THE HUNTER’S LEDGER
IOC Feeds
Indicators of Compromise
Structured feeds ready for ingestion into your SIEM, EDR, or CTI platform. Licensed under CC BY-NC 4.0.
HIGH · Jun 2026
Multi-Actor AI-Agent Framework Abuse (8 Operators) — IOC Feed
AI Abuse Multi-Family Threat Open Dir
MED · Jun 2026
Flask C2 & MSSQL CLR Backdoor on a Windows Post-Exploitation Staging Host — IOC Feed
Post-Ex Priv Esc C2 Open Dir
MED · May 2026
Korean Claude Code + OpenClaw Operator (221.150.15.104) — IOC Feed
AI Abuse Persistence Open Dir
HIGH · May 2026
Rovodev AI-Co-Authored Mirai Variant + Matrix C2 (87.106.143.220) — IOC Feed
AI Abuse C2 Botnet Open Dir
HIGH · May 2026
GHOST Cryptojacker Kit — Vova75Rus Supply Chain (77.110.96.200) — IOC Feed
Cryptominer Rootkit Toolkit Open Dir
CRITICAL · May 2026
Turkish ARPA AI-Augmented Observability Compromise (209.38.205.158) — IOC Feed
AI Abuse Exfil Cred Theft Open Dir
CRITICAL · May 2026
Russian Gemini CLI Credential Mill (213.165.51.115) — IOC Feed
AI Abuse Cred Theft C2 Open Dir
HIGH · May 2026
CVE-2026-41940 cPanel Harvester Toolkit (216.126.227.49) — IOC Feed
CVE Exploit Cred Theft Phishing Open Dir
HIGH · May 2026
Inkognito Russian VPN/Phishing Operator (INK VPN / INK Lens) — IOC Feed
Phishing Fraud VPN Abuse Cred Theft
HIGH · May 2026
BellaMain Turkish PhaaS Panel (79.137.192.3) — IOC Feed
PhaaS Phishing Cred Theft Open Dir
CRITICAL · May 2026
Multi-Cluster Open Directory 79.137.192.3 (Rhadamanthys MaaS / BellaMain / Inkognito) — IOC Feed
MaaS Stealer Loader Open Dir
HIGH · May 2026
HijackLoader / Penguish / Rugmi to AsyncRAT Multi-Vector Phishing Campaign — IOC Feed
Loader RAT MaaS Open Dir
HIGH · Apr 2026
AdaptixC2 Open Directory Exposure (45.130.148.125) — IOC Feed
C2 Toolkit Open Dir Multi-Family
HIGH · Apr 2026
Chaos Ransomware (TorBrowserTor) Multi-Stage Loader (94.103.1.13) — IOC Feed
Ransomware Loader Evasion Open Dir
HIGH · Apr 2026
ShinyHunters Data Leak Site (91.215.85.22) — IOC Feed
Exfil Cred Theft Open Dir Threat
HIGH · Apr 2026
OpenStrike Expanded Toolkit — 106 New Files (2026-04-08) — IOC Feed
Toolkit C2 Injection Open Dir
HIGH · Apr 2026
OpenStrike Beacon Toolkit (172.105.0.126) — IOC Feed
Toolkit C2 Open Dir Evasion
HIGH · Apr 2026
Shadow RAT & XWorm Open Directory Campaign — IOC Feed
RAT MaaS C2 Multi-Family
HIGH · Apr 2026
Open Directory at 193.56.255.154 — XiebroC2 v3.1 & Covenant C2 — IOC Feed
C2 Multi-Family Open Dir Injection
HIGH · Mar 2026
ZeroTrace Multi-Family MaaS Operation (74.0.42.25) — IOC Feed
MaaS C2 Open Dir Multi-Family
MED · Mar 2026
Sliver C2 Toolchain with ScareCrow Loader (45.94.31.220) — IOC Feed
C2 Loader Go Evasion
HIGH · Feb 2026
Webserver Compromise Kit (91.236.230.250) — IOC Feed
Toolkit Priv Esc RCE .NET
CRITICAL · Feb 2026
Remcos RAT OpenDirectory Campaign — IOC Feed
RAT Cred Theft Persistence Evasion
HIGH · Feb 2026
NsMiner: Multi-Stage Cryptojacking Operation — IOC Feed
Cryptominer Dropper Persistence Evasion
MED · Jan 2026
Arsenal-237: agent.exe (PoetRAT) — IOC Feed
RAT C2
MED · Jan 2026
Arsenal-237: agent_xworm.exe (XWorm RAT v6) — IOC Feed
RAT C2
MED · Jan 2026
Arsenal-237: agent_xworm_v2.exe (XWorm RAT v2.4.0) — IOC Feed
RAT C2
MED · Jan 2026
Arsenal-237: FleetAgentAdvanced.exe — IOC Feed
Dropper Persistence
MED · Jan 2026
Arsenal-237: FleetAgentFUD.exe — IOC Feed
Dropper Evasion
MED · Jan 2026
Arsenal-237: uac_test.exe — IOC Feed
Priv Esc Evasion
CRITICAL · Jan 2026
Arsenal-237: enc/dec Ransomware Family — IOC Feed
Ransomware Rust
CRITICAL · Jan 2026
Arsenal-237 New Files: killer.dll (BYOVD Process Termination) — IOC Feed
BYOVD Evasion
CRITICAL · Jan 2026
Arsenal-237 New Files: killer_crowdstrike.dll (CrowdStrike-Specific Termination) — IOC Feed
Evasion BYOVD
CRITICAL · Jan 2026
Arsenal-237 New Files: lpe.exe (Privilege Escalation) — IOC Feed
Priv Esc
CRITICAL · Jan 2026
Arsenal-237 New Files: BdApiUtil64.sys (Vulnerable Baidu Driver) — IOC Feed
BYOVD Priv Esc
CRITICAL · Jan 2026
Arsenal-237 New Files: rootkit.dll (Kernel-Mode Rootkit) — IOC Feed
Rootkit Evasion
CRITICAL · Jan 2026
Arsenal-237 New Files: nethost.dll (DLL Hijacking Persistence) — IOC Feed
DLL Hijack Persistence
CRITICAL · Jan 2026
Arsenal-237 New Files: chromelevator.exe (Browser Credential Theft) — IOC Feed
Cred Theft .NET
CRITICAL · Jan 2026
Arsenal-237 New Files: enc_c2.exe (Rust Ransomware with Tor C2) — IOC Feed
Ransomware C2 Rust
CRITICAL · Jan 2026
Arsenal-237 New Files: dec_fixed.exe (Ransomware Decryptor) — IOC Feed
Ransomware Rust
CRITICAL · Jan 2026
Arsenal-237 New Files: new_enc.exe (Human-Operated Rust Ransomware) — IOC Feed
Ransomware Rust
CRITICAL · Jan 2026
Arsenal-237 New Files: full_test_enc.exe (Advanced Rust Ransomware) — IOC Feed
Ransomware Rust
HIGH · Dec 2025
Dual-RAT Analysis: Pulsar RAT vs. NjRAT/XWorm — IOC Feed
RAT Injection .NET Cred Theft
CRITICAL · Dec 2025
PULSAR RAT (server.exe) — Technical Analysis & Business Risk Assessment — IOC Feed
RAT Cred Theft Evasion .NET
MED · Nov 2025
Hybrid Loader/Stealer Ecosystem Masquerading as Sogou — IOC Feed
Loader Stealer Cred Theft Evasion
MED · Nov 2025
Houselet.exe — The Go-Based Loader Masquerading as PlayStation Remote Play — IOC Feed
Loader Stealer Go Injection
MED · Oct 2025
AdvancedRouterScanner — IOC Feed
Scanner Python Exploitation
HIGH · Oct 2025
From Webshells to The Cloud — IOC Feed
Webshell PHP Exfil C2
MED · Oct 2025
Quasar + XWorm + PowerShell — IOC Feed
RAT Loader PowerShell Evasion