China-Linked TA4922 Targets Europe and Africa With Atlas RAT
https://t.co/tpCgJJzFSf
The China-linked group TA4922 is moving beyond Asia and targeting organizations in Germany, Italy, the UK, and South Africa.
The group uses localized phishing lures around payroll, VAT, taxes, invoices, HR, and government compliance.
Atlas RAT is the main payload here, giving the operators the ability to steal files, log keystrokes, capture screenshots, record audio and webcam feeds, download additional payloads, and evade basic analysis.
TA4922 is also using RomulusLoader, SilentRunLoader, and ValleyRAT.
#TA4922 #ThreatIntelligence #AtlasRAT #CyberSecurity
How TTP Hunting Helps Teams Catch Threats Earlier
In this entry from our glossary, we break down TTP threat hunting and why it matters.
Attackers do not move randomly: they repeat patterns, test techniques, and leave behavior behind.
Instead of waiting for alerts, analysts look for the tactics, techniques, and procedures behind real attacks: lateral movement, credential dumping, living-off-the-land (LOTL) activity, suspicious infrastructure, and more.
What matters is not only finding threats faster, but also understanding how attackers operate and turning their own playbook against them.
Read the full article here: https://t.co/P7DaiNCeMF
#ThreatHunting #ThreatIntelligence #CyberSecurity
NEW RESEARCH: PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network
Based on prior public research by @SentinelOne (great job!) into PCPJack, we kept digging into their infrastructure and found an open directory on one of their known C2 servers. No authentication required. Twelve files exposed on port 8444, including source code, compiled binaries, and deployment state logs.
https://t.co/PyD8VPuQWc
What those files revealed was a Sliver-integrated toolkit converting compromised Linux servers into a persistent SMTP relay network.
- 12-file toolkit sitting exposed with no authentication
- 3 generations of deployer scripts, growing from 50 beacons to 230 in a single wave
- SMTP quality gate pre-filtering hosts by mail relay capability
- Verified proxy list syncing every 5 minutes to a downstream server
Full breakdown, IOCs, and HuntSQL queries here: https://t.co/PyD8VPuQWc
Russia-Linked Gamaredon Unleashes GammaWorm Against Ukraine
https://t.co/b9aZXSkLSS
Gamaredon, a Russia-linked APT focused mainly on Ukraine, is now using a new malware strain called GammaWorm against Ukrainian networks.
The chain starts with a malicious XHTML file and a WinRAR vulnerability, then plants the worm through the Windows Startup folder.
GammaWorm hides modules in NTFS Alternate Data Streams, spreads through USB sticks and network drives, and uses Telegram and Cloudflare as dead drops for live C2 addresses.
#ThreatIntelligence #Gamaredon #WinRAR #CyberSecurity
Infrastructure-Level Threat Hunting With Host Radar
Hunt's Host Radar helps analysts stop treating malicious infrastructure as a pile of disconnected indicators.
It maps activity by country, company, domain, and provider, then ties together C2s, phishing sites, malicious open directories, and IOCs.
In the CN view shown here, you can quickly compare providers like China Unicom, Alibaba Group, Tencent, China Telecom, and more, then drill into their activity.
This provider-level view makes threat hunting cleaner, faster, and harder to fool.
Turn scattered IOCs into provider-level intelligence with Host Radar: https://t.co/7yE3U9d4bD
#ThreatHunting #ThreatIntelligence #CyberSecurity
SideCopy Deploys XenoRAT Malware in New Afghanistan Campaign
https://t.co/SSC3mvhs63
The Pakistan-linked threat group SideCopy is back with a new campaign, this time deploying XenoRAT malware against Afghanistan's Ministry of Finance.
The operation targeted finance officials across all 34 Afghan Mustoufiats (provincial finance directorates), using a spear-phishing ZIP containing a malicious shortcut disguised as a PDF.
The chain abused mshta.exe, loaded payloads from a compromised Afghan education domain, and deployed XenoRAT 1.8.7 with registry and scheduled task persistence.
#ThreatIntelligence #SideCopy #XenoRAT #CyberSecurity
Turn IP Addresses Into Threat Hunting Leads Using Hunt's API
An IP can tell you more than just "where."
With Hunt's IP Enrichment API, a single request can return observed activity across certificates, malware C2, JARM, HTTP data, protocols, SSH, honeypots, phishing, and open directories.
That means faster context for investigation workflows, without jumping between separate datasets.
The attached image shows an example of this enrichment through an API request, with the response trimmed to fit the visual, turning one IP into investigation-ready data.
Get a demo and start adding richer context to every IP you investigate: https://t.co/7yE3U9d4bD
#ThreatHunting #ThreatIntelligence #CyberSecurity
Iran-Linked Black Shadow Targets IT and Recovery Systems
https://t.co/6Xi9fZS1F7
The Iran-linked threat group Black Shadow has launched a new campaign against Middle Eastern organizations, and it goes beyond data theft.
The operation combines exfiltration with deliberate destruction across IT and recovery systems: VMware vCenter, Windows volumes, SQL Server databases, application servers, and Veeam backup chains.
The goal is not just to break systems but to make recovery much harder.
#ThreatIntelligence #CyberSecurity #InfoSec
Russia-Linked APT GREYVIBE Targets Ukraine With AI-Assisted Malware
https://t.co/MPwcLTe1oZ
GREYVIBE is a Russia-linked APT active since at least August 2025, targeting Ukraine and Ukrainian-related organizations.
The group has used five attack chains across spear-phishing emails, fake CAPTCHA pages, fraudulent Ukrainian adult-club sites, fake charity pages, and Android spyware lures.
AI seems to be built into several parts of the operation, from code and obfuscation to backend work and image generation.
The upside: the group has made several mistakes, from exposed backend functions and VirusTotal test uploads to slangy artifact names.
#GREYVIBE #ThreatIntelligence #CyberSecurity #InfoSec
ShinyHunters Claims Charter Leak With 42M Records
https://t.co/nFGRT9GNGz
ShinyHunters is making headlines again, this time with a claimed Charter Communications leak.
The group published data it says was stolen in April, including over 42 million customer records. The breach could impact nearly 4.9 million people, with the dataset reportedly including names, addresses, phone numbers, and 85,000 employee-related records with job titles.
Charter says only sales tools for business customers were impacted, and that no CPNI (customer proprietary network information) or sensitive personal information was released.
#DataBreach #ShinyHunters #CyberSecurity
Looking Back at the Iranian-Nexus Operation Against Oman's Government
A few weeks ago, we published a report on an Iranian-nexus operation targeting Oman's government.
One exposed open directory revealed a working C2 environment, exploit scripts, webshells, session logs, and exfiltrated data tied to government systems.
The campaign hit 12 ministries and exposed over 26,000 citizen and Ministry of Justice records.
Read the full article in our blog: https://t.co/9iRX4F2O4u
#ThreatHunting #ThreatIntelligence #CyberSecurity
HTTPSpy, HelloDoor, and VS Code Tunnels Enter Kimsuky's Playbook
https://t.co/iQIEBRydpZ
Kimsuky, a North Korea-linked threat actor, is changing tactics.
Recent campaigns used fake South Korean security software pages, a fake Webex page built around a real meeting schedule, and payloads leading to HTTPSpy.
Their toolkit also keeps expanding: HelloDoor, HttpMalice, HttpTroy, AppleSeed, HappyDoor, VS Code tunnels, Cloudflare Quick Tunnels, and DWAgent. It's a mix of custom malware and legitimate remote access tooling.
#ThreatIntelligence #Kimsuky #CyberSecurity #InfoSec
Government Data Becomes a Bigger Target Across Latin America
https://t.co/M2yBgJfuOP
Latin American cybercriminal groups are putting government data under heavy pressure.
This is not just one country or one incident. La Pampa Leaks claimed access to 5.8 million Uruguayan citizen records, Chronus Group claimed data from 25 Mexican government agencies and groups, and Colombia's health ministry reportedly faced 23 million attempted attacks in March.
The playbook is not always classic ransomware. In many cases, attackers skip encryption and focus on siphoning databases, monetizing citizen records, or using leak claims to pressure victims in public.
#ThreatIntelligence #DataBreach #CyberSecurity
Track Active C2 Servers by Country
There is an easy way to find where live C2 infrastructure is showing up right now.
With our C2 Infrastructure Feed, hunters can filter active servers by country, malware family, port, hosting company, and time range.
In the attached image, the listing is filtered for China and Russia, showing live C2 entries with IPs, ports, malware labels, first seen dates, and last seen activity.
Start with a country and then move straight into infrastructure that matters.
Find the latest live C2s across the countries that matter to your team: https://t.co/7yE3U9d4bD
#ThreatIntelligence #ThreatHunting #CyberSecurity
ShinyHunters Claims Carnival Breach Affecting Nearly 6 Million People
https://t.co/kaVUpEi5wB
Carnival has confirmed a breach affecting nearly 6 million people after attackers used social engineering to access part of its IT systems.
The stolen data reportedly included names, dates of birth, email addresses, genders, locations, and loyalty program details tied to Holland America's Mariner Society.
ShinyHunters claimed the attack back in April.
#DataBreach #ShinyHunters #Cybersecurity
New report: Exposing a Global Smishing Operation Across 19 Countries
We started hunting after Romania's official payment portal posted a public phishing warning. Here's what we found:
- 1,628 malicious URLs across 33 backend IPs and three continents
- Targets include government portals, road police, postal services, and telecoms in 19 countries
- One 128-character metadata hash present in every single phishing page
Full report: https://t.co/siQiZNVQN5
The same infrastructure hitting Romanian taxpayers was also targeting DPD customers in the UK and Ireland, T-Mobile users in the US, road police portals in Bulgaria and Armenia, and court payment systems in Trinidad & Tobago.
One campaign. Three continents. 33 backend IPs across Tencent Cloud, Alibaba Cloud, Cloudflare, and a VPS in Moldova.
The operators made one mistake. Every phishing page in the campaign carried the same 128-character metadata hash in the HTML.
Four HuntSQL pivots. One fingerprint. 1,628 URLs mapped across three continents.
Full infrastructure breakdown, detection strategies, and HuntSQL queries in the report:
https://t.co/siQiZNVQN5
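The pivot the smishing report describes, a shared metadata value reused across every page of a kit, is the kind of fingerprint a hunter can cluster on without any vendor tooling. The following is an added example, not Hunt.io's code or the report's HuntSQL queries. The page does not name the meta tag or the real hash value, so the script assumes the value sits in the content attribute of some <meta> tag and that "128-character" means 128 hex digits (the length of a SHA-512 digest); the URLs, page bodies, and hash values below are all constructed for illustration.

```python
"""Cluster phishing pages by a shared metadata fingerprint and pivot from one known-bad URL.

Added example (not Hunt.io code). Assumptions, since the report does not give them:
the fingerprint lives in a <meta ... content="..."> attribute, and it is 128 hex
characters. Every URL, page, and hash below is constructed.
"""
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser

# A 128-character hex string has the shape of a SHA-512 digest.
HASH_RE = re.compile(r"^[0-9a-fA-F]{128}$")


class MetaCollector(HTMLParser):
    """Collect the content attribute of every <meta> tag in a document."""

    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        for name, value in attrs:
            if name.lower() == "content" and value:
                self.contents.append(value.strip())


def extract_fingerprints(html):
    """Return the set of 128-hex meta values in a page, normalised to lower case."""
    parser = MetaCollector()
    parser.feed(html)
    return {v.lower() for v in parser.contents if HASH_RE.match(v)}


def cluster_by_fingerprint(pages):
    """Map each fingerprint to the sorted list of URLs whose HTML carries it."""
    clusters = defaultdict(set)
    for url, html in pages.items():
        for fp in extract_fingerprints(html):
            clusters[fp].add(url)
    return {fp: sorted(urls) for fp, urls in clusters.items()}


def pivot(pages, known_bad_url):
    """Given one confirmed phishing URL, return every other URL sharing a fingerprint with it."""
    seeds = extract_fingerprints(pages[known_bad_url])
    clusters = cluster_by_fingerprint(pages)
    related = set()
    for fp in seeds:
        related.update(clusters.get(fp, []))
    related.discard(known_bad_url)
    return sorted(related)


# Constructed fingerprints: real SHA-512 digests of throwaway strings, so they have the right shape.
SHARED_HASH = hashlib.sha512(b"constructed example fingerprint").hexdigest()
OTHER_HASH = hashlib.sha512(b"unrelated site").hexdigest()


def page(title, fingerprint=None, attr="name"):
    """Build a minimal constructed HTML page, optionally embedding a meta fingerprint."""
    meta = f'<meta {attr}="kit-id" content="{fingerprint}">' if fingerprint else ""
    return f'<html><head><title>{title}</title>{meta}</head><body><form action="/submit"></form></body></html>'


# Constructed corpus: three lookalike pages share one hash (one in upper case, one under a
# different attribute name), one unrelated site carries its own hash, one carries none.
SAMPLE_PAGES = {
    "https://plata-ghiseul.example/login": page("Plata online", SHARED_HASH),
    "https://dpd-redelivery.example/track": page("Redelivery", SHARED_HASH.upper(), attr="property"),
    "https://politia-rutiera.example/fine": page("Amenda", SHARED_HASH),
    "https://shop.example/": page("Shop", OTHER_HASH),
    "https://news.example/": page("News"),
}


def main():
    for fp, urls in sorted(cluster_by_fingerprint(SAMPLE_PAGES).items()):
        print(f"{fp[:16]}... -> {len(urls)} URL(s)")
    print("pivot from plata-ghiseul:", pivot(SAMPLE_PAGES, "https://plata-ghiseul.example/login"))


if __name__ == "__main__":
    main()
```

Running it over a real crawl means replacing SAMPLE_PAGES with fetched bodies keyed by URL; the clustering logic does not change. Normalising case before grouping matters, since kit operators and CDNs do not always preserve it, and restricting the match to 128-hex values keeps ordinary meta tags (descriptions, viewport settings) out of the clusters.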