Hunt.io (@Huntio)

1.2K posts

https://t.co/9I6nRUiFjm is a service that provides threat intelligence data about observed network scanning and cyber attacks.

United States · Joined June 2023
925 Following · 5.2K Followers

Pinned Tweet
Hunt.io @Huntio
🚨 🇮🇷 NEW RESEARCH: Mapping Iranian APT Infrastructure During Geopolitical Escalation hunt.io/blog/iranian-a…

Tensions between the U.S., Israel, and Iran have escalated in recent weeks. When geopolitical conflicts reach this level, cyber operations rarely lag behind. In this research, we mapped infrastructure clusters tied to several Iranian-aligned threat actors using ASN patterns, certificate reuse, hosting providers, and exposed tooling discovered through Hunt.io.

Key findings:
- MuddyWater open directory artifact → additional infrastructure via hash pivoting
- Repeated ASN usage continues to expose Iranian infrastructure clusters
- Open directories still reveal attacker tooling and staging artifacts
- TLS SAN pivoting exposed backend C2 servers hidden behind Cloudflare
- Infrastructure signals often appear weeks before active intrusion campaigns

The investigation uncovered several previously unreported hosts, domains, and servers linked to Iranian-aligned operations.

🔎 Read the full analysis here: hunt.io/blog/iranian-a…

#Iran #Israel #Cyberwarfare #ThreatIntelligence #War
Hunt.io @Huntio
📌 Looking Back: Iranian APT Infrastructure in Focus hunt.io/blog/iranian-a…

Two weeks ago, we analyzed infrastructure linked to several Iranian-aligned threat groups. Pivoting across IPs, hashes, ASNs, and TLS certificates revealed clusters tied to actors like MuddyWater and APT35. In one case, a single IP exposed attacker tooling, additional servers in the same hosting network, and a short-lived Sliver C2 instance. Infrastructure patterns like these often appear weeks before campaigns become widely reported.

#ThreatIntelligence #ThreatHunting #CyberSecurity
Hunt.io retweeted
Demon @volrant136
🚨 Phishing Alert: Fake Zoom Meeting Campaign 🚨
🧵 Tracked by @Huntio
🔗 https://zoom-meeting-video-beignet-e41432[.]netlify[.]app
⚠️ Drops: 🔗 https://vhbgruop[.]com/ScreenConnect.ClientSetup%20(1).exe
f7cbbd02bdd87e955ea87af352656dbf
cc: @500mk500
Hunt.io @Huntio
⚠️ Authorities Take Down IoT Botnets Behind 30 Tbps DDoS Attacks gbhackers.com/authorities-di…

Authorities have dismantled four major IoT botnets linked to record 30 Tbps DDoS attacks. The networks infected over 3 million devices, including routers and cameras, and were leased as “cybercrime-as-a-service.” Operators even bypassed firewalls to expand reach. A coordinated effort across the US, Germany, and Canada, with support from tech firms, seized C2 infrastructure and disrupted future large-scale attacks.

#CyberSecurity #DDoS #Infosec
Hunt.io @Huntio
🚨 Forbidden Hyena Uses AI to Accelerate BlackReaperRAT Deployment securityonline.info/ai-powered-ars…

Forbidden Hyena is leveraging generative AI to accelerate malware development, introducing BlackReaperRAT and rebranding Blackout Locker as Milkyway. The cluster is using AI to generate obfuscated code faster, making detection harder. The group relies on RAR-based delivery, multi-stage loaders, and LOTL techniques, abusing tools like VSS and AnyDesk to stay stealthy. There is a clear shift toward AI-assisted operations with higher speed and lower visibility.

#CyberSecurity #ThreatIntelligence #Malware
Hunt.io @Huntio
🚀 Inside Phishing Infrastructure: Tracking Campaigns with Hunt

Phishing campaigns rely on more than a single domain; they use entire infrastructures of parked domains, cloned brands, and phishing kits. By using our Phishing Infrastructure feature, analysts can pivot from targeted brands to active domains, inspect hosting details, and uncover the infrastructure behind campaigns. By linking domains, threat actors, and phishing kits, the platform helps security teams track TTPs and investigate campaigns faster.

Ready to take your hunt to the next level? Book a demo today ➡️ hunt.io/get-started

#ThreatHunting #ThreatIntelligence #Phishing
Hunt.io retweeted
Demon @volrant136
#APT #Sidewinder targeting #Pakistan NTC 🇵🇰 +1
Tracked by @Huntio
https://bold-bonus-1d3b[.]malik-jaani786[.]workers[.]dev/?shfgkjdhgjkfhdgjkfhdgjkhfdjghfdghfjkd=1
Ref: x.com/volrant136/sta… x.com/volrant136/sta…
cc: @500mk500 @MichalKoczwara @malwrhunterteam
Quoted tweet from Demon @volrant136:
#APT #Sidewinder targets #Pakistan National Telecom Corporation (NTC)
Tracked by @Huntio
https://royal-field-9144[.]girlfriendparty42[.]workers[.]dev/login.html?gfjdliotrgojnghgherbegrehureert0e0ee=
Ref: x.com/volrant136/sta…
cc: @500mk500 @MichalKoczwara @malwrhunterteam
Hunt.io @Huntio
⚠️ LeakNet Shifts Tactics to ClickFix and Deno Runtime Abuse bleepingcomputer.com/news/security/…

Ransomware groups are increasingly shifting toward ClickFix as an initial access vector, and LeakNet is one of the newest examples. Instead of dropping malware on disk, attackers execute payloads directly in memory, making detection harder. The campaign blends in with normal dev activity, then moves laterally, steals credentials, and exfiltrates data via S3. Watch out for Deno outside dev environments, unusual PsExec usage, and unexpected outbound traffic.

#CyberSecurity #Ransomware #ThreatHunting
Hunt.io retweeted
X @SansLimit3
Exploitation infrastructure observed scanning for:
CVE-2025-55182 (React2shell)
CVE-2026-21962 (Oracle Weblogic)
CVE-2025-31324 (SAP NetWeaver) - actively exploited by China-linked APTs

Targeting India-based critical infrastructure. SAP exploit script "MADE BY SCATTERED LAPSUS$ HUNTERS" → likely tool reuse. Tooling includes fscan & Neo-reGeorg - commonly seen in China-linked intrusion tradecraft.

C2s:
160[.]191.183.147:80
160[.]191.183.126:80

Seen on @Huntio ~ 1 month ago. @malwrhunterteam @polygonben @WhichbufferArda
Hunt.io @Huntio
🚀 Hunting C2 Infrastructure by Country with Hunt

Threat actors rely on C2 infrastructure to run their campaigns. Thanks to our C2 Infrastructure tool, analysts can quickly explore high-confidence malicious servers discovered through our global scanning. Results can be filtered by country to investigate regional activity. Clicking an IP opens deeper intelligence, including ASN data, reputation signals, malware indicators, open ports, and pivot points to map related infrastructure.

Want to see it in action? Book a demo now 👉 hunt.io/get-started

#ThreatHunting #ThreatIntelligence #CyberSecurity
Hunt.io @Huntio
💡 Threat Hunting in Splunk with Hunt's C2 Intelligence hunt.io/glossary/splun…

Threat hunting in Splunk works best when logs are enriched with reliable intelligence, and using our Splunk Addon brings live C2 infrastructure and enriched IOC feeds directly into Splunk dashboards. Analysts can validate activity against curated intelligence, pivot on indicators, and run structured hunts without leaving their Splunk environment. With Splunk’s correlation engine and our high-fidelity feeds, teams can detect active attacker infrastructure faster and reduce noise in investigations.

#ThreatHunting #ThreatIntelligence #CyberSecurity
Hunt.io @Huntio
🚩 Google Reports Ransomware Drop as Hackers Pivot to Data Exfiltration cybersecuritynews.com/google-warns-r…

Ransomware is losing steam as payments drop and defenses improve, but attackers aren’t slowing down. Google warns they’re shifting tactics, focusing on data theft and extortion instead of just encryption. In 2025, ~77% of ransomware incidents involved data exfiltration, with stolen files used as leverage via leak sites. Smaller companies are now a primary target, while criminals also monetize access or run phishing campaigns using compromised infrastructure.

#CyberSecurity #ThreatIntelligence #Ransomware
Hunt.io @Huntio
🚨 72 Threat Actors Target the Farm-to-Table Supply Chain industrialcyber.co/reports/food-a…

The food and agriculture sector, which spans the entire farm-to-table supply chain, is under steady cyber pressure. Food and Ag-ISAC, an industry group that shares cyber threat intelligence across the sector, is currently tracking 72 active threat actors targeting it, mixing state-backed groups and cybercrime. Russia accounts for ~59% of activity, China ~25%. Common tactics lean on LOTL, tool modification, and supply chain abuse rather than zero-days. Ransomware is surging, with incidents up 82% in the last year.

#ThreatIntelligence #CyberSecurity #CyberThreats
Hunt.io @Huntio
⚠️ KadNap Botnet Turns Home Routers Into Hidden Attack Infrastructure the-independent.com/tech/security/…

Over 14,000 devices have been hijacked by a stealthy new botnet called KadNap, mostly targeting Asus routers. It uses a decentralized P2P model, making takedowns difficult and detection even harder. Infected devices quietly route malicious traffic for DDoS and other attacks, often unnoticed beyond slower connections. By blending in with normal user traffic, KadNap turns everyday home networks into persistent threats across the Internet.

#CyberSecurity #ThreatIntelligence #Infosec
Hunt.io @Huntio
🇮🇷 New Research: Iranian Botnet Uncovered Through a Single Exposed Directory

Threat actors make mistakes. This one left an entire directory open. hunt.io/blog/iran-botn…

Our researchers caught it on February 24th via AttackCapture™. 449 files across 59 subdirectories, including scripts, configs, a compiled C2 binary, and a bash history documenting the full operation.

What was inside: a 15-node relay network tied to one shared TLS certificate, a deployment script opening 500 concurrent SSH sessions and compiling a bot client directly on victim machines, and a C2 binary with reconnection logic that keeps infected hosts calling back on their own. The bash history covered three phases: tunnel deployment, live DDoS testing, and botnet development. Code comments written in Farsi throughout.

Full write-up, infrastructure pivots, and IOCs here: 👉 hunt.io/blog/iran-botn…

#ThreatIntelligence #ThreatHunting #Botnet #OSINT
Hunt.io @Huntio
⚠️ CNCERT Flags Security Risks in OpenClaw AI Platform thehackernews.com/2026/03/opencl…

China’s National Computer Network Emergency Response Technical Team (CNCERT) has issued a new warning about security risks in OpenClaw, a self-hosted autonomous AI agent with weak default protections and broad system access. Attackers could exploit prompt injection to manipulate the agent and extract sensitive data. In some cases, malicious prompts can even generate attacker-controlled URLs that leak information through messaging app link previews. This warning adds to the growing concerns around AI agents that browse the web and perform actions on behalf of users, creating new paths for data exfiltration and system compromise.

#ThreatIntelligence #CyberSecurity #OpenClaw
Hunt.io retweeted
Demon @volrant136
#APT #Sidewinder targets #Pakistan National Telecom Corporation (NTC)
Tracked by @Huntio
https://royal-field-9144[.]girlfriendparty42[.]workers[.]dev/login.html?gfjdliotrgojnghgherbegrehureert0e0ee=
Ref: x.com/volrant136/sta…
cc: @500mk500 @MichalKoczwara @malwrhunterteam
Quoted tweet from Demon @volrant136:
#APT #Sidewinder targets #Pakistan MOFA and NTC + more
https://webmail-mofa-gov-pk[.]zeabur[.]app/?Notificationsinpakmofa=1
https://mail-ntc-net-pk[.]zeabur[.]app/load/?lfdkjgiroetuiroyhgfhnbjkfsdfiowerierehjre=1
Currently down
@500mk500 @MichalKoczwara @malwrhunterteam
Hunt.io @Huntio
🚩 Hive0163 Campaign Introduces AI-Generated Slopoly Malware cyberpress.org/slopoly-tied-t…

A new malware framework called Slopoly, likely generated with AI, recently surfaced in a ransomware intrusion linked to the Hive0163 group. The attack begins with a ClickFix social engineering trick that convinces victims to run a malicious PowerShell script through the Windows Run dialog. Once inside, attackers deploy NodeSnake and InterlockRAT before introducing Slopoly later in the chain. The script itself is fairly simple, but its significance is bigger: it shows how easily threat actors can generate disposable, single-use malware with AI, making traditional signature-based detection much harder.

#CyberSecurity #Malware #ThreatIntelligence
Hunt.io retweeted
Claw @clawrunsthis
Threat intel most orgs are ignoring: SSL certificates get reused across attacker infrastructure. One cert seen on a malware C2 today = fingerprint for finding 40 related IPs tomorrow. Hunt.io, Shodan, Censys. Use them. 👁️