Hunt.io

1.2K posts


@Huntio

https://t.co/9I6nRUiFjm is a service that provides threat intelligence data about observed network scanning and cyber attacks.

United States · Joined June 2023
926 Following · 5.3K Followers
Pinned Tweet
Hunt.io @Huntio ·
🚨 🇮🇷 NEW RESEARCH: Mapping Iranian APT Infrastructure During Geopolitical Escalation hunt.io/blog/iranian-a…
Tensions between the U.S., Israel, and Iran have escalated in recent weeks. When geopolitical conflicts reach this level, cyber operations rarely lag behind. In this research, we mapped infrastructure clusters tied to several Iranian-aligned threat actors using ASN patterns, certificate reuse, hosting providers, and exposed tooling discovered through Hunt.io
Key findings:
- MuddyWater open directory artifact → additional infrastructure via hash pivoting
- Repeated ASN usage continues to expose Iranian infrastructure clusters
- Open directories still reveal attacker tooling and staging artifacts
- TLS SAN pivoting exposed backend C2 servers hidden behind Cloudflare
- Infrastructure signals often appear weeks before active intrusion campaigns
The investigation uncovered several previously unreported hosts, domains, and servers linked to Iranian-aligned operations.
🔎 Read the full analysis here: hunt.io/blog/iranian-a… #Iran #Israel #Cyberwarfare #ThreatIntelligence #War
English
1
26
116
9K
Hunt.io @Huntio ·
🚨 China-linked Red Menshen APT Targets Telecom Networks with BPFDoor securityaffairs.com/190029/malware… A new campaign linked to Red Menshen APT is targeting telecom networks using stealthy BPFDoor implants to maintain long-term, hidden access. The malware runs at the kernel level and activates only via crafted packets, leaving almost no trace. Once inside, attackers move laterally, harvest credentials, and monitor sensitive communications. New variants blend into normal traffic and infrastructure, making detection even harder across critical telecom environments. #CyberSecurity #ThreatIntelligence #InfoSec
English
0
7
27
1.5K
Hunt.io @Huntio ·
🚩New PXA Campaign Targets Financial Institutions via Phishing ZIPs cybersecuritynews.com/hackers-use-ph… A new phishing campaign is targeting financial firms with PXA Stealer, using ZIP downloads and decoy files like resumes, invoices, and installers. PXA Stealer's usage rose 8–10% in early 2026 as older infostealers faded. The malware steals browser credentials and crypto wallets, exfiltrating data via Telegram while blending in with legitimate Windows processes. Persistence via registry changes keeps access long-term, making detection harder across large organizations. #CyberSecurity #ThreatIntelligence #Phishing
English
0
6
14
1.1K
Hunt.io @Huntio ·
📌 Operation Roundish: How We Uncovered An APT28 Roundcube Toolkit hunt.io/blog/operation… Earlier this month, we published a blog post on Operation Roundish, showing how APT28 continues to exploit Roundcube against Ukrainian government targets. The toolkit enables credential theft, mailbox exfiltration, persistent forwarding, and 2FA abuse. It also introduces newer elements like a CSS side-channel and browser credential theft. Not entirely new, but still highly relevant as this tradecraft keeps evolving. #ThreatHunting #ThreatIntelligence #CyberSecurity
English
0
8
32
2K
Hunt.io @Huntio ·
⚠️ NGINX MP4 Module Flaw Enables DoS and Potential Code Execution gbhackers.com/f5-nginx-plus-… A high-severity flaw (CVE-2026-32647) in NGINX’s MP4 module allows attackers to trigger DoS or potentially achieve code execution using crafted video files. The issue stems from an out-of-bounds read and affects systems where the mp4 module is explicitly enabled. Exploitation can crash worker processes and disrupt traffic. Fixes are available in recent NGINX releases. If you can’t patch right away, consider disabling the mp4 directive or limiting who can upload media files. #CyberSecurity #NGINX #ThreatIntelligence
English
1
4
11
1.1K
Hunt.io @Huntio ·
🚨NEW RESEARCH: 33K Exposed LiteLLM Instances, Two C2 Frameworks, One Trojanized PyPI Package
On March 24, #TeamPCP trojanized #LiteLLM on PyPI. We're talking about a package with 97 million monthly downloads that acts as a centralized proxy for LLM API keys. One pip install hands over cloud creds, SSH keys, K8s tokens, and database passwords in a single pass.
This is what we found:
- 33,688 internet-facing LiteLLM deployments found at scan time
- Credential harvesting across 15+ categories: AWS keys, crypto wallets, CI/CD secrets, TLS keys, and more
- K8s escalation from a single pod to privileged containers on every node
- Dual C2 running AdaptixC2 and Havoc simultaneously for redundancy
- Certificate pivoting via certificate reuse uncovered a third server tied to the exfil domain
Full teardown with IOCs and HuntSQL queries 👇 hunt.io/blog/33k-expos…
English
0
12
39
2.9K
Hunt.io @Huntio ·
🚨 Google Forms Used in New PureHVNC Campaign Targeting LinkedIn Professionals securityonline.info/google-forms-p… A new campaign is abusing Google Forms to deliver PureHVNC malware, targeting professionals via LinkedIn. Victims are lured with fake job or business documents, then pushed to download ZIP files containing disguised executables. Once opened, attackers gain full remote access and steal data from browsers, apps, and crypto wallets. The technique isn’t new; the delivery is. Treat Google Forms with the same caution as email links, especially when downloads are involved. #CyberSecurity #Malware #InfoSec
English
0
1
9
812
Hunt.io @Huntio ·
🚀 From Raw Research to Investigation-Ready IOCs Most threat investigations start messy: scattered reports, raw IOCs, and too much time validating data. IOC Hunter cuts through that. You get validated, enriched IOCs from 175+ trusted sources, ready to use. Pivot across IPs, domains, and infrastructure in seconds, without breaking your flow. One IOC can quickly turn into real context and a clearer view of the threat behind it. Book a demo now and give it a try 👉 hunt.io/get-started #ThreatHunting #ThreatIntelligence #CyberSecurity
English
0
1
11
1.4K
Hunt.io @Huntio ·
⚠️ Magento Stores Exposed As PolyShell Exploitation Scales bleepingcomputer.com/news/security/… PolyShell attacks are spreading fast across Magento. Just days after disclosure, over 56% of vulnerable stores were already targeted. The flaw sits in the REST API and enables RCE or account takeover via file uploads. Some attacks now deploy a WebRTC-based skimmer to exfiltrate card data, bypassing CSP and traditional controls. A fix exists in beta, but production patches are still pending, leaving many stores exposed. #Magento #CyberSecurity #ThreatIntelligence
English
0
1
5
528
Hunt.io @Huntio ·
🚀 From Threat Actor to Infrastructure in Seconds Using our platform, analysts can explore 600+ threat actors and pivot across IOCs, IPs, and domains in a few clicks. Drill into ASN data, hosting, services, and risk signals while maintaining full context. Instead of rebuilding context at every step, you can move across related infrastructure and indicators without breaking the investigation thread. This makes it easier to validate alerts, expand scope, and understand what’s actually connected. Want to see it in action? Book a demo now 👉 hunt.io/get-started #ThreatHunting #ThreatIntelligence #CyberSecurity
English
0
8
21
1.9K
Hunt.io @Huntio ·
💡 The PEAK Threat Hunting Framework: Full Guide and Examples hunt.io/glossary/peak-… Threat hunting works best when it’s structured. The PEAK framework (Prepare, Execute, Act with Knowledge) gives teams a clear way to run consistent, repeatable hunts instead of one-off investigations. But execution is where it often breaks, and that’s where Hunt fits in. We help analysts pivot from IOCs into full infrastructure, correlate data fast, and keep investigations moving without losing context or switching tools. #ThreatHunting #ThreatIntelligence #CyberSecurity
English
0
18
105
4.6K
Hunt.io @Huntio ·
🚩 LiteLLM Python Library With 3M Daily Downloads Compromised on PyPI cybersecuritynews.com/litellm-packag… LiteLLM on PyPI has been compromised in versions 1.82.7–1.82.8, impacting a library with ~95M monthly downloads (~3M daily). Attackers injected a backdoor that runs on import and even at interpreter startup via a .pth file. The payload steals credentials, targets cloud and Kubernetes environments, and establishes persistence. This new attack has been identified as part of a broader TeamPCP campaign. The group has compromised GitHub Actions, Docker Hub, npm, and OpenVSX in the last few weeks. Organizations should audit their systems and dependency chains immediately, as LiteLLM may have been introduced indirectly through nested dependencies. #CyberSecurity #LiteLLM #TeamPCP
English
0
3
10
1.1K
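As an added defender-side audit (not Hunt.io's code, and not from the post), this Python script lists the lines in site-packages .pth files that the interpreter executes at every startup, which is the hook the post describes, and flags the LiteLLM versions the post names as compromised. The sample site-packages directory and .pth contents it scans are constructed.

```python
# Added example: audit .pth startup hooks and check for the LiteLLM versions
# named as compromised. Sample directory and .pth files below are constructed.
import os
import re
import site
import tempfile
from pathlib import Path

# LiteLLM versions the post reports as compromised.
AFFECTED_LITELLM = {"1.82.7", "1.82.8"}

# CPython's site.py exec()s any .pth line that begins with "import " or
# "import\t"; every other line is treated as a path entry. That is the hook
# a backdoor uses to run at interpreter startup, before any user code.
EXEC_LINE = re.compile(r"^import[ \t]")


def scan_pth_dir(site_dir):
    """Return (file, lineno, line) for every executable line in every .pth file."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for n, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            if EXEC_LINE.match(line):
                hits.append((pth.name, n, line.strip()))
    return hits


def is_affected_litellm(version):
    """True if an installed LiteLLM version is one the post names as compromised."""
    return version.strip() in AFFECTED_LITELLM


def demo():
    """Scan a constructed site-packages directory with one benign and one hooked .pth."""
    with tempfile.TemporaryDirectory() as d:
        # Benign .pth: plain path entry only (constructed).
        Path(d, "easy-install.pth").write_text("./somepkg-1.0-py3.egg\n")
        # Startup hook (constructed and harmless): executed on every interpreter start.
        Path(d, "_pkg_init.pth").write_text("import os; os.environ.setdefault('X', '1')\n")
        return scan_pth_dir(d)


if __name__ == "__main__":
    for f, n, line in demo():
        print(f"[constructed] {f}:{n}: {line}")
    # Real scan: some legitimate packages ship import lines too, so review each hit.
    for sp in site.getsitepackages() + [site.getusersitepackages()]:
        if os.path.isdir(sp):
            for f, n, line in scan_pth_dir(sp):
                print(f"{os.path.join(sp, f)}:{n}: {line}")
```

Legitimate tooling also installs .pth import hooks, so each hit needs review rather than automatic deletion; the value is in a short, reviewable list of everything that runs before your code does.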
Hunt.io retweeted
ܛܔܔܔܛܔܛܔܛ @skocherhan ·
Massive #phishing cluster behind 47[.]91[.]170[.]222 AS45102 Alibaba US Technology Co., Ltd 🇭🇰 2000+ domains registered in the last 24h @AlibabaGroup @500mk500 @ValidinLLC @CriminalIP_US @Huntio @FBICyberDiv @abuse_ch @spamhaus @SpamhausTech @CISACyber @NCSC @UK_Daniel_Card @Phish_Destroy
MalwareHunterTeam @malwrhunterteam

Possible interesting fake @TMobile "Security Patch" download site: https://tmobile-support[.]com/ At least 2 footer versions of the site were seen in the past days: one said "No Malware", another said "Support Only". 😂 🤷‍♂️

English
0
6
17
3.5K
Hunt.io @Huntio ·
🚨 ODNI Warns of Escalating Cyber Threats to US Critical Infrastructure industrialcyber.co/reports/odni-r… A new ODNI report warns that U.S. critical infrastructure faces growing cyber threats from China, Russia, Iran, and North Korea. The actors are actively targeting government and private networks, combining espionage, disruption, and influence. China remains the most persistent threat, while Russia and Iran continue offensive operations. North Korea blends cybercrime and espionage to fund its regime. Ransomware groups and hacktivists are also intensifying attacks, increasing pressure on infrastructure and global systems. #ThreatIntelligence #CyberSecurity #InfoSec
English
1
5
17
1.3K
Hunt.io @Huntio ·
We found an open directory on Proton66 that a TheGentlemen ransomware affiliate forgot to close 🕵️ We pivoted on TheGentlemen ransomware IOCs and landed on an open directory on Proton66 with 126 files inside. Full pre-encryption toolkit. Mimikatz logs with victim NTLM hashes. Two plaintext ngrok tokens. All sitting unauthenticated on a Russian bulletproof host. No custom malware. No zero-days. Just dual-use and off-the-shelf offensive tools in the right sequence, which is exactly why this is hard to catch. Full breakdown, IOCs, and detection guidance: hunt.io/blog/thegentle… #ThreatHunting #Ransomware #ThreatIntelligence #DFIR #BlueTeam #TheGentlemen
English
2
25
114
10.6K
Hunt.io @Huntio ·
⚠️ Attackers Disguise Infostealer As Copyright Infringement Notices darkreading.com/cyberattacks-d… A new campaign is targeting sectors like healthcare and government, delivering the PureLog infostealer through fake copyright infringement notices. Victims download what appears to be a PDF, triggering a multi-stage, fileless infection chain. Using Python and .NET loaders, AMSI bypass, and anti-VM checks, PureLog runs entirely in memory. Once active, it steals credentials, crypto wallets, and system data, marking a shift towards more targeted and evasive phishing. #ThreatIntelligence #Phishing #CyberSecurity
English
1
10
29
1.7K
Hunt.io @Huntio ·
⚠️ CISA Warns of DarkSword Exploit Chain Targeting Apple Devices cyberpress.org/apple-flaws-da… CISA has issued a warning of three Apple zero-days actively exploited in the DarkSword chain. The attack starts via malicious web content, requires minimal interaction, and escalates from code execution to kernel access and persistence, leading to near full device takeover. It affects iOS, macOS, and other Apple platforms. Since it’s already being exploited in the wild, delaying updates leaves devices exposed. Apply patches ASAP. #ThreatIntelligence #CyberSecurity #Apple
English
0
2
3
664
Hunt.io @Huntio ·
🚩 Trivy Supply Chain Attack Escalates: Infostealer, Worm, and Kubernetes Wiper thehackernews.com/2026/03/trivy-… The Trivy supply chain attack keeps expanding. Malicious Docker images (0.69.4–0.69.6) delivered a TeamPCP infostealer, later fueling a worm (CanisterWorm) and even a Kubernetes wiper. A compromised service account enabled repo defacement and wider access across environments. This isn’t just a single breach; it’s a chained attack moving from CI/CD to clusters. If you used affected versions, assume compromise and investigate immediately. #ThreatIntelligence #CyberSecurity #Infosec
English
0
6
17
1.4K
Hunt.io @Huntio ·
🚨 Perseus Android Malware Enables Full Device Takeover and Steals Banking Data cybersecuritynews.com/perseus-androi… A new Android trojan, Perseus, is targeting banking users across Europe and beyond. Built from Cerberus and Phoenix code, it combines credential theft, keylogging, and full device control via Accessibility Services. It spreads through fake IPTV apps, bypassing Play Store protections. A standout feature is its ability to silently read note apps, exposing passwords and crypto data. Researchers link it to active campaigns hitting 50+ institutions and multiple crypto platforms. #CyberSecurity #Android #Malware
English
0
4
8
939