THREAT INTELLIGENCE Archives - Cyber Security News
https://cybersecuritynews.com/tag/threat-intelligence/
World's #1 Premier Cybersecurity and Hacking News Portal
Tue, 29 Jul 2025 17:51:17 +0000

Want To Detect Incidents Before It’s Too Late? You Need Threat Intelligence
https://cybersecuritynews.com/want-to-detect-incidents-before-its-too-late-you-need-threat-intelligence/
Tue, 29 Jul 2025 17:51:13 +0000
The difference between a minor security incident and a devastating breach often comes down to one critical factor: how quickly you can detect and respond to a threat.

Hackers rarely target an isolated business: they typically launch campaigns that hit multiple companies with similar tactics, techniques, and procedures (TTPs).

This means, by the time an attack hits you, it’s likely already been executed against other organizations. 

Why Threat Intelligence Is Your Early Warning System 

The challenge here is that attacks are becoming more sophisticated and widespread.

The opportunity is that if you have access to fresh, comprehensive threat intelligence data, you can detect these threats before they cause significant damage to your organization.  
 
When a suspicious IP address, domain, or file hash appears in your environment, there’s a high probability that the same indicator has already been observed in attacks against other market players. 
 
Fresh threat intelligence data provides you with: 

  • Real-time indicators from ongoing campaigns targeting organizations similar to yours. 
  • Behavioral patterns of emerging threats before they become widespread. 
  • Attribution information that helps you understand the threat actor’s methods and motivations. 
  • Contextual analysis that goes beyond simple indicator matching. 

Used by over 15,000 SOC teams to investigate recent attacks, ANY.RUN’s Threat Intelligence Lookup serves as a comprehensive source of fresh threat data, offering more than just basic indicator searches.

Through advanced sandbox analysis, it provides a complete picture of threat behavior, helping security teams understand not just what they’re dealing with, but how these threats operate and evolve.  

Cut MTTR With Instant Threat Insights At No Cost 

Threat Intelligence Lookup offers a free plan, which provides immediate value to organizations of all sizes.

The free tier arms security analysts with access to essential intelligence, allowing them to search for information on indicators and threats without any upfront cost.  

Sign up to speed up threat detection and response with free threat intelligence from ANY.RUN 

Suppose your security team detects a suspicious IP address in your system logs. By running it through TI Lookup on the free plan, the team can instantly identify that the IP is associated with RedLine stealer:

destinationIP:"91.92.252.249"

IP search and an instant verdict: the address is malicious 

This quick search gives analysts a confirmed malicious IP for EDR systems, relevant indicators like ports and mutexes, and the understanding that the attack is ongoing. 

Beyond simple identification, the service finds real-world malware samples in the Sandbox where this IP was used, giving you context to assess the threat’s severity and respond effectively.

RedLine sample analysis in the Interactive Sandbox 

Sandbox analyses are available on the free plan with some limitations, adding to its capabilities for rapid incident response.

Optimize SOC Performance And Resources With Rich Data and Automation 

While the free plan is a great starting point, the Premium version of Threat Intelligence Lookup unlocks a wealth of additional data and automation capabilities, enabling you to scale your threat detection efforts.

With the Premium plan, you gain access to over 40 types of indicators and all search operators.

This enables more complex and diverse threat investigations that deliver actionable data to inform your entire security strategy. 

Another example: with full access to TI Lookup capabilities, you can search for a dubious mutex:

syncObjectName:"rmc-pjx7d8"

Mutex search results in TI Lookup 

The search reveals the mutex’s attribution to Remcos RAT and surfaces the sandbox detonations in which you can observe the malware’s behavior and gather additional IOCs.

The Premium plan also allows you to automate threat intelligence workflows and reduce response times by integrating TI Lookup via API and SDK with your security tools (e.g., SIEM, TIP, or SOAR systems). 

Request 50 trial searches to access the full capabilities of TI Lookup and protect your business proactively.

Proactive Defense: Stay Ahead Of Emerging Threats 

Threat Intelligence Lookup doesn’t just help you react; it enables proactive defense.

By subscribing to real-time updates on your search queries, you can stay informed about the latest threats and adapt your defenses accordingly.

For example, to receive updates on malicious domains associated with Lumma stealer, click the bell icon in the top right corner of the search results and click “Subscribe”.  

threatName:"lumma" AND domainName:""

How to subscribe to fresh IOC updates 

This proactive approach means your detection systems are updated with the latest indicators almost as soon as they’re identified, often before these threats begin targeting your organization directly. 

Conclusion: Fuel Better Business Decisions With Threat Intelligence 

Investing in comprehensive threat intelligence pays back in multiple ways: 

  • Reduced Dwell Time: Early detection means threats spend less time in your environment, reducing potential damage. 
  • Improved Analyst Efficiency: Instead of researching threats from scratch, analysts have immediate access to comprehensive background information. 
  • Proactive Defense: Staying ahead of threats rather than constantly reacting to them. 
  • Better Decision Making: Understanding the full threat landscape helps prioritize security investments and responses. 

Threat intelligence isn’t just about understanding what happened – it’s about understanding what’s happening and what’s likely to happen next. 

With threat actors increasingly targeting multiple organizations in coordinated campaigns, the intelligence gathered from one attack becomes invaluable for preventing the next one.

Whether you’re using the free plan to investigate a single indicator or harnessing the Premium plan’s automation and extensive indicator types, Threat Intelligence Lookup empowers you to protect your business before it’s too late. 

Identify more threats and contain them effectively with ANY.RUN: request 50 trial lookups now 

Top 3 Techniques To Improve Threat Hunting In Your Company
https://cybersecuritynews.com/top-3-techniques-to-improve-threat-hunting-in-your-company/
Tue, 01 Apr 2025 14:54:56 +0000
Threat hunting isn’t just a job — it’s an adventure. There’s a thrill in proactively chasing down adversaries who think they’ve outsmarted your defenses.

It’s this blend of challenge, creativity, and impact that makes threat hunting not only fun but also a critical piece of modern cybersecurity. 

Why Businesses Should Take Threat Hunting Seriously

Threat hunting is a proactive cybersecurity strategy that involves actively searching for indicators of compromise (IOCs) and threats that evade traditional security measures.

Unlike automated detection, which relies on predefined rules, threat hunting uses human intuition, data analysis, and advanced tools to uncover stealthy attacks. 

Cybercriminals constantly refine their tactics to bypass conventional security solutions. By incorporating threat hunting, organizations can: 

  • Detect threats earlier, minimizing potential damage. 
  • Reduce dwell time (the duration an attacker remains undetected within a network). 
  • Strengthen overall security posture by identifying gaps in existing defenses. 

Threat Intelligence Tools And Techniques To Chase Malware 

 
Effective threat hunting requires the right tools to amplify professional intuition and expertise. SIEM systems, EDR platforms, and XDR solutions provide the raw data and visibility hunters need.  

But the real game-changer? Threat intelligence. These tools deliver actionable insights about known threats, attacker tactics, techniques, and procedures (TTPs), and emerging risks, giving hunters a head start in their search.   

1. Enrich Indicators With As Much Context As Possible  

Imagine a security analyst encountering a suspicious domain in their logs. They use ANY.RUN’s Threat Intelligence Lookup to investigate further: destinationIP:"185.156.175.43"
 
What do we get from a single search?

IP lookup results: new IOCs, events, TTPs, and the malware strain the indicator is tied to
  • The domain is flagged as malicious and deserves to be treated like one. 
  • It is linked to well-known, recently active, and dangerous malware: AsyncRat and Remcos remote access trojans. 
  • There are a number of associated IPs spotted in the same malware samples as the investigated one. 
  • There are a number of other Indicators of Compromise from attacks featuring this IP and the associated IPs: file hashes, mutexes, ports. Each can serve as the main parameter of a new search, combined with any of the over 40 other parameters available in TI Lookup. 
  • The domain was last spotted by ANY.RUN’s tools in a malware sample at the end of March, so it is a fresh and active indicator. 

Enrich your defense with wider threat context for any indicator  -> Contact ANY.RUN for 50 trial search queries 

2. Explore Full Attacks In Detail 

Pull a thread and untangle a complex malware attack: one indicator can be enough to dive deep into research and resurface with a defense plan.

Say an analyst has only a suspicious file hash; they search it via TI Lookup and go to the “Tasks” tab in the search results:

md5:"3DCAFE710A9252FE5210909D84EDBF3E"

File hash search results: a fresh malware sample featuring the file

Here we have an analysis session of a malware sample, run by an ANY.RUN Interactive Sandbox user.

Observe a malicious file’s behavior in the Interactive Sandbox

We can view the analysis or restart it with different virtual machine settings (e.g., OS, proxy, or VPN).

Choose the parameters of suspicious file analysis 

We can explore the malware configuration, gather IOCs (for further TI Lookup searches), and watch malicious processes in action.

3. Subscribe For Updates On Evolving Threats 

Even if you search regularly for updates on threats and indicators, that does not guarantee you will not miss important new data.
 
The TI Lookup Search Updates feature lets you subscribe to the results of specific queries: click the bell icon in the top right corner of the TI Lookup search results and click “Subscribe”.

threatName:"asyncrat"

Click the bell to see the subscription button 

When new results appear, a notification is displayed in the dashboard. Fresh data is highlighted in green. 

Conclusion 

Threat hunting is an essential, dynamic process that transforms cybersecurity from reactive to proactive.

By leveraging advanced threat intelligence tools like ANY.RUN’s Lookup, organizations can enhance their ability to detect and mitigate threats before they cause harm.

With the right mindset, skills, and tools, threat hunting becomes not just an obligation but an engaging and rewarding challenge for security teams. 

Arm your team for hunting threats efficiently! Request a 50-search trial with ANY.RUN

How Threat Hunters Enrich Indicators With Context
https://cybersecuritynews.com/how-threat-hunters-enrich-indicators-with-context/
Thu, 20 Mar 2025 12:42:49 +0000
While data is king, context is his queen — together, they reign over domains that thrive on research, analysis, discovery, and exploration.

Nowhere is this more evident than in cyber threat intelligence, where raw data alone is powerless without context to give it meaning and direction. 
 
Threat intelligence platforms and SOC teams collect vast amounts of information on cyber incidents and attacks, such as IP addresses, file hashes, and domain names.

But this data only becomes actionable when enriched with context.

Context is achieved by: 

  • Correlating Indicators of Compromise (IOCs) with known threats, campaigns, or adversaries. A suspicious IP address becomes more meaningful if linked to a specific APT group or malware strain. 
  • Attributing threats based on tactics, techniques, and procedures (TTPs) observed in attack patterns to help teams understand the intent and sophistication of attackers. 
  • Assessing real-time relevance by comparing emerging threats to historical attack data and industry-specific risks. 
  • Enriching intelligence with external sources, such as open-source threat feeds, government advisories, and dark web monitoring. 

Let’s see how this works in practice on examples of typical cybersecurity challenges, using Threat Intelligence Lookup by ANY.RUN.

It’s a search engine for exploring indicators of compromise, attacks, and behavior, and for understanding the tactics and techniques of adversaries.

IP Context Enrichment 

When a detection and monitoring system warns the security team of a suspicious IP address, their first impulse is to block the traffic from the IP.

But understanding what exactly is happening is no less important. Let’s explore an IP address via TI Lookup:

IP context data, including when the address was last seen in a malware sample

What Do We Now Know About This IP?  

Most importantly, it is associated with AsyncRat, dangerous malware that turns a computer into a zombie fully controlled by attackers and leaks sensitive data.

  • It was spotted in malware samples analyzed in recent months, so it can be considered part of an active malicious inventory. Measures must be taken immediately. 
  • We can view the analysis sessions of these samples in the Interactive Sandbox. 
  • We see that the IP is used in C2 (command-and-control) communications. 
  • There are a number of other IPs spotted in the same malware sample analyses, also tagged as malicious. 

Dive deep into the contextual data on IOCs  Try TI Lookup with 50 test requests  

Mutex Context Enrichment 

Mutexes are found in benign and malicious software alike. A mutex alone is rarely a definitive sign of infection. It must be correlated with other IOCs (e.g., network activity, process behavior, file hashes) to confirm a threat.
 
Mutexes often generate false positive alerts in monitoring systems. Malware samples can contain the same objects as legitimate programs, and a lot of mutex names are generic.  
 
Let’s see what happens if we enrich a mutex with another mutex as context by combining them in one TI Lookup search request:

(syncObjectName:"PackageManager" or syncObjectName:"DocumentUpdater") and syncObjectOperation:"Create" and threatName:"muddywater"

A click on each search result shows how the mutex behaves in malicious processes

Now We Know That:  

  • The combination of mutexes with such innocent, general names as PackageManager and DocumentUpdater occurs in malware campaigns of the MuddyWater APT group from Iran, which is exactly as dangerous as an APT group from Iran is supposed to be. 
  • The mutexes are generated by MuddyWater’s BugSleep backdoor.   
  • We can find more samples that use these mutexes in the Sandbox (see the Tasks tab in the search results). 
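As an added example (not ANY.RUN’s code; every address, date, hash and log line below is constructed for illustration), the Python below models the IP enrichment and the mutex correlation described in this article, and the IP lookups in the two articles above: each indicator is looked up in a local stand-in for a TI source, tagged with its family and a freshness flag, and generic mutexes are confirmed only when several mutexes attributed to one family are created on the same host, emitting queries in the syntax shown above. The 30-day freshness window and the log line format are assumptions.

```python
"""Indicator enrichment and correlation modelled on the TI Lookup workflow the
article walks through. Added example, not ANY.RUN's code; all data is constructed."""
import re
from datetime import date

TODAY = date(2025, 3, 20)   # fixed clock so the results are reproducible
ACTIVE_WINDOW_DAYS = 30     # assumption: seen within 30 days counts as "fresh"

# Constructed stand-in for a TI source (TEST-NET addresses, invented dates). Each
# record carries the context the article calls out: family, last-seen date and
# indicators observed in the same sandbox sessions.
TI_RECORDS = {
    ("ip", "203.0.113.45"): {"family": "redline", "last_seen": date(2025, 3, 14),
                             "related": ["port:9001", "mutex:constructed-rl-mutex"]},
    ("ip", "198.51.100.7"): {"family": "asyncrat", "last_seen": date(2024, 9, 2),
                             "related": ["port:6606"]},
    # Generic mutex names: on their own never a verdict (see the article).
    ("mutex", "PackageManager"): {"family": "muddywater", "last_seen": date(2025, 3, 10),
                                  "related": ["mutex:DocumentUpdater"]},
    ("mutex", "DocumentUpdater"): {"family": "muddywater", "last_seen": date(2025, 3, 10),
                                   "related": ["mutex:PackageManager"]},
}
# Field names follow the query syntax shown in the article.
QUERY_FIELD = {"ip": "destinationIP", "mutex": "syncObjectName", "md5": "md5"}


def build_query(kind: str, value: str) -> str:
    """Single-indicator query, e.g. destinationIP:"203.0.113.45"."""
    return f'{QUERY_FIELD[kind]}:"{value}"'


def build_mutex_query(mutexes: list, operation: str, family: str) -> str:
    """Combined query tying generic mutex names to an operation and a family,
    in the shape the article uses for the MuddyWater example."""
    names = " or ".join(f'syncObjectName:"{m}"' for m in mutexes)
    return f'({names}) and syncObjectOperation:"{operation}" and threatName:"{family}"'


def enrich(kind: str, value: str, today: date = TODAY) -> dict:
    """Look one indicator up and attach context plus a freshness flag."""
    rec = TI_RECORDS.get((kind, value))
    if rec is None:
        return {"indicator": value, "verdict": "unknown", "query": build_query(kind, value)}
    age = (today - rec["last_seen"]).days
    return {"indicator": value, "verdict": "malicious", "family": rec["family"],
            "fresh": age <= ACTIVE_WINDOW_DAYS,  # still part of the active inventory?
            "days_since_seen": age, "related": list(rec["related"]),
            "query": build_query(kind, value)}


def correlate_mutexes(observed: list, operation: str = "Create") -> dict:
    """The article's rule: one generic mutex only warrants a closer look; several
    mutexes attributed to the same family, created on one host, confirm it."""
    hits = [m for m in observed if ("mutex", m) in TI_RECORDS]
    families = {TI_RECORDS[("mutex", m)]["family"] for m in hits}
    if not hits:
        return {"verdict": "benign_or_unknown", "mutexes": list(observed)}
    if len(hits) >= 2 and len(families) == 1:
        family = families.pop()
        return {"verdict": "confirmed", "family": family,
                "query": build_mutex_query(hits, operation, family)}
    return {"verdict": "needs_correlation", "mutexes": hits,
            "queries": [build_query("mutex", m) for m in hits]}


# Constructed log lines: firewall flows and Sysmon-style mutex creation events.
SAMPLE_LOGS = """\
2025-03-18T10:02:11Z host=ws-07 type=flow dst=203.0.113.45 dport=9001
2025-03-18T10:02:40Z host=ws-07 type=mutex op=Create name=PackageManager
2025-03-18T10:02:41Z host=ws-07 type=mutex op=Create name=DocumentUpdater
2025-03-18T11:15:03Z host=ws-12 type=flow dst=192.0.2.9 dport=443
2025-03-18T11:16:30Z host=ws-12 type=mutex op=Create name=PackageManager
"""
LINE_RE = re.compile(r"host=(?P<host>\S+) type=(?P<type>\w+) (?P<rest>.*)")


def hunt(log_text: str) -> dict:
    """Walk the logs, enrich every destination IP, correlate mutexes per host."""
    ips, mutexes = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        if m["type"] == "flow":
            ips.setdefault(m["host"], []).append(fields["dst"])
        elif m["type"] == "mutex" and fields.get("op") == "Create":
            mutexes.setdefault(m["host"], []).append(fields["name"])
    return {host: {"ips": [enrich("ip", ip) for ip in ips.get(host, [])],
                   "mutexes": correlate_mutexes(mutexes.get(host, []))}
            for host in sorted(set(ips) | set(mutexes))}
```

Running `hunt(SAMPLE_LOGS)` confirms MuddyWater on ws-07 (two attributed mutexes plus a fresh RedLine IP) while ws-12, with a lone generic mutex and an unknown IP, is only flagged for follow-up.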

URL Context Enrichment 

You spot a link, say, to a suspicious file in your network traffic. You search this link via TI Lookup. 

The URL’s domain is labelled as malicious and as belonging to a known botnet

A simple request, but now we know that:  

  • The domain is part of the Phorpiex botnet infrastructure. 
  • It was detected in a sample analyzed less than a month ago, so Phorpiex may still be active and dangerous, even though one might consider a botnet known since 2016 obsolete. 
  • The domain is associated with a number of other malware strains and should be blocked in your network. 

Conclusion 

In cyber threat intelligence, data alone is a ruler without direction; only with context does it command the full power to defend, predict, and counteract threats effectively.

By enriching indicators with additional data, SOC teams can set up effective detection, monitoring, and response, investigate phishing campaigns, and enhance proactive defenses.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

20 Best Threat Hunting Tools – 2025
https://cybersecuritynews.com/threat-hunting-tools/
Thu, 09 Jan 2025 10:38:46 +0000
Threat hunting tools are essential for finding undetected cybersecurity threats hiding in the network, databases, and endpoints.

The approach requires researching deeply into the environment to locate malicious activity. To prevent these types of attacks, threat hunting is crucial.

Attackers or hackers can remain undetected in a network for months, stealthily accumulating login credentials and other sensitive information.

In this article, experts from Cyber Security News researched extensively and categorized the 20 best threat hunting tools.

Table of Contents

What is Threat Hunting?
Types of Threat Hunting
Difference Between Threat Hunting and Incident Response
Best Threat Hunting Tools and Their Key Features
20 Best Threat Hunting Tools in 2025
1. ANY.RUN
2. CrowdStrike Falcon
3. YARA
4. SolarWinds Security Event Manager
5. Wireshark
6. Rapid7 InsightIDR
7. Tcpdump
8. RITA
9. Elastic Stack
10. Sysmon
11. Trend Micro Managed XDR
12. Kaspersky Anti-Targeted Attack Platform
13. Cynet 360
14. Cuckoo Sandbox
15. Machinae
16. Exabeam Fusion
17. Splunk Enterprise Security
18. Intezer
19. Hunters XDR
20. YETI

Conclusion
Also Read

What is Threat Hunting?

Threat hunting aims to recognize and respond to threats that have avoided conventional security protocols such as firewalls, antivirus programs, and intrusion detection systems.

It requires technical skills, analytical ability, and an understanding of cyber attackers’ latest threat trends and tactics.

Three phases comprise the threat-hunting methodologies: an initial trigger phase, an investigation phase, and a resolution phase.

  • Trigger: Generally, threat hunting is a systematic process in which the hunter collects information about the environment, formulates hypotheses about potential attacks, and selects a trigger for further inquiry.
  • Investigation: Once a trigger has been selected, the hunter’s attention is drawn to anomalies that confirm or refute the hypothesis.
  • Resolution: By the end of the preceding step, the hunter has gathered sufficient knowledge about potential threats. This information is passed to other teams and tools for evaluation, prioritization, analysis, or storage during the resolution phase.

Difference Between Threat Hunting and Incident Response

Aspect | Threat Hunting | Incident Response
Process | A proactive and iterative process that focuses on finding and understanding possible threats. | A structured and reactive process with the goals of containing, eradicating, and recovering from an incident.
Skills Required | Advanced analytical skills, knowledge of threats, and a deep understanding of networks. | Knowledge of forensics, software, and the law, plus communication skills.
Tools Used | Advanced security tools capable of deep analysis, e.g., SIEM, EDR, and threat intelligence platforms. | Incident response platforms, forensic tools, malware research tools, and so on.
Initiation | Set off by a hypothesis or signs of a compromise, without specific alerts. | Usually starts when a security tool raises an alert or someone reports a possible or real incident.
Frequency | Ongoing and regular activity as part of security operations. | Triggered by an event or the discovery of something anomalous.
Outcome | Discovering previously unknown risks and improving security. | Resolving a specific security issue, restoring normal operations, and learning from what happened.

Best Threat Hunting Tools and Their Key Features

1. ANY.RUN: Interactive malware analysis; Real-time analysis; Threat intelligence integration; API integration; Packet capture (PCAP) support; Network traffic analysis
2. CrowdStrike Falcon: Anomaly-based threat hunting; Local threat hunting; Cloud-based consolidated threat hunting
3. YARA: Rule-based matching; Flexible syntax; Multiple file types; Metadata extraction; Integration into other tools and workflows; Community support; Cross-platform
4. SolarWinds Security Event Manager: Real-time threat detection; Log aggregation; Correlation rules; Automated response actions; Compliance reporting; Customizable dashboards; Threat intelligence
5. Rapid7 InsightIDR: Anomaly-based threat detection; Signature-based threat detection; Incident detection and response; Lightweight, cloud-native solution; Vulnerability management
6. Wireshark: Live capture and offline analysis; Deep inspection of hundreds of protocols; Multi-platform support; Powerful filtering and search capabilities; Graphical user interface; Packet analysis and statistics; Customizable display; Collaboration and remote capture
7. Tcpdump: Packet capturing; Filter expressions; Protocol decoding; Timestamps; Output formatting; Live capture; Remote capture; Promiscuous mode
8. RITA: Customization; Scalability; Visualization; Machine learning; Threat detection; Data exfiltration detection; Visualizations of network traffic data
9. Elastic Stack: Elasticsearch; Kibana; Logstash; Beats; Machine learning
10. Sysmon: Process tracking; Network activity tracking; File and registry activity tracking; Driver and service monitoring; Tampering detection; Advanced threat detection
11. Trend Micro Managed XDR: Threat detection; Investigation and response; Endpoint detection and response; Server protection; Email protection; Compliance management; Threat intelligence
12. Kaspersky Anti-Targeted Attack Platform: Advanced threat detection; Targeted attack analytics; Multi-layered defense; Incident response and remediation; Centralized management; Integration with other security solutions
13. Cynet 360: Autonomous breach protection; Endpoint protection; Network security; Incident response; Threat intelligence; User behavior analytics; Compliance management; Cloud security
14. Cuckoo Sandbox: Multi-platform support; Automated analysis; Integration with other tools; Reporting and analysis; Customizable analysis environment
15. Machinae: Modular, with support for custom modules; Extensible, integrating those modules into the framework; Automation; Flexibility; Compatible with Windows, Linux, and macOS
16. Exabeam Fusion: Behavioral analytics; Threat intelligence; Automated response; Incident management; Compliance reporting; Cloud security
17. Splunk Enterprise Security: Real-time network monitoring; Asset investigator; Historical analysis; Incident response management; Automated investigation; Threat detection and response
18. Intezer: Genetic malware analysis; Threat hunting; Cloud workload protection; Incident response; API integration
19. Hunters XDR: Real-time threat detection; Behavioral analytics; Forensics and investigation; Integrations; Cloud security
20. YETI: Data aggregation; Customizable data model; Automated data enrichment; Visualization; Integrations; Customizable workflows

20 Best Threat Hunting Tools in 2025

  • ANY.RUN
  • CrowdStrike Falcon
  • YARA 
  • SolarWinds Security Event Manager
  • Wireshark
  • Rapid7 InsightIDR
  • Tcpdump
  • RITA
  • Elastic Stack
  • Sysmon
  • Trend Micro Managed XDR
  • Kaspersky Anti-Targeted Attack Platform
  • Cynet 360
  • Cuckoo Sandbox
  • Machinae
  • Exabeam Fusion
  • Splunk Enterprise Security
  • Intezer
  • Hunters XDR
  • YETI

1. ANY.RUN

ANY.RUN is an interactive malware analysis platform that enables real-time investigation of suspicious files and URLs in a secure virtual environment. 

It supports a wide range of file types, including executables, documents, and URLs, providing detailed reports on system changes, file activity, registry modifications, and network traffic. 

This level of insight helps organizations understand attack lifecycles and detect Indicators of Compromise (IOCs).

The platform features both private analysis options for confidentiality and a public database of shared malware samples, fostering collaboration and learning within the cybersecurity community. 

ANY.RUN is particularly valuable for identifying sophisticated threats like ransomware, spyware, and banking trojans. By offering real-time interactivity, it helps in understanding complex malicious behavior that static analysis might miss.

However, due to the expense and power of this package, it is likely to be more appealing to large firms than small organizations.

Features

  • Fully interactive sandbox for manual investigation of malware behavior in real-time.
  • Ability to simulate user interactions and custom scenarios to trigger hidden malware functionality.
  • Real-time observation of malicious activity, including file creation, registry changes, and network communications.
  • Support for multiple OS environments (Windows XP, 7, 10, 11) and browser testing for URL and phishing analysis.
  • Detailed network activity logs, including domain, IP address, port, and protocol monitoring.
Pros
  • Interactive Analysis: Real-time, hands-on malware analysis for deeper insights.
  • User-Friendly Interface: Intuitive design suitable for all expertise levels.
  • Cloud-Based Accessibility: No setup required, accessible from anywhere.
  • Visual Insights: Clear process trees and network activity visualizations aid understanding.

Cons
  • Limited Free Version: Advanced features require a paid subscription.
  • Privacy Risks: Uploading files to the cloud may raise confidentiality concerns.
  • Internet Dependency: Requires reliable internet connectivity to function.
  • No Offline Option: Inaccessible for air-gapped or isolated environments.

Price

You can get a free trial and personalized demo from here.

2. CrowdStrike Falcon

CrowdStrike Falcon is a cloud-based security product with an EDR called Insight and an XDR. The EDR integrates with CrowdStrike’s on-device systems, while the XDR incorporates SOAR.

CrowdStrike’s only product that operates on endpoints is Falcon Prevent, a next-generation antivirus solution, and this executes its threat detection and protection response.

If the Falcon Prevent purchaser also has a subscription to one of the cloud-based services, the AV is an agent for it.

Features:

  • Falcon Prevent’s next-generation antivirus (NGAV) features protect your business from malware and malware-free threats.
  • Machine learning to identify known malware, exploit blocking, IOA behavioral techniques, and unknown malware exploit identification.
  • Falcon Discover monitors privileged user accounts and finds unapproved systems and apps for IT hygiene.
Pros
  • It has an option for a managed service.
  • Threat intelligence feed.
  • It incorporates SOAR.

Cons
  • It takes time to evaluate the numerous options.

Price

You can get a free trial and personalized demo from here.

3. YARA 

YARA is a popular open-source threat-hunting tool for detecting and identifying malware.

It provides a simple yet powerful language for defining malware signatures and a flexible framework for scanning and matching files against those signatures.

It is often used for threat hunting, proactively searching for signs of malicious activity in an organization’s systems and networks.

With YARA, security analysts can create custom signatures to identify specific types of malware, such as those used in targeted attacks, and scan systems and networks to identify instances of that malware.

Features:

  • It lets security experts define complicated behavior patterns and malware characteristics using a simple yet effective language for malware signatures.
  • YARA scans executable, document, and memory dump files and matches them against custom signatures to find malware.
Pros
  • YARA is an open-source tool, making it freely available and accessible to organizations of all sizes.
  • It can be integrated with other security tools.
  • YARA can scale to handle large volumes of data, making it suitable for use in large organizations with complex networks and systems.

Cons
  • It has limited functionality compared to other threat hunting tools.
  • Its language for creating signatures can be complex and challenging to learn.
  • Its development and maintenance are dependent on the contributions of its community of users.
  • It does not provide built-in threat intelligence.

Price

You can get a free trial and personalized demo from here.

4. SolarWinds Security Event Manager

SolarWinds Security Event Manager is the optimal solution for system administrators that wish to retain everything in-house. The program runs on the server and investigates all other network destinations.

This system uses real-time network performance statistics derived from sources, including the Simple Network Management Protocol (SNMP) and log entries.

This threat hunting tool provides a centralized platform for collecting, analyzing, and responding to security events generated by various security technologies, including firewalls, intrusion detection systems, and endpoint protection solutions.

Features

  • Centralized collection and normalization of logs from firewalls, IDS/IPS, endpoint protection, servers and network devices.
  • Built-in correlation rules and behavioral analytics to surface suspicious activity.
  • Integrates with other security products and cloud-hosted log sources to give a single view of activity.
  • Automated responses (block an IP, disable an account, kill a process) can be attached to rules.
  • Compliance reporting and audit features help meet regulatory requirements.
Pros
  • Acts as a full SIEM.
  • Manages and searches log files.
  • Implements automated responses.
  • Uses both live network data and logs.
Cons
  • On-premises only; there is no cloud-hosted version.

Price

You can get a free trial and personalized demo from here.

5. Wireshark

Wireshark is a popular open-source network protocol analyzer & threat hunting tool.

It is used for threat hunting, proactively searching for signs of malicious activity in an organization’s networks.

It allows network administrators and security professionals to capture, analyze, and inspect network traffic to identify potential security issues and understand network behavior.

With Wireshark, security analysts can capture network traffic and analyze it for unusual patterns of behaviors or other indicators of compromise.

Wireshark allows you to inspect individual packets, view the underlying protocols, and analyze traffic patterns, which can help identify anomalies and investigate security incidents.

Features

  • Captures live traffic from any interface and opens saved captures (pcap, pcapng) for offline analysis.
  • Dissects thousands of protocols, so every field of every packet can be read in human-readable form.
  • Display filters (for example tcp.port == 4444 or dns.qry.name contains "example") narrow a large capture to the traffic of interest, and "Follow TCP Stream" reconstructs a whole session.
  • Statistics, conversation and endpoint tables, I/O graphs and flow diagrams show traffic patterns at a glance.
Pros
  • Open-source software.
  • A large, active community supports and contributes to its development.
  • The GUI makes packet inspection approachable once the basics are learned.
Cons
  • Resource-intensive, especially when capturing and analyzing large volumes of traffic; for big jobs capture with tcpdump or dumpcap and open the file afterwards.
  • Steep learning curve for those unfamiliar with network protocols and packet analysis.

Price

Free and open source (GPLv2 licence).

6. Rapid7 InsightIDR

Rapid7 InsightIDR is a cloud-hosted SIEM with user and entity behavior analytics (UEBA) and endpoint detection that organizations use to identify and investigate threats.

Using machine learning over user and asset behavior, it ranks the most likely threats and presents them with actionable context: what the activity is, how it spread, and which users and assets it affects.

On endpoints and network shares it also inspects files and file-system modifications to flag previously unseen malware.

Features

  • A central dashboard for investigating security issues.
  • Connects to several threat intelligence feeds to enrich events with context.
  • Machine learning models flag anomalous user activity.
  • Routine tasks such as alert triage and remediation can be automated.
Pros
  • Deployment and first results in days rather than months.
  • Analyst productivity gains free up time for investigation.
  • Cloud-native, with a library of pre-built detections.
Cons
  • SOAR capability requires an additional fee.
  • Analysis of indicators of compromise is harder than it should be.
  • Scans consume noticeable network bandwidth and can slow operations.

Price

You can get a free trial and personalized demo from here.

7. Tcpdump


Tcpdump is a network packet capture and analysis tool similar to Wireshark. It is a command-line-based tool that captures network traffic and displays it in a human-readable format.

Network administrators and security professionals often use it for network troubleshooting and analysis.

It is used as a part of a threat hunting process by capturing and analyzing network traffic for signs of malicious activity.

Tcpdump’s main advantage over Wireshark is its speed and efficiency.

It operates at the command line and does not have a graphical interface, making it well-suited for use on large networks and capturing large amounts of traffic.

Features

  • Captures traffic from an interface and prints each packet as a human-readable one-liner.
  • Command-line operation keeps capture fast and works over SSH on headless servers.
  • BPF capture filters (for example port 4444, or host 203.0.113.7 and not port 443) limit what is captured to the traffic of interest.
  • The -w option saves raw packets to a pcap file for later analysis in Wireshark or other tools.
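Both Wireshark and tcpdump read and write the same classic pcap format, and "filtering" in either tool is just selecting decoded packets by field. As an added example (not from the article or either project), the following Python builds a two-packet capture in memory in exactly the layout tcpdump -w produces, reads it back with a minimal Ethernet/IPv4/TCP decoder, prints tcpdump-style summaries and applies a display-filter-style selection. The addresses, ports and timestamps are constructed.

```python
"""Added example (not from the article): a minimal reader for the classic pcap format that
tcpdump -w writes and Wireshark opens, plus display-filter-style selection over the decoded
packets. Only Ethernet/IPv4/TCP is decoded; the capture itself is constructed."""
from __future__ import annotations
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = [(0x02, "S"), (0x10, "."), (0x01, "F"), (0x04, "R"), (0x08, "P")]

def build_tcp_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame (checksums zeroed; enough for parsing)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def write_pcap(frames: list[tuple[float, bytes]]) -> bytes:
    """Serialize (timestamp, frame) pairs into pcap bytes (same layout as tcpdump -w)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def parse_pcap(data: bytes) -> list[dict]:
    """Decode Ethernet/IPv4/TCP records; non-IPv4 or non-TCP frames are skipped."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap: wrong magic or link type")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:      # EtherType IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                               # IP header length
        _, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
        if proto != 6:                                             # TCP only
            continue
        sport, dport, _, _, off_flags, _, _, _ = struct.unpack_from("!HHIIHHHH", frame, 14 + ihl)
        pkts.append({"ts": sec + usec / 1e6, "src": socket.inet_ntoa(src),
                     "dst": socket.inet_ntoa(dst), "sport": sport, "dport": dport,
                     "flags": off_flags & 0x1FF})
    return pkts

def flags_str(flags: int) -> str:
    return "".join(name for bit, name in TCP_FLAG_NAMES if flags & bit)

def summarize(pkt: dict) -> str:
    """tcpdump-like one-liner: 'src.sport > dst.dport: Flags [S]'."""
    return (f"{pkt['src']}.{pkt['sport']} > {pkt['dst']}.{pkt['dport']}: "
            f"Flags [{flags_str(pkt['flags'])}]")

def select(pkts: list[dict], **criteria) -> list[dict]:
    """Display-filter analogue: select(pkts, dport=4444) ~ Wireshark's tcp.dstport == 4444."""
    return [p for p in pkts if all(p.get(k) == v for k, v in criteria.items())]

# Constructed capture: one SYN to an unusual external port and one ordinary HTTPS SYN.
SAMPLE_PCAP = write_pcap([
    (1_700_000_000.25, build_tcp_packet("10.0.0.12", "203.0.113.7", 51234, 4444, 0x02)),
    (1_700_000_001.50, build_tcp_packet("10.0.0.12", "10.0.0.5", 51235, 443, 0x02)),
])

if __name__ == "__main__":
    for p in parse_pcap(SAMPLE_PCAP):
        print(summarize(p))
```

Writing SAMPLE_PCAP to disk gives a file that tcpdump -r and Wireshark open directly, which is a convenient way to check that your own decoder agrees with theirs before trusting it on real captures.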
Pros
  • The command-line interface and absence of a GUI make it fast and lightweight.
  • Its text output and pcap files are easily parsed and processed by other threat hunting tools, so it slots into larger pipelines.
Cons
  • The command-line interface is challenging for people not yet familiar with network protocols and packet analysis.
  • Protocol decoding is more limited than in Wireshark.
  • No graphical representation of traffic.

Price

Free and open source (BSD licence).

8. RITA


RITA (Real Intelligence Threat Analysis) is an open-source network analytics tool built for threat hunting and incident response.

Rather than capturing packets itself, it ingests Zeek (formerly Bro) connection, DNS and HTTP logs and analyzes them for signs of compromise such as command-and-control beaconing, unusually long connections, DNS tunnelling, and connections to blacklisted hosts.

Features

  • Analyzes Zeek network logs rather than raw packets, so it scales to large networks.
  • Beacon analysis scores each source/destination pair on the regularity of connection timing and size to expose periodic C2 check-ins.
  • Detects long-lived connections, DNS tunnelling and traffic to hosts on blacklists.
  • Produces text and HTML reports that can be sorted by score for triage.
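Beacon analysis is the part of RITA that practitioners most often want to understand, so here is an added example (not from the article or the RITA project) that does the core of it over constructed Zeek-style connection records: group connections per source/destination/port, compute the gaps between successive connections, and score how regular those gaps are. The score is a simplified stand-in for RITA's own algorithm (which also weighs data size and connection count), and the hosts, addresses and timings are assumptions.

```python
"""Added example (not from the article): beacon hunting over connection logs in the spirit of
RITA's beacon analysis. The scoring is a simplified stand-in for RITA's algorithm, and the
Zeek-style records are constructed."""
from __future__ import annotations
from collections import defaultdict
from statistics import median

def make_sample_log() -> list[tuple[float, str, str, int]]:
    """Constructed conn.log-style records as (ts, id.orig_h, id.resp_h, id.resp_p)."""
    recs = []
    # 10.0.0.12 checks in with 203.0.113.7:443 every 60 s with a few seconds of jitter (2 h).
    jitter = [0, 1, -1, 2, -2, 1, 0, -1]
    t0 = 1_700_000_000.0
    for i in range(120):
        recs.append((t0 + 60 * i + jitter[i % len(jitter)], "10.0.0.12", "203.0.113.7", 443))
    # 10.0.0.20 browses normally: irregular gaps between connections to 198.51.100.9.
    t = t0
    for gap in (5, 120, 13, 700, 2, 9, 1800, 45, 3, 260, 31, 4, 90, 15, 600,
                7, 22, 340, 1, 55, 12, 410, 8, 66, 150):
        t += gap
        recs.append((t, "10.0.0.20", "198.51.100.9", 443))
    return recs

SAMPLE_LOG = make_sample_log()

def beacon_scores(records, min_conns: int = 20) -> dict:
    """Group connections per (src, dst, port) and score interval regularity in [0, 1].

    regularity = 1 - MADM / median, where MADM is the median absolute deviation of the
    inter-connection intervals: a perfectly periodic beacon scores 1.0, random browsing
    scores near 0. Pairs with fewer than min_conns connections are not scored.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)
    results = {}
    for key, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        med = median(intervals)
        madm = median(abs(i - med) for i in intervals)
        regularity = max(0.0, 1.0 - madm / med) if med > 0 else 0.0
        results[key] = {"connections": len(times), "median_interval": med,
                        "madm": madm, "score": round(regularity, 3)}
    return results

def likely_beacons(records, threshold: float = 0.9) -> list:
    """Return the (src, dst, port) tuples whose regularity score meets the threshold."""
    return sorted(k for k, v in beacon_scores(records).items() if v["score"] >= threshold)

if __name__ == "__main__":
    for key, stats in sorted(beacon_scores(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(key, stats)
```

On real data the threshold needs tuning: software updaters and monitoring agents are also periodic, so the next step is to rank scored pairs by destination rarity and whether the destination is known-good, which is what RITA's blacklist checks and a threat intelligence feed add.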
Pros
  • Open-source software.
  • Integrates with other threat hunting tools (Zeek upstream, SIEMs and dashboards downstream).
  • Uses statistical analysis of connection metadata, so it catches C2 traffic that signature-based tools miss.
Cons
  • Steep learning curve.
  • Needs a Zeek sensor in place and enough storage for its logs.
  • Does no protocol decoding of its own; it sees only what Zeek logged.

Price

Free and open source.

9. Elastic Stack

The Elastic Stack is a freely available platform for data collection, storage, analysis and visualization (the core components are source-available under the Elastic License and SSPL, with an AGPL option added in 2024).

It is commonly used for log analysis, security analytics and threat hunting.

It comprises several components: Elasticsearch (a distributed search and analytics engine that stores and indexes large volumes of data), Logstash (ingestion and transformation pipelines), Beats (lightweight shippers that collect logs and metrics on hosts) and Kibana (web-based search, dashboards and visualization).

Together they provide a real-time platform for data analysis, monitoring and alerting, and Elastic Security adds prebuilt detection rules on top of it.

Features

  • Distributed search and analytics over enormous volumes of structured and unstructured data.
  • Log ingestion and transformation pipelines (Logstash and Elastic Agent/Beats).
  • Web-based exploration and visualization of the data in Kibana, including KQL queries and timeline views for hunting.

Pros
  • Designed to be highly scalable.
  • Advanced analysis capabilities, including machine learning and visualization.
Cons
  • Steep learning curve.
  • Resource-intensive.
  • A complex system to deploy and maintain.

Price

Free to download and self-host; advanced features are sold by subscription, and Elastic Cloud offers a free trial.

10. Sysmon

Sysmon (System Monitor), from the Windows Sysinternals suite, is a Windows system service and device driver that logs system activity to the Windows event log.

It records process creation with full command lines and file hashes, network connections, driver and image loads, file creation, registry changes, named pipes, WMI events and DNS queries, allowing you to monitor and analyze host activity for signs of compromise.

Features

  • Covers a broad set of host events, each with its own Event ID (for example 1 for process creation, 3 for network connections, 22 for DNS queries).
  • An XML configuration with include/exclude rules filters events by process name, hash, parent image, destination IP or port, so only relevant events reach the log.
  • Configuration changes and service state changes are themselves logged, which helps detect tampering with the monitoring.
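Sysmon only produces the log; the hunting happens wherever the events land. As an added example (not from the article or from Sysmon), the following Python reads Sysmon events exported as XML (for instance with wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml, wrapped in a root element) and applies two common heuristics: an Office application spawning a script host, and a living-off-the-land binary connecting outbound to a non-RFC1918 address on an uncommon port. Event IDs 1 and 3 are Sysmon's real process-creation and network-connection events; the events, the binary lists and the heuristics are constructed.

```python
"""Added example (not from the article): hunting over Sysmon events exported as XML.
Event IDs 1 (ProcessCreate) and 3 (NetworkConnect) are real Sysmon IDs; the events and the
"suspicious" heuristics below are constructed for illustration."""
from __future__ import annotations
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: three Sysmon events in the schema wevtutil/Get-WinEvent render.
SAMPLE_EVENTS = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID></System><EventData>
  <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
  <Data Name="CommandLine">powershell -nop -w hidden -enc SQBFAFgA</Data>
  <Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
  <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000001</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
  <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
  <Data Name="DestinationIp">203.0.113.25</Data>
  <Data Name="DestinationPort">8443</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
  <Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
  <Data Name="DestinationIp">10.0.0.5</Data>
  <Data Name="DestinationPort">443</Data>
</EventData></Event>
</Events>"""

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
LOLBINS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
COMMON_PORTS = {80, 443, 53}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_events(xml_text: str) -> list[dict]:
    """Flatten each <Event> into {"EventID": int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_internal(ip: str) -> bool:
    """RFC 1918 check done explicitly (ipaddress.is_private also covers documentation ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def hunt(events: list[dict]) -> list[str]:
    """Return one finding string per event that trips a heuristic."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if parent in OFFICE_PARENTS and child in LOLBINS:
                findings.append(f"office-spawn: {parent} -> {child}: {cmd}")
            elif " -enc " in cmd.lower():
                findings.append(f"encoded-powershell: {cmd}")
        elif ev["EventID"] == 3:
            ip, port = ev["DestinationIp"], int(ev["DestinationPort"])
            if (not is_internal(ip) and port not in COMMON_PORTS
                    and basename(ev["Image"]) in LOLBINS):
                findings.append(f"lolbin-egress: {basename(ev['Image'])} -> {ip}:{port}")
    return findings

if __name__ == "__main__":
    for line in hunt(parse_events(SAMPLE_EVENTS)):
        print(line)
```

The same two rules translate directly into Sysmon include filters or SIEM queries; the value of prototyping them in a script is that you can replay a day's worth of exported events and count false positives before turning them into alerts.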
Pros
  • Detailed, high-fidelity event logging.
  • Logs its own configuration changes, which supports tamper detection.
  • Lightweight enough to run on every endpoint.
Cons
  • Primarily a Windows tool (a separate Sysmon for Linux port exists).
  • Only logs; analysis and alerting need a SIEM or other tool.

Price

Free (Microsoft Sysinternals).

11. Trend Micro Managed XDR


Trend Micro Managed XDR is a threat-hunting tool that helps organizations identify and respond to advanced threats.

It monitors endpoints, networks, and cloud environments to detect suspicious behavior and potential attacks.

The tool also uses machine learning to provide advanced threat analysis and offers automated response capabilities to contain and neutralize threats.

Managed XDR offers a centralized dashboard for threat management and a team of expert security analysts to provide additional support.

Features

  • Continuous monitoring of endpoints, network and cloud environments.
  • AI-assisted threat analysis.
  • Automated actions to contain and neutralize threats.
  • A single threat dashboard.
  • Support from Trend Micro security analysts.
Pros
  • Proactive threat hunting to identify and contain advanced threats.
  • Automated response capabilities to contain and neutralize threats quickly.
  • A centralized dashboard provides a single pane of glass for threat management.
  • The analyst team offers additional support and insight.
Cons
  • Cost may be a barrier for smaller organizations.
  • Some organizations prefer an on-premises solution to a cloud-based one.
  • Security teams may need additional training to use the platform fully.

Price

You can get a free trial and personalized demo from here.

12. Kaspersky Anti-Targeted Attack Platform 

Kaspersky Anti-Targeted Attack Platform (Kaspersky ATAP) is a threat hunting tool that helps organizations detect and respond to targeted attacks, including advanced persistent threats (APTs).

It uses a combination of machine learning and human expertise to identify patterns and anomalies that may indicate an attack is underway.

Kaspersky ATAP offers a range of detection and response capabilities, including endpoint protection, network monitoring, and automated response.

Features

  • Detecting targeted attacks and advanced persistent threats with machine learning and human knowledge.
  • Network monitoring, endpoint protection, and automatic response.
  • Centralized threat dashboard.
  • Enhanced reporting and analysis.
Pros
  • Advanced threat hunting capabilities to help detect and respond to targeted attacks.
  • A range of detection and response capabilities to contain and neutralize threats quickly.
  • A centralized dashboard provides a single pane of glass for threat management.
Cons
  • Some organizations prefer an on-premises solution to a cloud-based one.
  • Some governments and organizations have questioned Kaspersky's reputation due to alleged ties to the Russian government, and several restrict or ban its products in government use.

Price

You can get a free trial and personalized demo from here.

13. Cynet 360


Cynet 360 is a threat hunting tool that provides a comprehensive platform for managing and responding to security threats.

The tool offers a range of capabilities, including endpoint protection, network monitoring, and automated response.

Cynet 360 also uses machine learning and behavioral analysis to identify suspicious behavior and potential threats. 

Features

  • Endpoint protection, network monitoring, and automated response capabilities.
  • Machine learning and behavioral analysis to identify suspicious behavior and potential threats.
  • Centralized dashboard for threat management.
  • Advanced reporting and analysis features.
  • Dedicated threat response team for additional support.
  • Managed services for platform deployment and configuration.
Pros
  • A comprehensive set of capabilities for managing and responding to security threats.
  • Machine learning and behavioral analysis detect and respond to threats quickly.
  • A dedicated threat response team offers additional support and expertise.
  • Managed services help organizations deploy and configure the platform effectively.
Cons
  • Some organizations prefer an on-premises solution to a cloud-based one.
  • Security teams may need additional training to use the platform fully.

Price

You can get a free trial and personalized demo from here.

14. Cuckoo Sandbox


Cuckoo Sandbox is an open-source automated malware analysis system: it runs suspicious files and URLs inside isolated virtual machines so that analysts can observe what the code does without risking production systems.

It supports a wide range of inputs, including Windows executables, Office documents, PDFs, scripts and URLs.

Each analysis produces a detailed report covering process and API-call activity, file, registry and mutex changes, network traffic (with an accompanying pcap), dropped files and screenshots, together with behavioral signatures that summarize the findings.

Cuckoo exposes a REST API and integrates with other security tools such as IDS/IPS and SIEM solutions.

Note that the original Cuckoo project is no longer actively maintained; the CAPEv2 and Cuckoo3 forks carry the work forward with current operating-system support.

Features

  • Virtual environment for analyzing suspicious files and URLs.
  • Supports a wide range of file formats and protocols.
  • Provides detailed reports on the behavior of the analyzed code.
  • Supports integrations with other security tools.
Pros
  • Open-source and free to use.
  • A safe, controlled environment for analyzing potentially malicious code.
  • Supports a wide range of file formats and inputs.
  • Detailed behavioral reports with network captures and dropped files.
  • Integrates with other security tools.
Cons
  • Requires technical expertise to set up, and to keep the analysis VMs realistic enough to defeat sandbox-evasion checks.
  • Limited support and documentation compared with commercial solutions.
  • It is an analysis sandbox, not a platform for managing and responding to security threats.
  • Provides no endpoint protection or automated response.

Price

Free and open source (GPLv3 licence).

15. Hurricane Labs Machinae


Machinae is an open-source OSINT tool from Hurricane Labs that automates looking up security indicators across many public sources on the internet.

Given domains, IP addresses, URLs, email addresses, file hashes and similar identifiers, it queries a range of open-source intelligence services (reputation lists, WHOIS, passive DNS, Shodan and others) and collates the results.

The collected data helps an analyst decide quickly whether an indicator seen in an investigation is known-bad and what infrastructure it is related to.

The tool is designed to be extensible and customizable: sources are defined in its configuration, so security teams can plug in their own feeds and paid services.

Features

  • Automates gathering information about indicators from many sources on the internet.
  • Uses a range of OSINT techniques to enrich domains, IP addresses, email addresses, hashes and other identifiers.
  • Collates the results so that the risk posed by an indicator can be judged quickly.
  • Designed to be extensible and customizable.
  • Integrates with other security tools and data sources such as Shodan.
Pros
  • Open-source and free to use.
  • Automates the tedious step of querying many sources about an indicator.
  • Uses a range of OSINT techniques.
  • Integrates with other security tools.
  • Extensible and customizable.
Cons
  • Not a platform for managing and responding to security threats; it only enriches indicators.
  • Relies on publicly available sources, which may be incomplete or out of date.

Price

Free and open source.

16. Exabeam Fusion

Exabeam Fusion is a cloud-based threat hunting tool that uses machine learning and behavior analytics to detect and respond to security threats.

The tool integrates various security solutions, such as SIEMs, EDRs, and cloud infrastructure, to comprehensively view an organization’s security posture.

Exabeam Fusion uses advanced analytics and automation to detect and investigate potential threats and provides a range of response options to contain and remediate any security incidents.

Additionally, Exabeam Fusion provides a range of compliance and audit features to help organizations meet regulatory requirements.

Features

  • Threat detection built on user and entity behavior analytics (UEBA) and machine learning, which baselines normal behavior and scores deviations.
  • Timelines that stitch together a user's or asset's activity across log sources to speed up investigation.
  • A range of response options to contain and remediate security incidents.
  • Compliance and audit features to help organizations meet regulatory requirements.
Pros
  • A comprehensive view of an organization's security posture.
  • Advanced analytics and automation to detect and investigate potential threats.
  • A range of response options to contain and remediate security incidents.
  • Compliance and audit features to help organizations meet regulatory requirements.
  • An easy-to-use interface.
Cons
  • A steeper learning curve than some other tools because of its advanced features.
  • Some users report issues with false positives and false negatives.

Price

You can get a free trial and personalized demo from here.

17. Splunk Enterprise Security


Splunk Enterprise Security (ES) is one of the most widely used SIEM products; what sets it apart is that security analytics and threat intelligence are built into the core of the SIEM rather than bolted on.

It monitors network and device data in near real time, searches for indicators of compromise and flags unusual activity.

Its notable events are alerts whose conditions, severity and workflow the user can tailor. Splunk ES is a highly adaptable solution that sits on top of the Splunk platform for data analysis.

Starting from the supplied correlation searches, you can write your own threat-hunting queries in SPL, analysis routines and automated defensive actions. Splunk ES is intended for organizations of all types.

However, given the cost and scale of the package, it is more appealing to large firms than to small organizations.

Features

  • Correlation searches, risk-based alerting and notable events for detection and triage.
  • A threat intelligence framework that ingests feeds and matches indicators against incoming data.
  • Through the Splunk Secure Gateway app and Spacebridge (an end-to-end encrypted relay service), dashboards and alerts are available on mobile devices, and you can act on alerts from your phone.
  • Dashboards can be shown on Apple TV, Android TV or Fire TV screens in the office, NOC or SOC, and mobile devices can be managed as a group.
  • Users who do not know SPL can still interact with the data through prebuilt dashboards.
Pros
  • Behavior analysis can surface threats that simple log rules miss.
  • An excellent, attractive user interface that is simple to customize.
  • Event prioritization is simple.
  • Enterprise-focused.
  • Compatible with Linux and Windows.
Cons
  • Pricing is not published; a quote from the vendor is required.
  • More suitable for large organizations.
  • Queries use the Search Processing Language (SPL), which adds to the learning curve.

Price

You can get a free trial and personalized demo from here.

18. Intezer


Intezer is a threat hunting and malware analysis platform built on genetic code analysis.

It breaks a binary into small code fragments ("genes") and compares them with a large index of known malware and trusted software, so code reuse and shared lineage across malware families stand out.

Because new samples usually reuse code from earlier ones, this approach can attribute previously unseen malware to a known family and support faster detection and response.

Intezer also provides verdicts and context for alerts that drive containment and remediation.

Features

  • Analyzes the code of unknown files to determine whether they contain malicious code.
  • Compares the "genes" of a file with those of known malware and trusted software to find commonalities and relationships between samples.
  • Detects threats in near real time, allowing quick response and remediation.
Pros
  • Genetic mapping can identify previously unknown threats that other platforms miss.
  • Quick identification and response reduce the risk of damage from an attack.
  • Automation speeds up analysis and reduces the workload on security teams.
Cons
  • Its detection approach centers on malware analysis and genetic mapping, so it is less effective against threats that involve no malware, such as phishing or social engineering.
  • Benign files can be flagged as malicious when they share code with malware samples (for example common packers or libraries).
  • Can be expensive, particularly for smaller organizations or those with limited budgets.

Price

You can get a free trial and personalized demo from here.

19. Hunters XDR


Hunters XDR (from the company Hunters) is a threat hunting tool that enables security teams to proactively detect and respond to cyber threats.

XDR stands for "extended detection and response": the tool ingests and correlates data from multiple sources, including endpoints, networks, identity and cloud services, to provide a comprehensive view of the organization's security posture.

Features

  • Access to a wide range of threat intelligence feeds to keep security teams up to date on the latest threats.
  • Automatically detects and prioritizes potential threats using machine learning and other advanced techniques.
  • Advanced search and investigation capabilities for detailed investigation of potential threats.
  • A range of response capabilities, including containment, isolation and remediation.
  • Integrates with many security tools and platforms, including SIEMs, firewalls and endpoint protection systems.
Pros
  • A comprehensive view of an organization's security posture from correlated data, allowing security teams to detect and respond to threats more effectively.
  • Advanced search and investigation capabilities.
  • Integrates with existing security tools and platforms, so teams use their current infrastructure more effectively.
  • Machine learning and other advanced techniques automate detection and response, reducing the workload on security teams.
Cons
  • Can be expensive, particularly for smaller organizations or those with limited budgets.
  • Like many detection tools, it can generate false positives that waste analyst time.
  • Preconfigured rules and alerts may limit how far teams can customize their detection and response strategies.

Price

You can get a free trial and personalized demo from here.

20. YETI


YETI (Your Everyday Threat Intelligence) is an open-source threat intelligence platform that lets security researchers collect, organize and visualize observables and indicators from various sources in order to identify potential security threats.

It provides a framework for collaboration and automation, allowing analysts to share and reuse their workflows and tools.

YETI aggregates data from sources such as malware repositories, sandboxes and threat intelligence feeds, and links observables (IPs, domains, hashes) to the malware, campaigns and actors they belong to.

It then provides tools to query and visualize this data, allowing analysts to identify potential threats and take appropriate action quickly.

Features

  • Collects data from sources such as malware repositories, sandboxes and threat intelligence feeds.
  • Provides tools for analyzing the data, including a query interface and tagging to classify observables.
  • Lets analysts collaborate on investigations and share their workflows and tools.
  • Routine tasks can be automated, freeing analysts to focus on more complex investigations.
  • Visualization tools help analysts identify patterns and anomalies in the data.
Pros
  • Open-source, so it is accessible to a wide range of users and developers.
  • Highly customizable: users can add their own data sources, analysis tools and visualizations.
  • Automates routine tasks, saving time and reducing the risk of errors.
  • Designed to handle large amounts of data, so it suits large-scale investigations.
Cons
  • Steep learning curve, particularly for users unfamiliar with query languages.
  • Setup can be time-consuming and complex, particularly for users unfamiliar with server administration.
  • Requires regular maintenance to keep data sources up to date and the system running smoothly.
  • Documentation is somewhat limited, particularly for advanced features.

Price

Free and open source.

Conclusion

There are various options for Threat Hunting Tools, including on-premises software packages, SaaS platforms, and managed services.

When recommending threat-hunting software, remember that enterprises of different sizes and kinds have distinct requirements.

No single package can therefore be named the best option for everyone; match the tool to your data sources, team skills and budget.

The post 20 Best Threat Hunting Tools – 2025 appeared first on Cyber Security News.

Top 6 Ways To Back Your Business Up With Cyber Threat Intelligence
https://cybersecuritynews.com/top-6-ways-to-back-your-business-up-with-cyber-threat-intelligence/
Wed, 08 Jan 2025 08:10:18 +0000

Threat intelligence is a cornerstone of a reliable cybersecurity framework. It means gathering information about cyber threats, analyzing it, and making data-based decisions that keep your business running.

This work is important since a single successful hacker attack can lead to financial losses, operational disruptions, reputation damage, and all the other sorts of trouble. 

For example, the UK haulage group KNP Logistics went into administration in September 2023 as a consequence of a ransomware attack.

The operator declared insolvency and made about 730 employees (81% of its staff) redundant without warning or compensation.

In the same year, the Australian consumer-finance company Latitude Financial put the cost of its cyberattack at about A$76 million.

To stay on top of emerging threats and gain deeper understanding of known ones, your cybersecurity team can employ a number of tools and information sources:

Threat Intelligence Solutions

Threat intelligence services gather, process, and enrich data to make it searchable and suitable for deriving analytical insights. ANY.RUN’s TI Lookup is an example of such a platform. It empowers users to:

  • Investigate known threats: malware names, IP addresses, URLs, domains, file names and hashes, and other entities known as Indicators of Compromise (IOCs) can be used as search queries, and several parameters can be combined in one request.
  • Discover emerging threats: deeper research into indicators of compromise, attack and behavior (IOCs, IOAs, IOBs) exposes trouble that may be brewing unless preventive measures are taken.
  • Grow users' expertise: TI tools help the team understand the threat landscape and attack mechanics better. For instance, threats can be linked to known tactics, and vice versa, with tools such as the MITRE ATT&CK framework enriched by samples from real incident analyses.

[Screenshot: TI Lookup provides samples of threats for each TTP]

MITRE ATT&CK Matrix lets you explore threats that employ particular TTPs — attackers’ tactics, techniques, and procedures.

On the screenshot above TI Lookup provides information on the tactic of encrypting system or network data in order to disrupt their functioning and demand a ransom.

Users can explore the examples of malware that employ this tactic and switch to the Interactive Sandbox to view any piece of malware in action.

For example, if you click on the second item in the list, from the third column you’d be able to choose a sandbox session and see how Babyk attacks a user’s computer:

[Screenshot: Babyk malware has encrypted user data and demands a ransom in cryptocurrency]

Here are a couple of examples of Lookup searches:

1. threatName:"phishing" AND submissionCountry:"CA" NOT taskType:"url"

[Screenshot: search results illustrating current phishing attacks targeting Canadian users]

As a result, we see a selection of public analysis sessions run in ANY.RUN’s Interactive Sandbox by users from Canada. These are the sessions that include phishing documents, emails, and other types of content, but not URLs.

By clicking any item on the list, you can view the analysis session in the sandbox.

2. destinationIP:"78.110.166.82"

[Screenshot: the results of an IP lookup, a malicious address associated with the Agent Tesla trojan]

Unusual IP connections often trigger security alerts, but in many cases the address turns out to be legitimate and the alert a false positive. To avoid dismissing a genuinely malicious address along with the noise, check it in TI Lookup (a free tier with 50 requests is available).

Threat Intelligence Feeds

Integrate real-time streams of data on malware, emerging threats and vulnerabilities with your cybersecurity systems (like SIEM) for continuous automated monitoring. For efficient intelligence:

  • Correlate Information: Use multiple feeds to cross-reference threats and identify patterns.
  • Customize for Your Needs: Focus on feeds that provide the most pertinent information for your industry or organization’s needs.

Threat Intelligence Feeds provided by ANY.RUN are easy to integrate in one click via API. You can test them via demo samples in STIX and MISP formats.
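What "integrating a feed" comes down to is parsing the indicators out of the feed format and matching them against your own telemetry. As an added example (not from the article or from ANY.RUN), the following Python loads a STIX 2.1 indicator bundle, one of the two formats mentioned above, extracts the simple comparison patterns it contains, and correlates them against proxy, firewall and EDR log lines. The bundle, its UUIDs, the domain, the hash and the log lines are constructed; the C2 address 78.110.166.82 is the one shown in the lookup above, and only the STIX object layout and pattern syntax are real.

```python
"""Added example (not from the article): ingesting a STIX 2.1 indicator bundle and correlating
its indicators against log lines. Bundle contents, UUIDs and log lines are constructed."""
from __future__ import annotations
import json
import re

# Constructed STIX 2.1 bundle with three indicators (IDs are illustrative UUIDs).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0f2c1e44-5d0a-4f41-9d2f-0c5a6b7e8d90",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1b2c3d4e-0000-4000-8000-000000000001",
         "name": "C2 address", "pattern_type": "stix", "valid_from": "2025-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '78.110.166.82']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1b2c3d4e-0000-4000-8000-000000000002",
         "name": "Phishing domain", "pattern_type": "stix", "valid_from": "2025-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'login-verify.example']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1b2c3d4e-0000-4000-8000-000000000003",
         "name": "Dropper hash", "pattern_type": "stix", "valid_from": "2025-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90']"},
    ]})

# Constructed log lines in key=value style, as a SIEM might normalize them.
SAMPLE_LOGS = [
    "2025-07-29T10:00:01Z proxy src=10.0.0.12 host=login-verify.example url=/auth action=allow",
    "2025-07-29T10:00:05Z fw src=10.0.0.12 dst=78.110.166.82 dport=8080 action=allow",
    "2025-07-29T10:00:09Z edr host=WS-042 "
    "sha256=a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90 "
    "path=C:\\Users\\a\\Down\\inv.exe",
    "2025-07-29T10:00:12Z fw src=10.0.0.20 dst=10.0.0.5 dport=443 action=allow",
]

# Single-comparison STIX patterns: [object-type:property = 'value']
PATTERN_RE = re.compile(r"\[(?P<obj>[a-z0-9-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']+)'\]")
KIND = {("ipv4-addr", "value"): "ip", ("domain-name", "value"): "domain",
        ("file", "hashes.'SHA-256'"): "sha256"}

def load_indicators(bundle_json: str) -> dict:
    """Return {kind: {value: indicator name}} for the simple patterns we support.
    Compound patterns (AND/OR, FOLLOWEDBY) are skipped; they need a real STIX pattern engine."""
    table: dict = {"ip": {}, "domain": {}, "sha256": {}}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if not m:
            continue
        kind = KIND.get((m["obj"], m["prop"]))
        if kind:
            table[kind][m["val"].lower()] = obj.get("name", obj["id"])
    return table

KV_RE = re.compile(r"(\w+)=(\S+)")
FIELD_KIND = {"src": "ip", "dst": "ip", "host": "domain", "sha256": "sha256"}

def correlate(log_lines: list[str], table: dict) -> list[dict]:
    """Match each key=value field of each line against the indicator table."""
    hits = []
    for line in log_lines:
        for key, val in KV_RE.findall(line):
            kind = FIELD_KIND.get(key)
            if kind and val.lower() in table[kind]:
                hits.append({"indicator": table[kind][val.lower()], "field": key,
                             "value": val, "line": line})
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS, load_indicators(SAMPLE_BUNDLE)):
        print(hit["indicator"], "<-", hit["field"], "=", hit["value"])
```

Two practical points the code makes visible: feed indicators should be normalized (lower-cased, de-bracketed) before they are compared, and a feed match on an outbound allow is a hit on something already past the perimeter, so these alerts deserve a higher priority than an inbound block.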

Publicly Available Reports

Cybersecurity companies regularly analyze attacks and vulnerabilities and publish their research. To get the most out of this source, your security team should:

  • Integrate the recent report analysis into their routine;
  • Keep their eye out for trends;
  • Implement recommendations from the reports.

Dark Web Forums

Home sweet home for hackers. Security experts visit them from time to time to see what the hackers are up to. By monitoring these forums, they ferret out valuable information about planned attacks, new exploit techniques, and stolen data. They need to:

  • Use monitoring tools. Such tools can automatically track topics and discussions based on given keywords;
  • Analyze information. Chatter is raw data; to make it of use, research the discussed threats, mentioned malware, attacks, victims and targets.

Data Mining

Analyzing data on your corporate network's performance allows your team to identify potential threats:

  • Anomaly Detection: By scrutinizing network traffic and system logs, data mining techniques can reveal suspicious behavior that may indicate an attack in progress;
  • Predictive Analytics: Historical data can predict future attack trends.

Deploying Honeypots

Honeypots are fake targets set up to attract cybercriminals and gather intelligence on their tactics and methods. To use honeypots effectively:

  • Simulate Real Systems: Honeypots should mimic genuine vulnerabilities to lure attackers;
  • Gather Attack Data: Record all interactions with the honeypot to study the attackers’ methods, tools, and behaviors in a controlled environment.

Power Your Threat Intelligence with TI Lookup

The best strategy is combining the most powerful tools and exploiting each of them to their full potential. A threat intelligence platform like ANY.RUN’s TI Lookup is fit to be the core of your security architecture.

It offers:

  • Extensive and growing database: over 40 different threat data types, including system events and indicators of compromise (IOCs), indicators of behavior (IOBs), and indicators of attack (IOAs).
  • Fresh Results: Access to the latest data collected over the past 180 days from thousands of sandbox sessions.
  • Customizable Queries: choose from several dozen parameters, combine multiple indicators, use wildcards and YARA rules.
  • Integration with Sandbox: View sandbox sessions — malware detonated in the safe environment of a virtual machine — where particular indicators or events were discovered.
  • Real-time Updates: Receive timely alerts on relevant threats to ensure ongoing protection.

Want to have a go? Get 50 free requests and test all the features of TI Lookup

The post Top 6 Ways To Back Your Business Up With Cyber Threat Intelligence appeared first on Cyber Security News.

Hackers Using AV/EDR Tool “EDRSandBlast” To Bypass Endpoints https://cybersecuritynews.com/av-edr-bypass-tool/ Mon, 04 Nov 2024 14:44:53 +0000
AV, anti-malware, and EDR are tools that are primarily used to detect and prevent cyber-attacks.

AV/EDR bypass tools, by contrast, are designed to evade detection by AV and EDR systems, and they are often used by threat actors for malicious purposes.

Cybersecurity researchers at Palo Alto Networks’ Unit 42 recently discovered that hackers have been actively using AV and EDR bypass tools from cybercrime forums to bypass endpoints.

EDRSandBlast to Bypass Defences

The investigation of an extortion incident uncovered two compromised endpoints running outdated Cortex XDR agents. 

These endpoints were being used to test an AV/EDR bypass tool named “disabler.exe,” a modified version of “EDRSandBlast” designed to disable security hooks in both user-mode libraries and kernel-mode callbacks.


The investigation revealed a virtual machine (hostname: DESKTOP-J8AOTJS) containing sophisticated attack tools, including “Mimikatz” (a credential harvesting tool), “shellcode generators,” “kernel driver utilities,” and “code obfuscation tools.” 

Notable discoveries included “ContiTraining.rar” (containing leaked Conti ransomware playbooks), alongside files connecting to cybercrime forums XSS and Exploit through a user known as “Marti71” and “KernelMode”. 

High-level chain of events (Source – Palo Alto Networks)

The analysis of the system also revealed connections to domains like ‘temp.vxsh.net’ (used for fake AV/EDR tokens) and evidence of tool testing via ‘Oracle VM VirtualBox.’

The threat actor’s operational security was compromised through artifacts including a Kazakhstan-based P-1 form, browser history showing visits to ya.ru and sourceforge.net, and video demonstrations recorded using OBS Studio that showed “WinBox” (Mikrotik router administration tool) usage under a username beginning with “Andry.” 

P-1 form recovered from the rogue system (Source – Palo Alto Networks)

The endpoints contained a “Z:\freelance” directory structure that helped map connections between various criminal affiliates and their tools.

Besides this, the security investigation uncovered a sophisticated cyber attack with tactics matching the Conti ransomware playbook, specifically through several technical indicators like:

  • Attackers used Atera for initial access and persistence.
  • Deployed Cobalt Strike beacons (watermark ID: 1357776117) for C&C.
  • Used PsExec for lateral movement.
  • Leveraged Rclone for data theft. 

Analysis of the Cobalt Strike configuration revealed connections to approximately “160” unique IP addresses and domain names with some infrastructure overlapping with “Dark Scorpius” (aka ‘Black Basta’) ransomware operations. 

The breakthrough of the investigation came via the discovery of a compromised system labeled “DESKTOP-J8AOTJS,” which contained revealing artifacts like AV/EDR bypass tool demonstration videos and a P-1 expense form. 

These operational security failures led investigators to identify an individual named “Andry” from Kazakhstan, who appears to operate under the alias “KernelMode” on cybercrime forums. 

Linkedin profile of the rogue individual (Source – Palo Alto Networks)

This individual is believed to be active in developing “sophisticated AV/EDR bypass tools” that are distributed via “subscription-based models” in underground markets. However, the direct evidence linking them to the actual network intrusion remains unclear.

The technical sophistication of the attack, which appears to have been interrupted before reaching its final stage, highlights the evolving nature of modern cyber threats that combine both “automated tools” and “human expertise.”

Massive Midnight Blizzard Phishing Attack Via Weaponized RDP Files https://cybersecuritynews.com/phishing-attack-weaponized-rdp-file/ Wed, 30 Oct 2024 08:21:11 +0000
Threat actors impersonate trusted entities to deceive individuals into revealing sensitive information in phishing attacks.

Phishing attacks are executed via fraudulent emails and messages with malicious links that lead to fake websites. Phishing remains one of the most dominant forms of cyber threat and comes in many varieties.

Microsoft Threat Intelligence researchers recently discovered a massive Midnight Blizzard Phishing attack that has been using weaponized RDP files.

Russian cyber threat group Midnight Blizzard (aka “APT29,” “UNC2452,” and “Cozy Bear”), operating under Russia’s Foreign Intelligence Service (SVR), initiated a sophisticated “cyber-espionage campaign” on October 22, 2024.

This espionage campaign targets multiple sectors:

  • Government agencies
  • Academic institutions
  • Defense organizations
  • Non-governmental organizations (NGOs)

The threat actors employed spear-phishing emails containing malicious RDP configuration files (.RDP files) that connect the victims to attacker-controlled servers when opened.


The campaign’s distinctive features include impersonation of Microsoft employees to appear legitimate, abuse of cloud service providers’ trust relationships, and deployment of specialized malware like “FOGGYWEB” and “MAGICWEB.” 

Malicious remote connection (Source – Microsoft)

This malware specifically targets a critical authentication system, Active Directory Federation Services (AD FS).

The threat actor’s tactics also encompass stealing legitimate credentials by compromising “supply chains” and “moving laterally from on-premises networks to cloud environments,” which has affected thousands of targets across more than 100 organizations, primarily in the “United States” and “Europe.”

This campaign, which has been independently confirmed by Ukraine’s “CERT-UA” (as UAC-0215) and “Amazon,” represents a previously unseen approach for this group through its use of “signed RDP configuration files,” marking an evolution in their persistent intelligence-gathering operations that date back to 2018.

In this malicious campaign the threat actors targeted thousands of users across 100+ organizations using misleading emails that impersonated “Microsoft,” “Amazon Web Services” (AWS), and “Zero Trust security concepts.” 

The malicious files enable bidirectional mapping of resources that expose sensitive data like “local hard drives,” “clipboard contents,” “printers,” “peripheral devices,” “audio systems,” and “Windows authentication features” (including ‘smart cards’ and ‘Windows Hello credentials’). 

This access allowed the threat actors to potentially install malware and RATs in AutoStart folders and maintain persistent system access even after RDP sessions terminated.

The campaign focused on entities in the “United Kingdom,” “Europe,” “Australia,” and “Japan.”

Here the threat actors leveraged previously compromised legitimate email addresses from other organizations to distribute these phishing emails, which makes the campaign appear more credible to targets.

By exploiting the RDP connection’s configuration settings the threat actors gained access to multiple system components like “connected network drives,” “Point of Service (POS) devices,” “web authentication mechanisms” using passkeys, and security keys. 

This helps the threat actors to effectively create a comprehensive system compromise that could persist beyond the initial attack.
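As an added example (not code from Microsoft or the article), the following Python parses an .rdp file and flags the resource redirections the campaign relied on; the setting names are real RDP file settings, while the trusted-host allowlist and the two sample files are constructed.

```python
"""Added example (not from Microsoft or the article): flag .rdp files that
redirect local resources to the remote host.

An .rdp file is plain text with one `name:type:value` setting per line, where
type is `i` (integer) or `s` (string). The setting names below are real RDP
file settings; the host allowlist and the sample files are constructed.
"""
from typing import Dict, List, Tuple

# Setting -> the local resource it exposes (the classes the article lists).
# An `i` setting exposes the resource when non-zero; an `s` setting when
# non-empty ("*" means every drive or device).
RISKY_SETTINGS: Dict[str, str] = {
    "drivestoredirect": "local hard drives",
    "redirectclipboard": "clipboard contents",
    "redirectprinters": "printers",
    "devicestoredirect": "peripheral devices",
    "redirectposdevices": "Point of Service (POS) devices",
    "audiocapturemode": "audio systems (microphone capture)",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn credentials (passkeys, security keys)",
}

# Hosts your own administrators legitimately publish .rdp files for (constructed).
TRUSTED_HOSTS = {"rdp.corp.example"}


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse `name:type:value` lines into {name: (type, value)}.

    split(":", 2) keeps colons inside the value intact, which matters for
    `full address:s:host:3389`. Blank and malformed lines are skipped.
    """
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, kind, value = (p.strip() for p in parts)
        settings[name.lower()] = (kind.lower(), value)
    return settings


def is_enabled(kind: str, value: str) -> bool:
    """True when a setting turns a redirection on, judged by its type."""
    if kind == "i":
        return value.isdigit() and int(value) != 0
    return value != ""


def assess_rdp(text: str) -> Dict[str, object]:
    """Return the remote host, the exposed resources and a verdict."""
    settings = parse_rdp(text)
    exposed: List[str] = [
        resource
        for name, resource in RISKY_SETTINGS.items()
        if name in settings and is_enabled(*settings[name])
    ]
    # Strip an optional :port; IPv6 literals are not handled in this example.
    host = settings.get("full address", ("s", ""))[1].split(":")[0].lower()
    # Redirection to a host nobody in the organisation vouches for is the
    # pattern of the lure files; redirection to a trusted host is routine.
    suspicious = bool(exposed) and host not in TRUSTED_HOSTS
    return {"host": host, "exposed": exposed, "suspicious": suspicious}


# Constructed sample mimicking a lure: every redirection on, unknown host.
LURE_RDP = """\
screen mode id:i:2
full address:s:compliance-check.example-lure.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
devicestoredirect:s:*
redirectposdevices:i:1
audiocapturemode:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
"""

# Constructed sample of a benign admin-issued file: no redirection, trusted host.
BENIGN_RDP = """\
full address:s:rdp.corp.example
drivestoredirect:s:
redirectclipboard:i:0
redirectsmartcards:i:0
"""

if __name__ == "__main__":
    for label, content in (("lure", LURE_RDP), ("benign", BENIGN_RDP)):
        print(label, assess_rdp(content))
```

Fed the files quarantined by a mail gateway, the same check turns the report's mitigation advice into a concrete alert condition.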

Mitigations

Here below we have mentioned all the mitigations:

  • Make sure to strengthen the operating environment configuration.
  • Always strengthen endpoint security configuration.
  • Make the antivirus configuration secure and robust.
  • Double-check and secure Microsoft Office 365 settings.
  • Secure email security configuration is necessary.
  • Conduct user training.

IoCs

Email sender domains:


RDP file names:

AWS IAM Compliance Check.rdp
AWS IAM Configuration.rdp
AWS IAM Quick Start.rdp
AWS SDE Compliance Check.rdp
AWS SDE Environment Check.rdp
AWS Secure Data Exchange – Compliance Check.rdp
AWS Secure Data Exchange Compliance.rdp
Device Configuration Verification.rdp
Device Security Requirements Check.rdp
IAM Identity Center Access.rdp
IAM Identity Center Application Access.rdp
Zero Trust Architecture Configuration.rdp
Zero Trust Security Environment Compliance Check.rdp
ZTS Device Compatibility Test.rdp

GPTHoney – New Linux Honeypot To Engage In Real Time With Threat Actors https://cybersecuritynews.com/gpthoney-llinux-honeypot/ Thu, 10 Oct 2024 15:01:22 +0000
A honeypot is a ‘cybersecurity mechanism’ that is primarily designed to lure threat actors away from legitimate targets.

It does this by simulating a valuable asset like a “server” or “application.”

It also serves as a lure that enables organizations to “monitor” and “analyze” the ‘tactics’ and ‘techniques’ used by threat actors.

Christopher Schroeder, an ISC intern as part of the SANS[.]edu BACS program recently uncovered a new Linux honeypot to engage in real-time with threat actors, and this honeypot is dubbed “GPTHoney.”

Technical Analysis

GPTHoney is a groundbreaking advancement in honeypot technology: it implements “LLMs” in a more convenient and professional way, creating a smart and clever cybersecurity “research environment.”


Instead of simulating a terminal, this new approach mimics a “Linux-based operating system” that interfaces with commands: it handles “SSH” connections on port 22 and treats the attacker’s input as commands to execute.

In contrast to traditional honeypots, GPTHoney provides individual, separate, self-contained shells for each IP address. It also keeps detailed command history logs, which enable session persistence.

The system’s architecture incorporates three distinct plugin types:

  • Type 1 for direct API communication.
  • Type 2 for pre-API command processing.
  • Type 3 for post-API response modification. 

GPTHoney is adept at constructing the most convincing corporate environments focused on “financial,” “healthcare,” or “technology.” 

Flow of a single command (Source – SANS)

With the help of a sophisticated “prompt.yml” configuration file, it creates those convincing corporate environments with ‘realistic file systems,’ ‘user management,’ and ‘command execution rules.’

Command Execution instructions in the prompt.yml file (Source – SANS)

The system seamlessly integrates with the latest models of “OpenAI” and “Anthropic.” A “handle_cmd” function then processes the commands and manages ‘logging,’ ‘plugin interactions,’ and ‘response delivery.’

This creates an engaging and tricky environment that can maintain attacker interest for an extended period of time.

To make sure that the simulation maintains authenticity while collecting “comprehensive logs” of attacker behavior in a controlled environment, it offers “delayed ping responses” (0.3-1.8 seconds) and “customizable SSH banners.”

Here below we have mentioned all the key features of GPTHoney:

  • Ultra-lightweight (<20KB)
  • AI-generated responses to commands
  • Real-time, dynamic environments for each actor
  • Custom command handling via plugins
  • Detailed logging
  • OS changes via plain English prompts

In the architecture of the OS, the command history log serves as a “critical memory management system.” Through a “sophisticated logging mechanism,” it’s designed to track and store user interactions.

The system generates dedicated text files following the naming convention “commands_<IP>.txt” automatically when the users connect via their unique “IP addresses.”

All device commands and LLM responses are recorded carefully. For each user session, this implementation creates “isolated environments.”

By storing “command histories,” “environment configurations,” and “execution states” the system maintains the session persistence. 

Upon reconnection, the system automatically reloads the previous session’s state via “JSON-formatted” logs.

This contains important metadata like ‘timestamps’ (in “Zulu” time zone), ‘session IDs,’ ‘action types’ (like “command_execution”), and ‘detailed command outputs.’ 

This comprehensive logging architecture enables seamless session management, facilitates “debugging processes,” and “supports advanced features.”

The features include ‘simulated privilege escalation’ through ‘sudo commands.’ This makes it valuable for ‘security monitoring’ and ‘system administration tasks.’ 

The system’s ability to maintain distinct, isolated environments for each IP address ensures reliable long-term interaction tracking while preserving the exact state of “user sessions,” “directory structures,” and “environment variables between connections.”
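An added example (not GPTHoney’s own code) of the per-IP command log and state replay described above: one JSON record per line in commands_<IP>.txt, carrying a Zulu timestamp, session id and action type, replayed on reconnection to rebuild the working directory and environment variables. The field names, the replay rules and the sample commands are assumptions.

```python
"""Added example, not GPTHoney's own code: per-IP command history with state
replay on reconnection.

Each executed command is appended as one JSON record to commands_<IP>.txt
(Zulu timestamp, session id, action_type "command_execution", command,
output). restore_state() replays the records so a returning actor finds the
same working directory and environment variables. Field names, replay rules
and the sample commands in demo_replay() are assumptions for this example.
"""
import json
import os
import posixpath
import tempfile
from datetime import datetime, timezone
from typing import List


class SessionStore:
    def __init__(self, log_dir: str, home: str = "/home/user") -> None:
        self.log_dir = log_dir
        self.home = home

    def log_path(self, ip: str) -> str:
        # One file per source IP keeps the environments isolated from each other.
        return os.path.join(self.log_dir, f"commands_{ip}.txt")

    def record(self, ip: str, session_id: str, command: str, output: str) -> dict:
        """Append a command_execution record for this IP and return it."""
        entry = {
            "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "session_id": session_id,
            "action_type": "command_execution",
            "command": command,
            "output": output,
        }
        with open(self.log_path(ip), "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry

    def history(self, ip: str) -> List[dict]:
        """All records for an IP, in order; a missing file means a new actor."""
        try:
            with open(self.log_path(ip), encoding="utf-8") as fh:
                lines = fh.read().splitlines()
        except FileNotFoundError:
            return []
        entries = []
        for line in lines:
            try:
                entries.append(json.loads(line))
            except json.JSONDecodeError:
                continue  # a truncated record must not block the replay
        return entries

    def restore_state(self, ip: str) -> dict:
        """Rebuild cwd, env and session bookkeeping by replaying the history."""
        state = {"cwd": self.home, "env": {}, "commands": 0, "sessions": []}
        for e in self.history(ip):
            cmd = e.get("command", "").strip()
            if cmd == "cd" or cmd.startswith("cd "):
                target = cmd[2:].strip() or self.home
                if not target.startswith("/"):
                    target = posixpath.join(state["cwd"], target)
                state["cwd"] = posixpath.normpath(target)
            elif cmd.startswith("export ") and "=" in cmd:
                name, _, value = cmd[len("export "):].partition("=")
                state["env"][name.strip()] = value.strip()
            if e.get("session_id") not in state["sessions"]:
                state["sessions"].append(e.get("session_id"))
            state["commands"] += 1
        return state


def demo_replay() -> dict:
    """Record a constructed two-session history for one IP and replay it."""
    store = SessionStore(tempfile.mkdtemp(prefix="honeypot-demo-"))
    ip = "203.0.113.7"  # documentation-range address, constructed
    store.record(ip, "s1", "cd /var/www", "")
    store.record(ip, "s1", "export TOKEN=abc123", "")
    store.record(ip, "s2", "cd ../log", "")  # second connection, same IP
    store.record(ip, "s2", "ls", "auth.log  syslog")
    return store.restore_state(ip)


if __name__ == "__main__":
    print(demo_replay())
```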

Hackers Exploiting DNS Tunneling Service To Bypass Network Firewalls https://cybersecuritynews.com/hackers-exploiting-dns-tunneling/ Tue, 08 Oct 2024 13:51:24 +0000
DNS tunneling is a hacking technique that hides information by taking advantage of the DNS protocol. This attack enables threat actors to evade firewalls and security measures. 

Hackers retrieve information usually encoded in DNS queries and responses. This allows them to “exfiltrate sensitive information” and maintain “C&C” over compromised systems.

Unit 42 of Palo Alto Networks recently discovered that hackers have been actively exploiting DNS tunneling services to bypass network firewalls.

Network Firewall Bypass Via DNS Tunneling

DNS tunneling abuses the protocol that converts human-readable domain names into machine-readable IP addresses (like “192.168.1.1”).

This attack targets port 53 (both “UDP” and “TCP”), which is commonly left open and unmonitored in organizational firewalls for DNS communications. 

In this attack method, threat actors “first infect a client system with malware,” then “encode stolen data within subdomain queries” (like ‘stolen-data.attacker-domain[.]com’) and transmit it via “DNS requests” to the authoritative DNS (aDNS) servers that they control.

Hidden information is transmitted via DNS tunneling attacks (Source – Palo Alto Networks)

The attack achieves stealth by using “recursive DNS servers” as mediators, which makes the malicious traffic appear as “legitimate DNS queries.”

By encoding instructions in DNS responses the threat actors can also send commands back to infected systems. This helps in establishing a hidden “C2” channel. 

This technique has been notably employed by threat groups like “Evasive Serpens” (aka ‘OilRig’) and “Obscure Serpens” (aka ‘DarkHydrus’) against critical infrastructure. 

To maintain their attack infrastructure, they use specific attributes:

  • Consistent DNS configurations
  • Payload encoding patterns
  • Domain registration characteristics
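The defender’s side of the mechanism above, as an added example that is not Unit 42’s code: profile DNS query logs per registrable domain and flag the long, high-entropy, mostly unique subdomains that encoded payloads produce. The log lines are constructed, and both the “last two labels” rule for the registrable domain and the thresholds are assumptions.

```python
"""Added example, not Unit 42's code: profile DNS query logs per registrable
domain and flag the signature that tunneled payloads leave in subdomains.

Log lines are constructed in the shape "<client> <qtype> <qname>". The
"registrable domain = last two labels" rule and the thresholds are
assumptions; production code should use the Public Suffix List and tune the
thresholds against its own baseline.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: normal lookups plus one host beaconing encoded chunks,
# using the "snd"/"pro"/"del" record prefixes the article describes.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 A cdn.example.com
10.0.0.9 TXT snd.a9f3c1d0e7b24415f9.attacker-domain.invalid
10.0.0.9 TXT snd.7b0e4d2af6c1839e0d.attacker-domain.invalid
10.0.0.9 A pro.3fd9e8c0a17b5d2e46.attacker-domain.invalid
10.0.0.9 TXT snd.e1c4b7a0d9f2563810.attacker-domain.invalid
10.0.0.9 A pro.9a6d0f3e5b1c7d8240.attacker-domain.invalid
10.0.0.9 TXT del.0c2e8a4f7d1b396521.attacker-domain.invalid
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    freq: Dict[str, int] = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (registrable domain, subdomain) using the last-two-labels rule."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_queries(log_text: str) -> Dict[str, dict]:
    """Aggregate, per registrable domain, the features tunneling leaves behind."""
    acc: Dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "txt": 0, "subs": set(), "len_sum": 0, "ent_sum": 0.0}
    )
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # constructed format is "<client> <qtype> <qname>"
        _client, qtype, qname = parts
        domain, sub = split_name(qname)
        d = acc[domain]
        d["queries"] += 1
        d["txt"] += 1 if qtype.upper() == "TXT" else 0
        d["subs"].add(sub)
        d["len_sum"] += len(sub)
        d["ent_sum"] += shannon_entropy(sub)
    return {
        domain: {
            "queries": d["queries"],
            "unique_subdomains": len(d["subs"]),
            "avg_sub_len": d["len_sum"] / d["queries"],
            "avg_entropy": d["ent_sum"] / d["queries"],
            "txt_ratio": d["txt"] / d["queries"],
        }
        for domain, d in acc.items()
    }


def flag_tunneling(stats: Dict[str, dict], min_queries: int = 5, min_len: float = 20.0,
                   min_entropy: float = 3.0, min_unique_ratio: float = 0.8) -> List[str]:
    """Domains whose subdomains look like encoded payloads rather than hosts."""
    flagged = []
    for domain, s in stats.items():
        if s["queries"] < min_queries:
            continue  # too little traffic to judge; avoids one-off false positives
        unique_ratio = s["unique_subdomains"] / s["queries"]
        if (unique_ratio >= min_unique_ratio and s["avg_sub_len"] >= min_len
                and s["avg_entropy"] >= min_entropy):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    stats = profile_queries(SAMPLE_LOG)
    for domain, s in stats.items():
        print(domain, s)
    print("flagged:", flag_tunneling(stats))
```

A high TXT ratio on a flagged domain is worth reporting alongside the verdict, since TXT answers are the usual downstream channel for the C2 responses described above.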

Besides this, cybersecurity analysts have discovered 4 malicious campaigns, and they are, “FinHealthXDS,” “RussianSite,” “8NS,” and “NSfinder.”

The “FinHealthXDS” campaign targets finance and healthcare industries using a customized DNS beaconing format for Cobalt Strike C2 communications.

To indicate command requests it makes use of unique three-letter prefixes like “xds” in DNS queries.

The campaign resolves to IPs like “40.112.72[.]205” and uses “XOR calculations” on the last byte of the IP to interpret commands.

Data transfer is achieved via either “A records” (prefix “pro”) or “TXT records” (prefix “snd”). The prefixes “txt” (‘short messages’) and “del” (‘long messages’) are used for exfiltration.

The “RussianSite” tunneling campaign involves over “100 domains” sharing the nameserver IP 185.161.248[.]253 from Russia. Most domains use the “.site” TLD, with a few using “.website.”

Here, the campaign’s subdomains consist of a “5-character alphanumeric payload” and a “1-2 letter padding.” A records are globally distributed, but a valid “aDNS” IP is needed for tunneling, reads the Palo Alto report.

The “8NS” tunneling campaign involves “6 domains” with “identical DNS configurations” and “aDNS server IP 35.205.61[.]67.”

8NS graph (Source – Palo Alto Networks)

Each domain has 8 “NS records,” all of them pointing to the same A record. The “NSfinder” campaign targets over “50 domains,” each named using three words with “finder” at the end.

It lures victims through adult websites to ‘steal credit card info’ and is linked to Trojans like “IcedID” and “RedLine” stealer.

DNS tunneling campaigns share distinct “identifying attributes” like “infrastructure setup,” “DNS configurations,” “payload encoding methods,” “domain registration patterns,” and “target selection.”

All these elements make it a significant threat in the cybersecurity landscape.

IoCs

Domains


IP Addresses


Samples


Russian APT Hackers Tools Matrix Unveiled https://cybersecuritynews.com/russian-apt-hackers-tools/ Mon, 23 Sep 2024 11:57:11 +0000
Researcher BushidoToken has unveiled a comprehensive tool matrix focused on Russian Advanced Persistent Threat (APT) groups.

This project, inspired by the success of the Ransomware Tool Matrix, aims to catalog and analyze the tools commonly used by Russian state-sponsored hackers.

The initiative is designed to help defenders proactively detect and block intrusions by exploiting the fact that these groups often reuse tools.

The Russian APT Tool Matrix includes a wide range of threat groups affiliated with the GRU (Main Intelligence Directorate), SVR (Foreign Intelligence Service of the Russian Federation), and FSB (Federal Security Service of the Russian Federation).


Key findings from the project highlight the diverse toolsets employed by these groups:

  • GRU Affiliates: EMBER BEAR, FANCY BEAR, and Sandworm were found to rely heavily on offensive security tools (OSTs) for their intrusions. EMBER BEAR notably used the most scanners among these groups.
  • SVR Affiliates: COZY BEAR, affiliated with the SVR, was identified as the group with the highest total number of different tools used. Turla and COZY BEAR were also observed using a variety of tools and platforms for exfiltration.

The analysis revealed a significant reliance on publicly available OSTs across multiple Russian threat groups, with up to 27 different tools recorded. The most commonly shared tools among these groups include:

  • Mimikatz: Used by COZY BEAR, FANCY BEAR, BERSERK BEAR, Gamaredon, and Turla.
  • Impacket: Utilized by COZY BEAR, FANCY BEAR, EMBER BEAR, Sandworm, and BERSERK BEAR.
  • PsExec: Employed by COZY BEAR, EMBER BEAR, BERSERK BEAR, Gamaredon, and Turla.
  • Metasploit: Used by FANCY BEAR, EMBER BEAR, Sandworm, and Turla.
  • ReGeorg: Notably used by COZY BEAR, FANCY BEAR, EMBER BEAR, and Sandworm. ReGeorg, a network tunneling utility, is particularly noteworthy for its use by multiple Russian threat groups and its rarity in ransomware gangs.

The identification of these tools can help defenders determine if a Russian state-sponsored threat group conducted an intrusion.

For instance, the presence of ReGeorg and other top tools increases the likelihood that a Russian threat group was involved.

This tool matrix is a critical resource for cybersecurity professionals, incident responders, and managed detection and response teams.

By understanding the tools and tactics used by Russian APT groups, organizations can better protect themselves against these persistent adversaries.

Key Takeaways:

  • Russian APT Groups: The tool matrix includes threat groups affiliated with the GRU, SVR, and FSB.
  • Common Tools: Mimikatz, Impacket, PsExec, Metasploit, and ReGeorg are commonly used by multiple Russian threat groups.
  • ReGeorg: A network tunneling utility that is rare in ransomware gangs but commonly used by Russian threat groups.
  • Proactive Defense: The tool matrix helps defenders detect and block intrusions by exploiting the reuse of tools by Russian APT groups.

By leveraging this tool matrix, cybersecurity professionals can enhance their defensive strategies and mitigate the threats posed by Russian APT groups.
