACKBONE, China.

  • Persistent IP Search Bar: The IP search bar now stays visible across views, making it easier to pivot between IPs without losing your place or navigating back to the dashboard.

  • Advanced Search performance: Introduced a new endpoint for filters and counts to offload processing from the main listing view. The list now loads faster without waiting for filter counts.

  • Code search improvements: Now supports file size and date filters to help narrow down relevant matches quickly.

  • UX improvement: Session timeout has been extended to 12 hours (previously 2-4 hours) to reduce interruptions during longer workflows.

  • Splunk Integration: The Hunt.io App for Splunk lets you bring C2 and IOC Hunter feeds directly into Splunk. It includes dashboards, saved searches, and automatic feed updates to help you detect and correlate malicious activity faster.

    Add your API key to start enriching alerts, pivoting across IPs and domains, and uncovering hidden links to threat actors, all within your existing Splunk workflows. It helps analysts triage faster and focus on high-fidelity, actionable intel.


  • Host Radar: This new feature helps security teams track malicious infrastructure by showing where attackers are hosting C2s, phishing domains, and open directories across major web hosting providers.

    Users can now dig into specific details for each hosting provider, as shown below, including bulletproof hosting indicators, crypto acceptance, known aliases, and customer name servers.

    Host Radar 1


    It replaces isolated IOCs with a live, interactive view of high-risk infrastructure and patterns that actually matter.

    Host Radar 2


    In the following screenshot, you can see over 3,500 malware-linked IPs hosted on DigitalOcean, tied to tools like BYOB, reNgine, and evilgophish. Each result shows ports, countries, malware tags, and first-seen timestamps, all clickable, all updated in real time.

    Host Radar 3


API Updates

  • Certificate searches in SQL now accept lowercase hashes (Python's default behavior)

  • Added the API_QUERY_TIMEOUT environment variable for IOC Hunter, so the query timeout is easy to manage and can be increased from the default of 10s

Bug Fixes

  • Resolved an issue in Ports History so that it now shows the correct "last seen" values.

  • Improved formatting in SQL results with proper headers and line breaks for better readability.

  • Autocomplete has been disabled in the SQL editor to minimize distractions and maintain focus on queries.

  • Added undocumented certificate fields to SQL output: not_before, not_after, cypher_suite, tls_version, hostnames


We're always working to improve Hunt.io based on your feedback. Keep it coming, we're listening.
