Reviews

Customer Reviews and Testimonials

Discover insights from top cybersecurity experts, researchers, and developers about their experience with Hunt.io.

Hear more from people

Cyb3rjerry

Lead SOC and DFIR analyst

My first blogpost on threat hunting & #xworm malware is out! Huge shoutout to @Huntio for their great tool!

Justin Elze

CTO @TrustedSec

PSA: I have been spending a lot of time this year hunting open directories with @Huntio. On four separate occasions, I had to contact pentesters/pentesting companies to take down a shared home folder via python HTTP.server that was directly attributable to them. It wasn't CTF people or hobbyists. It was people doing their day jobs. Couple fun facts: changing the port doesn't matter, and only doing it for a couple hours doesn't matter. The internet is a hostile place that is constantly scanned and scraped.

Michael Koczwara

Founder @Intel_Ops_io

Using @Huntio to hunt for Lazarus/APT38 clusters is an effective way to understand which crypto-related companies are targeted by this threat actor. For example, we've observed a DPRK threat actor using the host 104.168.165.165 to create fake Hack VC subdomains, such as:
/hack-vc.online-meets.xyz
/hack-vc.video-meets.pro
/xyzhack-vc.video-meets.xyz
/video-meets.xyzhack-vc.video-meets.xyz
/hack-vc.video-meets.xyzhack-vc.video-meets.xyz
/hack-vc.video-meets.xyz
/hack-vc.video-meets.site
to impersonate/target the company.

Moonlock

Cybersecurity division @macpaw

New macOS malware targeting The Unarchiver! Stay safe, Mac users. Full report by @Moonlock_Lab with insights from @HuntIO https://moonlock.com/macos-malware-the-unarchiver… #Cybersecurity #MacOS #TheUnarchiver #Malware

Magnus Jacobsen

Computer aficionado

http://7.2.6.finish.py and http://exp.7.2.6.py look to be variants of a POC for CVE-2024-21762 (based on Assetnote's writeup). The IP also hosted some likely Rekoobe backdoor variants, among other things. Thanks @Huntio https://github.com/h4x0r-dz/CVE-2024-21762… https://assetnote.io/resources/research/two-bytes-is-plenty-fortigate-rce-with-cve-2024-21762

Michael R

Threat (Adversary Infrastructure) Researcher

#IcePeony 1/n Using @Huntio Code Search, I located the opendir (165.22.211[.]62:80) from @nao_sec's latest post by searching for a line of code from a bash script. This led to 2 more servers (172.233.1[.]11:80 & 128.199.70[.]91:8080) hosting the same CobaltStrike4.8 file.

Michael Koczwara

Founder @Intel_Ops_io

Code search feature from @Huntio is excellent for monitoring threat actor OPSEC activities. For instance, it's well-known that Havoc C2 contains the specific header string "X-Havoc: true", making it relatively easy to detect. However, what if the threat actor removes the "X-Havoc: true" header and sets up/adds Cloudflare infrastructure/certificates to make it harder to detect, like the example here: /finances-news.com (0/94 VT). In that case, you can check the bash history, "havoc.yaotl", and "http_smb.yaotl" files to see how it's set up. From there, you can create a hunting rule to detect Havoc C2 even when the header string "X-Havoc: true" is removed, custom certificates are used, and infra is behind Cloudflare. Happy hunting!

Andrew Morris

Founder/Chief Architect of GreyNoise Intelligence

I broke into OSQuery's house to steal their TV and I couldn't because Hunt already stole it. Nice work @Huntio :) great feature.