urlscan.io

2K posts

urlscan.io banner
urlscan.io

urlscan.io

@urlscanio

A sandbox for websites - Find malicious websites and phishing - https://t.co/LfPJPBGXFV - https://t.co/XjI4zJaBBp - #threatintel #cybercrime #infosec #web #phishing

The Cloud Katılım Ekim 2016
136 Takip Edilen14.3K Takipçiler
Sabitlenmiş Tweet
urlscan.io
urlscan.io@urlscanio·
Today we're launching urlscan Brand AI within our urlscan Pro portal. Brand AI will visually examine websites to determine the name of the brand the website claims to represent, a more robust approach than text-based queries. Read the details in our blog: urlscan.io/blog/2025/07/3…
urlscan.io tweet media
English
0
25
90
11.2K
urlscan.io retweetledi
Hunt.io
Hunt.io@Huntio·
🇨🇳 🤖 𝗦𝘂𝘀𝗽𝗲𝗰𝘁𝗲𝗱 𝗖𝗵𝗶𝗻𝗲𝘀𝗲 𝗼𝗽𝗲𝗿𝗮𝘁𝗼𝗿𝘀 𝘄𝗶𝗿𝗲𝗱 𝗖𝗹𝗮𝘂𝗱𝗲 𝗖𝗼𝗱𝗲 𝗮𝗻𝗱 𝗗𝗲𝗲𝗽𝗦𝗲𝗲𝗸 𝗶𝗻𝘁𝗼 𝗮 𝗹𝗶𝘃𝗲 𝗴𝗼𝘃𝗲𝗿𝗻𝗺𝗲𝗻𝘁 𝗶𝗻𝘁𝗿𝘂𝘀𝗶𝗼𝗻 𝗰𝗮𝗺𝗽𝗮𝗶𝗴𝗻 In June 2026, a pivot off known TencShell C2 infrastructure covered by Cato Networks, led our research team to an open directory exposing an active intrusion. Inside were victim source code, custom exploits, operator logs, and cloned login pages, with the attack notes written in Simplified Chinese. The part that caught our attention was the tooling. Claude Code and DeepSeek-v4-pro were running as working parts of the operation, not sitting off to the side. What we found: → Claude Code handled execution and session persistence while DeepSeek-v4-pro drove the reasoning, a split documented across the recovered logs → Hands-on exploitation of government systems in Afghanistan, Thailand, and Taiwan, plus recon and staged phishing against U.S. government portals → A single HTTP header fingerprint pivoted out to 13 Hong Kong servers across four ASNs → Scanning of 5,890+ government hosts across 10 countries with a custom Python scoring script → A parallel run at financial services firms across Europe, Australia, and Asia → A likely second C2 framework, Gshell, with no prior public reporting we could find This lines up with Anthropic's November 2025 disclosure of a China-linked operation that leaned on Claude Code for large-scale intrusions. 👉 Read the full research and IOCs: hunt.io/blog/chinese-o…
GIF
English
0
11
15
1.3K
urlscan.io retweetledi
Hunt.io
Hunt.io@Huntio·
𝗛𝘂𝗻𝘁 𝟯.𝟬 𝗶𝘀 𝗹𝗶𝘃𝗲. 𝗣𝘂𝗹𝗹 𝘁𝗵𝗲 𝘁𝗵𝗿𝗲𝗮𝗱. 🚀 Most threat hunting tools stop at the lookup. You get a result, maybe a tag, and then you're on your own figuring out what connects to what. We built v3 to fix that. Every indicator, whether it's an IP, a domain, or a hash, should open into the full picture automatically. 👉 Here's what's new: hunt.io/blog/introduci… → 60+ API endpoints across C2, AttackCapture, Vulnerability Intel, SQL, and more → Remote MCP server, connect Claude or other AI tools straight to Hunt data → Cloudflare Buster turns one domain into a full infrastructure cluster → Passive DNS History gives you a real timeline of DNS changes, not just a point-in-time snapshot → Attack Reports turns exposed attacker directories into structured campaign reports, tied to specific IPs, IOCs, and CVEs → Exploit Capture indexes 54,000+ AI-classified files staged in attacker open directories right now → Provider Radar now includes Registrar intelligence, catching domain provisioning patterns before those domains go live in an attack → Flattened data architecture so HuntSQL joins are finally possible, no workarounds → And much more! And the best part: you get 14 days free, no credit card needed. Open an account and start hunting today 👇 portal.hunt.io/sign-up
GIF
English
1
18
27
4.3K
urlscan.io
urlscan.io@urlscanio·
New TI report 🚨 Mouse System ("Phoenix" / "Haozi") is a full-feature phishing platform with admin panels, tokenised APIs, and modular campaign management. One of the more mature ecosystems we've tracked. Analysis + detections 👇 urlscan.io/pricing/urlsca…
urlscan.io tweet media
English
0
7
13
1.4K
urlscan.io
urlscan.io@urlscanio·
New report 🚨 CY-Kit leverages socket-based communication and structured config files to manage phishing workflows. A flexible framework built for scalable campaign execution. The report is available on our public blog: urlscan.io/blog/2026/06/2…
urlscan.io tweet media
English
0
5
20
2.2K
urlscan.io retweetledi
Hunt.io
Hunt.io@Huntio·
🇮🇷 𝗔𝗯𝗮𝗯𝗶𝗹 𝗼𝗳 𝗠𝗶𝗻𝗮𝗯 𝗘𝘅𝗽𝗼𝘀𝗲𝗱: 𝗟𝗔 𝗠𝗲𝘁𝗿𝗼 𝗦𝗖𝗔𝗗𝗔 𝗕𝗮𝗰𝗸𝘂𝗽𝘀 𝗮𝗻𝗱 𝗜𝘀𝗿𝗮𝗲𝗹𝗶 𝗩𝗶𝗰𝘁𝗶𝗺 𝗗𝗮𝘁𝗮 𝗟𝗲𝗳𝘁 𝗢𝗽𝗲𝗻 𝗼𝗻 𝗮𝗻 𝗜𝗿𝗮𝗻𝗶𝗮𝗻 𝗦𝘁𝗮𝗴𝗶𝗻𝗴 𝗦𝗲𝗿𝘃𝗲𝗿 A pro-Iranian group called Ababil of Minab claimed destructive intrusions against targets in the US, Israel, Saudi Arabia, and Turkey, including a breach LA Metro confirmed in April. A later public report described the campaign but held back the rest of the victims. We found the operator's staging server sitting wide open and read the list ourselves. What AttackCapture captured at 5.255.127[.]55:8020: → 2,238 files across 545 subdirectories, around 5 GB of exfiltrated data → Over 1 GB of LA Metro SQL Server backups covering transit ops, personnel records, SCADA configs, and yard management → Named victims the public report withheld: Ruppin Academic Center, bac(.)org(.)il, adabroker(.)com(.)tr, courier(.)co(.)il, Ifat Media Group → The custom Flask receiver, the operator's bash history, plaintext Chrome password dumps, VPN credentials, and switch configs → A 404 handler that quietly redirected to fbi(.)gov to look harmless The server stayed up for at least four weeks, into late May, after the public report dropped and after the group went quiet on Telegram. That mistake handed us the full picture. Full research here 👇: hunt.io/blog/ababil-of…
GIF
English
1
16
30
3.6K
urlscan.io
urlscan.io@urlscanio·
New TI report 🚨 Lighthouse ("Lao Wang") uses Vue-based frontends and session validation to gate phishing flows and evade detection. A strong example of controlled access phishing infrastructure. Details and detections on urlscan Pro urlscan.io/pricing/urlsca…
urlscan.io tweet media
English
0
8
11
1.2K
urlscan.io
urlscan.io@urlscanio·
New TI report 📷 Duoyu stands out for its backend-driven flows, tracking identifiers, and distinctive handling patterns. Misconfigurations also provide useful detection opportunities. Dive in 📷 urlscan.io/pricing/urlsca…
urlscan.io tweet media
English
0
5
13
1.2K
urlscan.io
urlscan.io@urlscanio·
Oriental Gudgeon ("CoGUI") is a structured phishing kit built on reusable components, storage artifacts, and API-driven workflows. Designed for scale and persistence across campaigns. Detection details inside 👇 Public reporting: urlscan.io/blog/2026/06/0… - More on urlscan Pro
English
0
8
9
1.3K
urlscan.io
urlscan.io@urlscanio·
New TI report 📷 Chenlun (“Outsider”) is a feature-rich phishing kit using modern web frameworks, verification flows, and anti-bot techniques. A step up in sophistication across Chinese Phishing-as-a-Service ecosystems. Full analysis + detections 📷 urlscan.io/pricing/urlsca…
urlscan.io tweet media
English
0
9
24
4.1K
urlscan.io retweetledi
Hunt.io
Hunt.io@Huntio·
🇸🇦 🇮🇷 𝗡𝗲𝘄 𝗠𝗶𝗱𝗱𝗹𝗲 𝗘𝗮𝘀𝘁 𝗺𝗮𝗹𝗶𝗰𝗶𝗼𝘂𝘀 𝗶𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝗿𝗲𝗽𝗼𝗿𝘁: 𝟭,𝟯𝟱𝟬+ 𝗖𝟮 𝗦𝗲𝗿𝘃𝗲𝗿𝘀 𝗠𝗮𝗽𝗽𝗲𝗱 𝗔𝗰𝗿𝗼𝘀𝘀 𝟵𝟴 𝗣𝗿𝗼𝘃𝗶𝗱𝗲𝗿𝘀 Over a three-month window, we mapped more than 1,350 active C2 servers operating across 98 infrastructure providers in 14 Middle Eastern countries, covering telecoms, shared hosting, and VPS environments. 👉 Read the full report: hunt.io/blog/middle-ea… Here's what the data shows: → A single telecom carrier accounts for nearly 72% of all detected regional C2 activity, most of it tied to compromised customer endpoints rather than provider-level abuse → C2 infrastructure makes up over 96% of all observed malicious artifacts in the region → Tactical RMM leads the malware family breakdown with 92 unique C2 IPs, followed by Keitaro TDS (71) and Acunetix (38) → The malware mix covers a wide range of attack types - IoT botnets (Mozi, Hajime, Mirai), remote access tools (AsyncRAT, Sliver, Cobalt Strike), active scanning (Acunetix), and phishing infrastructure (Gophish, Keitaro TDS) → Campaigns in the dataset include Eagle Werewolf espionage operations, the DYNOWIPER destructive campaign targeting Poland's energy sector, and RondoDox botnet exploitation infrastructure on Iranian hosting The main takeaway is that malicious infrastructure in the region is not evenly spread. A small set of providers keeps showing up across unrelated campaigns and malware families, which is where the tracking value is. Provider-level visibility is what lets defenders get ahead of that pattern, rather than reacting to individual indicators that rotate daily. Full breakdown, including infrastructure observables, HuntSQL queries, and campaign examples, is in the report 👇 hunt.io/blog/middle-ea…
Hunt.io tweet mediaHunt.io tweet mediaHunt.io tweet media
English
0
14
31
3.1K
urlscan.io retweetledi
Jake | JCyberSec_
Jake | JCyberSec_@JCyberSec_·
This is a much smaller Chinese phishing framework🇨🇳 🪙I bet you won't have heard of it before! 🌐What makes this notable is the targeting of Chinese companies by the framework🔎 🎯This is a Pro only report ✉️Reach out to sales@ if you are not on the pro platform!
urlscan.io@urlscanio

New TI report on urlscan Pro 📷 Flyfish is a lightweight phishing kit built around simple but effective API endpoints. Despite its simplicity, it’s actively used for large-scale victim interaction and data capture. Detection patterns included 📷 urlscan.io/pricing/urlsca…

English
0
2
4
1.2K
urlscan.io
urlscan.io@urlscanio·
New TI report on urlscan Pro 📷 Flyfish is a lightweight phishing kit built around simple but effective API endpoints. Despite its simplicity, it’s actively used for large-scale victim interaction and data capture. Detection patterns included 📷 urlscan.io/pricing/urlsca…
urlscan.io tweet media
English
0
9
28
3.7K
urlscan.io retweetledi
Hunt.io
Hunt.io@Huntio·
🚨 NEW RESEARCH: TeamPCP's C2 fallback needs no attacker infrastructure. @wiz_io covered the delivery and flagged some payload behavior (great job!). However, nobody went deeper into the full toolkit itself, the GovCloud targeting, or the infrastructure. We did. Full analysis, IOCs, HuntSQL queries, and MITRE mapping: hunt.io/blog/teampcp-p…
Hunt.io tweet media
English
1
18
40
3.2K
urlscan.io
urlscan.io@urlscanio·
Last week we hosted a hands-on workshop at @pivot_con in Málaga. Participants learned how to hunt and cluster web-based phishing activity using our urlscan Pro platform. If you did not manage to get in, just send us a message and we'll give you a private tour of the platform!
urlscan.io tweet media
English
0
1
11
419
urlscan.io
urlscan.io@urlscanio·
New report: Darcula (“Magic Cat”) is one of the most active phishing frameworks we’re tracking. From API-driven infra to socket-based comms and fake shop deployments, this kit continues to evolve rapidly. Breakdown, detections: urlscan.io/blog/2026/05/1… Full report on urlscan Pro
urlscan.io tweet media
English
0
21
41
4K
urlscan.io
urlscan.io@urlscanio·
New urlscan report 🚨 We’re kicking off our Chinese phishing series with a deep dive into the Sailor framework. A modular kit leveraging client-side storage for session tracking and victim management at scale. Detection included 👇 urlscan.io/blog/2026/05/0…
urlscan.io tweet media
English
0
9
17
2K
urlscan.io retweetledi
Hunt.io
Hunt.io@Huntio·
🚨 NEW RESEARCH: xlabs_v1 DDoS-for-Hire IoT Botnet Exposed - One Open Directory. An Entire Operation Revealed. hunt.io/blog/xlabs-v1-… The operator built a full commercial DDoS-for-hire operation. Tiered pricing, 21 flood variants, competitor-killing routines baked in. Then left the whole toolkit on a public server with no login. Hunt.io AttackCapture tool had it indexed before they noticed. Key findings: - Botnet branded xlabs_v1, operator handle Tadashi, targeting game servers and Minecraft hosts - 21 flood variants including RakNet and OpenVPN-shaped UDP to dodge common filters - TCP/5555 observed open on 4M+ hosts in the past 180 days, any running ADB is a potential target - ChaCha20 encryption broken via known-plaintext, full nonce reuse across all 16 calls - C2, staging, distribution, and Monero cryptojacking all inside one bulletproof /24 in the Netherlands 👉 Full IOCs, MITRE mapping, and HuntSQL queries: hunt.io/blog/xlabs-v1-…
Hunt.io tweet mediaHunt.io tweet mediaHunt.io tweet mediaHunt.io tweet media
English
1
13
47
11.8K
urlscan.io retweetledi