Hunt 3.0 is live. Pull the thread.
Most threat hunting tools stop at the lookup. You get a result, maybe a tag, and then you're on your own figuring out what connects to what.
We built v3 to fix that. Every indicator, whether it's an IP, a domain, or a hash, should open into the full picture automatically.
Here's what's new: https://t.co/vwdO3QT9QH
• 60+ API endpoints across C2, AttackCapture, Vulnerability Intel, SQL, and more
• Remote MCP server, connect Claude or other AI tools straight to Hunt data
• Cloudflare Buster turns one domain into a full infrastructure cluster
• Passive DNS History gives you a real timeline of DNS changes, not just a point-in-time snapshot
• Attack Reports turns exposed attacker directories into structured campaign reports, tied to specific IPs, IOCs, and CVEs
• Exploit Capture indexes 54,000+ AI-classified files staged in attacker open directories right now
• Provider Radar now includes Registrar intelligence, catching domain provisioning patterns before those domains go live in an attack
• Flattened data architecture so HuntSQL joins are finally possible, no workarounds
• And much more!
And the best part: you get 14 days free, no credit card needed. Open an account and start hunting today: https://t.co/E6aUhCpXD1
Inside C2 Frameworks: Servers, Clients, and Agents
What do you know about C2 frameworks?
In this entry from our glossary, we break down how command and control frameworks work and why they matter in modern attacks.
At a basic level, C2 gives attackers a way to manage compromised systems remotely.
The setup usually includes a server, a client, and an agent. That’s where commands, callbacks, automation, lateral movement, and data theft can come into play.
The hard part for defenders? C2 traffic often hides inside normal-looking web, DNS, or encrypted traffic.
Read the full article here: https://t.co/J1GIOXvmPZ
#ThreatHunting #ThreatIntelligence #CyberSecurity
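The post above notes that C2 callbacks hide inside normal-looking web traffic. One signal that survives the disguise is timing: an agent polls its server on a timer, so the gaps between requests from one client to one destination are far more regular than human browsing. The script below is an added example (not code from the original post or from Hunt.io) that groups proxy log lines by client/destination pair and flags pairs whose inter-request gaps are tightly clustered. The log format, hostnames and addresses are constructed for the example.

```python
"""Flag C2-style beaconing in proxy logs by callback timing.

Added example, not from the original post or from Hunt.io. The log format
("<ISO timestamp> <client ip> <destination host> <status>"), hosts and
addresses below are constructed for this example.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: one pair calls back every ~60 s, the other is human-like
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 10.0.0.5 cdn.example-files.net 200
2025-03-01T10:00:14Z 10.0.0.5 news.example.org 200
2025-03-01T10:01:00Z 10.0.0.5 cdn.example-files.net 200
2025-03-01T10:02:01Z 10.0.0.5 cdn.example-files.net 200
2025-03-01T10:02:30Z 10.0.0.5 news.example.org 200
2025-03-01T10:03:00Z 10.0.0.5 cdn.example-files.net 200
2025-03-01T10:03:59Z 10.0.0.5 cdn.example-files.net 200
2025-03-01T10:05:00Z 10.0.0.5 cdn.example-files.net 200
2025-03-01T10:07:45Z 10.0.0.5 news.example.org 200
2025-03-01T10:06:00Z 10.0.0.5 cdn.example-files.net 200
2025-03-01T10:08:02Z 10.0.0.5 news.example.org 200
2025-03-01T10:20:00Z 10.0.0.5 news.example.org 200
"""


def parse_log(text):
    """Group request timestamps by (client, destination) pair."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        sessions[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return sessions


def score_pairs(sessions, min_requests=5):
    """Per-pair timing stats; cv = stdev/mean of the gaps between requests.

    A low cv means the callbacks arrive on a near-fixed schedule."""
    scores = {}
    for pair, times in sessions.items():
        if len(times) < min_requests:
            continue  # too few requests to judge regularity
        times = sorted(times)  # log lines need not be in time order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        scores[pair] = {"count": len(times), "mean_gap": mean_gap, "cv": cv}
    return scores


def find_beacons(text, max_cv=0.1, min_requests=5):
    """List (client, destination) pairs whose callback gaps are tightly clustered.

    max_cv is the tolerated jitter; raise it for agents that randomise their sleep."""
    hits = []
    for (src, dst), s in score_pairs(parse_log(text), min_requests).items():
        if s["cv"] <= max_cv:
            hits.append({"src": src, "dst": dst, **s})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"mean gap {hit['mean_gap']:.1f}s, jitter cv={hit['cv']:.3f}")
```

On the constructed log this flags only the `cdn.example-files.net` pair (seven requests, 60 s mean gap, cv about 0.014), while the news site's irregular visits score a cv near 0.9 and are ignored. Real agents often add deliberate jitter, so `max_cv` and `min_requests` are tuning knobs rather than fixed thresholds, and the score is a hunting lead to enrich (destination reputation, certificate, ASN) rather than a verdict.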
Turning IOC Lists Into Investigation Paths
IOC Hunter is not just a list of indicators. The real value comes when you can actually investigate the data.
In the example shown in the images, we filtered IPs from the last 7 days and got 155 recent results from published intelligence. From there, the digging starts fast: malware, source, hosting company, created date, ASN, risk signals, open ports, and pivots.
One IP tied to ValleyRAT quickly leads into CTG Server Limited, Singapore hosting, recent ports, and 22 available pivots.
That is the difference between collecting IOCs and actually investigating them.
Turn fresh IOCs into deeper infrastructure context: https://t.co/7yE3U9d4bD
#ThreatHunting #ThreatIntelligence #CyberSecurity
UNC3753 Hits US Law Firms With Vishing and Office Intrusions
https://t.co/TNu2ITlFjO
Silent Ransom Group (aka UNC3753) is targeting US law firms and other professional services with a mix of vishing, IT impersonation, and remote access tools.
In some cases, the tactics got even bolder: attackers allegedly showed up at offices pretending to be IT staff.
Once inside, the group can move fast. Some incidents went from compromise to data theft and ransom demands.
#ThreatIntelligence #SilentRansomGroup #Vishing #CyberSecurity
NEW RESEARCH: Mapping Iranian APT Infrastructure During Geopolitical Escalation
https://t.co/yUCp8JkvBP
Tensions between the U.S., Israel, and Iran have escalated in recent weeks. When geopolitical conflicts reach this level, cyber operations rarely lag behind.
In this research, we mapped infrastructure clusters tied to several Iranian-aligned threat actors using ASN patterns, certificate reuse, hosting providers, and exposed tooling discovered through https://t.co/aojFWxKETZ
Key findings:
- MuddyWater open directory artifact → additional infrastructure via hash pivoting
- Repeated ASN usage continues to expose Iranian infrastructure clusters
- Open directories still reveal attacker tooling and staging artifacts
- TLS SAN pivoting exposed backend C2 servers hidden behind Cloudflare
- Infrastructure signals often appear weeks before active intrusion campaigns
The investigation uncovered several previously unreported hosts, domains, and servers linked to Iranian-aligned operations.
Read the full analysis here: https://t.co/yUCp8JkvBP
#Iran #Israel #Cyberwarfare #ThreatIntelligence #War
How We Identified 17,000+ Vulnerable OpenClaw Instances
https://t.co/Nkzwby8E8I
After CVE-2026-25253 surfaced, we set out to measure real-world exposure.
Our analysts identified 17,000+ internet-facing OpenClaw, Clawdbot, and Moltbot instances vulnerable to unauthenticated API token extraction via /api/export-auth. Many were running on standard web ports behind reverse proxies, making simple port filtering ineffective. We validated multiple fingerprinting methods to detect them at scale.
The takeaway is very clear: direct internet exposure can turn a tool into an attack vector.
#ThreatHunting #VulnerabilityResearch #AttackSurface
Structured hunts are good.
Custom techniques are better.
But seeing live C2 infrastructure in real time changes the game.
#ThreatHunting #ThreatIntel #CyberSecurity
Hunt 2.8 is out
This new version is focused on faster pivots, clearer infrastructure context, and cleaner threat signals across IOC Hunter, C2 listings, IP search, and Reputation & Risk.
Highlights:
โข Negative filters for C2 & AttackCapture
โข Provider Tags in IP search, reverse DNS, and C2 listings
โข Unified, shareable IOC Hunter posts
โข Malware families visible in IOC lists
โข Registrar + domain creation date in bulk enrich
Full breakdown:
https://t.co/4JbBsOZ1F0
The Threat Hunter’s Query Playbook: Written by hunters, built for hunters.
https://t.co/Xl3kL1Mmnf
Threat hunting isn’t about static indicators anymore. It’s about finding the unseen connections, the C2 panels hiding in cloud providers, reused certificates across botnets, or phishing kits cloned on new IPs.
The new Threat Hunter’s Query Playbook gives you 100 real HuntSQL™ queries that uncover live attacker infrastructure across malware, open directories, phishing, and TLS data.
Each query is field-proven, adaptable, and ready to run inside Hunt. Copy, tweak, and pivot until the pattern clicks. That’s where the real intel starts to surface.
No fluff. Just data, queries, and speed.
Download the playbook ⬇️
#ThreatHunting #CyberSecurity #ThreatHuntingEbook
Volvo Hit by Ransomware With Employee SSNs Stolen
https://t.co/7ds38oalPy
Volvo is recovering from a cyberattack that compromised a third-party HR vendor.
The breach exposed employees’ personal data, including Social Security numbers, and disrupted operations.
The company confirms that while “a portion” of data was stolen, identity theft risk for employees is being addressed.
#Ransomware #DataBreach #CyberSecurity #ThreatIntel
When you need more than flat enrichment, HuntSQL lets you interrogate threat data directly.
https://t.co/Pum59r3EK9
#SQLSearch #CyberSecurity #ThreatHunting
ColdRiver Malware Campaign Joins “BO (BackdoorOps)” Group in Stealth Attack
https://t.co/9PoTxKKlUc
A new campaign, tracked by IBM X-Force, uses a malware called ColdRiver in conjunction with BackdoorOps tactics.
The initial access vector is spear-phishing email that delivers a loader, which in turn installs ColdRiver as a backdoor.
ColdRiver supports process injection, DLL side-loading, file operations, screenshot capture, and C2 communication using Cloudfront for cover. Once installed, it can issue commands, move laterally, and persist via scheduled tasks or registry entries.
Targeted sectors include healthcare, defense, and education across the Asia Pacific region.
#ColdRiver #Malware #ThreatIntel #CyberSecurity
From a single suspicious IP to a full attacker map, in minutes, not days
https://t.co/E43jsUxrXF
When you're chasing fragments of malicious infrastructure, enrichment alone isn’t enough.
See how ⬇️
#ThreatIntelligence #CyberSecurity #API
Researchers Expose SVG & PureRAT Phishing Campaigns Targeting Ukraine
https://t.co/jRpy3LPEL0
FortiGuard Labs uncovered a phishing operation that embeds malicious code into SVG files, tricking users into downloading ZIPs containing .chm files.
These lead to the deployment of CountLoader, which then installs Amatera Stealer and #PureRAT. Attack emails pose as notices from the Ukrainian police.
#Phishing #SVGExploit #ThreatIntel #CyberSecurity
Stop chasing single IOCs. Start mapping full attacker infrastructure.
https://t.co/Xl3kL1Mmnf
Our new ebook The Threat Hunter’s Query Playbook gives you 100 proven HuntSQL™ queries to track malware, C2s, phishing, certs, and more.
Instead of writing SQL from scratch, you can copy, adapt, and pivot on proven queries to surface attacker infrastructure in minutes.
Start hunting smarter today.
Download the playbook ⬇️
#ThreatHunting #CyberSecurity #ThreatHuntingEbook
MalTerminal: First AI-Powered Malware Using GPT-4 to Generate Ransomware & Reverse Shells
https://t.co/zIeUvOTpBD
Researchers from SentinelLABS exposed MalTerminal, malware that queries the GPT-4 API at runtime to generate either ransomware or a reverse shell based on user selection.
Static detection fails because the malicious logic isn’t embedded in the binary but generated dynamically over the network.
This trend follows academic projects like PromptLock, but MalTerminal is active in the wild.
#AIsecurity #Malware #ThreatIntel #CyberSecurity
New Research: Phishing against the U.S. energy sector is scaling fast.
Our team tracked more than 1,465 detections in 2025, with Chevron, ConocoPhillips, PBF Energy, and Phillips 66 all targeted.
Chevron stood out with 158 look-alike domains, many cloned using HTTrack and dressed up with investor portals, HYIP scam templates, and recycled favicons to appear legitimate.
We also saw:
• Shared infrastructure across HostPapa, OVH, Namecheap, Amazon
• Exposed /investors/ directories with copied financial content
• Cloned login and register paths designed to harvest credentials
• Pivoting on artifacts (favicon hashes, HTTrack comments) revealed clusters of related domains
This activity shows how attackers blend simple cloning tools with persistent infrastructure to scale phishing campaigns against trusted U.S. energy brands.
Full report + IOCs: https://t.co/ZCtLzKX8DF
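The post above pivots on two artifacts that survive a site clone: the HTML comment HTTrack writes into every mirrored page (`<!-- Mirrored from <origin> by HTTrack Website Copier/... -->`) and the favicon, which clones usually copy byte-for-byte. The script below is an added example (not code from the original post or from Hunt.io's tooling) that extracts both from crawled pages and unions domains sharing either artifact into clusters. Domains, page bodies and favicon bytes are constructed, and the favicon hash used here (SHA-256 of the file bytes) is a stand-in for whatever favicon-hash convention a given scanner uses.

```python
"""Cluster cloned phishing pages by the artifacts the cloning tool leaves behind.

Added example, not from the original post or from Hunt.io's tooling. Domains,
page bodies and favicon bytes are constructed; SHA-256 stands in for the
scanner-specific favicon hash.
"""
import hashlib
import re

# HTTrack's mirror banner: "<!-- Mirrored from <origin> by HTTrack Website Copier/<ver> ... -->"
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(\S+)\s+by HTTrack Website Copier/([\w.]+)",
    re.IGNORECASE,
)

# Constructed favicons (real ones are ICO/PNG bytes; only equality matters here)
FAV_A = b"\x00\x00\x01\x00favicon-of-energy-brand"
FAV_B = b"\x00\x00\x01\x00favicon-of-refinery-brand"
FAV_C = b"\x00\x00\x01\x00favicon-of-gadget-shop"


def httrack_page(origin):
    """Constructed index page carrying an HTTrack mirror comment."""
    return (f"<!-- Mirrored from {origin} by HTTrack Website Copier/3.x "
            "[XR&CO'2014], Tue, 04 Mar 2025 09:12:33 GMT -->\n"
            "<html><body><form action=/login>...</form></body></html>")


# Constructed crawl results: domain -> (index page HTML, favicon bytes)
SAMPLE_SITES = {
    "energy-investor-portal.example": (httrack_page("www.example-energy.com/investors/"), FAV_A),
    "energy-login-secure.example": (httrack_page("www.example-energy.com/investors/"), FAV_A),
    "energy-account-verify.example": ("<html><body>Sign in</body></html>", FAV_A),
    "refinery-invest.example": (httrack_page("www.example-refinery.com/"), FAV_B),
    "gadget-shop.example": ("<html><body>Welcome</body></html>", FAV_C),
}


def extract_httrack_origin(html):
    """Return (mirrored origin, HTTrack version) from the banner, or None."""
    m = HTTRACK_RE.search(html)
    return (m.group(1), m.group(2)) if m else None


def favicon_hash(data):
    return hashlib.sha256(data).hexdigest()[:16]


def artifact_index(sites):
    """Map each pivotable artifact to the sorted list of domains carrying it."""
    index = {}
    for domain, (html, favicon) in sites.items():
        keys = [f"favicon:{favicon_hash(favicon)}"]
        origin = extract_httrack_origin(html)
        if origin:
            keys.append(f"httrack:{origin[0]}")
        for key in keys:
            index.setdefault(key, []).append(domain)
    return {k: sorted(v) for k, v in index.items()}


def cluster_sites(sites):
    """Union-find over domains: any shared artifact joins two domains; returns sorted clusters."""
    parent = {d: d for d in sites}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in artifact_index(sites).values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])
    groups = {}
    for d in sites:
        groups.setdefault(find(d), []).append(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for key, domains in artifact_index(SAMPLE_SITES).items():
        if len(domains) > 1:
            print(f"{key}: shared by {', '.join(domains)}")
    for cluster in cluster_sites(SAMPLE_SITES):
        print("cluster:", cluster)
```

Note the transitive pivot: `energy-account-verify.example` carries no HTTrack comment, yet it lands in the same cluster as the two mirrored pages because it serves the same favicon. Favicons are also shared by legitimate sites that reuse a CMS default, so a favicon-only link is a weaker edge than a matching HTTrack origin and deserves a second artifact before it is treated as the same campaign.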
SOC Threat Hunting: Turning Insight into Impact
https://t.co/LsaGq7oP57
SOC threat hunting steps in where traditional defense falls short. Analysts start with a signal, a new vulnerability, an anomaly, or threat intel, and craft a hypothesis.
With EDR and other investigative tools, they dig into system behavior to distinguish suspicious activity from normal operations.
Once a threat is confirmed, findings are communicated to response teams, defenses are fortified, and key insights feed back into the hunting process.
Explore how SOC threat hunting delivers meaningful security outcomes ⬇️
#CyberSecurity #SOCTeam #ThreatHunting #ThreatIntelligence
Here's how we connected the dots to expose malicious operations.
https://t.co/NYtag1HgzJ
Our research uncovered a stealthy Cobalt Strike delivery method via PowerShell loader scripts hosted in open directories across Chinese and Russian infrastructure. A script named y1.ps1 used reflective DLL injection and API hashing to run shellcode entirely in memory, avoiding disk detection.
It called back to a Baidu Cloud Function endpoint before linking to a Cobalt Strike beacon hosted in Russia, identified through SSL metadata showing “Major Cobalt Strike” and issuer “cobaltstrike.”
While the core infrastructure ran on Chinese and Russian platforms, additional staging nodes were found in the US, Singapore, and Hong Kong.
#CyberSecurity #ThreatHunting #MalwareAnalysis #SecurityResearch
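The beacon server above was identified through its certificate metadata: a subject of “Major Cobalt Strike” and an issuer of “cobaltstrike”, the identity a team server presents when the operator never installs a real certificate. The script below is an added example (not code from the original post or from Hunt.io's tooling) that triages certificate records for those strings together with a self-signed check, so a renamed CN still scores when the organisation field was left at its default. The records are constructed, in the shape a scanner export might use; the field names and DN layout are assumptions.

```python
"""Triage TLS certificate records for Cobalt Strike's default self-signed identity.

Added example, not from the original post or from Hunt.io's own tooling.
Records are constructed (RFC 5737 documentation addresses); subject/issuer are
'CN=...,O=...' style DN strings, which is an assumed export format.
"""

# Indicator strings taken from the post; compared case-insensitively
DEFAULT_CN = "major cobalt strike"
DEFAULT_O = "cobaltstrike"

# Constructed certificate records
SAMPLE_CERTS = [
    {"host": "203.0.113.10", "port": 443,
     "subject": "CN=Major Cobalt Strike,O=cobaltstrike",
     "issuer": "CN=Major Cobalt Strike,O=cobaltstrike"},
    {"host": "198.51.100.7", "port": 443,
     "subject": "CN=cdn.example-files.net,O=Example CDN Inc,C=US",
     "issuer": "CN=Example Intermediate CA,O=Example Trust,C=US"},
    {"host": "192.0.2.44", "port": 8443,
     "subject": "CN=updates.example-telemetry.net,O=cobaltstrike",
     "issuer": "CN=updates.example-telemetry.net,O=cobaltstrike"},
    {"host": "192.0.2.99", "port": 443,
     "subject": "CN=localhost",
     "issuer": "CN=localhost"},
]


def parse_dn(dn):
    """Split a 'CN=x,O=y' style DN into a dict (naive: escaped commas not handled)."""
    attrs = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def score_cert(rec):
    """Return (score, reasons): one point per matching signal."""
    subject, issuer = parse_dn(rec["subject"]), parse_dn(rec["issuer"])
    reasons = []
    if subject.get("CN", "").lower() == DEFAULT_CN:
        reasons.append("default Cobalt Strike subject CN")
    if DEFAULT_O in (subject.get("O", "").lower(), issuer.get("O", "").lower()):
        reasons.append("'cobaltstrike' organisation in subject or issuer")
    if subject == issuer:  # self-signed: weak on its own, strong with the others
        reasons.append("self-signed")
    return len(reasons), reasons


def triage(records, min_score=2):
    """Hosts scoring at least min_score, strongest first."""
    hits = []
    for rec in records:
        score, reasons = score_cert(rec)
        if score >= min_score:
            hits.append({"host": rec["host"], "port": rec["port"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_CERTS):
        print(f"{hit['host']}:{hit['port']} score={hit['score']} {hit['reasons']}")
```

With the default `min_score` of 2 the untouched default certificate scores 3 and the renamed-CN variant scores 2, while the generic self-signed `localhost` certificate (score 1) stays below the bar; a bare self-signed certificate is far too common to act on alone. Operators who replace the whole certificate leave none of these strings, which is why the post pairs this check with hosting and callback pivots.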
Your intel is only as good as your ability to search it.
https://t.co/hH738P6LLy
Hunt’s SQL Search API gives security teams flexible, powerful querying over live threat intelligence data. Use SQL-like syntax to search IPs, domains, malware families, SSL certs, open dirs, JARM fingerprints, ASNs, and more.
Write precise queries, pivot fast, and uncover hidden links, like a threat hunter with a data warehouse. ⬇️
#SQLSearch #CyberSecurity #ThreatHunting