Hunting Detections
Sigma, YARA & Suricata Rules
Detection logic from original research, mapped to MITRE ATT&CK. Free to use in your environment under CC BY-NC 4.0.
Subscribe: live Suricata rule feed
Every published detection here, consolidated into one auto-updating Suricata ruleset. Point your sensor at it and pull on your own schedule. Free under CC BY-NC 4.0.
suricata-update add-source hunters-ledger https://the-hunters-ledger.com/feeds/suricata/hunters-ledger.rules
Detection Rules – Multi-Actor AI-Agent Framework Abuse (8 Operators)
Detection Rules – Flask C2 & MSSQL CLR Backdoor on a Windows Post-Exploitation Staging Host
Detection Rules – Korean Claude Code + OpenClaw Operator (221.150.15.104)
Detection Rules – Rovodev AI-Co-Authored Mirai Variant + Matrix C2 (87.106.143.220)
Detection Rules – GHOST Cryptojacker Kit – Vova75Rus Supply Chain (77.110.96.200)
Detection Rules – Turkish ARPA AI-Augmented Observability Compromise (209.38.205.158)
Detection Rules – Russian Gemini CLI Credential Mill (213.165.51.115)
Detection Rules – CVE-2026-41940 cPanel Harvester Toolkit (216.126.227.49)
Detection Rules – Inkognito Russian VPN/Phishing Operator (INK VPN / INK Lens)
Detection Rules – BellaMain Turkish PhaaS Panel (79.137.192.3)
Detection Rules – Multi-Cluster Open Directory 79.137.192.3 (Rhadamanthys MaaS / BellaMain / Inkognito)
Detection Rules – HijackLoader / Penguish / Rugmi to AsyncRAT Multi-Vector Phishing Campaign
Detection Rules – AdaptixC2 Open Directory Exposure (45.130.148.125)
Detection Rules – Chaos Ransomware (TorBrowserTor) Multi-Stage Loader (94.103.1.13)
Detection Rules – ShinyHunters Data Leak Site (91.215.85.22)
Detection Rules – OpenStrike Expanded Toolkit – 106 New Files (2026-04-08)
Detection Rules – OpenStrike Beacon Toolkit (172.105.0.126)
Detection Rules – Shadow RAT & XWorm Open Directory Campaign
Detection Rules – Open Directory at 193.56.255.154 – XiebroC2 v3.1 & Covenant C2
Detection Rules – ZeroTrace Multi-Family MaaS Operation (74.0.42.25)
Detection Rules – Sliver C2 Toolchain with ScareCrow Loader (45.94.31.220)
Detection Rules – Webserver Compromise Kit (91.236.230.250)
Detection Rules – Remcos RAT Open Directory Campaign
Detection Rules – NsMiner: Multi-Stage Cryptojacking Operation
Detection Rules – Arsenal-237: agent.exe (PoetRAT)
Detection Rules – Arsenal-237: agent_xworm.exe (XWorm RAT v6)
Detection Rules – Arsenal-237: agent_xworm_v2.exe (XWorm RAT v2.4.0)
Detection Rules – Arsenal-237: FleetAgentAdvanced.exe
Detection Rules – Arsenal-237: FleetAgentFUD.exe
Detection Rules – Arsenal-237: uac_test.exe
Detection Rules – Arsenal-237: enc/dec Ransomware Family
Detection Rules – Arsenal-237 New Files: killer.dll (BYOVD Process Termination)
Detection Rules – Arsenal-237 New Files: killer_crowdstrike.dll (CrowdStrike-Specific Termination)
Detection Rules – Arsenal-237 New Files: lpe.exe (Privilege Escalation)
Detection Rules – Arsenal-237 New Files: BdApiUtil64.sys (Vulnerable Baidu Driver)
Detection Rules – Arsenal-237 New Files: rootkit.dll (Kernel-Mode Rootkit)
Detection Rules – Arsenal-237 New Files: nethost.dll (DLL Hijacking Persistence)
Detection Rules – Arsenal-237 New Files: chromelevator.exe (Browser Credential Theft)
Detection Rules – Arsenal-237 New Files: enc_c2.exe (Rust Ransomware with Tor C2)
Detection Rules – Arsenal-237 New Files: dec_fixed.exe (Ransomware Decryptor)
Detection Rules – Arsenal-237 New Files: new_enc.exe (Human-Operated Rust Ransomware)
Detection Rules – Arsenal-237 New Files: full_test_enc.exe (Advanced Rust Ransomware)
Detection Rules – Dual-RAT Analysis: Pulsar RAT vs. NjRAT/XWorm
Detection Rules – PULSAR RAT (server.exe) – Technical Analysis & Business Risk Assessment
Detection Rules – Hybrid Loader/Stealer Ecosystem Masquerading as Sogou
Detection Rules – Houselet.exe – The Go-Based Loader Masquerading as PlayStation Remote Play
Detection Rules – AdvancedRouterScanner
Detection Rules – From Webshells to the Cloud
Detection Rules – Quasar + XWorm + PowerShell