A sandbox for websites - Find malicious websites and phishing - status.urlscan.io - urlscan.io/blog/ - #threatintel #cybercrime #infosec #web #phishing

Joined October 2016
Pinned Tweet
30 Jul 2025
Today we're launching urlscan Brand AI within our urlscan Pro portal. Brand AI will visually examine websites to determine the name of the brand the website claims to represent, a more robust approach than text-based queries. Read the details in our blog: urlscan.io/blog/2025/07/30/b…
New TI report 📷 Duoyu stands out for its backend-driven flows, tracking identifiers, and distinctive handling patterns. Misconfigurations also provide useful detection opportunities. Dive in 📷 urlscan.io/pricing/urlscanpr…
Oriental Gudgeon ("CoGUI") is a structured phishing kit built on reusable components, storage artifacts, and API-driven workflows. Designed for scale and persistence across campaigns. Detection details inside 👇 Public reporting: urlscan.io/blog/2026/06/01/C… - More on urlscan Pro
New TI report 📷 Chenlun (“Outsider”) is a feature-rich phishing kit using modern web frameworks, verification flows, and anti-bot techniques. A step up in sophistication across Chinese Phishing-as-a-Service ecosystems. Full analysis and detections 📷 urlscan.io/pricing/urlscanpr…
urlscan.io retweeted
May 21
🇸🇦 🇮🇷 New Middle East malicious infrastructure report: 1,350 C2 Servers Mapped Across 98 Providers

Over a three-month window, we mapped more than 1,350 active C2 servers operating across 98 infrastructure providers in 14 Middle Eastern countries, covering telecoms, shared hosting, and VPS environments.

👉 Read the full report: hunt.io/blog/middle-east-mal…

Here's what the data shows:
→ A single telecom carrier accounts for nearly 72% of all detected regional C2 activity, most of it tied to compromised customer endpoints rather than provider-level abuse
→ C2 infrastructure makes up over 96% of all observed malicious artifacts in the region
→ Tactical RMM leads the malware family breakdown with 92 unique C2 IPs, followed by Keitaro TDS (71) and Acunetix (38)
→ The malware mix covers a wide range of attack types - IoT botnets (Mozi, Hajime, Mirai), remote access tools (AsyncRAT, Sliver, Cobalt Strike), active scanning (Acunetix), and phishing infrastructure (Gophish, Keitaro TDS)
→ Campaigns in the dataset include Eagle Werewolf espionage operations, the DYNOWIPER destructive campaign targeting Poland's energy sector, and RondoDox botnet exploitation infrastructure on Iranian hosting

The main takeaway is that malicious infrastructure in the region is not evenly spread. A small set of providers keeps showing up across unrelated campaigns and malware families, which is where the tracking value is. Provider-level visibility is what lets defenders get ahead of that pattern, rather than reacting to individual indicators that rotate daily.

Full breakdown, including infrastructure observables, HuntSQL queries, and campaign examples, is in the report 👇 hunt.io/blog/middle-east-mal…
urlscan.io retweeted
This is a much smaller Chinese phishing framework 🇨🇳 🪙 I bet you won't have heard of it before! 🌍 What makes this notable is the targeting of Chinese companies by the framework 🔎 🎯 This is a Pro only report ✉️ Reach out to sales@ if you are not on the pro platform!
New TI report on urlscan Pro 📷 Flyfish is a lightweight phishing kit built around simple but effective API endpoints. Despite its simplicity, it’s actively used for large-scale victim interaction and data capture. Detection patterns included 📷 urlscan.io/pricing/urlscanpr…
urlscan.io retweeted
May 14
🚨 NEW RESEARCH: TeamPCP's C2 fallback needs no attacker infrastructure. @wiz_io covered the delivery and flagged some payload behavior (great job!). However, nobody went deeper into the full toolkit itself, the GovCloud targeting, or the infrastructure. We did. Full analysis, IOCs, HuntSQL queries, and MITRE mapping: hunt.io/blog/teampcp-python-…
Last week we hosted a hands-on workshop at @pivot_con in Málaga. Participants learned how to hunt and cluster web-based phishing activity using our urlscan Pro platform. If you did not manage to get in, just send us a message and we'll give you a private tour of the platform!
New report: Darcula (“Magic Cat”) is one of the most active phishing frameworks we’re tracking. From API-driven infra to socket-based comms and fake shop deployments, this kit continues to evolve rapidly. Breakdown, detections: urlscan.io/blog/2026/05/11/C… Full report on urlscan Pro
New urlscan report 🚨 We’re kicking off our Chinese phishing series with a deep dive into the Sailor framework. A modular kit leveraging client-side storage for session tracking and victim management at scale. Detection included 👇 urlscan.io/blog/2026/05/04/C…
urlscan.io retweeted
Apr 29
🚨 NEW RESEARCH: xlabs_v1 DDoS-for-Hire IoT Botnet Exposed - One Open Directory. An Entire Operation Revealed. hunt.io/blog/xlabs-v1-ddos-f…

The operator built a full commercial DDoS-for-hire operation. Tiered pricing, 21 flood variants, competitor-killing routines baked in. Then left the whole toolkit on a public server with no login. Hunt.io AttackCapture tool had it indexed before they noticed.

Key findings:
- Botnet branded xlabs_v1, operator handle Tadashi, targeting game servers and Minecraft hosts
- 21 flood variants including RakNet and OpenVPN-shaped UDP to dodge common filters
- TCP/5555 observed open on 4M hosts in the past 180 days, any running ADB is a potential target
- ChaCha20 encryption broken via known-plaintext, full nonce reuse across all 16 calls
- C2, staging, distribution, and Monero cryptojacking all inside one bulletproof /24 in the Netherlands

👉 Full IOCs, MITRE mapping, and HuntSQL queries: hunt.io/blog/xlabs-v1-ddos-f…
urlscan.io retweeted
This is going to be huge 🧨 🔎 Myself and the team worked so hard on these. It is going to uncover and expose the true scale of multiple frameworks. Watch this space...
New research drop 🚨 We're diving deep into Chinese-language phishing-as-a-service ecosystems powering large-scale global campaigns. From infrastructure to operations, this series uncovers how these platforms scale and evade detection. Starting May 4th: urlscan.io/blog/2026/04/27/C…
This urlscan Pro Threat Intel Report covering Calendly-themed lures is now available on our public blog as well: urlscan.io/blog/2026/04/28/C…
New urlscan Pro Threat Intel Report: We uncovered 7 distinct phishing kit clusters hiding behind Calendly-themed lures. Same brand, very different tooling & infrastructure. The report includes hunting queries & technical fingerprints for defenders.
urlscan.io retweeted
Apr 11
Apparent WordPress compromise of popular restaurant chain #TGIFridays observed with #clickfix infection chain delivering malicious MSI disguised as "Microsoft Endpoint DLP Module". TGIF? 👾 #malware #clickfix @executemalware
The completion dropdown for our search page is now also available on the community platform on urlscan.io. Enjoy!
urlscan.io retweeted
Apr 15
🚨 🇷🇺 We tracked 1,252 active C2 servers across 165 Russian hosting providers over 90 days. Here's what's running inside those networks.

C2 traffic accounts for 88.6% of all observed malicious artifacts. The rest splits between malicious open directories (5.3%), phishing infrastructure (4.9%), and public IOCs (1.2%).

The hosting concentration is notable:
- TimeWeb leads with 311 C2 detections
- WebHost1 follows with 140, REG[.]RU with 138
- PROSPERO OOO hosts 80 C2s alongside 30 malicious open directories and 50 phishing sites
- Yandex[.]Cloud carries the widest malware diversity: 11 distinct families across 39 C2 endpoints

On the malware side:
- Keitaro dominates with 587 unique C2 IPs
- Hajime (191), Mozi (48), and Mirai (13) show IoT botnet infrastructure is still active
- Cobalt Strike, Sliver, and Ligolo-ng are all present across the ecosystem

Specific campaigns tied to this infrastructure include Latrodectus via ClickFix on TimeWeb, Lumma Stealer on REG[.]RU, Remcos RAT via SmartApeSG on Hosting Technology LTD, and intrusion activity attributed to Head Mare inside LLC Smart Ape.

Full research with Host Radar breakdowns and HuntSQL queries 👇 hunt.io/blog/russian-malicio… #ThreatHunting #ThreatIntelligence #C2 #Malware #CyberSecurity
urlscan.io retweeted
โš ๏ธPublic blog post is now live: urlscan.io/blog/2026/04/15/Pโ€ฆ
JavaScript Proxy frameworks are interesting๐Ÿ–ฅ๏ธ ๐Ÿ”Have you detected these being used in any campaigns? Investigating these is tricky but the fingerprints caused are simple to track!๐ŸŽฏ
We have just launched the public version of this urlscan Pro Intel Brief, check it out: urlscan.io/blog/2026/04/15/P…
TAs are weaponising client-side proxy frameworks like Ultraviolet & Scramjet to deliver stealthy phishing campaigns that evade traditional detection. Our latest urlscan Pro report covers techniques, artifacts, and detection strategies for this new threat: urlscan.io/pricing/urlscanpr…