Introducing Hunt 2.8

New Features
IOC Hunter Workflow Improvements
Refined extraction, validation, and filtering flows to make it easier to pivot from research into usable IOCs across investigations.
Provider Visibility Expansion
Improved visibility into hosting and provider context across IPs and domains, helping teams quickly understand where infrastructure lives and how it connects.
C2 Filtering Enhancements
More precise filtering options for command-and-control infrastructure, enabling faster isolation of relevant C2 activity during hunts.
Reputation & Risk Signal Accuracy
Cleaned up reputation and risk signals to reduce noise and focus on confirmed malicious indicators, improving trust and clarity during analysis.
Usability Improvements
IOC Navigation and Pivots
Smoother transitions between IOC Hunter, IP search, and related views to keep investigations aligned and reduce manual re-filtering.
Search and Filtering Refinements
General improvements to filtering behavior and result consistency across core workflows.
Performance
Faster IOC and Infrastructure Queries
Performance optimizations across IOC Hunter, IP search, and C2 listings to reduce load times and improve responsiveness during large investigations.
Bug Fixes
• Fixed inconsistencies in IOC counts across views.
• Resolved minor filtering and display issues impacting investigation workflows.
• General stability improvements across the platform.
👉 Read the full blog post for more.
Introducing Hunt 2.7

New Features
Domain Risk & Reputation
Expanded with indicators for IOCs, malware, phishing, and open directories. Added IOC Hunter threat actor visibility plus WHOIS registrar and creation date for apex domains and hostnames.
IOC Hunter and Host Radar Link
IOC counts in Host Radar now open IOC Hunter prefiltered by provider and time range, keeping counts aligned for faster investigation pivots.
IOC Hunter Hosting Company Column
Added hosting company data to IOC Hunter IP lists for quick context and correlation with Host Radar.
AttackCapture™ Explore – Linked IOC Counts
The IOCs subtab now includes clickable IOC counts that open related listings with hostnames, ports, and tags from each article.
Usability Improvements
Session Timeout Extended
Session TTL increased to one week based on frequent user feedback.
Provider Tags
Quickly identify provider infrastructure across more areas of the platform.
Domain Search Enhancements
Added search box and bulk uploader to domain results for faster lookups.
Performance
Improved speed for C2 listings, risk cards, and IP search operations.
AttackCapture™
Multi-Value Filters
Added horizontal filter layout supporting multiple values with “More Filters” for Hostname, Port, Source, Tag, Malware, and IOCs.
Open Directory Summaries
Now provides concise text summaries for open directories.
Explore Navigation
Improved pivoting to related listings such as Open Source Software, C2 Scanning Signatures, and Malware Sandboxed Tags.
Bug Fixes
• Fixed Windows flag display across the app.
• Resolved ZIP extraction issues in AttackCapture.
• Aligned Malware Sandbox Tag counts in Explore.
• Fixed display of unknown malware ports in IP search protocols.
• Improved accuracy of IP search warning counts.
👉 Read the full blog post for more.
Introducing Hunt 2.6

New Features
IP Risk & Reputation
Added new context for every IP, including scanned C2s, TOR nodes, VPNs, malicious open directories, related IOCs, and news coverage. PTR records are now visible under hostnames for clearer investigation paths.
SQL Downloads via API
You can now export HuntSQL™ query results directly from the API using the /v1/sql/download endpoint. Supported formats: CSV, JSON, and NDJSON.
New C2 Infrastructure
Expanded dataset with 15+ new families, including GobRat, Myth Stealer, Clay Rat, ZeroTrace C2, Raptor RAT, OHM Android RAT, Burp Suite, UltraVNC, Odyssey, Lazarus, Adaptix C2, Starkiller, Nemo C2, Latrodectus, Bofamet, and ValleyRat.
HuntSQL™ Enhancements
• Added full support for LIMIT and OFFSET parameters for better query performance and control.
• Improved schema copy behavior for more consistent results.
• Enhanced reliability when exporting large datasets.
IOC Hunter
• Expanded with hundreds of new sources and millions of additional articles, including real-time feeds from X (formerly Twitter).
• Updated titles for better readability and faster scanning.
Integrations
• OpenCTI 1.1: Optimized for faster data sync and smoother performance.
API Enhancements
• PIOC handling now deduplicates data for accurate IOC counts.
Bug Fixes
• Fixed HuntSQL™ schema copy errors.
• Corrected missing China Telecom logo and minor display issues.
• Improved confidence score handling for C2 listings.
• Dashboard pagination and display bugs resolved.
👉 Read the full blog post for more.
Introducing Hunt 2.5

New Features
Pivots Table
New HuntSQL™ table showing related intelligence artifacts such as certificate subjects, hashes, and TLS fingerprints. Each entry includes occurrence counts and pivot options to Advanced Search or SQL Search for faster context expansion.
Add to Query Button
Quickly expand queries with the new Add to Query button inside SQL results. Hover over a field value and apply it directly to your query to build precise conditions on the fly.
Certificate Fields
httpv2 now includes the full TLS certificate record with 50+ fields, allowing analysts to pivot on certificate data and HTTP attributes within a single HuntSQL™ query.
Phishing Feed
A new downloadable phishing feed is now available, including incident IDs, status, host or IP group, brand tags, phishing kit details, and related URLs.
Phishing Kits SHA256 Pivoting
Clicking a phishing kit’s SHA256 hash now redirects to the new AttackCapture™ Extracted Zip File Manager, showing related file details and connections.
General Updates
• Updated IP database through our partnership with IPInfo, now refreshed continuously.
• Full-screen layout for a cleaner, more spacious app experience with improved visual separation between navigation and content.
• SAML integration improvements adding default user permissions, verified email timestamps, and cross-subdomain session cookie support.
HuntSQL™ Enhancements
• Added Pivots table for faster movement between related artifacts.
• Improved memory handling and clearer messages when hitting query size limits.
Bug Fixes
• Fixed URL parameter parsing issues on the phishing brand listing page.
• Added proper error handling for large database queries returning 413 responses.
• Resolved display inconsistencies in SQL search overlays.
👉 Read the full blog post for more.
Introducing Hunt 2.4

New Features
AttackCapture™
• Archive Unpacking: ZIPs and similar file types are now automatically extracted and searchable
• SHA256 UI Updates: Cleaner layout with improved file size display and persistent hash input
HuntSQL™ Enhancements
• HTTPv2 Table: New schema with grouped fields under http.headers., html.head., and html.hash
• Field Expansion: Dozens of new HTTP, HTML, and hash fields now available
• Built-in Cheat Sheets: Quick reference for SQL functions, operators, and time syntax
IOC Hunter
• Advanced Filtering: Easily find IOCs tied to specific threat actors or sources
Phishing Infrastructure
• Kit Details Page: Consolidated view of files, metadata, and extracted paths for each phishing kit
• Expanded Kit List: Now includes 1,400+ kits, with filters by domain, file count, and more
HostRadar
• Hosting Enrichment: Added names and descriptions for over 200 providers
General Improvements
• Malware Search: Now queries across 3,500+ families with name-based filtering
• UI Polish: Cleaned up bulk extractor, IP widget, and removed extra horizontal scrolling
Bug Fixes
• Fixed open directory results missing from Domain Search
• Resolved GitHub tagging issues in AttackCapture™
• Addressed errors with certain Alibaba IP variants
👉 Read the full blog post for more.
Introducing Hunt 2.3

New Features
AttackCapture™
• Analyst Notes Directory: A centralized list of directories with analyst-written notes is now available at the bottom of the dashboard. Helps prioritize where to start your investigation.
• Editorial Observations: Each host now includes a short analyst summary to quickly understand what is exposed without reviewing every file.
HuntSQL™ Enhancements
• Inspirational SQL Queries: The editor now preloads example queries based on the selected table or use case.
• Record Export: You can now download individual result records as CSV or JSON.
• Time Cheat Sheet: A built-in reference makes it easier to write relative time filters, fixed date ranges, and timestamp conditions.
Bulk Domain Enrichment
• Domains now include context such as C2s, open directories, and IOCs. Supports hundreds of lookups at once.
Phishing Navigation
• A new navigation section has been added for phishing investigations. Includes Overview, Actors, and Kits.
Enterprise SSO
• SAML 2.0 is now supported. Contact us if you’d like to enable it for your organization.
Bug Fixes
• Pagination added to the AttackCapture™ search results page
• Fixed IOCs that were not properly defanged during domain searches
• Corrected incorrect “2025-03-10” date in some AttackCapture™ details
• Resolved layout issue on 16″ screens that caused horizontal scrolling in AttackCapture™ list views
• Fixed Code Search Examples so they are now clickable, and added more example queries
👉 Read the full blog post for more.
Introducing Hunt 2.2

New Features
• Zip Extraction in AttackCapture™: Archive files are now automatically unpacked, revealing embedded payloads like scripts, configs, and executables.
• Smarter File Search: Search by filename or extension.
• IP History Consolidation: See all activity, metadata, and related context tied to a single IP, across ASN, provider, and geolocation.
• Host Radar: Spot patterns across abused hosting providers, from phishing domains to malware infrastructure.
HuntSQL™ Enhancements
• New UI: Cleaner layout with datasets grouped by category (Malware, HTTP, Phishing, Nmap).
• WHOIS + Nmap Tables: Billions of domain records and over 2,000 previously unseen protocols now searchable.
• Result Popups: Click any result row for metadata, headers, hashes, and decoded content; switch between table and JSON views.
• Faster Querying: Shift+Enter submits instantly. WHOIS defaults to the last 180 days. Each dataset includes sample queries.
Platform + UI Improvements
• Persistent IP Search: IP search bar now stays visible across views.
• Improved Code Search: Filter by file size and date.
• Session Timeout Extended: Now 12 hours (up from 2–4) for longer workflows.
• Faster Filtering: A new endpoint speeds up list views by offloading filter processing.
Integrations
• Splunk App: Bring Hunt C2 Feeds and IOC Hunter into Splunk with dashboards, saved searches, and automated updates.
API Updates
• Lowercase Hash Support: SQL search now handles Python-style lowercase hashes for certificates.
• Custom Timeout for IOC Hunter: Set API_QUERY_TIMEOUT to suit your workflows.
Bug Fixes
• Fixed incorrect “last seen” in Ports History.
• SQL formatting improved for clarity.
• Autocomplete is disabled in SQL editor to reduce noise.
• Added missing cert fields: not_before, not_after, cipher_suite, tls_version, hostnames.
👉 Read the full blog post for more.
Introducing Hunt 2.1

New Features
• Deep Text File Analysis: AttackCapture™ now includes one-click file summaries that auto-tag exploits, tooling, and intent.
• IOC Feed API Upgrade: Added malware_name and description fields to enrich IOCs natively.
Platform + UI Improvements
• New Subdirectory Stats in AttackCapture™: See total subdirs, file counts, and sizes at a glance.
• AttackCapture™ File Type Stats: Visual breakdown of captured file extensions and sizes.
• New Bulk Extractor Design: Malware rows now highlighted in red, sortable IP columns added.
• Unified History Tab: IP view now consolidates timeline, SSL, SSH, ports, and JARM in one place.
• New Certificate Details Page: Clean layout with pivot links for JA4X and fingerprints.
• Platform Stats: Now includes real-time breakdown of certificates, ports, HTTP, SSH, and more.
Threat Intelligence Enhancements
• Expanded Threat Actor Dataset: We’ve added significantly more threat actors and extended metadata across profiles.
• New Filters: Search by adversary name, incident type (ransomware, espionage), or victim sector.
Data + Schema
• Open Directory Filenames Dataset: Track exposed files missed by download, with metadata and URLs.
• Improved HuntSQL™ Navigation: Schemas now grouped by type (Malware, SSH, HTTP, etc.).
• Updated SQL Docs: More examples, pivot tips, regex filters, and advanced queries.
Integrations
• Cyware Integration: IOC Hunter feed is now supported without extra config.
Bug Fixes
• Fixed session timeout issue affecting some users.
• Fixed protocol mismatch bug impacting approximately 400,000 collections per day (“plain HTTP sent to HTTPS port”).
👉 Read the full blog post for more.

IOC Hunter Feed & Attribution Now in Our C2 Feed
We’ve launched two key upgrades to enhance threat detection and attribution: the new IOC Hunter Feed and added threat actor metadata in the C2 Feed.
IOC Hunter Feed
This feed collects IOCs from public research and adds valuable context like:
• Source info (title, date, URL)
• Threat actor attribution (name, aliases, country)
• Related indicators (IPs, hostnames, file hashes)
It provides a reliable, enriched stream of IOCs for faster analysis.

Attribution in the C2 Feed
Our C2 Feed now includes optional metadata connecting infrastructure to known actors and malware, based on matches from the IOC Hunter dataset.
Each entry includes:
• Actor names, campaigns, origin
• IPs, hostnames, malware, confidence scores
How to Access
Both feeds are available via the Hunt.io API in compressed JSON.
Why It Matters
Moving from raw indicators to identifying threat actors helps teams prioritize and respond with greater clarity.
👉 Read the full blog post for more.
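The two feeds above are described as compressed JSON carrying attribution fields (actor, campaign, origin) alongside the indicators (IP, hostname, malware, confidence score). The consumer below is an added illustration, not Hunt.io's own client, and its field names, the gzip-compressed JSON array layout, the constructed sample records and the RFC 5737 documentation addresses are all assumptions. It shows the handling a practitioner typically needs before such a feed is useful downstream: schema validation of each record, deduplication of repeated indicators (keeping the highest confidence score), a confidence threshold, and defanging of indicators for reports so they cannot be clicked by accident.

```python
"""Consumer for an attribution-enriched C2 feed delivered as gzip-compressed JSON.

Added example: the schema (ip, hostname, malware, actor, campaign, origin,
confidence) and the feed layout are assumptions, not Hunt.io's documented format.
"""
import gzip
import json
from collections import defaultdict

# Constructed sample feed. It deliberately contains a repeated IP with a lower
# confidence score and one malformed record (missing "ip", non-integer confidence).
# Addresses come from RFC 5737 documentation ranges; hostnames use the reserved
# ".example" TLD.
SAMPLE_FEED = [
    {"ip": "192.0.2.10", "hostname": "c2-a.example", "malware": "Cobalt Strike",
     "actor": "ActorA", "campaign": "camp-1", "origin": "XX", "confidence": 90},
    {"ip": "192.0.2.10", "hostname": "c2-a.example", "malware": "Cobalt Strike",
     "actor": "ActorA", "campaign": "camp-1", "origin": "XX", "confidence": 70},
    {"ip": "198.51.100.7", "hostname": None, "malware": "AsyncRAT",
     "actor": None, "campaign": None, "origin": None, "confidence": 40},
    {"hostname": "bad.example", "malware": "Sliver", "confidence": "high"},
]


def compressed_feed() -> bytes:
    """Serialize the sample feed the way a compressed download would arrive."""
    return gzip.compress(json.dumps(SAMPLE_FEED).encode("utf-8"))


def defang(value):
    """Make an indicator non-clickable for reports: dots become [.], http becomes hxxp."""
    if value is None:
        return None
    return value.replace(".", "[.]").replace("http", "hxxp")


def parse_feed(blob: bytes) -> list:
    """Decompress and parse the feed, dropping records that fail basic schema checks."""
    rows = json.loads(gzip.decompress(blob).decode("utf-8"))
    if not isinstance(rows, list):
        raise ValueError("feed must be a JSON array of records")
    valid = []
    for row in rows:
        ip = row.get("ip")
        confidence = row.get("confidence")
        # Require a string IP and an integer confidence; anything else is skipped
        # rather than allowed to poison counts further down the pipeline.
        if not isinstance(ip, str) or not isinstance(confidence, int):
            continue
        valid.append(row)
    return valid


def dedupe_by_ip(rows: list) -> list:
    """Collapse repeated IPs, keeping the record with the highest confidence score."""
    best = {}
    for row in rows:
        current = best.get(row["ip"])
        if current is None or row["confidence"] > current["confidence"]:
            best[row["ip"]] = row
    return list(best.values())


def attributed(rows: list, min_confidence: int = 50) -> dict:
    """Map actor name -> sorted, defanged indicators at or above the threshold."""
    out = defaultdict(set)
    for row in rows:
        if row.get("actor") and row["confidence"] >= min_confidence:
            out[row["actor"]].add(defang(row["ip"]))
            if row.get("hostname"):
                out[row["actor"]].add(defang(row["hostname"]))
    return {actor: sorted(iocs) for actor, iocs in out.items()}


def summarize(blob: bytes, min_confidence: int = 50) -> dict:
    """Full pipeline: parse, dedupe, split into attributed and unattributed indicators."""
    rows = dedupe_by_ip(parse_feed(blob))
    return {
        "total": len(rows),
        "attributed": attributed(rows, min_confidence),
        "unattributed": sorted(defang(r["ip"]) for r in rows if not r.get("actor")),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(compressed_feed()), indent=2))
```

Deduplicating by indicator before counting is what keeps IOC totals stable across views; a feed that repeats an IP across several campaigns will otherwise inflate counts. The confidence threshold is a tuning knob for the consuming team, not a property of the feed.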

Introducing Hunt 2.0
Hunt 2.0 introduces a more powerful platform for threat analysis, improved data access, and a modernized interface designed to enhance security operations. This update includes a refined UI, advanced IP visualization, expanded HuntSQL™ and API features, and new integrations with Cyware and OpenCTI.
Improved Web Interface
The updated web interface offers a more intuitive design, optimizing navigation and data analysis for a seamless user experience.
• Redesigned dashboard – Faster, more intuitive, and now supports collapsible navigation.
• Enhanced search functionality – Expanded support for domains and IP associations.
• Threat Actors Feature – Interactive IOC filtering from public research, validated by analysts.
• IP Visual History – New tool to track IP relationships over time.

HuntSQL™ Enhancements
• New URLx table for extended dataset queries.
• Export options: CSV, JSON for offline analysis.
• Updated documentation and sample queries.
AttackCapture™ Updates
• New preview functionality – View any file type before downloading.
• Expanded data collection – More sandboxed files for deeper analysis.
• Updated documentation and sample queries.

API Upgrades
The latest API enhancements provide deeper data access, streamline integrations with external tools, and include detailed documentation to simplify implementation.
• AttackCapture™ API – Retrieve Open Directory data, listings, and statistics.
• SQL API – Execute SQL queries remotely and fetch large datasets.
• C2 & IP Enrichment APIs – Fetch active C2 servers, enrich IPs with detailed metadata, and download feeds in compressed JSON format.
Data Improvements
Hunt 2.0 improves data collection and processing, delivering more precise and actionable threat intelligence.
Key enhancements include:
• Manual submission of Open Directories for AttackCapture™.
• Enhanced SSL parsing for detecting malware-related certificates.
• New C2 and malware pages with real-time filtering, news, and IOC insights.
New Integrations
New integrations with top cyber intelligence platforms ensure smoother workflows and enhanced operational efficiency.
Key integrations include:
• Cyware Integration – Automatic ingestion of Hunt’s C2 feed for real-time threat detection.
• OpenCTI Connector – Import Hunt’s C2 intelligence into OpenCTI via STIX format, with plans to expand feed support.

Experience Hunt 2.0 today and take your threat hunting to the next level.

Announcing Hunt SQL
Hunt is announcing the release of Hunt SQL for threat hunting and analysis. This is a new feature that allows researchers, analysts and threat hunters to query the extensive Hunt database using the power and flexibility of SQL.
This initial release of Hunt SQL will contain:
• HTTP - Users can query first party HTTP data to identify threat actors and malicious activity.
• Malware - Users can query the Hunt database of confirmed C2 servers and build detailed statistics on threat actor activity.
• Certificates - Users can query first party certificate data, allowing users to track and identify malicious certificates.
• HoneyPot - Users can query honeypot data and obtain detailed stats on internet scanning activity.
• Open Directories - Users can query the Hunt database of past and present open directories. This helps discover malware, exploits and attack tooling.
• Phishing - Query an extensive list of phishing sites to identify and track phishing kits and threat actor tooling.
Access to Hunt SQL can be obtained by signing up for a free demo.

Announcing Hunt APIs
Today Hunt is announcing our IP Enrichment API. You can get detailed data on every IPv4 Address and enrich any existing system.
Unlock the true potential of your IP addresses with our groundbreaking IP Enrichment API. Steps to using the API:
• Reach out to our team to get access for commercial (paid), demo or research purposes.
• Create an API key.
• Look at the IP Enrichment Guide.
• Prototype with the IP Enrichment Reference.
Check it out and schedule a demo today.

Launching AttackCapture from Hunt.io
Today, to kick off our 1 year anniversary, we're launching an update and rethink to our Open Directory feature. It's been an amazing year with over 50,000,000 files processed from bad actors.
• Full Code Search across attacker code
• MITRE ATT&CK codes baked in everywhere
• Editorial observations
• Automatic extraction of attacker credentials and keys
• Download files as a password-protected zip
• Open Directories for Attributed IOCs
• Attack files by scan signature
• Attack files by File Signature
• More Files Sandboxed - automatically
Check it out and schedule a demo today.
January
• enhancement: Preview in Open Directory now works with uppercase extensions like .TXT by default
• enhancement: IOC Hunter now has a human in the loop to ensure the data is top quality all the time
• enhancement: Added open directory signature for W3ll phishing kit
• New signatures: Ares, MuddyWater APT, Godzilla Loader, Ermac, Gh0st RAT, Kaiji, Neptune Loader, Noterce, Epsilon Stealer, Octopus, Winnti, Gozi
• enhancement: Added 110 new tags to GitHub recon projects and exports to the Exposed Open Directories
December
• enhancement: Added lists of Hosts and IPs to IOC Hunter page
• New signatures: JinxLoader, Axile Stealer
• enhancement: Added 230 new tags to GitHub recon projects and exports to the Exposed Open Directories
November
• enhancement: Added IOC Hunter post links in IOC Hunter box on Dashboard page
• new feature: Added new IOC Hunter page
• New signatures: Serpent Stealer, Godzilla Loader, PlugX C2 Profile, IcedID
• enhancement: Added 415 new tags to GitHub recon projects and exports to the Exposed Open Directories
October
• new feature: Possibility to download list of new certificates as JSON file on Feeds page (Commercial)
• enhancement: On Dashboard page New C2 Online and New Open directories are shown in tabs
• enhancement: Added Date, Software found, Tags and Hosting Company filters on Open Directories Page
• new feature: Implementation of 2FA
• new feature: Added Settings page on Dashboard
September
• new feature: Added Settings page on Dashboard
• new feature: Added Certificate page with new JA4X certificate info
• new feature: Added new type for searching Open Directories on Advanced Search page
• new feature: Added pagination on Open Directory Search and removed 250 records limit
• New signatures: Unknown Android Malware, Easy Stealer
• New signatures: Nessus VA, Unknown Android Malware, OWASP ZAP API
• new feature: Created Recent C2 Discoveries Page
• new feature: Added copy button for the IPs on Overview page
• enhancement: Syntax highlighting on JSON output
August
• BUG FIX: Fixed links on Cobalt Strike Filters page
• enhancement: Added example links on Advanced Search
• enhancement: Redirection to Dashboard page after login
• enhancement: Added colors to the changelog items
• BUG FIX: Improved search box on Advanced search
• BUG FIX: HTTPS → HTTP redirection when “is_ssl”: false
• New signatures: Acunetix, SuperShell, Responder, ChaosRat, RedWarden, RedGuard, Mystic, AZORult
• BUG FIX: Improved Search by Actor in Sensors
• new feature: Added Dashboard Page
• new feature: Added System wide Stats on Dashboard Page
• enhancement: Updated ASN data in our databases
• enhancement: Updated lists of downloaded extensions in Open Directories to aid in investigations (added ASP.NET, PHP, C, and C++ files)
• enhancement: Added tagging of common tools from Exposed Open Directories and linked to GitHub (total number: 240)
July
• enhancement: New data sources and signatures for Exposed Open Directories to identify more
• enhancement: Make external links more obvious with this icon
• enhancement: Added search by file name to Exposed Open Directory
• new feature: Added tagging of common tools from Exposed Open Directories and linked to GitHub (total number: 230)
• BUG FIX: Added TLS protocol check algorithm to fix misleading TLS data on IP search
June
• improved detections: Protocols for TLS, DNS, FTP, MySQL, POP3, RDP, and Redis
• new detections: Protocols for OpenVPN, MS-NMF, NetBIOS, MikroTik, and server exec
• BUG FIX: Improved Siemens detection to exclude false positives
• New signatures: Araneida, Vidar
• enhancement: Open Directories
May
• new feature: Added extract IP info to Bulk Search
• enhancement: Added many ports for daily scanning cloud IPs
• New signatures: Rengine, L3mon, Hak5, EvilGoPhish, Pupy, Hookbot, Daam, BianLian
April
• new feature: Added OpenAI to determine actor intent of Open Directories
• New signatures: Added initial tracker version of Havoc, Sliver, Amadey, AgentTesla, VShell, IntectSh, Meterpreter, DcRat, BYoB
March
• enhancement: Added Login Pages and Dark mode
• New signatures: Titan Stealer, Orcus, Ursnif, Nexus, ImBetter, Opendir Malware, HightHawk
February
• enhancement: Added Protocol fingerprinting and enriching API
• New signatures: PixPirate, ARL, Viper, DarkComet, RapperBot, StealC
January
• new feature: Added Open Directory search
• New signatures: Bitrat, RisePro, Mars Stealer, Shadowpad, Dacls, Alienbot, Lumma, Misha, Cova, Nosu, Spy-Agent, SystemBC, Brute Ratel, Posh C2, GoPhish, Burp Suite, BeEf, Mirai, Hydra, Ramnit, Rhadamanthys, Deimos C2, SharkStealer, Emotet
December
• enhancement: Added Actor and VPN Info
• new feature: Created Bulk Search
• New signatures: mythic, Metasploit, Covenant, AsyncRAT, Raccoon, RedLine, Laplas, Aurora Stealer, Lokibot
November
• New signatures: Cobalt Strike, qakbot, bumblebee
October
• new feature: Created Search Pages
• new feature: Created C2 Summary and Activity Pages
• New signatures: Added Initial version of Cobalt Strike tracker