How to Track Threat Actors Through Real-World IOC Pivoting

The signs were ominous at retail giant Marks & Spencer when, last year, an elaborate cyberattack hindered the firm's operations and even raised concerns of stolen sensitive data. A similar trend occurred in the Oyster case, where resurfaced attacker infrastructure linked to ransomware revealed how persistent cybercriminal networks have become. Incidents like these, however, aren't isolated; they are symptomatic of a broader problem within the industry's current threat detection environment.

At Hunt.io, we believe that threat detection requires a more contextual and proactive approach. Our advanced threat listings and IOC pivoting tools let analysts go from raw indicators to real insights in seconds, the kind of speed and clarity you need to counter modern attackers.

In this post, we break down how we approach threat hunting in an environment where adversaries shift tactics fast. The goal: help you connect behaviors, infrastructure, and intent into a clear, useful picture.

Turning Threat Actor Profiles into Actionable Intelligence

Every successful investigation begins with a clear sense of who you're up against. At a time when attribution is often diluted in a mixture of overlapping tactics and reused malicious infrastructure, among other hurdles, having a clear and consistent view of threat actors and their activities is no longer optional; it is essential.

Take a look, for example, at the amount of detailed threat actor information available on Hunt.io, such as APT36 (see below). This group, known for its state-aligned targeting of Indian government and military entities, has been observed leveraging deceptive infrastructure like the ClickFix phishing lure, masquerading as legitimate support tools to deploy malware such as Crimson RAT and collect sensitive credentials.

Notice how this threat actor's profile not only summarizes their espionage focus and geopolitical alignment but also provides a preliminary inventory of actionable intelligence; at the time of this post, 52 IPs, 265 hosts, and 27 file hashes are noticeably tied to their operations.

Each data point is backed by verifiable sources, linked to known campaigns, and enriched with aliases like COPPER FIELDSTONE and Mythic Leopard. This level of detail transforms what would normally be a static profile into its mini intelligence hub, with ample room for enhanced pivoting and correlation.

Thanks to our interconnected listings and IOC pivoting, security teams can now easily validate attribution, assess exposure, and deploy proactive strategies within hours, not days.

Advanced Threat Actor Filtering

Filtering in Hunt.io isn't a gimmick or just another checkbox feature. It is a core investigative instrument that helps you isolate what matters, when it matters.

For example, you can zero in on a particular threat actor (like APT34 above), which will reveal any related indicators, including IP addresses, associated hosts, file hashes, and any noteworthy posts.

In fact, with flexible filters such as "Adversary Name" or the ability to choose by victims, country of origin, you can narrow vast amounts of threat indicators down to precise, actionable views.

Equally valuable is the ability to filter by incident type (e.g., ransomware), allowing analysts to isolate specific actors and their infrastructure. This targeted view cuts through the noise, highlighting only the most relevant IOCs and campaign links.

Whether you're investigating an ongoing incident or simply scoping exposure across a particular region or sector, our filtering features will allow you to focus on what's essential and relevant to your investigation.

From Indicators to Infrastructure: Advanced IOC Pivoting

Every pivot starts small, an IP, a domain, a hash. The real value comes when that clue leads to a full view of attacker infrastructure. It's also about seeing the patterns others miss. With Hunt.io, that process is seamless, fast, and full of context.

Let's hone in, for example, on a specific threat actor like BlackBasta. From the Threat Actor Listing, select their profile, where you can readily see associated IOCs like IPs, hostnames, and file hashes.

Next, click on the particular IP you're interested in for a detailed view revealing hosting details, open ports, and timeline activity, giving analysts a one-stop vantage point of their operational footprint.

The Domain tab shows that IP 185.220.100.240 has been linked to potential low-reputation or dynamic DNS hostnames, such as mkw.vitekivpddns.com, 098909hjk.casacam.net, and vhjry71.accesscam.org.

These domains follow patterns commonly seen in short-lived or disposable infrastructure, often used for phishing, malware delivery, or C2 communications. None of them has a rank, suggesting they're not tied to legitimate or high-traffic services.

The Associations tab shows that IP 185.220.100.240 shares a public SSH key fingerprint with two other nearby Tor exit nodes (185.220.100.241 and .242). All three are hosted in Germany and have been seen using the same SSH key since April 28, 2025. This suggests a shared configuration or deployment, likely part of the same managed infrastructure.

Let's now pivot into the Signals Activity tab as another example.

IP 185.220.100.240 accessed various HTTP paths like /json_rpc, /cgi-bin/authLogin.cgi, and /server-info.action, along with a malformed request string. It cycled through multiple user agents, some mimicking browsers, others containing suspicious strings like a Log4Shell payload and a raw CVE reference. The IP also scanned 36 ports, ranging from common ones (80, 443, 8080) to high and uncommon ports.

TLS connections from this host showed several distinct JA3 fingerprints, suggesting the use of different clients or tools. While it's a Tor exit node based in Germany, the combination of exploit patterns, wide port scanning, and rotated fingerprints suggests this IP may be part of automated reconnaissance or early-stage attack infrastructure.

Historical data further reinforces this picture. The IP maintained consistent activity on port 22 over multiple months and showed repeated use of the same JARM fingerprint (2ad2a) across ports 9000 and 9100, pointing to reused TLS configurations and possible shared infrastructure. One certificate was also tied to a suspicious domain (www.xdka2l66crf4ehum.net), often indicative of disposable or attacker-controlled assets.

These patterns are commonly observed in infrastructure tied to known campaigns. Pivoting from an IP like this into connected hostnames and file hashes can expose deeper ties.

Back to the threat actor profile, we then pivot to hostnames and hashes. From that view, you can uncover key details: infrastructure reuse, payload distribution, and staging domains tied to ransomware operations.

The benefits of IOC pivoting are clear: uncover shared behaviors, reused tooling, and hidden links across threat campaigns. Its real power lies in how quickly it turns scattered data into a clear picture of adversary infrastructure.

At Hunt.io, we treat IOCs as starting points, not static artifacts. They’re clues meant to be explored and expanded. Therefore, our pivoting model adopts a behavior-centric view that isn't confined to static lookups; it invites analysts to explore the underlying attributes that make each indicator unique.

Summing up

Understanding advanced threats requires the right intelligence, and Hunt.io delivers. Our IOC pivoting transforms scattered indicators into a full picture of attacker infrastructure, behavior, and intent.

Ready to put this into practice? Hunt.io isn't just another feed aggregator or lookup tool; it's a holistic threat hunting platform built to uncover even the most subtle of footprints hiding across what can certainly be a tangled web of ever-growing malicious activity.

Start pivoting with purpose. Request a demo today and see what you've been missing.