True Positive Mar 31, 2026

Hunting an npm Supply Chain Attack: axios and UNC1069

Endpoints that ran npm install resolving axios@1.14.1 or axios@0.30.4 between 2026-03-31 00:21 and ~03:15 UTC executed a cross-platform RAT dropper. The postinstall hook, C2 connections, and platform-specific payloads are detectable in default EDR telemetry.

Full dropper chain and RAT execution confirmed via controlled detonation. No customer impact. Built behavioral D&R rules for npm postinstall abuse and cross-platform RAT delivery.

LimaCharlie T1195.002 T1059.007 T1036.005 T1070.004 T1571
True Positive Mar 29, 2026

Hunting a PyPI Supply Chain Attack: LiteLLM and TeamPCP

Endpoints that installed litellm v1.82.7 or v1.82.8 from PyPI on March 24 are compromised. The .pth trigger, openssl encryption chain, and systemd persistence are detectable in EDR telemetry.

Caught the .pth auto-exec trigger and openssl encryption pipeline on a compromised host. Built behavioral queries that detect the technique independent of IOCs.

LimaCharlie T1195.002 T1546.018 T1552.001 T1573.001 T1543.002 T1041
True Positive Mar 19, 2026

Hunting DeerStealer: DLL Sideloading Through Signed Binaries

Unsigned binaries and DLLs appearing in ProgramData subfolders that don't belong to known, installed software indicate DLL sideloading activity.

Found a DeerStealer variant using a Comodo-signed binary sideloading cmdres.dll, with HijackLoader injecting DeerStealer into a hollowed Q-Dir process.

LimaCharlie T1218.007 T1574.002 T1036.005 T1555.003 T1539

This Week's Hunt Board

A multi-agent swarm reviews the threat intel dashboard every day and adds the strongest new MDR-feasible hunts to a rolling 7-day board, ranked strongest first. These are working ideas grounded in current reporting, not published findings. Week of Jun 15 to Jun 21, 2026. Last updated Jun 19, 2026.

#1 Jun 19, 2026

Hunt @mastra easy-day-js postinstall that drops a stealer

Hypothesis: A compromised npm contributor account republished the @mastra scope with easy-day-js. The setup.cjs postinstall hook disables TLS validation, writes ~/.pkg_history or ~/.pkg_logs, downloads a second stage from 23.254.164.92:8000/update/49890878, then starts a detached payload from temp that targets browser, wallet, SSH, npm, GitHub, and cloud credentials.

Why it matters: This is not a package-presence hunt. The useful signal is the install-time process lineage: node or npm executing easy-day-js setup.cjs, TLS disabled through NODE_TLS_REJECT_UNAUTHORIZED, raw IP download, marker files, hidden temp execution, then credential store reads.

Starter hunt: On developer workstations and CI runners, hunt npm, pnpm, yarn, node, or a CI process executing easy-day-js setup.cjs. Require the postinstall child process to set NODE_TLS_REJECT_UNAUTHORIZED, write ~/.pkg_history or ~/.pkg_logs, connect to 23.254.164.92:8000/update/49890878, spawn a detached temp payload, or read credential stores.

Endpoint T1195.002 T1059.007 T1105 T1552 T1005
Source: A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope
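The starter hunt above is a lineage check, not a package lookup, so here it is as working code. This is an added example and is not code from the original page or from the Mastra writeup: it walks process lineage in constructed EDR-style events for a package manager or node running easy-day-js setup.cjs, then reports the hook only when its tree shows at least one of the follow-on behaviours the hunt names. The event field names, the credential-store path fragments and every sample value are assumptions chosen for the demo, not any vendor's schema.

```python
"""Hunt #1 as added example code (not from the original page or the Mastra
writeup): walk process lineage in constructed EDR-style events for a package
manager or node running easy-day-js setup.cjs, then flag the hook only when
its tree shows one of the follow-on behaviours the hunt names. Event field
names and all sample values below are assumptions chosen for the demo."""
import re
from collections import defaultdict

PKG_TOOLS = {"npm", "pnpm", "yarn", "npx", "node"}
HOOK_RE = re.compile(r"easy-day-js[\\/]setup\.cjs")
SECOND_STAGE = ("23.254.164.92", 8000)               # raw-IP second stage from the reporting
MARKERS = (".pkg_history", ".pkg_logs")               # marker files the hook writes
TEMP_DIRS = ("/tmp/", "/var/folders/", "\\Temp\\")    # detached payload launched from temp
CRED_STORES = (".ssh/id_", ".npmrc", ".aws/credentials", ".config/gh/hosts.yml",
               ".git-credentials", "Login Data", "wallet")   # assumed path fragments

def hunt_easy_day_js(events):
    """Return one finding per setup.cjs hook process whose tree shows follow-on behaviour."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])

    def subtree(root):
        # the hook process plus every transitive descendant (the detached payload included)
        seen, stack = set(), [root]
        while stack:
            pid = stack.pop()
            if pid not in seen:
                seen.add(pid)
                stack.extend(children[pid])
        return seen

    findings = []
    for hook in procs.values():
        parent = procs.get(hook["ppid"], {})
        if not HOOK_RE.search(hook["cmdline"]):
            continue
        if hook["image"] not in PKG_TOOLS and parent.get("image") not in PKG_TOOLS:
            continue
        tree, behaviours = subtree(hook["pid"]), set()
        for e in events:
            if e["pid"] not in tree:
                continue
            if e["type"] == "process":
                if e.get("env", {}).get("NODE_TLS_REJECT_UNAUTHORIZED") == "0":
                    behaviours.add("tls_disabled")
                if e["pid"] != hook["pid"] and any(t in e["image"] for t in TEMP_DIRS):
                    behaviours.add("temp_payload")
            elif e["type"] == "file_write" and e["path"].endswith(MARKERS):
                behaviours.add("marker_file")
            elif e["type"] == "file_read" and any(c in e["path"] for c in CRED_STORES):
                behaviours.add("credential_read")
            elif e["type"] == "net_connect" and (e["dst_ip"], e["dst_port"]) == SECOND_STAGE:
                behaviours.add("second_stage")
        if behaviours:  # presence of the hook alone is not the signal
            findings.append({"hook_pid": hook["pid"], "behaviours": sorted(behaviours)})
    return findings

# Constructed sample telemetry: one malicious install tree and one benign postinstall.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "npm", "cmdline": "npm install"},
    {"type": "process", "pid": 101, "ppid": 100, "image": "node",
     "cmdline": "node node_modules/easy-day-js/setup.cjs",
     "env": {"NODE_TLS_REJECT_UNAUTHORIZED": "0"}},
    {"type": "file_write", "pid": 101, "path": "/home/dev/.pkg_history"},
    {"type": "net_connect", "pid": 101, "dst_ip": "23.254.164.92", "dst_port": 8000},
    {"type": "process", "pid": 102, "ppid": 101, "image": "/tmp/.u/update", "cmdline": "/tmp/.u/update"},
    {"type": "file_read", "pid": 102, "path": "/home/dev/.ssh/id_ed25519"},
    {"type": "file_read", "pid": 102, "path": "/home/dev/.config/gh/hosts.yml"},
    {"type": "process", "pid": 200, "ppid": 1, "image": "npm", "cmdline": "npm install"},
    {"type": "process", "pid": 201, "ppid": 200, "image": "node",
     "cmdline": "node node_modules/esbuild/install.js"},
    {"type": "net_connect", "pid": 201, "dst_ip": "104.16.0.1", "dst_port": 443},
]

if __name__ == "__main__":
    for finding in hunt_easy_day_js(SAMPLE_EVENTS):
        print(finding)
```

The benign esbuild postinstall in the sample never fires because nothing in its tree matches a follow-on behaviour; a tenant-specific version of this would swap the assumed credential-store fragments for the paths that matter on its own developer images and CI runners.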
#2 Jun 19, 2026

Hunt DragonForce Backdoor.Turn injected into DbgView64

Hypothesis: DragonForce stages Backdoor.Turn by sideloading a malicious vboxrt.dll into a VirtualBox binary, loads a vulnerable driver to terminate security tools, then injects DbgView64.exe so that process can talk through Microsoft Teams TURN relay infrastructure while running LDAP searches, browser credential access, and lateral movement.

Why it matters: This is better than a generic Teams traffic hunt. The source names Backdoor.Turn, DbgView64.exe, vboxrt.dll, vulnerable driver loading, LDAP search, browser credential access, and Teams TURN relay use in the same intrusion chain.

Starter hunt: Hunt DbgView64.exe making Teams or Skype TURN relay connections, then performing LDAP queries, spawning shells, reading browser credential stores, or starting remote execution. Correlate with nearby VirtualBox vboxrt.dll sideloading and vulnerable driver loads.

Endpoint T1574.001 T1068 T1562.001 T1055 T1059 T1087.002
Source: Cybercriminals mask malicious communications through Microsoft Teams relays
#3 Jun 19, 2026

Hunt M365 MFA method enrollment followed by BEC mailbox activity

Hypothesis: An attacker with a stolen or proxied Microsoft 365 session uses the already satisfied MFA state to add a second Authenticator method, then works the mailbox for BEC without another MFA prompt.

Why it matters: Mitiga saw the attacker enter My Access, change authentication details, and rely on the existing MFA state. The signal is the method change tied to mailbox actions, not a strange login by itself.

Starter hunt: In Entra audit logs, find user authentication method registration for Microsoft Authenticator or phone app notification where the preceding sign-in was already MFA satisfied. Within 24 hours require Exchange activity from the same user: MailItemsAccessed, inbox rule changes, forwarding, SendAs, or payment thread replies.

Identity T1550 T1556 T1098 T1114
Source: Advisory: Persistent MFA Circumvention in an Advanced BEC Campaign on Microsoft 365 Targets
#4 Jun 19, 2026

Hunt GentleKiller driver loads followed by security process kills

Hypothesis: Gentlemen ransomware operators stage GentleKiller or related EDR killers, load vulnerable or malicious drivers, then terminate security processes across multiple products before theft or encryption.

Why it matters: ESET names the framework and companion tools, including GentleKiller, HexKiller, ThrottleBlood, and HavocKiller. The hunting angle is the driver load plus multi-product security termination in the same chain.

Starter hunt: Search endpoint telemetry for new .sys driver service creation or driver load from a recently written file, followed within minutes by one process killing security tools from multiple vendors. Raise priority when the path or image name includes GentleKiller, GentlemenCollection, HexKiller, ThrottleBlood, or HavocKiller.

Endpoint T1562.001 T1068 T1543.003 T1014 T1486
Source: Killing me gently: Inside Gentlemen’s EDR killer framework
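The driver-load-then-kill-spree sequence above, as an added example that is not code from the original page or from ESET's report. It runs over constructed endpoint events: a driver load whose .sys file was written shortly before, followed within minutes by one process terminating security processes from at least two vendors, with priority raised when the driver path or actor image carries one of the tool names ESET lists. The event fields, the image-to-vendor map and all sample values are assumptions made for the demo, not any product's schema.

```python
"""Hunt #4 as added example code (not from the original page or ESET's
report): over constructed endpoint events, pair a driver load from a
recently written .sys with one process terminating security tools from
several vendors shortly afterwards, and raise priority when a path carries
one of the tool names ESET lists. Event fields, the vendor map and all sample
values are assumptions made for the demo, not any product's schema."""
from datetime import datetime, timedelta

# image name -> vendor (assumed map); a kill spree that crosses vendors is the discriminator
SECURITY_VENDORS = {
    "msmpeng.exe": "Microsoft Defender", "mssense.exe": "Microsoft Defender",
    "sentinelagent.exe": "SentinelOne", "csfalconservice.exe": "CrowdStrike",
    "ekrn.exe": "ESET", "cb.exe": "Carbon Black", "sophosfs.exe": "Sophos",
}
KILLER_NAMES = ("gentlekiller", "gentlemencollection", "hexkiller", "throttleblood", "havockiller")

def T(s):
    return datetime.fromisoformat(s)

def hunt_driver_then_kills(events, fresh_driver=timedelta(minutes=30),
                           kill_window=timedelta(minutes=5), min_vendors=2):
    """Return one finding per (driver load, acting process) pair that kills >= min_vendors vendors."""
    findings = []
    writes = [e for e in events if e["type"] == "file_write"]
    kills = [e for e in events if e["type"] == "process_terminate"]
    for load in (e for e in events if e["type"] == "driver_load"):
        # the driver file must have been written shortly before it was loaded
        recent = [w for w in writes if w["path"].lower() == load["path"].lower()
                  and load["time"] - fresh_driver <= w["time"] <= load["time"]]
        if not recent:
            continue
        # group terminations of known security processes by the acting process
        by_actor = {}
        for k in kills:
            vendor = SECURITY_VENDORS.get(k["target_image"].rsplit("\\", 1)[-1].lower())
            if vendor and load["time"] <= k["time"] <= load["time"] + kill_window:
                by_actor.setdefault((k["pid"], k["actor_image"]), set()).add(vendor)
        for (pid, actor_image), vendors in by_actor.items():
            if len(vendors) < min_vendors:   # a single-vendor kill is ordinary installer noise
                continue
            names = (load["path"] + " " + actor_image).lower()
            findings.append({"driver": load["path"], "actor_pid": pid, "vendors": sorted(vendors),
                             "priority": "high" if any(n in names for n in KILLER_NAMES) else "medium"})
    return findings

# Constructed sample telemetry: one killer chain, one stock driver load, one single-vendor kill.
SAMPLE_EVENTS = [
    {"type": "file_write", "time": T("2026-06-19T10:00:00"), "pid": 500, "path": "C:\\Users\\Public\\gk.sys"},
    {"type": "driver_load", "time": T("2026-06-19T10:02:00"), "pid": 500, "service": "gkdrv",
     "path": "C:\\Users\\Public\\gk.sys"},
    {"type": "process_terminate", "time": T("2026-06-19T10:03:00"), "pid": 500,
     "actor_image": "C:\\Users\\Public\\GentleKiller.exe", "target_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"type": "process_terminate", "time": T("2026-06-19T10:03:10"), "pid": 500,
     "actor_image": "C:\\Users\\Public\\GentleKiller.exe", "target_image": "C:\\Program Files\\SentinelOne\\SentinelAgent.exe"},
    {"type": "process_terminate", "time": T("2026-06-19T10:04:00"), "pid": 500,
     "actor_image": "C:\\Users\\Public\\GentleKiller.exe", "target_image": "C:\\Program Files\\ESET\\ekrn.exe"},
    {"type": "driver_load", "time": T("2026-06-19T10:30:00"), "pid": 4, "service": "nvlddmkm",
     "path": "C:\\Windows\\System32\\drivers\\nvlddmkm.sys"},
    {"type": "file_write", "time": T("2026-06-19T11:00:00"), "pid": 700, "path": "C:\\Windows\\System32\\drivers\\vendorupd.sys"},
    {"type": "driver_load", "time": T("2026-06-19T11:01:00"), "pid": 700, "service": "vendorupd",
     "path": "C:\\Windows\\System32\\drivers\\vendorupd.sys"},
    {"type": "process_terminate", "time": T("2026-06-19T11:02:00"), "pid": 700,
     "actor_image": "C:\\Temp\\setup.exe", "target_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"type": "process_terminate", "time": T("2026-06-19T11:02:05"), "pid": 700,
     "actor_image": "C:\\Temp\\setup.exe", "target_image": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
]

if __name__ == "__main__":
    for finding in hunt_driver_then_kills(SAMPLE_EVENTS):
        print(finding)
```

The third sample block is the edge case worth keeping in the logic: a product installer that loads a freshly written driver and stops two Defender processes is one vendor, so it stays below the threshold, while the renamed-killer case still lands at medium priority because the vendor count, not the file name, carries the detection.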
#5 Jun 19, 2026

Hunt Dropping Elephant Fondue.exe sideloading from C:\Users\Public

Hypothesis: Dropping Elephant delivers a China-themed shortcut that spawns PowerShell, stages payloads in C:\Users\Public, creates a scheduled task named GoogleErrorReport that runs every minute, and launches Fondue.exe so it loads APPWIZ.cpl from C:\Users\Public before mapping an in-memory RAT through Donut shellcode.

Why it matters: Rapid7 gave the artifacts that matter: GoogleErrorReport, Fondue.exe, APPWIZ.cpl in C:\Users\Public, Donut shellcode, and AMSI, WLDP, or ETW patching. That chain separates the hunt from normal Fondue.exe activity.

Starter hunt: Hunt .lnk or document process trees that spawn PowerShell and write to C:\Users\Public. Require a scheduled task named GoogleErrorReport, Fondue.exe loading APPWIZ.cpl from that same path, or AMSI, WLDP, or ETW patching before HTTPS beacons to gcl-power.org or /prjozifvkpkfhkr/gedhagammgjvvva/.

Endpoint T1204.002 T1059.001 T1053.005 T1574.001 T1620 T1562.001
Source: Malware à la Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain
#6 Jun 19, 2026

Hunt PeopleSoft PSEMHUB staging followed by Azure-themed MeshCentral

Hypothesis: UNC6240 exploited Oracle PeopleSoft EMHub, staged unexpected JSP and XML content under PSEMHUB paths, then used MeshCentral agents named like Azure services to run commands, read psappsrv.cfg or WebLogic config.xml, and move laterally.

Why it matters: GTIG gave path names, filenames, C2 infrastructure, and recon files. The clearest hunting angle is the exploit follow-on chain on the application server, not perimeter logs or a generic vulnerable server list.

Starter hunt: On PeopleSoft or WebLogic servers, search EDR for new JSP files under PSEMHUB.war, files under envmetadata/transactions, or directories named logs, persistantstorage, or scratchpad. Correlate to meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe, azurenetfiles.net, psappsrv.cfg, config.xml, or fanout.sh.

Endpoint T1190 T1059 T1105 T1219 T1083 T1021
Source: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
#7 Jun 19, 2026

Hunt APT28 DNS rewrites that lead to M365 token replay

Hypothesis: APT28 rewrites DNS resolvers on compromised routers so Microsoft 365 authentication traffic passes through adversary infrastructure. Hunt the downstream identity trail: an MFA-backed browser sign-in followed minutes later by token-based Exchange or Graph access from a different ASN and mailbox collection or inbox rule changes.

Why it matters: Sekoia reported APT28 using compromised routers and DNS rewrites to funnel Microsoft 365 authentication through an adversary-in-the-middle path. The hunt stays in Entra and M365 audit data by looking for token replay tied to concrete mailbox actions, not generic sign-in noise.

Starter hunt: Correlate Entra sign-ins and M365 audit logs for a user who completes browser MFA, then has non-interactive Exchange or Graph activity from a different ASN within 5 to 30 minutes with no fresh MFA prompt. Require MailItemsAccessed, SearchQueryInitiatedExchange, New-InboxRule, Set-InboxRule, or bulk downloads in that same chain.

Identity T1557 T1528 T1550.001 T1114
Source: APT28, an evolution of tradecraft
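Hunts #3 and #7 share one correlation shape (an MFA-satisfied sign-in, a follow-on identity event, then mailbox operations in a window), so one added example covers both. This is not code from the original page, Mitiga or Sekoia: it runs over constructed Entra sign-in, Entra audit and M365 unified-audit-style records, implementing the 24-hour registration-to-mailbox chain from #3 and the 5-to-30-minute different-ASN replay chain from #7 with a fresh-MFA suppression. Field names, the ASNs, the activity and operation strings as grouped here, and all timestamps are assumptions made for the demo, not the exact Entra or Exchange log schema.

```python
"""Hunts #3 and #7 share one correlation shape, so this added example (not
code from the original page, Mitiga or Sekoia) implements both over
constructed Entra sign-in, Entra audit and M365 unified-audit-style records:
an MFA-satisfied session followed by a method registration and mailbox
activity, and an interactive MFA sign-in followed by non-interactive mailbox
access from another ASN with no fresh MFA in between. Field names, ASNs,
operation strings and timestamps are assumptions made for the demo."""
from datetime import datetime, timedelta

MAILBOX_OPS = {"MailItemsAccessed", "SearchQueryInitiatedExchange", "New-InboxRule",
               "Set-InboxRule", "Set-Mailbox", "SendAs", "Send"}
METHOD_REGISTRATION = {"User registered security info",
                       "User registered all required security info"}

def T(s):
    return datetime.fromisoformat(s)

def between(events, user, kind, start, lo, hi):
    """Events of `kind` for `user` with start+lo <= time <= start+hi, oldest first."""
    return sorted((e for e in events if e["user"] == user and e["type"] == kind
                   and start + lo <= e["time"] <= start + hi), key=lambda e: e["time"])

def hunt_method_added_then_mailbox(events, lookback=timedelta(hours=24), lookahead=timedelta(hours=24)):
    """Hunt #3: registration rides an already MFA-satisfied session, then mailbox work follows."""
    findings = []
    for reg in (e for e in events if e["type"] == "audit" and e["activity"] in METHOD_REGISTRATION):
        prior = between(events, reg["user"], "signin", reg["time"], -lookback, timedelta(0))
        if not prior or not prior[-1]["mfa"]:   # most recent sign-in was not MFA-satisfied
            continue
        ops = [o["operation"] for o in between(events, reg["user"], "m365", reg["time"], timedelta(0), lookahead)
               if o["operation"] in MAILBOX_OPS]
        if ops:
            findings.append({"user": reg["user"], "registered": reg["time"].isoformat(), "ops": ops})
    return findings

def hunt_token_replay(events, lo=timedelta(minutes=5), hi=timedelta(minutes=30)):
    """Hunt #7: interactive MFA sign-in, then token-based mailbox access from another ASN."""
    findings = []
    for s in (e for e in events if e["type"] == "signin" and e["interactive"] and e["mfa"]):
        ops = []
        for o in between(events, s["user"], "m365", s["time"], lo, hi):
            if o["interactive"] or o["asn"] == s["asn"] or o["operation"] not in MAILBOX_OPS:
                continue
            # any MFA-satisfied sign-in between the two events is a fresh prompt, not replay
            fresh = [x for x in between(events, s["user"], "signin", s["time"], timedelta(0), o["time"] - s["time"])
                     if x["mfa"] and x is not s]
            if not fresh:
                ops.append(o["operation"])
        if ops:
            findings.append({"user": s["user"], "signin": s["time"].isoformat(), "asn": s["asn"], "ops": ops})
    return findings

# Constructed sample records (helpers build the assumed record shapes).
def signin(user, t, asn, mfa=True, interactive=True):
    return {"type": "signin", "user": user, "time": T(t), "asn": asn, "mfa": mfa, "interactive": interactive}
def audit(user, t, activity):
    return {"type": "audit", "user": user, "time": T(t), "activity": activity}
def m365(user, t, op, asn, interactive=False):
    return {"type": "m365", "user": user, "time": T(t), "operation": op, "asn": asn, "interactive": interactive}

SAMPLE = [
    # alice: MFA session reused to add a method, then an inbox rule (hunt #3)
    signin("alice", "2026-06-19T09:00:00", 3320),
    audit("alice", "2026-06-19T09:10:00", "User registered security info"),
    m365("alice", "2026-06-19T10:00:00", "New-InboxRule", 3320),
    # bob: proxied sign-in, then the replayed token works the mailbox from another ASN (hunt #7)
    signin("bob", "2026-06-19T11:00:00", 3320),
    m365("bob", "2026-06-19T11:12:00", "MailItemsAccessed", 14061),
    m365("bob", "2026-06-19T11:20:00", "New-InboxRule", 14061),
    # carol: moved to a phone and re-did MFA, so the new ASN is explained
    signin("carol", "2026-06-19T12:00:00", 3320),
    signin("carol", "2026-06-19T12:08:00", 14061),
    m365("carol", "2026-06-19T12:15:00", "MailItemsAccessed", 14061),
    # dave: first-time registration from a sign-in that had no MFA yet
    signin("dave", "2026-06-19T12:55:00", 3320, mfa=False),
    audit("dave", "2026-06-19T13:00:00", "User registered security info"),
    m365("dave", "2026-06-19T13:30:00", "MailItemsAccessed", 3320),
]

if __name__ == "__main__":
    print(hunt_method_added_then_mailbox(SAMPLE))
    print(hunt_token_replay(SAMPLE))
```

Two records in the sample exist to show the suppressions that keep these hunts quiet: carol's second sign-in is the fresh MFA that legitimately explains her new ASN, and dave's registration follows a sign-in that never satisfied MFA, so it is an ordinary first enrolment rather than the session-reuse pattern Mitiga describes.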
#8 Jun 19, 2026

Hunt AUR PKGBUILDs that pull atomic-lockfile or js-digest and touch secrets

Hypothesis: Compromised Arch AUR build scripts pulled rogue npm packages named atomic-lockfile and js-digest. Hunt the package build chain: yay, paru, or makepkg spawning npm, bun, or node, then reading credential files, writing systemd, cron, ld.so.preload, or BPF artifacts, and opening outbound HTTPS.

Why it matters: Truesec reported injected AUR build commands that pulled those packages and delivered an infostealer and rootkit. The discriminator is secret access or rootkit persistence from the package build process, so it does not depend on knowing which AUR packages a tenant normally uses.

Starter hunt: Hunt yay, paru, or makepkg spawning npm, npx, bun, or node with atomic-lockfile or js-digest in the command line. Require one child in that lineage to read ~/.npmrc, SSH keys, cloud credential files, browser stores, or .env, then write /etc/systemd/system, /etc/cron.d, /etc/ld.so.preload, /sys/fs/bpf, or make outbound HTTPS.

Endpoint T1195 T1059 T1552 T1543 T1014 T1105
Source: Supply Chain Attack Compromising Arch Linux AUR Packages with Infostealer and Rootkit

Previous Weeks

Pick a week to see the hunt board the swarm built from that CTI window.

No older weeks yet. This week's board is the first one. Earlier weeks will show up here as the swarm keeps running.

Want to talk hunting?

Always down to connect about threat hunting methodologies, tooling, or anything security.
