hunt.io is a service that provides threat intelligence data about observed network scanning and cyber attacks.

Joined June 2023
🚨 APT28 Turns EdgeRouters Into Attack Infrastructure cybersecuritynews.com/fancy-… Russia-linked APT28, also known as Fancy Bear, is shifting more of its operations onto compromised SOHO routers and edge devices. At the peak of the activity, more than 18,000 unique IPs across 120 countries were seen communicating with APT28-controlled servers. The group abused Ubiquiti EdgeRouters, targeted MikroTik and TP-Link routers, and routed malware traffic through trusted cloud services. Instead of using obvious C2 servers, Fancy Bear is hiding behind compromised routers and trusted cloud services. #ThreatIntelligence #FancyBear #APT28 #CyberSecurity
🚩 Iran-Linked Handala Targets US Water Utility securityaffairs.com/193565/u… The Iran-linked group Handala claims it breached Cal Water and leaked 5GB of data tied to around 2M customers. The reported entry point was an exposed RTKBase GPS tool used for field operations. That access allegedly led to billing data, plaintext credentials, and mapped district infrastructure. No OT disruption has been confirmed. #ThreatIntelligence #Handala #CyberSecurity
Jun 12
📌 Revisiting TeamPCP’s Python Toolkit and FIRESCALE Fallback Last month, we published our research on TeamPCP’s Python toolkit. Most early coverage focused on the poisoned npm and PyPI packages. Our report looked at what ran after delivery: a 13-file Python toolkit built for credential theft, fallback exfiltration, and resilient C2. It used a hardcoded primary C2, FIRESCALE as a GitHub dead-drop, and the victim’s own GitHub account as a final exfil path. Read the full article in our blog 👉 hunt.io/blog/teampcp-python-… #ThreatHunting #ThreatIntelligence #TeamPCP #CyberSecurity
Jun 12
⚠️ SPECTRALVIPER Returns in OceanLotus Campaigns Against Vietnam thehackernews.com/2026/06/oc… Vietnam-linked OceanLotus has been tied to two SPECTRALVIPER campaigns targeting domestic entities. One hit a Vietnamese infrastructure and transport construction firm, where access reportedly lasted until February 2026. The other abused FireAnt Metakit, a software platform used by stock investors in Vietnam, to serve malicious updates to a small set of users. OceanLotus appears to be leaning harder into domestic operations after years of mostly external targeting. #ThreatIntelligence #OceanLotus #SPECTRALVIPER #CyberSecurity
Jun 12
🚨 UNC3753 Hits US Law Firms With Vishing and Office Intrusions darkreading.com/cyberattacks… Silent Ransom Group (aka UNC3753) is targeting US law firms and other professional services with a mix of vishing, IT impersonation, and remote access tools. In some cases, the tactics got even bolder: attackers allegedly showed up at offices pretending to be IT staff. Once inside, the group can move fast. Some incidents went from compromise to data theft and ransom demands. #ThreatIntelligence #SilentRansomGroup #Vishing #CyberSecurity
Jun 11
🇮🇷 Comparing the Biggest Iran-Linked Threat Actor Footprints Iran-linked groups may share a country alignment, but their activity looks very different. In Hunt, the profiles shown here reveal very different IOC footprints across IPs, hosts, and SHA256 hashes. MuddyWater stands out with the largest IP and hash count, while APT35 shows the biggest host footprint by far. Tortoiseshell, APT42, and OilRig sit behind them with smaller but still active infrastructure and file indicators. Same country alignment, but very different groups, targets, and infrastructure patterns. That is why actor-level context matters. Go from actor name to real infrastructure context 👉 hunt.io/get-started #ThreatHunting #ThreatIntelligence #CyberSecurity
Jun 11
🔍 Detect and Break Down Phishing Infrastructure Phishing infrastructure changes fast. A page can go from active to parked or taken down before most teams ever look at it. Hunt’s Phishing Infrastructure Detection analyzes weaponized, not-yet-weaponized, and benign sites using analyst-written signatures. The goal is not just to label a page as phishing. It is to break it apart, track the infrastructure behind it, and measure pages over time to better understand the lifecycle of the attack. Start tracking phishing infrastructure before it disappears 👉 hunt.io/get-started #ThreatIntelligence #ThreatHunting #CyberSecurity
Jun 11
⚠️ ShinyHunters Targets Oracle PeopleSoft, Steals Data From 100 Orgs bleepingcomputer.com/news/se… ShinyHunters is targeting Oracle PeopleSoft servers in ongoing data theft attacks, claiming data from 300 instances across 100 organizations. The group is using a mix of old and zero-day flaws, with success depending on how each instance is configured. Exposed tooling also pointed to MeshCentral agents, credential spraying, SSH attempts against common PeopleSoft accounts, and ransom notes dropped on internal servers. #ThreatIntelligence #ShinyHunters #Oracle #CyberSecurity
Jun 10
🚀 Want to see how real-time curated C2 data improves detections? Hunt’s OEM C2 Feeds uncover 10× more live infrastructure than OSINT sources, all curated and validated daily for confidence and consistency. Get 14 days of free access and explore the latest 7 days of high-fidelity data in your own workflow. Apply now 👉 hunt.io/oem-c2-threat-feeds #ThreatHunting #ThreatIntelligence
Jun 10
💡JARM Fingerprints: A Practical Lens for Threat Hunters In our latest glossary entry, we break down JARM fingerprints and why they matter for TLS-based threat hunting. JARM helps analysts identify servers by how they handle TLS handshakes, not just by IPs, domains, or certificates. That makes it useful for spotting reused infrastructure, cloned servers, suspicious TLS behavior, and related C2 systems. In Hunt, analysts can search JARM fingerprints across internet-scale data, then pivot into certificates, open ports, HTTP responses, hosting providers, and related signals. Read the full article here 👉 hunt.io/glossary/jarm-finger… #ThreatHunting #ThreatIntelligence #CyberSecurity
Hunt.io retweeted
#APT #Sidewinder targets #SriLankan #Navy 5th sighting for "mailsserver-lk[.]com" - Another Webpage tracked by @Huntio URL: sdgf9af72f31706769d32bf1ff66cdec1d1gkj5jg95jg5k0hkg95kg0tk[.]pages[.]dev Ref: x.com/volrant136/status/1988… @500mk500 @MichalKoczwara @malwrhunterteam
12 Nov 2025
#APT #Sidewinder targets #SriLankan #Navy 4th sighting for "mailsserver-lk[.]com" - Another Webpage tracked by @Huntio URL: https://copeparliament[.]github[.]io/mails.navy.lk/ Ref: x.com/volrant136/status/1981… @500mk500 @MichalKoczwara @malwrhunterteam
Jun 10
🚩 DPRK-Linked Campaign Targets Developers With Fake GitHub Tasks infosecurity-magazine.com/ne… North Korean hackers are targeting developers with fake coding tasks, job lures, and code-review requests. The emails link to GitHub or GitLab repos that look like normal assignments. Once opened in VS Code or Cursor, a hidden task runs and installs malware. The goal is to steal crypto wallets, browser data, saved passwords, cookies, and credentials. #ThreatIntelligence #Github #CyberSecurity
🕵️‍♂️ Query Recent Malware C2s With HuntSQL Malware infrastructure is easier to hunt when you can query it like a dataset. With HuntSQL, analysts can search Hunt’s confirmed C2 data using SQL and filter by malware family, IP, port, scan URI, or timeframe. The attached images use Cobalt Strike as the example: a query for recent activity from the last month, followed by a pivot into host context like ASN, risk, open ports, and related detections. Start with a malware family, then pivot into the infrastructure behind it 👉 hunt.io/get-started #ThreatHunting #ThreatIntelligence #CyberSecurity
⚠️ New Pink Group Targets Enterprise Users to Steal Cloud Credentials cybersecuritynews.com/new-pi… Pink is a new extortion group targeting enterprise users through vishing instead of traditional malware. Attackers impersonate internal IT staff, push victims to phishing pages, capture credentials and MFA codes, then use legitimate Microsoft tools to drain OneDrive and SharePoint data. They also use compromised accounts to send Teams messages and emails with payment demands. #ThreatIntelligence #Vishing #CyberSecurity
⚙️ Use Hunt’s API to Track Open Directory Exposure by Country Open directories are still one of the easiest ways to spot exposed tools, malware staging, leaked files, and attacker habits. With Hunt’s Attack Capture API, you can pull open directory stats with a simple GET request and filter by timeframe or country. The attached image shows a China query returning hostnames, malware tags like BlackMoon and CoinMiner, and MITRE tags tied to discovery activity. The response is snipped, as typical results include much more data. Turn an exposed directory into a full investigation 👉 hunt.io/get-started #ThreatHunting #ThreatIntelligence #CyberSecurity
1,737
🚩 China-Linked OP-512 Targets IIS Servers gbhackers.com/op-512-targets… OP-512 is a new China-linked cluster targeting IIS servers with a custom web shell framework built to avoid simple signature hunting. The shells are not copy-paste payloads. Each deployment is generated with different RSA keys, randomized names, junk code, and unique hashes. One shell reports its own URL through DNS, with HTTP as a fallback. The command handlers require signed, encrypted payloads before they run commands. #ThreatIntelligence #IIS #OP512 #CyberSecurity
Hunt.io retweeted
Pivoting on another named C2, ashx.lhlsjcb[.]com, which resolved to 104.221.134[.]18 (eSited Solutions), a web page with a title of "34343" led to 9 additional servers on the same hosting network, hosting similar lhls* domains.
🚨 Magecart Turns Stripe Into a Malware Command Server cybersecuritynews.com/new-ma… A new Magecart attack is abusing trusted payment infrastructure in a nasty way. Instead of loading from attacker-owned domains, the skimmer uses Google Tag Manager for delivery and pulls card-stealing code from Stripe customer metadata. Stolen card data is then written back to Stripe as fake customer records, letting the traffic blend in with normal payment platform activity. Another variant uses Google Firestore the same way. #ThreatIntelligence #Magecart #Cybersecurity #Stripe
🚩 Almost 2K WordPress Sites Used Steam as C2 securityaffairs.com/192990/b… Almost 2,000 WordPress sites infected with malware have been found using Steam profiles as C2 infrastructure. The instructions were hidden inside Steam Community comments using invisible Unicode characters. To anyone looking quickly, the comments looked like ASCII art. To the malware, they decoded into payload instructions. The infection loaded fake-looking JavaScript, installed a PHP backdoor, and could rewrite plugin and theme files after partial cleanup. #ThreatIntelligence #WordPress #Steam #CyberSecurity
One IP rarely tells the full story. Our platform helps you spot the reuse behind it: shared certs, services, fingerprints, and infrastructure patterns. Turn one IP into a real hunting lead 👉 hunt.io/get-started #ThreatIntelligence #ThreatHunting