Tracking 3,900+ C2 servers, across 302 Eastern Europe providers
▲ 50 r/threatintel+3 crossposts

Tracking 3,900+ C2 servers, across 302 Eastern Europe providers

Over a three-month window Hunt.io mapped malicious infrastructure across 10 Eastern European countries and tracked more than 3,900 active C2 servers across 302 hosting providers.

A single Bulgarian host, Friendhosting, was running 2,100 of them, roughly 53.5% of the regional total. We also linked specific infrastructure to Cloud Atlas, ShinyHunters' PeopleSoft exploitation, and Nemesys ransomware sharing the same provider networks.

Read the full story: https://hunt.io/blog/eastern-europe-malicious-infrastructure-report

hunt.io
u/Straight-Practice-99 — 11 days ago

🇮🇷 An Iranian operator left their staging server wide open, and it named every LA Metro breach victim a public report withheld

Ababil of Minab is a pro-Iranian group that claimed destructive intrusions against targets in the US, Israel, Saudi Arabia, and Turkey this year. LA Metro confirmed their breach in April. A later report described the campaign but held back the additional victims.

Hunt.io researchers found the operator's own staging server filling that gap: 5 GB of data, the upload tooling, the bash history, and folders named after each target, including over a gigabyte of LA Metro SQL backups down to SCADA configs.

Read the full story here: https://hunt.io/blog/ababil-of-minab-iranian-hackers-exposed-la-metro-breach-open-directory

reddit.com
u/Straight-Practice-99 — 20 days ago
▲ 6 r/threatintel+2 crossposts

Ababil of Minab Exposed: LA Metro SCADA Backups and Israeli Victim Data Left Open on an Iranian Staging Server

Hunt.io researchers found around 5 GB of exfiltrated data sitting on an open server tied to Ababil of Minab, a pro-Iranian group that hit targets across the US, Israel, Saudi Arabia, and Turkey. 2,238 files across 545 subdirectories. A custom Flask upload tool, the operator's bash history, plaintext Chrome password dumps, and a 404 page that quietly redirected to fbi.gov to look harmless. The server stayed open for weeks after the campaign was already public, which let researchers recover the Israeli and Turkish victims a public report had withheld.

Full research here: https://hunt.io/blog/ababil-of-minab-iranian-hackers-exposed-la-metro-breach-open-directory

hunt.io
u/Straight-Practice-99 — 20 days ago
▲ 33 r/threatintel+5 crossposts

🐞 We Found PCPJack's Full Toolkit Sitting on an Open Directory. 230 Hijacked Servers, No Auth Required.

12 files sitting exposed on port 8444, source code, compiled binaries, and deployment state logs for a toolkit that hijacked 230 cloud servers to run a hidden SMTP relay network. A second open directory on port 9443 exposed the operator's live working directory including active scanners, exploitation tooling, and a live Sliver C2 config.

👉 Full breakdown here: https://hunt.io/blog/pcpjack-230-cloud-servers-smtp-proxy-network-sliver-chisel

hunt.io
u/Straight-Practice-99 — 1 month ago
▲ 13 r/threatintel+2 crossposts

Exposing a Smishing campaign across 19 countries: 1,628 malicious URLs tied to a single 128-char HTML fingerprint

1,628 phishing URLs across 33 backend IPs mapped from a single domain pivot. Infrastructure spans Tencent Cloud (15 IPs), Alibaba Cloud (3 IPs), Cloudflare anycast (14 IPs), and ALEXHOST Moldova (2 IPs).

Detection artifact: 128-character metadata hash present in every phishing page. HuntSQL queries included in the report below:

https://hunt.io/blog/massive-smishing-campaign-governments-postal-telecoms 

hunt.io
u/Straight-Practice-99 — 1 month ago
▲ 18 r/threatintel+2 crossposts

📡 One telecom carrier accounts for 72% of all Middle East-hosted C2 activity.

Hunt.io researchers spent the last 3 months mapping malicious infrastructure across Middle Eastern hosting providers.

Key findings:

  • 1,357 C2 servers across 98 providers in 14 countries
  • STC (Saudi Telecom) alone accounts for 72.4% of all regional C2 activity, 981 servers in 90 days
  • Türk Telekom leads in malware diversity: 6 distinct families across 9 C2 endpoints
  • Regxa (Iraq) carries the highest bulletproof rating of any provider in the dataset
  • Active campaigns include Eagle Werewolf espionage ops, DYNOWIPER hitting Poland's energy sector, and RondoDox botnet on Iranian hosting

A small set of providers keeps appearing across completely unrelated campaigns. That's the pattern worth tracking.

Full report: https://hunt.io/blog/middle-east-malicious-infrastructure-report

hunt.io
u/Straight-Practice-99 — 2 months ago
▲ 15 r/threatintel+4 crossposts

TeamPCP's Toolkit Survives C2 Takedowns. Here is How.

The Hunt.io research team dug into the second-stage Python toolkit TeamPCP drops after the Mini Shai-Hulud supply chain compromise. Wiz and others covered the delivery and flagged some payload behavior. We went deeper into what actually runs on the machine after that.

Key findings for anyone following this group:

  • FIRESCALE dead-drop: primary C2 down? The malware queries all public GitHub commit messages globally for a signed server redirect, verified with an embedded RSA-4096 key. Nothing to take down, no fixed repo, no fixed account. Watch for api.github.com/search/commits?q=FIRESCALE in egress logs.
  • Victim-account fallback: if FIRESCALE fails too, the malware uses the victim's own GitHub token to create a public repo and push the credential harvest there. Operator pulls it via the public API. Zero attacker infrastructure required. Look for repos matching two Slavic words plus three digits with description PUSH UR T3MPRR.
  • US government cloud in scope: both GovCloud partitions, us-gov-east-1 and us-gov-west-1, are explicitly in the AWS collector target list. Not accidental.
  • Geopolitical wiper: timezone and locale checks identify Israeli and Iranian machines. A 1-in-6 gate triggers audio at max volume then full file deletion. Russian-locale machines exit clean before any payload runs.
  • New infrastructure: HTTP header fingerprint pivot in HuntSQL surfaced four GCP addresses linked to this campaign not in any existing blocklist or prior report.

Full breakdown, IOCs, HuntSQL queries, and MITRE mapping: https://hunt.io/blog/teampcp-python-toolkit-firescale-github-c2-takedown

Drop questions below if you are tracking this.

hunt.io
u/Straight-Practice-99 — 2 months ago
▲ 6 r/threatintel+1 crossposts

CVE-2025-32975: The Open Directory Behind the KACE SMA Breach, 12K Exposed Instances, and 60+ Downstream Victims

CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE SMA that allows an unauthenticated attacker to impersonate any user, including admins, without credentials. The patch dropped in May 2025. Active exploitation was tracked as recently as March 9, 2026.

On March 12, Hunt.io AttackCapture indexed an exposed directory at 216.126.225[.]156:8000 while it was still live. What was inside:

  • 219 files, 308 MB, no auth required
  • Full post-exploitation toolkit: Python reverse shell, custom TCP-multiplexed SOCKS5 tunnel, SMB credential sprayer, domain-wide WMI recon via runspace pool
  • Six Next.js prototype pollution payloads alongside the KACE toolkit, confirming parallel initial access vectors
  • A 512 MB MariaDB dump from a production KACE appliance belonging to HIQ, a Boston-area MSP
  • 60+ named downstream client organizations across law enforcement, government, healthcare, and education
  • Hardcoded credentials from at least two additional victim environments embedded in the scripts
  • LNK metadata identifying the operator's machine as a Windows Server 2019 VPS with hostname windows-utah-8g, running as built-in Administrator

The report includes a full script-by-script breakdown, operator OPSEC assessment, database analysis, IOCs, and the detection logic to find exposed KACE instances.

Over 12,000 K1000 appliances are still internet-facing and disclosing version strings below the patch threshold.

Full research: https://hunt.io/blog/cve-2025-32975-quest-kace-sma-open-directory-60-victims

hunt.io
u/Straight-Practice-99 — 2 months ago
▲ 5 r/threatintel+2 crossposts

If you are tracking Iranian-nexus activity in the Middle East, this one is worth your time.

Hunt.io's AttackCapture flagged an open directory on a UAE-hosted VPS that turned out to be a full active C2 environment tied to an intrusion against Oman's government. Toolkit, session logs, and exfiltrated data all exposed.

  • 12 ministries targeted, 26,000+ citizen records pulled from the Ministry of Justice along with judicial case data and SAM/SYSTEM registry hives
  • Custom ASPX webshells, six-version Python C2, GodPotato privilege escalation, Chisel tunneling, 50+ exploitation scripts covering ProxyShell, DNN SSRF, and national ID IDOR vulnerabilities
  • TTPs overlap with known MOIS-linked clusters, full analysis in the post

Full post and IOCs: https://hunt.io/blog/iranian-nexus-oman-government-intrusion

u/Straight-Practice-99 — 2 months ago
▲ 5 r/threatintel+1 crossposts

An exposed staging server in the Netherlands with no authentication required left the operator's full toolkit publicly accessible. Two ELF binaries, infection payloads, SOCKS5 credentials, and a target list, enough to fully reconstruct a commercial DDoS-for-hire operation.

Key findings:

  • Mirai-derived botnet sold as a tiered DDoS-for-hire service, game servers and Minecraft hosts as primary attack targets
  • ADB on TCP/5555 as the infection vector, over 4M hosts observed with that port open in the past 180 days, any running ADB is a potential recruit into the botnet
  • 21 flood variants including RakNet and OpenVPN-shaped UDP to bypass common filters
  • ChaCha20 string encryption broken via known-plaintext due to weak key material and full nonce reuse across all 16 decryption calls
  • Full operation inside a single bulletproof /24, Offshore LC, Netherlands, covering C2, staging, distribution, and co-located Monero cryptojacking infrastructure

Full IOC set, MITRE ATT&CK mapping, and HuntSQL queries in the report.

hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed

u/Straight-Practice-99 — 2 months ago