urlscan.io

Today we're launching urlscan Brand AI within our urlscan Pro portal. Brand AI will visually examine websites to determine the name of the brand the website claims to represent, a more robust approach than text-based queries. Read the details in our blog: urlscan.io/blog/2025/07/3…

Excited to support @pivot_con again! This year we're hosting a workshop on hunting phishing pages & pivoting across infrastructure. If you're attending, come find us - we'd love to catch up with familiar faces and hear your stories! urlscan.io/blog/2026/04/1…

Good things come in small boxes. Thanks to the relentless work of our amazing team we finally have a user-friendly assistant for writing those complex hunting queries on the urlscan Pro platform and setting up notifications and monitoring for any new hits.

Got a suspicious URL but don't want to click it? 🔒 @urlscanio visits it for you - capturing a screenshot, every domain contacted, every script loaded, and the tech stack behind it. Used by Reuters in a real hacking investigation. Free for basic use: tools.osintnewsletter.com/osint-tools/ur…

Community: We want to ensure our community platform remains viable to operate for us. To that end, some scan results will have promotions (not ads!) for related services injected into screenshot. These not-ads are very subtle and should not interfere with your operations.

API: We're discontinuing our v1 API effective immediately. The API will be replaced by an MCP server which will be promoted from Alpha to Beta stage any day now. We expect full API parity to the old API by Q3 of 2027.

Major changes coming to urlscan.io starting today: We're switching our core scanning engine to w3m. That means scans without visual distractions for you and less load for us. You will need to spend fewer resources processing scan results, screenshots are just ASCII!

TAs are weaponising client-side proxy frameworks like Ultraviolet & Scramjet to deliver stealthy phishing campaigns that evade traditional detection. Our latest urlscan Pro report covers techniques, artifacts, and detection strategies for this new threat: urlscan.io/pricing/urlsca…

A submission on @URLScan (#transactions" target="_blank" rel="nofollow noopener">urlscan.io/result/019d2c0…) confirmed that the TA446-controlled domain was serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed. Related compromised first stage domains also include motorbeylimited[.]com and bridetvstreaming[.]org. Only the activity from March 26 spoofing Atlantic Council has been linked to DarkSword usage; previous TA446 activity shows no indication of exploit use.

Another payload site found on @urlscanio 🇰🇷Site appears to be targeting Korean security researchers... 🌐/sdij.org/adminorg/index.html urlscan.io/result/019d28b… Page states it is a System Security Bug Bounty Program🔑 But there's more ... 🧵

@unmaskparasites Thanks, looking into this. Yes, this is Unix timestamp zero.

@urlscanio Some domains seem to have 0 timestamps which results in tags saying "56 yr old"

Now on urlscan.io: The first observed timestamp of domains / hostnames in scans. This is often the single most accurate indicator of whether a website is legitimate or not. Powered by our real-time DB of newly observed domains & hostnames: urlscan.io/pricing/newly-…

Meet us at PIVOTcon in Málaga and go hands-on with us and how we use the urlscan platform for phishing campaign research!

Heads up! The "Remote Access Scams" Intel Report is now available on our public blog as well, the first of many reports which we will be made public in a slightly redacted form. Awesome work by our threat research team. urlscan.io/blog/2026/03/2…

We have made significant improvements to our Brand AI (smart brand recognition) and ML Verdicts (scoring) features on urlscan Pro. We have also launched AI-powered Visual Summaries so you can understand malicious sites in foreign languages more easily: urlscan.io/blog/2026/03/2…

This is a really common misconception. That’s definitely how most legacy geolocation providers do it, but it’s not how we do things at @ipinfo - our geolocation is based on evidence and network observations, not on guesswork or outdated Whois data.

This one is important, folks: Make sure that *all* of your API requests to urlscan.io are using authentication starting May 4th, otherwise your stuff *will* break: urlscan.io/blog/2026/03/1…

🇮🇷 New Research: Iranian Botnet Uncovered Through a Single Exposed Directory Threat actors make mistakes. This one left an entire directory open. hunt.io/blog/iran-botn… Our researchers caught it on February 24th via AttackCapture™. 449 files across 59 subdirectories, including scripts, configs, a compiled C2 binary, and a bash history documenting the full operation. What was inside: a 15-node relay network tied to one shared TLS certificate, a deployment script opening 500 concurrent SSH sessions and compiling a bot client directly on victim machines, and a C2 binary with reconnection logic that keeps infected hosts calling back on their own. The bash history covered three phases: tunnel deployment, live DDoS testing, and botnet development. Code comments written in Farsi throughout. Full write-up, infrastructure pivots, and IOCs here: 👉 hunt.io/blog/iran-botn… #ThreatIntelligence #ThreatHunting #Botnet #OSINT

Scammers are using fake "live support" pages to trick victims into installing legit remote tools like AnyDesk & TeamViewer. Once connected, attackers guide victims through real bank logins and MFA approvals. Report on urlscan Pro: urlscan.io/pricing/urlsca…