
Hunt.io Blog

ID: 98d67329-7040-5562-b5e6-876377cf6ae2

STIX ID: identity--98d67329-7040-5562-b5e6-876377cf6ae2

Feed Type: skeleton

Earliest post: 2026-02-16

Latest post: 2026-02-25

The Hunt.io Blog shares threat intelligence research, practical guides, and deep investigations into malicious infrastructure, malware campaigns, and proactive threat hunting techniques to help defenders uncover and understand adversary activity.

Date range: 01/01/2020 to 06/04/2026
| Title | Date Published | Describes Incident | Author Visible |
|---|---|---|---|
| PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network | 2026-06-04 | True | True |
| Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted | 2026-05-28 | True | True |
| Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers | 2026-05-22 | True | True |
| How TeamPCP's Python Toolkit Survives a C2 Takedown: FIRESCALE, GitHub, and the Victim's Own Account | 2026-05-15 | True | True |
| CVE-2025-32975: The Open Directory Behind the KACE SMA Breach and 60+ Downstream Victims | 2026-05-13 | True | True |
| xlabs_v1 DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet | 2026-04-30 | True | True |
| DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers | 2026-04-22 | True | True |
| Exposing Russian Malicious Infrastructure: 1,250+ C2 Servers Mapped Across 165 Providers | 2026-04-16 | True | True |
| Canis C2 Exposed: Previously Undocumented Cross-Platform Surveillance Framework Targeting Japan | 2026-04-09 | True | True |
| Breaking Down the Axios Supply Chain Attack: Dropper, Cross-Platform RATs, and BlueNoroff/TA444 | 2026-04-02 | True | True |
| 33K Exposed LiteLLM Deployments and the C2 Servers Behind TeamPCP's Supply Chain Attack | 2026-03-28 | True | True |
| TheGentlemen Ransomware Toolkit Found on Russian Proton66 Server | 2026-03-25 | True | True |
| Iranian Botnet Exposed via Open Directory: 15-Node Relay Network and Active C2 | 2026-03-18 | True | True |
| Exposing Lumma Stealer’s Second-Stage Infrastructure and C2 Servers with ASN and JA4X Pivoting | 2026-03-12 | True | True |
| Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine | 2026-03-12 | True | True |
| Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation | 2026-03-05 | True | True |
| The Complete Guide to Hunting Cobalt Strike - Part 4: Operationalizing C2 Feeds with API Automation | 2026-03-04 | True | True |
| Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | 2026-02-18 | True | True |
| Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure | 2026-02-16 | True | True |
| Paste.ee Abuse Uncovered: XWorm & AsyncRAT Infrastructure | 2026-02-16 | True | True |
| APT34-Like Threat Infrastructure Uncovered Before Activation | 2026-02-16 | True | True |
| APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users | 2026-02-16 | True | True |
| Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait | 2026-02-16 | True | True |
| Detecting IOX, FRP, Rakshasa, and Stowaway Proxies Using Hunt.io | 2026-02-16 | True | True |
| Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight | 2026-02-16 | True | True |
| Proactive ClickFix Threat Hunting with Hunt.io | 2026-02-16 | True | True |
| KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company | 2026-02-16 | True | True |
| Hunt.io Insights: Gamaredon’s Flux-Like Infrastructure and a Look at Recent ShadowPad Activity | 2026-02-16 | True | True |
| JSPSpy and ‘filebroser’: A Custom File Management Tool in Webshell Infrastructure | 2026-02-16 | True | True |
| South Korean Organizations Targeted by Cobalt Strike ‘Cat’ Delivered by a Rust Beacon | 2026-02-16 | True | True |
| Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign | 2026-02-16 | True | True |
| Advanced Threat Hunting with New SSL Features: Unlocking HuntSQL™ Anomaly Flags for Deeper Detection | 2026-02-16 | True | True |
| Malicious Signal, Line, and Gmail Installers Target Chinese-Speaking Users with Backdoors | 2026-02-16 | True | True |
| Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure | 2026-02-16 | True | True |
| LightSpy Malware Now Targets Facebook & Instagram Data | 2026-02-16 | True | True |
| Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt | 2026-02-16 | True | True |
| Unlock SSL Intelligence: How SSL History Boosts Threat Hunting | 2026-02-16 | True | True |
| Unmasking SparkRAT: Detection & macOS Campaign Insights | 2026-02-16 | True | True |
| VS Code Extension Impersonating Zoom Targets Google Chrome Cookies | 2026-02-16 | True | True |
| Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure | 2026-02-16 | True | True |
| MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device | 2026-02-16 | True | True |
| Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity | 2026-02-16 | True | True |
| Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies | 2026-02-16 | True | True |
| XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method | 2026-02-16 | True | True |
| Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links | 2026-02-16 | True | True |
| Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator | 2026-02-16 | True | True |
| Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users | 2026-02-16 | True | True |
| Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight | 2026-02-16 | True | True |
| Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified | 2026-02-16 | True | True |
| Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More | 2026-02-16 | True | True |

Showing 1–50 of 95 posts.