Hunt Change Log

Q1 2025

Introducing IOC Hunter Feed & Attribution in our C2 Feed

We’ve rolled out two major updates to help teams enrich threat detection and improve adversary tracking: the IOC Hunter Feed and threat actor attribution are now embedded in our C2 Feed.

IOC Hunter Feed

This new feed aggregates indicators of compromise (IOCs) from public threat research and enriches them with the context that matters.

Each IOC includes:

Publication metadata: source, title, date, and URL

Threat actor attribution: names, aliases, descriptions, country of origin

Associated indicators: IPs, hostnames, file hashes, and more

The feed gives analysts a reliable stream of contextualized IOCs, ready for enrichment, pivoting, or prioritization.

Attribution in the C2 Feed

The C2 Feed now includes optional metadata linking infrastructure to known threat actors and malware campaigns.

Attribution is based on matches from the IOC Hunter dataset and includes:

Actor names and aliases

Historical context and associated campaigns

Origin country and activity profile

This upgrade builds on our real-time scanning of C2 infrastructure and improves signal fidelity for defenders tracking active threats.

Accessing the Feeds

Both feeds are available now via the Hunt.io API in compressed JSON format.

To retrieve the IOC Hunter Feed:

curl -o ioc-hunter.json.gz 'https://api.hunt.io/v1/feeds/ioc-hunter' -H 'token: <API_TOKEN_GOES_HERE>'

To retrieve the C2 Feed with Attribution:

curl -o c2.json.gz 'https://api.hunt.io/v1/feeds/c2' -H 'token: <API_TOKEN_GOES_HERE>'

Key Fields

Entries in both feeds include:

IP, hostname, and port

Malware name and subsystem

Timestamp and confidence score

Threat actor metadata (if applicable)

This added context helps analysts move from indicator to actor faster and more accurately.
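The two curl commands above fetch a gzipped JSON file; the script below, added here as an example and not Hunt.io's own code, shows what a consumer does with that file once it is on disk: decompress it, normalize the entries, keep only high-confidence records, build an ip:port blocklist, and pivot from indicator to actor using the attribution metadata. The URLs and the `token` header come from the curl commands on this page. Everything about the payload layout is an assumption, not documented here: the decompressed body is accepted as either a JSON array or newline-delimited JSON, and the field names `ip`, `hostname`, `port`, `malware`, `timestamp`, `confidence` and `actor` (with `name`, `aliases`, `country`) are placeholders for whatever the real feed uses. The sample entries are constructed from documentation address ranges and invented names.

```python
"""Added example (not Hunt.io's code): decompress and triage a Hunt.io feed
download such as ioc-hunter.json.gz or c2.json.gz.

The feed URLs and the `token` request header come from the curl commands on
the page. The payload layout and every field name below are assumptions:
adjust them to the real schema before use.
"""
import gzip
import json
import urllib.request
from collections import defaultdict

FEED_URLS = {
    "ioc-hunter": "https://api.hunt.io/v1/feeds/ioc-hunter",
    "c2": "https://api.hunt.io/v1/feeds/c2",
}

# Constructed sample entries standing in for a decompressed c2.json.gz.
# All values are invented: documentation IP ranges, fake hostnames and actors.
SAMPLE_ENTRIES = [
    {"ip": "203.0.113.10", "hostname": "c2-a.example.test", "port": 443,
     "malware": "ExampleRAT", "timestamp": "2025-01-15T10:00:00Z",
     "confidence": 95,
     "actor": {"name": "Example Group", "aliases": ["EG"], "country": "ZZ"}},
    {"ip": "198.51.100.7", "hostname": None, "port": 8080,
     "malware": "ExampleLoader", "timestamp": "2025-01-15T11:30:00Z",
     "confidence": 60, "actor": None},
    {"ip": "203.0.113.10", "hostname": "c2-b.example.test", "port": 443,
     "malware": "ExampleRAT", "timestamp": "2025-01-16T08:05:00Z",
     "confidence": 85,
     "actor": {"name": "Example Group", "aliases": ["EG"], "country": "ZZ"}},
    {"ip": "192.0.2.55", "hostname": None, "port": 4444,
     "malware": "ExampleBeacon", "timestamp": "2025-01-16T09:00:00Z",
     "confidence": 80,
     "actor": {"name": "Other Crew", "aliases": [], "country": "ZZ"}},
]


def pack_feed(entries, ndjson=False):
    """Gzip a list of entries the way a downloaded feed would arrive.
    Used here only to build offline test input."""
    if ndjson:
        text = "\n".join(json.dumps(e) for e in entries) + "\n"
    else:
        text = json.dumps(entries)
    return gzip.compress(text.encode("utf-8"))


def load_feed(raw_gz):
    """Decompress a feed and return a list of entry dicts.
    Accepts a single JSON array or newline-delimited JSON (assumed layouts)."""
    body = gzip.decompress(raw_gz).decode("utf-8").strip()
    if body.startswith("["):
        data = json.loads(body)
        if not isinstance(data, list):
            raise ValueError("expected a JSON array at top level")
        return data
    return [json.loads(line) for line in body.splitlines() if line.strip()]


def fetch_feed(name, token, timeout=60):
    """Download a feed by name with the same `token` header the curl commands
    use. Needs network access; not exercised offline."""
    req = urllib.request.Request(FEED_URLS[name], headers={"token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return load_feed(resp.read())


def filter_confident(entries, min_confidence=80):
    """Keep entries at or above a confidence score (a 0-100 score is assumed)."""
    return [e for e in entries if e.get("confidence", 0) >= min_confidence]


def endpoint(entry):
    return f"{entry['ip']}:{entry['port']}"


def blocklist(entries, min_confidence=80):
    """Unique, sorted ip:port endpoints worth pushing to a firewall or SIEM."""
    return sorted({endpoint(e) for e in filter_confident(entries, min_confidence)})


def group_by_actor(entries):
    """Map actor name (or 'unattributed') to its unique endpoints, so an
    analyst can pivot from one indicator to everything tied to that actor."""
    groups = defaultdict(set)
    for e in entries:
        actor = e.get("actor")
        name = actor["name"] if actor and actor.get("name") else "unattributed"
        groups[name].add(endpoint(e))
    return {name: sorted(eps) for name, eps in sorted(groups.items())}


if __name__ == "__main__":
    feed = load_feed(pack_feed(SAMPLE_ENTRIES))
    print("high-confidence endpoints:", blocklist(feed))
    for actor, eps in group_by_actor(feed).items():
        print(f"{actor}: {', '.join(eps)}")
```

Replace `pack_feed(SAMPLE_ENTRIES)` with `open("c2.json.gz", "rb").read()` to run against a real download; the same threshold and grouping logic applies, and anything the real schema names differently only needs the field names changed in one place.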

Why It Matters

Threat detection is just one part of the job. Knowing who’s behind an attack, and what else they’ve been involved in, helps teams prioritize, attribute, and respond more effectively.

These features are now available to all Hunt.io users. If you’re new to our platform, book a demo and we’ll walk you through how it works.

Introducing Hunt 2.0

Hunt 2.0 introduces a more powerful platform for threat analysis, improved data access, and a modernized interface designed to enhance security operations. This update includes a refined UI, advanced IP visualization, expanded HuntSQL™ and API features, and new integrations with Cyware and OpenCTI.

Improved Web Interface

The updated web interface offers a more intuitive design, optimizing navigation and data analysis for a seamless user experience.

Redesigned dashboard – Faster, more intuitive, and now supports collapsible navigation.

Enhanced search functionality – Expanded support for domains and IP associations.

Threat Actors Feature – Interactive IOC filtering from public research, validated by analysts.

IP Visual History – New tool to track IP relationships over time.

HuntSQL™ Enhancements

New URLx table for extended dataset queries.

Export options: CSV, JSON for offline analysis.

Updated documentation and sample queries.

AttackCapture™ Updates

New preview functionality – View any file type before downloading.

Expanded data collection – More sandboxed files for deeper analysis.

API Upgrades

The latest API enhancements provide deeper data access, streamline integrations with external tools, and include detailed documentation to simplify implementation.

AttackCapture™ API – Retrieve Open Directory data, listings, and statistics.

SQL API – Execute SQL queries remotely and fetch large datasets.

C2 & IP Enrichment APIs – Fetch active C2 servers, enrich IPs with detailed metadata, and download feeds in compressed JSON format.

Data Improvements

Hunt 2.0 improves data collection and processing, delivering more precise and actionable threat intelligence.

Key enhancements include:

Manual submission of Open Directories for AttackCapture™.

Enhanced SSL parsing for detecting malware-related certificates.

New C2 and malware pages with real-time filtering, news, and IOC insights.

New Integrations

New integrations with top cyber intelligence platforms ensure smoother workflows and enhanced operational efficiency.

Key integrations include:

Cyware Integration – Automatic ingestion of Hunt’s C2 feed for real-time threat detection.

OpenCTI Connector – Import Hunt’s C2 intelligence into OpenCTI via STIX format, with plans to expand feed support.

Experience Hunt 2.0 today and take your threat hunting to the next level.

Q3 2024

Announcing Hunt SQL

Hunt is announcing the release of Hunt SQL for threat hunting and analysis. This is a new feature that allows researchers, analysts and threat hunters to query the extensive Hunt database using the power and flexibility of SQL.

This initial release of Hunt SQL will contain:

HTTP - Users can query first-party HTTP data to identify threat actors and malicious activity.

Malware - Users can query the Hunt database of confirmed C2 servers and build detailed statistics on threat actor activity.

Certificates - Users can query first-party certificate data, allowing them to track and identify malicious certificates.

HoneyPot - Users can query honeypot data and obtain detailed stats on internet scanning activity.

Open Directories - Users can query the Hunt database of past and present open directories. This helps discover malware, exploits and attack tooling.

Phishing - Query an extensive list of phishing sites to identify and track phishing kits and threat actor tooling.

Access to Hunt SQL can be obtained by signing up for a free demo.

Announcing Hunt APIs

Today Hunt is announcing our IP Enrichment API. You can get detailed data on every IPv4 address and enrich any existing system.

Unlock the true potential of your IP addresses with our groundbreaking IP Enrichment API.

Steps to use the API:

Reach out to our team to get access for commercial (paid), demo or research purposes.

Create an API key.

Look at the IP Enrichment Guide.

Prototype with the IP Enrichment Reference.

Check it out and schedule a demo today.

Today, to kick off our one-year anniversary, we're launching an update to and rethink of our Open Directory feature. It's been an amazing year, with over 50,000,000 files processed from bad actors.

Full Code Search across attacker code

MITRE ATT&CK codes baked in everywhere

Editorial observations

Automatic extraction of attacker credentials and keys

Download files as a password-protected zip

Open Directories for Attributed IOCs

Attack files by scan signature

Attack files by File Signature

More Files Sandboxed - automatically

Check it out and schedule a demo today.

Q1 2024

January

enhancement

Preview in Open Directory now works with uppercase extensions like .TXT by default

enhancement

IOC Hunter now has a human in the loop to ensure the data is top quality all the time

enhancement

Added open directory signature for W3ll phishing kit

New signatures

Ares, MuddyWater APT, Godzilla Loader, Ermac, Gh0st RAT, Kaiji, Neptune Loader, Noterce, Epsilon Stealer, Octopus, Winnti, Gozi

enhancement

Added 110 new tags to GitHub recon projects and exports to the Exposed Open Directories

Q4 2023

December

enhancement

Added lists of Hosts and IPs to IOC Hunter page

New signatures

JinxLoader, Axile Stealer

enhancement

Added 230 new tags to GitHub recon projects and exports to the Exposed Open Directories

November

enhancement

Added IOC Hunter post links in IOC Hunter box on Dashboard page

new feature

Added new IOC Hunter page

New signatures

Serpent Stealer, Godzilla Loader, PlugX C2 Profile, IcedID

enhancement

Added 415 new tags to GitHub recon projects and exports to the Exposed Open Directories

October

new feature

Added the option to download the list of new certificates as a JSON file on the Feeds page (Commercial)

enhancement

On the Dashboard page, New C2 Online and New Open Directories are now shown in tabs

enhancement

Added Date, Software found, Tags and Hosting Company filters on Open Directories Page

new feature

Implementation of 2FA

new feature

Added Settings page on Dashboard

Q3 2023

September

new feature

Added Certificate page with new JA4X certificate info

new feature

Added new type for searching Open Directories on Advanced Search page

new feature

Added pagination on Open Directory Search and removed 250 records limit

New signatures

Unknown Android Malware, Easy Stealer

New signatures

Nessus VA, Unknown Android Malware, OWASP ZAP API

new feature

Created Recent C2 Discoveries Page

new feature

Added copy button for the IPs on Overview page

enhancement

Syntax highlighting on JSON output

August

BUG FIX

Fixed links on Cobalt Strike Filters page

enhancement

Added example links on Advanced Search

enhancement

Redirection to Dashboard page after login

enhancement

Added colors to the changelog items

BUG FIX

Improved search box on Advanced search

BUG FIX

HTTPS → HTTP redirection when “is_ssl”: false

New signatures

Acunetix, SuperShell, Responder, ChaosRat, RedWarden, RedGuard, Mystic, AZORult

BUG FIX

Improved Search by Actor in Sensors

new feature

Added Dashboard Page

new feature

Added system-wide stats on Dashboard Page

enhancement

Updated ASN data in our databases

enhancement

Updated the list of downloaded extensions in Open Directories to aid in investigations (added ASP.NET, PHP, C, and C++ files)

enhancement

Added tagging of common tools from Exposed Open Directories and linked to GitHub (total number: 240)

July

enhancement

New data sources and signatures for Exposed Open Directories to identify more

enhancement

Make external links more obvious with an icon

enhancement

Added search by file name to Exposed Open Directory

new feature

Added tagging of common tools from Exposed Open Directories and linked to GitHub (total number: 230)

BUG FIX

Added TLS protocol check algorithm to fix misleading TLS data on IP search

Q2 2023

June

improved detections

Protocols for TLS, DNS, FTP, MySQL, POP3, RDP, and Redis

new detections

Protocols for OpenVPN, MS-NMF, NetBIOS, MikroTik, and server exec

BUG FIX

Improved Siemens detection to exclude false positives

New signatures

Araneida, Vidar

enhancement

Open Directories

May

new feature

Added IP info extraction to Bulk Search

enhancement

Added many ports to the daily scanning of cloud IPs

New signatures

Rengine, L3mon, Hak5, EvilGoPhish, Pupy, Hookbot, Daam, BianLian

April

new feature

Added OpenAI to determine actor intent of Open Directories

New signatures

Added initial tracker versions of: Havoc, Sliver, Amadey, AgentTesla, VShel, IntectSh, Meterpreter, DcRat, BYoB

Q1 2023

March

enhancement

Added Login Pages and Dark mode

New signatures

Titan Stealer, Orcus, Ursnif, Nexus, ImBetter, Opendir Malware, HightHawk

February

enhancement

Added protocol fingerprinting and enrichment API

New signatures

PixPirate, ARL, Viper, DarkComet, RapperBot, StealC

January

new feature

Added Open Directory search

New signatures

BitRAT, RisePro, Mars Stealer, ShadowPad, Dacls, Alienbot, Lumma, Misha, Cova, Nosu, Spy-Agent, SystemBC, Brute Ratel, PoshC2, GoPhish, Burp Suite, BeEF, Mirai, Hydra, Ramnit, Rhadamanthys, Deimos C2, SharkStealer, Emotet

Q4 2022

December

enhancement

Added Actor and VPN Info

new feature

Created Bulk Search

New signatures

Mythic, Metasploit, Covenant, AsyncRAT, Raccoon, RedLine, Laplas, Aurora Stealer, Lokibot

November

New signatures

Cobalt Strike, Qakbot, Bumblebee

October

new feature

Created Search Pages

new feature

Created C2 Summary and Activity Pages

New signatures

Added initial version of the Cobalt Strike tracker