urlscan.io

2K posts

@urlscanio

A sandbox for websites - Find malicious websites and phishing - https://t.co/LfPJPBGXFV - https://t.co/XjI4zJaBBp - #threatintel #cybercrime #infosec #web #phishing

The Cloud · Joined October 2016
136 Following · 13.6K Followers
Pinned Tweet
urlscan.io @urlscanio ·
Today we're launching urlscan Brand AI within our urlscan Pro portal. Brand AI will visually examine websites to determine the name of the brand the website claims to represent, a more robust approach than text-based queries. Read the details in our blog: urlscan.io/blog/2025/07/3…
urlscan.io retweeted
Hunt.io @Huntio ·
🇮🇷 New Research: Iranian Botnet Uncovered Through a Single Exposed Directory Threat actors make mistakes. This one left an entire directory open. hunt.io/blog/iran-botn… Our researchers caught it on February 24th via AttackCapture™. 449 files across 59 subdirectories, including scripts, configs, a compiled C2 binary, and a bash history documenting the full operation. What was inside: a 15-node relay network tied to one shared TLS certificate, a deployment script opening 500 concurrent SSH sessions and compiling a bot client directly on victim machines, and a C2 binary with reconnection logic that keeps infected hosts calling back on their own. The bash history covered three phases: tunnel deployment, live DDoS testing, and botnet development. Code comments written in Farsi throughout. Full write-up, infrastructure pivots, and IOCs here: 👉 hunt.io/blog/iran-botn… #ThreatIntelligence #ThreatHunting #Botnet #OSINT
urlscan.io @urlscanio ·
Scammers are using fake "live support" pages to trick victims into installing legit remote tools like AnyDesk & TeamViewer. Once connected, attackers guide victims through real bank logins and MFA approvals. Report on urlscan Pro: urlscan.io/pricing/urlsca…
urlscan.io @urlscanio ·
We have launched two new features on the urlscan Pro platform. Due to their sensitivity we can't describe either of them in detail, but customers can check out the changelog on the urlscan Pro feature. One feature is called "Scan Compare" and the other feature is a new pivot.
urlscan.io @urlscanio ·
@iGotRootBlog I don't think I know a single dark mode page which looks pretty. We don't use it personally, but it was essentially "free" to implement. Also the dark mode template is a pre-built Bootstrap theme, so we didn't make the call on colors.
Mads @iGotRootBlog ·
@urlscanio The blue on dark black doesn’t look pretty though, looks muddish. But my eyes will still be thankful for dark mode 😁
urlscan.io @urlscanio ·
It took a while, but urlscan.io finally has dark mode now. This is a perfect example of a low-urgency feature that we were able to tackle now since it can be handed off to AI and is simple and low-stakes enough to do so.
urlscan.io retweeted
Hunt.io @Huntio ·
🚨 🇮🇷 NEW RESEARCH: Mapping Iranian APT Infrastructure During Geopolitical Escalation hunt.io/blog/iranian-a…
Tensions between the U.S., Israel, and Iran have escalated in recent weeks. When geopolitical conflicts reach this level, cyber operations rarely lag behind.
In this research, we mapped infrastructure clusters tied to several Iranian-aligned threat actors using ASN patterns, certificate reuse, hosting providers, and exposed tooling discovered through Hunt.io
Key findings:
- MuddyWater open directory artifact → additional infrastructure via hash pivoting
- Repeated ASN usage continues to expose Iranian infrastructure clusters
- Open directories still reveal attacker tooling and staging artifacts
- TLS SAN pivoting exposed backend C2 servers hidden behind Cloudflare
- Infrastructure signals often appear weeks before active intrusion campaigns
The investigation uncovered several previously unreported hosts, domains, and servers linked to Iranian-aligned operations.
🔎 Read the full analysis here: hunt.io/blog/iranian-a… #Iran #Israel #Cyberwarfare #ThreatIntelligence #War
urlscan.io @urlscanio ·
We have launched improved versions of our Brand AI and ML verdicts feature. The combination of these improvements means we can detect more malicious sites more quickly and our customers have powerful selectors to search for and filter on. Live on urlscan Pro.
urlscan.io retweeted
Hunt.io @Huntio ·
We recently updated the Hunt.io website and brand direction. Over time, the platform became more cohesive and more focused on infrastructure intelligence. OEM integrations became a larger part of how teams deploy Hunt.io. Investigations flow across certificates, fingerprints, hosting providers, and related infrastructure. The website and visual identity needed to reflect that.
The new site brings:
• A clearer infrastructure-first narrative
• Greater visibility into OEM integrations and APIs
• A darker, more deliberate visual direction
• A more unified presentation of the platform
This was less about redesigning a site and more about aligning the brand with what the platform has become.
👉 If you have not seen it yet: hunt.io
urlscan.io @urlscanio ·
The urlscan Threat Research Team uncovered phishing clusters abusing Supabase as a credential-harvesting backend.
* Bank phishing
* Google/Facebook creds
* Crypto targets
The new Intel Report has been published on the urlscan Pro platform: urlscan.io/pricing/urlsca…
urlscan.io @urlscanio ·
Here's an early version of urlscan.io from late 2016 just for kicks. The design hasn't changed that much, but we got a nicer logo and in the 9+ years since have added a ton of features and data.
urlscan.io @urlscanio ·
Missed it by a day, but urlscan.io was registered almost exactly ten years ago. Time flies when you're having fun. We want to say "Thank You" to our community users and loyal customer base, here's to another 10 years! 🥳
urlscan.io retweeted
Hunt.io @Huntio ·
🚨 CVE-2026-25253: Tracking 17,500 Exposed OpenClaw Instances on the Public Internet
Our research team recently analyzed internet-exposed browser automation frameworks affected by #CVE202625253, including #OpenClaw, #Clawdbot, and #Moltbot. What we found points to a broad and measurable exposure pattern.
Key observations from the analysis:
- More than 17,500 exposed instances vulnerable to CVE-2026-25253 were identified.
- The /api/export-auth endpoint allows unauthenticated access to stored API tokens.
- Clawdbot Control represents 68.9% of observed deployments, followed by Moltbot (22.3%) and OpenClaw (8.8%).
- Exposures span 52 countries, with the highest concentration in the United States and China.
- 98.6% of instances are hosted on cloud or hosting infrastructure, led by DigitalOcean, Alibaba Cloud, and Tencent.
The full write-up breaks down how these instances were identified at scale, including the infrastructure patterns we observed and the detection techniques used throughout the investigation.
👉 Read the full analysis here: hunt.io/blog/cve-2026-…
urlscan.io @urlscanio ·
Want to stay one step ahead? Get proactive with deep and dark web detection. Our latest Intel Report on the urlscan Pro platform shows how urlscan Pro users can build their own deep and dark web monitoring capability using urlscan.io.
urlscan.io retweeted
Hunt.io @Huntio ·
🚨 New Research: An exposed open directory on a live #BYOB C2 server revealed far more than it should have. That single misconfiguration exposed the entire infection chain, including droppers, stagers, payloads, persistence mechanisms, and supporting infrastructure, across #Windows, #Linux, and #macOS. Infrastructure reuse, dual-use XMRig nodes, and no reputation hits at discovery make this a clear case for infrastructure-first threat hunting. Full analysis here 👇 hunt.io/blog/exposed-b…
urlscan.io @urlscanio ·
We have added AI-powered translated summaries to the scan result pages on urlscan Pro so that you can quickly understand who a potentially malicious website in a foreign language claims to represent.
urlscan.io @urlscanio ·
Think urlscan is only useful for phishing? Think again. We break down how urlscan Pro can be leveraged to identify exposed malware C2 admin panels and support infrastructure hunting. New intel report published on urlscan Pro now.
urlscan.io retweeted
Hunt.io @Huntio ·
🔴Cobalt Strike Hunting, Part 3 is now live!
Part 3 of our #CobaltStrike hunting series just dropped. This chapter focuses on something that most teams struggle to automate: finding and mapping C2 infrastructure at scale without manually digging through thousands of IP addresses.
Inside Hunt.io, a single pivot from one suspicious IP can expand into 1,000+ related indicators in minutes. Long-running servers, certificate reuse, repeated header signatures, cross-platform activity - everything gets surfaced automatically.
In this new guide, we walk through:
• The global C2 Overview dashboard
• The C2 Listing view with 2.2k+ Cobalt Strike detections
• A Cobalt Strike server active for more than a year
• How certificate pivots + HuntSQL queries expand one hit into full C2 clusters
• Practical mitigation steps for defenders
If you work in threat hunting, DFIR, threat intel, or detection engineering, this one’s for you.
📄 Read Part 3 here: hunt.io/blog/guide-hun…
urlscan.io @urlscanio ·
Happy New Year 2026 from us at urlscan! We don't arrive empty-handed, there were two neat additions to urlscan Pro over the holidays: HTTP request details & filters and the ability to change the visibility of your own scans retroactively.