THE HUNTER’S LEDGER
Reports
Threat Intelligence Reports
Original malware analysis and reverse engineering — each report ships with detection rules and machine-readable indicators. Filter by tag or search by name.
Report Series Multi-Actor AI-Agent Framework Abuse 6 reports · read in order
Part 1 of 6 · Start here
HIGH · Jun 2026
Multi-Actor AI-Agent Framework Abuse (8 Operators)
AI Abuse Multi-Family Threat Open Dir
Part 2 of 6
CRITICAL · May 2026
Russian Gemini CLI Credential Mill (213.165.51.115)
AI Abuse Cred Theft C2 Open Dir
Part 3 of 6
CRITICAL · May 2026
Turkish ARPA AI-Augmented Observability Compromise (209.38.205.158)
AI Abuse Exfil Cred Theft Open Dir
Part 4 of 6
HIGH · May 2026
Rovodev AI-Co-Authored Mirai Variant + Matrix C2 (87.106.143.220)
AI Abuse C2 Botnet Open Dir
Part 5 of 6
MED · May 2026
Korean Claude Code + OpenClaw Operator (221.150.15.104)
AI Abuse Persistence Open Dir
Part 6 of 6
HIGH · May 2026
GHOST Cryptojacker Kit — Vova75Rus Supply Chain (77.110.96.200)
Cryptominer Rootkit Toolkit Open Dir
MED · Jun 2026
Flask C2 & MSSQL CLR Backdoor on a Windows Post-Exploitation Staging Host
Post-Ex Priv Esc C2 Open Dir
HIGH · May 2026
CVE-2026-41940 cPanel Harvester Toolkit (216.126.227.49)
CVE Exploit Cred Theft Phishing Open Dir
Report Series Multi-Cluster Open Directory — 79.137.192.3 (Rhadamanthys / BellaMain / Inkognito) 3 reports · read in order
Part 1 of 3 · Start here
CRITICAL · May 2026
Rhadamanthys MaaS Customer Deep-Dive (79.137.192.3)
MaaS Stealer Loader Open Dir
Part 2 of 3
HIGH · May 2026
BellaMain Turkish PhaaS Panel (79.137.192.3)
PhaaS Phishing Cred Theft Open Dir
Part 3 of 3
HIGH · May 2026
Inkognito Russian VPN/Phishing Operator (INK VPN / INK Lens)
Phishing Fraud VPN Abuse Cred Theft
HIGH · May 2026
HijackLoader / Penguish / Rugmi to AsyncRAT Multi-Vector Phishing Campaign
Loader RAT MaaS Open Dir
HIGH · Apr 2026
AdaptixC2 Open Directory Exposure (45.130.148.125)
C2 Toolkit Open Dir Multi-Family
HIGH · Apr 2026
Chaos Ransomware (TorBrowserTor) Multi-Stage Loader (94.103.1.13)
Ransomware Loader Evasion Open Dir
HIGH · Apr 2026
ShinyHunters Data Leak Site (91.215.85.22)
Exfil Cred Theft Open Dir Threat
HIGH · Apr 2026
OpenStrike Expanded Toolkit — 106 New Files (2026-04-08)
Toolkit C2 Injection Open Dir
HIGH · Apr 2026
OpenStrike Beacon Toolkit (172.105.0.126)
Toolkit C2 Open Dir Evasion
HIGH · Apr 2026
Shadow RAT & XWorm Open Directory Campaign
RAT MaaS C2 Multi-Family
HIGH · Apr 2026
Open Directory at 193.56.255.154 — XiebroC2 v3.1 & Covenant C2
C2 Multi-Family Open Dir Injection
HIGH · Mar 2026
ZeroTrace Multi-Family MaaS Operation (74.0.42.25)
MaaS C2 Open Dir Multi-Family
MED · Mar 2026
Sliver C2 Toolchain with ScareCrow Loader (45.94.31.220)
C2 Loader Go Evasion
HIGH · Feb 2026
Webserver Compromise Kit (91.236.230.250)
Toolkit Priv Esc RCE .NET
CRITICAL · Feb 2026
Remcos RAT OpenDirectory Campaign
RAT Cred Theft Persistence Evasion
HIGH · Feb 2026
NsMiner: Multi-Stage Cryptojacking Operation
Cryptominer Dropper Persistence Evasion
Report Series Arsenal-237 — Threat Actor R&D Repository (109.230.231.37) 2 reports · read in order
Part 1 of 2 · Start here
CRITICAL · Jan 2026
Arsenal-237: Threat Actor R&D Repository Exposed
Toolkit Ransomware RAT Rust Go
Part 2 of 2
CRITICAL · Jan 2026
Arsenal-237 New Files: Advanced Toolkit Analysis
Ransomware BYOVD Rootkit Rust
HIGH · Dec 2025
Dual-RAT Analysis: Pulsar RAT vs. NjRAT/XWorm
RAT Injection .NET Cred Theft
CRITICAL · Dec 2025
PULSAR RAT (server.exe) — Technical Analysis & Business Risk Assessment
RAT Cred Theft Evasion .NET
MED · Nov 2025
Hybrid Loader/Stealer Ecosystem Masquerading as Sogou
Loader Stealer Cred Theft Evasion
MED · Nov 2025
Houselet.exe — The Go-Based Loader Masquerading as PlayStation Remote Play
Loader Stealer Go Injection
MED · Oct 2025
AdvancedRouterScanner
Scanner Python Exploitation
HIGH · Oct 2025
From Webshells to The Cloud
Webshell PHP Exfil C2
MED · Oct 2025
Quasar + XWorm + PowerShell
RAT Loader PowerShell Evasion

Reports are © Joseph. All rights reserved — free to read, but reuse requires written permission.