Hunt.io
@Huntio
1.4K posts

https://t.co/9I6nRUiFjm is a service that provides threat intelligence data about observed network scanning and cyber attacks.

United States · Joined June 2023
933 Following · 5.8K Followers

Hunt.io @Huntio
🕵️‍♂️ Which Threat Actors Are Targeting Your Industry Right Now? Do you know which threat actors are targeting your industry right now? We do. With Hunt, you can filter our Threat Actor Listing by industry targets, then jump from a category like Government, Finance, or IT into actor-level context. Each actor profile includes aliases, country attribution, recent IOCs, IPs, hosts, SHA256s, posts, and source-backed activity. Start broad by industry, select an actor, and move straight into investigation. Discover which threat actors are active in your industry 👉 hunt.io/get-started #ThreatHunting #ThreatIntelligence #CyberSecurity

Hunt.io @Huntio
⚠️ IRGC-Linked Nimbus Manticore Deploys MiniFast Malware Against Strategic Sectors industrialcyber.co/ransomware/irg… Nimbus Manticore, an IRGC-linked threat actor, is now targeting defense, aerospace, telecom, aviation, and software orgs across the U.S., Europe, and the Middle East. The campaign uses fake career lures, trojanized Zoom installers, AppDomain hijacking, SEO poisoning, and a new backdoor called MiniFast. The malware shows signs of AI-assisted development, which may have helped the group adapt faster during current wartime conditions. #ThreatIntelligence #NimbusManticore #CyberSecurity #InfoSec

Hunt.io reposted
Autumn Good @autumn_good_35
Attacks by this actor will probably use similar tools again, so this looks useful for hunting and the like. CVE-2025-32975: The Open Directory Behind the KACE SMA Breach and 60+ Downstream Victims hunt.io/blog/cve-2025-…

Hunt.io reposted
Cyber_OSINT @Cyber_O51NT
Hunt.io found that one provider, Saudi Telecom Company, hosted about 72% of Middle East C2 activity across 1,350+ servers from 98 providers, showing concentrated malicious infrastructure amid widespread campaigns. securityaffairs.com/192518/hacking…

Hunt.io @Huntio
🚩 Lazarus Deploys Memory-Only RAT Against Financial and Crypto Firms thehackernews.com/2026/05/lazaru… Lazarus is using a cross-platform malware called RemotePE against financial and crypto organizations. The chain starts with DPAPILoader, moves through RemotePELoader, then delivers RemotePE, a RAT that runs entirely in memory, which means fewer filesystem artifacts and a smaller forensic footprint. The campaign also uses social engineering, fake scheduling domains, C2 polling, EDR evasion, and file deletion routines seen in other Lazarus-linked malware. #ThreatIntelligence #Lazarus #Crypto #CyberSecurity

Hunt.io @Huntio
🚨 New Ghostwriter Campaign Targets Ukrainian Government securityaffairs.com/192538/apt/gho… Ghostwriter is back with a phishing campaign aimed at Ukrainian government organizations. The lure is Prometheus, a real Ukrainian learning platform used by government employees, which makes the malicious emails feel more believable. The chain involves compromised accounts, PDF attachments, and a ZIP file with JavaScript malware. Once running, the malware profiles the victim’s system, reports back to a C2 server, and is believed to deploy Cobalt Strike. #ThreatIntelligence #Ghostwriter #CobaltStrike #CyberSecurity

Hunt.io @Huntio
🚩 Drupal PostgreSQL Sites Face Active Exploit Attempts securityweek.com/drupal-vulnera… The new vulnerability CVE-2026-9082 was disclosed by Drupal on May 20, and, as expected, is already being targeted. The bug affects Drupal sites using PostgreSQL and can allow unauthenticated SQL injection, with possible information theft, privilege escalation, or RCE in some cases. If you run Drupal with PostgreSQL, patch your site ASAP. #ThreatIntelligence #Drupal #PostgreSQL #CyberSecurity #InfoSec

Hunt.io reposted
Kim Zetter @KimZetter
Don't often see this kind of analysis of Middle East infrastructure: Over 3 months this year, 1,350 hacker command-and-control servers found being hosted across 98 regional providers. Saudi Telecom Company hosts 981, or 72.4%, of them. hunt.io/blog/middle-ea…

Hunt.io @Huntio
IOC Hunter turns trusted public research into validated, enriched indicators you can actually use to start hunting, pivot faster, and avoid dead ends. Try IOC Hunter and kick start your next investigation 👉 hunt.io/get-started #ThreatIntelligence #ThreatHunting

Hunt.io @Huntio
📌 Worth Another Read: The Single Mistake That Exposed xlabs_v1 Our xlabs_v1 research, published in late April, shows how one exposed staging server unraveled a DDoS-for-hire IoT botnet. AttackCapture™ found an open directory with the operator’s toolkit: ELF binaries, payloads, proxy creds, and a debug build that made the operation much easier to map. The botnet targeted game servers and Minecraft hosts, used 21 flood variants, and relied on exposed ADB on TCP/5555 for infection. One mistake led to a whole operation being exposed. Read the full article in our blog 👉 hunt.io/blog/xlabs-v1-… #ThreatHunting #ThreatIntelligence #CyberSecurity

Hunt.io @Huntio
⚠️ KongTuke Moves From ClickFix to Microsoft Teams securityonline.info/kongtuke-micro… The KongTuke threat group is moving beyond web-only ClickFix lures and into Microsoft Teams. This financially motivated IAB is now using external Teams chats to pose as a help desk or IT support staff. The hook is still simple: convince the user to paste and run a PowerShell command. The full chain can reach persistence in under five minutes, ending with ModeloRAT deployment. #ThreatIntelligence #KongTuke #MicrosoftTeams #Malware #CyberSecurity

Hunt.io @Huntio
🚨 Banana RAT Targets Brazilian Banking Customers hackread.com/banana-rat-mal… A new malware named "Banana RAT" is targeting banking customers in Brazil through fake invoices and phishing links shared over WhatsApp. Victims are pushed to download a fake NF-e file, which triggers fileless execution and gives attackers live access to the device. From there, the malware can stream the screen, log keys, freeze input, show fake “security update” overlays, and even swap Pix QR codes so payments go to the attackers. #Malware #CyberSecurity #InfoSec

Hunt.io @Huntio
🇷🇺 What Are the Top ISPs Hosting Malware in Russia? During our latest investigation into malicious infrastructure in Russia, hosting patterns started to stand out fast once we mapped malware families against C2 servers. At the provider level, a gap quickly appeared. Yandex[.]Cloud LLC showed 11 malware families but 587 C2 servers, while JSC TIMEWEB followed with 10 families and 102 C2 servers. Similar malware family counts, very different C2 volume. This gap shows where activity is concentrated, not just where variety exists. Provider-level visibility can turn a long list of C2s into something analysts can actually work with. Book a free demo and start mapping attacker infrastructure by ISP and country 👉 hunt.io/get-started #ThreatHunting #ThreatIntelligence #CyberSecurity

Hunt.io @Huntio
🔍 Attackers Often Leave Behind More Than an IP or Domain What attackers leave behind matters. AttackCapture™ helps analysts investigate exposed directories and the files sitting inside them: malware, scripts, credentials, logs, exploit tools, and more. You can search across archived code and text, review MITRE ATT&CK® techniques, inspect sandboxed files, and connect artifacts that would usually stay buried. This is more than just indicator tracking: it’s a closer look at how attacker infrastructure actually works. Turn exposed attacker files into your next investigation lead 👉 hunt.io/get-started #ThreatIntelligence #ThreatHunting #CyberSecurity

Hunt.io @Huntio
🇸🇦 🇮🇷 New Middle East malicious infrastructure report: 1,350+ C2 Servers Mapped Across 98 Providers

Over a three-month window, we mapped more than 1,350 active C2 servers operating across 98 infrastructure providers in 14 Middle Eastern countries, covering telecoms, shared hosting, and VPS environments. 👉 Read the full report: hunt.io/blog/middle-ea…

Here's what the data shows:
→ A single telecom carrier accounts for nearly 72% of all detected regional C2 activity, most of it tied to compromised customer endpoints rather than provider-level abuse
→ C2 infrastructure makes up over 96% of all observed malicious artifacts in the region
→ Tactical RMM leads the malware family breakdown with 92 unique C2 IPs, followed by Keitaro TDS (71) and Acunetix (38)
→ The malware mix covers a wide range of attack types - IoT botnets (Mozi, Hajime, Mirai), remote access tools (AsyncRAT, Sliver, Cobalt Strike), active scanning (Acunetix), and phishing infrastructure (Gophish, Keitaro TDS)
→ Campaigns in the dataset include Eagle Werewolf espionage operations, the DYNOWIPER destructive campaign targeting Poland's energy sector, and RondoDox botnet exploitation infrastructure on Iranian hosting

The main takeaway is that malicious infrastructure in the region is not evenly spread. A small set of providers keeps showing up across unrelated campaigns and malware families, which is where the tracking value is. Provider-level visibility is what lets defenders get ahead of that pattern, rather than reacting to individual indicators that rotate daily. Full breakdown, including infrastructure observables, HuntSQL queries, and campaign examples, is in the report 👇 hunt.io/blog/middle-ea…

Hunt.io @Huntio
⚠️ Grafana Breach Linked to Recent TanStack npm Attack bleepingcomputer.com/news/security/… Last week’s Grafana breach has been linked to the recent TanStack npm supply-chain attack attributed to TeamPCP. After compromised TanStack packages hit its CI/CD workflow, Grafana rotated tokens during incident response. One was missed, giving attackers access to the company’s private repositories. Grafana says source code and some operational business info were downloaded, but no customer production systems or data were compromised. The company also says its codebase was not modified. #DataBreach #Grafana #TeamPCP #TanStack