<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>The Hunter&apos;s Ledger</title>
  <subtitle>Threat Intelligence Reports and Hunting Resources</subtitle>
  <link href="https://the-hunters-ledger.com/feed.xml" rel="self" type="application/atom+xml"/>
  <link href="https://the-hunters-ledger.com/" rel="alternate" type="text/html"/>
  <updated>2026-06-13T21:57:38+00:00</updated>
  <id>https://the-hunters-ledger.com/</id>
  <author>
    <name>The Hunter&apos;s Ledger</name>
    <uri>https://the-hunters-ledger.com</uri>
  </author>

  

  
  <entry>
    <title>Flask C2 &amp; MSSQL CLR Backdoor on a Windows Post-Exploitation Staging Host</title>
    <link href="https://the-hunters-ledger.com/reports/flaskc2-postex-toolkit-67-215-232-25/" rel="alternate" type="text/html"/>
    <published>2026-06-12T00:00:00+00:00</published>
    <updated>2026-06-12T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/flaskc2-postex-toolkit-67-215-232-25/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">A live single-host IIS/MSSQL post-exploitation staging operation pairing a bespoke Flask C2 beacon API with a sandbox-evading custom MSSQL CLR reverse-shell backdoor and a public SeImpersonate-to-Active-Directory escalation kit.</summary>
    
  </entry>
  
  <entry>
    <title>CVE-2026-41940 cPanel Harvester Toolkit — 216.126.227.49</title>
    <link href="https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/" rel="alternate" type="text/html"/>
    <published>2026-05-17T00:00:00+00:00</published>
    <updated>2026-05-17T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">Detailed profile of a financially motivated operator weaponizing CVE-2026-41940 (cPanel CRLF auth bypass, CVSS 9.8) with a 45-file custom Python/Bash credential-harvesting toolkit, a live Flask C2 dashboard, and a Parklogic TDS monetization layer spanning 17+ operator-controlled domains.</summary>
    
  </entry>
  
  <entry>
    <title>Inkognito — Russian-Speaking Multi-Product Fraud Operator (INK VPN, INK Lens 467+ Brand-Impersonation Phishing Library, BEC Burn Domains, CryptOne Fake Exchange)</title>
    <link href="https://the-hunters-ledger.com/reports/inkognito-russian-vpn-phishing-185-221-196-118-20260516/" rel="alternate" type="text/html"/>
    <published>2026-05-16T00:00:00+00:00</published>
    <updated>2026-05-16T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/inkognito-russian-vpn-phishing-185-221-196-118-20260516/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">Inkognito is a Russian-speaking multi-product fraud operator that has run continuously for nearly three years. The operator pairs a real commercially billed VPN service with a 467+ brand-impersonation phishing subdomain library targeting US banking, enterprise SaaS, Chinese internet giants, and Russian telecom. Apex chameleon-decoy tradecraft, an 11-minute domain-to-live deployment pipeline, and infrastructure spanning two sanctioned bulletproof hosters (Aeza, Stark/Worktitans) define the operator footprint. This is the first public cross-brand documentation of the Inkognito portfolio.</summary>
    
  </entry>
  
  <entry>
    <title>BellaMain — Turkish Phishing-as-a-Service Panel with USOM Self-Monitor, Four-Bot Telegram C2, On-Demand TRUNCATE Anti-Forensics, and Wadanz Code-Author Signature</title>
    <link href="https://the-hunters-ledger.com/reports/bellamain-turkish-phaas-79-137-192-3-20260516/" rel="alternate" type="text/html"/>
    <published>2026-05-16T00:00:00+00:00</published>
    <updated>2026-05-16T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/bellamain-turkish-phaas-79-137-192-3-20260516/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">BellaMain is an operator-developed Turkish Phishing-as-a-Service panel and matched seven-kit brand-impersonation bundle, recovered in full PHP source from an open directory on Aeza Group OFAC-sanctioned hosting. The panel ships first-class operator tradecraft rarely visible at the source layer — USOM (Turkey CERT) blocklist self-monitoring, four-bot Telegram C2 with identity-vs-card role separation, three Telegram-triggered TRUNCATE evidence-destruction commands, mysqldump-to-Telegram backup-as-exfil, a 70/30 TRX/TRON revenue split via live Binance TRXTRY rate conversion, invite-only operator gating with one-time-consume referral codes, and a code-level Wadanz developer signature. First public source-code disclosure for this PhaaS family. Tracked under UTA-2026-008.</summary>
    
  </entry>
  
  <entry>
    <title>Multi-Cluster Open-Directory Tenancy on 79.137.192.3 — Rhadamanthys MaaS Customer Loader, BellaMain Turkish PhaaS, and Inkognito VPN/Phishing</title>
    <link href="https://the-hunters-ledger.com/reports/opendirectory-79-137-192-3-20260515/" rel="alternate" type="text/html"/>
    <published>2026-05-15T00:00:00+00:00</published>
    <updated>2026-05-15T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/opendirectory-79-137-192-3-20260515/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">Three operationally separate threat actors share one Aeza bulletproof staging IP. Cluster C is a Rhadamanthys MaaS customer with a custom VS2019 loader, EAX-redirect hollowing into InstallUtil.exe, and a 34-month-stable Hostkey NL C2 that survived Operation Endgame Phase 3.</summary>
    
  </entry>
  
  <entry>
    <title>HijackLoader / Penguish / Rugmi to AsyncRAT Multi-Vector Phishing Campaign</title>
    <link href="https://the-hunters-ledger.com/reports/opendirectory-62-60-237-100-20260506/" rel="alternate" type="text/html"/>
    <published>2026-05-06T00:00:00+00:00</published>
    <updated>2026-05-06T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/opendirectory-62-60-237-100-20260506/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">A Russian-speaking commodity-malware operator runs a live 15-month multi-vector phishing campaign delivering HijackLoader / Penguish / Rugmi into an AsyncRAT-class .NET RAT, staged from OFAC-sanctioned AS210644 infrastructure and beaconing to Spamhaus DROP-listed AS210558.</summary>
    
  </entry>
  
  <entry>
    <title>AdaptixC2 Open Directory Exposure — 45.130.148.125 Operator Toolkit</title>
    <link href="https://the-hunters-ledger.com/reports/opendirectory-45-130-148-125-20260430/" rel="alternate" type="text/html"/>
    <published>2026-04-30T00:00:00+00:00</published>
    <updated>2026-04-30T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/opendirectory-45-130-148-125-20260430/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">An open directory on a Uzbekistani VPS exposed a complete AdaptixC2 operator toolkit — 30 attack artifacts covering the full intrusion kill chain — with recovered RC4 config, Linux build-environment fingerprints, and operator-specific indicators enabling cross-campaign tracking under UTA-2026-006.</summary>
    
  </entry>
  
  <entry>
    <title>Chaos Ransomware (TorBrowserTor) — Multi-Stage Batch Loader at 94.103.1.13</title>
    <link href="https://the-hunters-ledger.com/reports/open-directory-94-103-1-13-20260423/" rel="alternate" type="text/html"/>
    <published>2026-04-23T00:00:00+00:00</published>
    <updated>2026-04-23T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/open-directory-94-103-1-13-20260423/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">Analysis of a private five-stage batch-to-PowerShell-.NET crypter delivering Chaos/TorBrowserTor ransomware from a bulletproof-adjacent open directory at 94.103.1.13. Documents four crypter behaviors with no located prior public reporting, including a Console.Title launch gate, tri-artifact anti-sandbox gate, cross-layer AES+XOR key reuse, and a Stage-5b UACME #41 UAC bypass with an 8/77 VT detection gap.</summary>
    
  </entry>
  
  <entry>
    <title>ShinyHunters Data Leak Site at 91.215.85.22 — Infrastructure, Victims, and Attribution</title>
    <link href="https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/" rel="alternate" type="text/html"/>
    <published>2026-04-17T00:00:00+00:00</published>
    <updated>2026-04-17T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/shinyhunters-dls-91-215-85-22-20260417/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">The clearnet host 91.215.85.22 is an active ShinyHunters Data Leak Site publishing approximately 1.1 TB of stolen data from 29 named victim organizations, hosted on PROSPERO bulletproof infrastructure (AS200593) with the actor identity domain segmented onto DDoS-Guard (AS57724). Attribution is DEFINITE (96%) to ShinyHunters / Scattered LAPSUS$ Hunters, corroborated by IC3 and CERT-EU advisories and by 28-of-29 victim matches in mainstream security press.</summary>
    
  </entry>
  
  <entry>
    <title>OpenStrike Expanded Toolkit — 106 New Files, Complete CS Arsenal Exposed</title>
    <link href="https://the-hunters-ledger.com/reports/new-files-found-20260408/" rel="alternate" type="text/html"/>
    <published>2026-04-08T00:00:00+00:00</published>
    <updated>2026-04-08T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/new-files-found-20260408/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">Continued analysis of UTA-2026-004 open directory reveals 106 additional files including a complete cracked Cobalt Strike 4.9.1 installation, a four-generation custom implant evolution chain (OpenStrike), CovertVPN Layer 2 tunneling, and an EAX-redirect process hollowing variant that bypasses standard EDR detection logic.</summary>
    
  </entry>
  
  <entry>
    <title>OpenStrike Beacon Toolkit — Open Directory 172.105.0.126</title>
    <link href="https://the-hunters-ledger.com/reports/open-directory-172-105-0-126-20260406/" rel="alternate" type="text/html"/>
    <published>2026-04-06T00:00:00+00:00</published>
    <updated>2026-04-06T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/open-directory-172-105-0-126-20260406/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">First public analysis of OpenStrike, a novel multi-implant C2 toolkit recovered from an open directory on 172.105.0.126 before any known compromise, featuring a tripwired Cobalt Strike DLL and cross-platform Python beacon sharing an identical RSA-2048 key.</summary>
    
  </entry>
  
  <entry>
    <title>Shadow RAT &amp; XWorm Open Directory Campaign</title>
    <link href="https://the-hunters-ledger.com/reports/shadow-xworm-opendirectory/" rel="alternate" type="text/html"/>
    <published>2026-04-04T00:00:00+00:00</published>
    <updated>2026-04-04T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/shadow-xworm-opendirectory/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">An exposed open directory at epgoldsecurity.com revealed a single operator running Shadow RAT v2.6.4.0 and XWorm 3.0-5.0 from the same C2 server, targeting US victims with tax-season lures during February 2026.</summary>
    
  </entry>
  
  <entry>
    <title>Open Directory at 193.56.255.154 — XiebroC2 v3.1 Go Implant and Covenant C2 Toolkit</title>
    <link href="https://the-hunters-ledger.com/reports/open-directory-193-56-255-154-xiebroc2/" rel="alternate" type="text/html"/>
    <published>2026-04-03T00:00:00+00:00</published>
    <updated>2026-04-03T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/open-directory-193-56-255-154-xiebroc2/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">An open directory at 193.56.255.154 exposed a multi-framework C2 toolkit — XiebroC2 v3.1 Go implant and two Covenant stager builds — with infrastructure pivoting identifying a probable second operator server at 92.60.75.103 serving a novel undocumented beacon.</summary>
    
  </entry>
  
  <entry>
    <title>ZeroTrace — Open Directory Exposure at 74.0.42.25</title>
    <link href="https://the-hunters-ledger.com/reports/zerotrace-74-0-42-25-20260316/" rel="alternate" type="text/html"/>
    <published>2026-03-17T00:00:00+00:00</published>
    <updated>2026-03-17T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/zerotrace-74-0-42-25-20260316/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">ZeroTrace&apos;s complete MaaS staging server exposed at 74.0.42.25 — 4,750 files including four simultaneous RAT families (XWorm, PureRAT, PureHVNC, ScreenConnect), 9.1 million stolen credentials, 500 pre-staged phishing links, and an on-demand ransomware module. Infrastructure confirmed active and undetected for over 16 months at time of discovery.</summary>
    
  </entry>
  
  <entry>
    <title>Open Directory Exposure: Sliver with ScareCrow Loader (45.94.31.220)</title>
    <link href="https://the-hunters-ledger.com/reports/sliver-open-directory/" rel="alternate" type="text/html"/>
    <published>2026-03-01T00:00:00+00:00</published>
    <updated>2026-03-01T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/sliver-open-directory/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">A complete Sliver C2 build workspace exposed at 45.94.31.220 on bulletproof hosting, discovered approximately 6.75 hours after an automated build pipeline completed. The workspace contains a ScareCrow-wrapped Sliver implant with 15 layered EDR evasion techniques, custom evasion module source code, and an unencrypted fraudulent VMware code-signing certificate — recovered before confirmed victim deployment.</summary>
    
  </entry>
  
  <entry>
    <title>WebServer Compromise Kit — 91.236.230.250</title>
    <link href="https://the-hunters-ledger.com/reports/webserver-compromise-kit-91-236-230-250/" rel="alternate" type="text/html"/>
    <published>2026-02-08T00:00:00+00:00</published>
    <updated>2026-02-08T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/webserver-compromise-kit-91-236-230-250/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">A complete post-exploitation toolkit for IIS and .NET web servers, hosted on an open directory at 91.236.230.250. The three-component kit chains an ASP.NET reverse shell for initial access, PrintSpoofer for privilege escalation to SYSTEM, and a reverse SOCKS proxy (revsocks) for persistent network tunneling and lateral movement.</summary>
    
  </entry>
  
  <entry>
    <title>Remcos OpenDirectory Campaign</title>
    <link href="https://the-hunters-ledger.com/reports/remcos-opendirectory/" rel="alternate" type="text/html"/>
    <published>2026-02-04T00:00:00+00:00</published>
    <updated>2026-02-04T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/remcos-opendirectory/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">A CRITICAL-rated Remcos RAT campaign distributed via an open directory at 203.159.90.147, using a VB6-obfuscated dropper as the initial stage. The deployed RAT provides full remote control, continuous keylogging, screenshot capture, microphone recording, clipboard monitoring, and automated credential theft from browsers and system stores.</summary>
    
  </entry>
  
  <entry>
    <title>NsMiner: Multi-Stage Operation</title>
    <link href="https://the-hunters-ledger.com/reports/nsminer-cryptojacker/" rel="alternate" type="text/html"/>
    <published>2026-02-02T00:00:00+00:00</published>
    <updated>2026-02-02T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/nsminer-cryptojacker/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">A multi-stage cryptojacking campaign distributed from an open directory at 125.19.150.122, using a trojanized NSIS installer to drop a VMProtect-packed Monero miner and a persistent downloader that pivots compromised FTP servers for payload distribution. The downloader component represents an ongoing secondary payload risk beyond cryptomining.</summary>
    
  </entry>
  
  <entry>
    <title>Arsenal-237 New Files Analysis</title>
    <link href="https://the-hunters-ledger.com/reports/arsenal-237-new-files/" rel="alternate" type="text/html"/>
    <published>2026-01-27T00:00:00+00:00</published>
    <updated>2026-01-27T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/arsenal-237-new-files/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text">Follow-up analysis of 11 new samples added to the Arsenal-237 open directory at 109.230.231.37, documenting a significant capability jump from the original 16 samples. New additions include BYOVD kernel driver abuse via a vulnerable Baidu antivirus driver, a kernel-mode rootkit with file hiding and API hooking, a CrowdStrike-specific EDR terminator, and enterprise-grade Rust ransomware targeting backup systems with ChaCha20 encryption.</summary>
    
  </entry>
  
  <entry>
    <title>new_enc.exe (Arsenal-237 Rust Ransomware v0.5-beta) - Technical Analysis &amp; Threat Assessment</title>
    <link href="https://the-hunters-ledger.com/reports/new-enc-exe/" rel="alternate" type="text/html"/>
    <published>2026-01-26T00:00:00+00:00</published>
    <updated>2026-01-26T00:00:00+00:00</updated>
    <id>https://the-hunters-ledger.com/reports/new-enc-exe/</id>
    <author>
      <name>The Hunter&apos;s Ledger</name>
      <uri>https://the-hunters-ledger.com</uri>
    </author>
    
    <summary type="text"># new_enc.exe: Arsenal-237 Rust Ransomware v0.5-beta

**A Comprehensive, Evidence-Based Threat Assessment for Enterprise Security Decision-Makers**

**Campaign Identifier:** Arsenal-237-New-Files-109.230.231.37


---

## BLUF (Bottom Line Up Front)

**Business Impact Summary**

new_enc.exe is a CRITICAL-severity Rust-based ransomware deployed manually by skilled threat actors targeting enterprise backup infrastructure. This malware eliminates standard recovery options through aggressive VSS d...</summary>
    
  </entry>
  
</feed>
