
Daily Hunt Feed - 2026-03-21

Threat Hunt Feed (2026-03-21)

Hacker News: Best

Krebs on Security

  • Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker — Wed, 11 Mar 2026 16:20:13 +0000
    • Matched TTPs: Malware (T1588.001), Domains (T1584.001), Phishing (T1566), Software (T1592.002), Credentials (T1589.001), At (T1053.002)
  • Microsoft Patch Tuesday, March 2026 Edition — Wed, 11 Mar 2026 00:32:51 +0000
    • Matched TTPs: Vulnerabilities (T1588.006), Server (T1584.004), Software (T1592.002), Exploits (T1588.005), At (T1053.002)
  • Who is the Kimwolf Botmaster “Dort”? — Sat, 28 Feb 2026 12:01:57 +0000
    • Matched TTPs: Botnet (T1584.005), Email Accounts (T1585.002), Domains (T1584.001), Server (T1584.004), Email Addresses (T1589.002), Proxy (T1090), Phishing (T1566), Software (T1592.002), At (T1053.002)
  • ‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA — Fri, 20 Feb 2026 20:00:30 +0000
    • Matched TTPs: VNC (T1021.005), JavaScript (T1059.007), DNS (T1071.004), Hardware (T1592.001), Botnet (T1584.005), Domains (T1584.001), Server (T1584.004), Email Addresses (T1589.002), Proxy (T1090), Tool (T1588.002), Phishing (T1566), Multi-Factor Authentication (T1556.006), Software (T1592.002), Credentials (T1589.001), Malicious Link (T1204.001), At (T1053.002)
  • Kimwolf Botnet Swamps Anonymity Network I2P — Wed, 11 Feb 2026 16:08:11 +0000
    • Matched TTPs: DNS (T1071.004), Botnet (T1584.005), Domains (T1584.001), Proxy (T1090), Phishing (T1566), At (T1053.002)
  • Patch Tuesday, February 2026 Edition — Tue, 10 Feb 2026 21:49:53 +0000
    • Matched TTPs: Vulnerabilities (T1588.006), Botnet (T1584.005), Software (T1592.002), Exploits (T1588.005), Malicious Link (T1204.001), At (T1053.002)
  • Who Operates the Badbox 2.0 Botnet? — Mon, 26 Jan 2026 16:11:38 +0000
    • Matched TTPs: Malware (T1588.001), Hardware (T1592.001), Botnet (T1584.005), Email Accounts (T1585.002), Domains (T1584.001), Control Panel (T1218.002), Email Addresses (T1589.002), Proxy (T1090), Firmware (T1592.003), Software (T1592.002), Social Media (T1593.001), At (T1053.002)

CISA Alerts

  • Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure — Fri, 05 Dec 2025 14:35:38 EST
    • Matched TTPs: VNC (T1021.005), Acquire Infrastructure (T1583), Password Guessing (T1110.001), IP Addresses (T1590.005), Network Devices (T1584.008), Vulnerabilities (T1588.006), Virtual Private Server (T1583.003), Remote Services (T1021), Vulnerability Scanning (T1595.002), Defacement (T1491), Server (T1584.004), Active Scanning (T1595), Password Spraying (T1110.003), Gather Victim Org Information (T1591), Tool (T1588.002), Brute Force (T1110), Valid Accounts (T1078), Firmware (T1592.003), Software (T1592.002), Social Media (T1593.001), Credentials (T1589.001), At (T1053.002)
  • CISA Shares Lessons Learned from an Incident Response Engagement — Mon, 22 Sep 2025 11:12:49 EDT
    • Matched TTPs: Scheduled Task (T1053.005), System Owner/User Discovery (T1033), Acquire Infrastructure (T1583), IP Addresses (T1590.005), JavaScript (T1059.007), Malware (T1588.001), Local Account (T1136.001), Local Account (T1087.001), Cron (T1053.003), Vulnerabilities (T1588.006), SSH (T1021.004), System Information Discovery (T1082), Scheduled Task/Job (T1053), Virtual Private Server (T1583.003), Indirect Command Execution (T1202), Exploit Public-Facing Application (T1190), Domains (T1584.001), Vulnerability Scanning (T1595.002), Web Shell (T1505.003), Server (T1584.004), Active Scanning (T1595), System Network Configuration Discovery (T1016), Account Discovery (T1087), Proxy (T1090), Command and Scripting Interpreter (T1059), File and Directory Discovery (T1083), System Network Connections Discovery (T1049), Web Service (T1102), Web Services (T1584.006), Process Discovery (T1057), PowerShell (T1059.001), Tool (T1588.002), Phishing (T1566), Brute Force (T1110), Valid Accounts (T1078), Exploitation for Privilege Escalation (T1068), Multi-Factor Authentication (T1556.006), Software (T1592.002), Exploits (T1588.005), Credentials (T1589.001), BITS Jobs (T1197), Server Software Component (T1505), Remote System Discovery (T1018), Network Service Discovery (T1046), Ingress Tool Transfer (T1105), At (T1053.002)
  • Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System — Mon, 25 Aug 2025 09:36:40 EDT
    • Matched TTPs: Acquire Infrastructure (T1583), OS Credential Dumping (T1003), Data from Configuration Repository (T1602), IP Addresses (T1590.005), Create or Modify System Process (T1543), Network Devices (T1584.008), Password Cracking (T1110.002), Malware (T1588.001), Local Account (T1136.001), Vulnerabilities (T1588.006), SSH (T1021.004), Botnet (T1584.005), Network Sniffing (T1040), Network Topology (T1590.004), System Information Discovery (T1082), Application Layer Protocol (T1071), Data from Local System (T1005), Impair Defenses (T1562), Exploit Public-Facing Application (T1190), Protocol Tunneling (T1572), Network Device Configuration Dump (T1602.002), Disable or Modify System Firewall (T1562.004), Archive Collected Data (T1560), Remote Services (T1021), Deploy Container (T1610), Server (T1584.004), Trap (T1546.005), Active Scanning (T1595), SSH Authorized Keys (T1098.004), System Network Configuration Discovery (T1016), Proxy (T1090), Command and Scripting Interpreter (T1059), Indicator Removal (T1070), Virtual Private Server (T1583.003), Container Administration Command (T1609), Compromise Infrastructure (T1584), Network Device CLI (T1059.008), Web Services (T1584.006), File Transfer Protocols (T1071.002), Gather Victim Network Information (T1590), Trusted Relationship (T1199), Account Manipulation (T1098), Exfiltration Over Alternative Protocol (T1048), Tool (T1588.002), Multi-hop Proxy (T1090.003), Brute Force (T1110), Container Service (T1543.005), Non-Standard Port (T1571), Exploitation for Privilege Escalation (T1068), Obfuscated Files or Information (T1027), Network Boundary Bridging (T1599), Firmware (T1592.003), Encrypted Channel (T1573), Software (T1592.002), Exploits (T1588.005), Credentials (T1589.001), Non-Application Layer Protocol (T1095), Python (T1059.006), Obtain Capabilities (T1588), System Services (T1569), Clear Persistence (T1070.009), Command Obfuscation (T1027.010), Systemd Service (T1543.002), Create Account (T1136), Remote Desktop Protocol (T1021.001), SNMP (MIB Dump) (T1602.001), At (T1053.002), Modify Authentication Process (T1556), Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003), Local Accounts (T1078.003)
  • CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization — Tue, 29 Jul 2025 13:53:52 EDT
    • Matched TTPs: VNC (T1021.005), Adversary-in-the-Middle (T1557), Password Guessing (T1110.001), OS Credential Dumping (T1003), Network Devices (T1584.008), Password Cracking (T1110.002), Boot or Logon Autostart Execution (T1547), Hardware (T1592.001), Databases (T1213.006), Browser Extensions (T1176.001), Vulnerabilities (T1588.006), SSH (T1021.004), Password Managers (T1555.005), Application Layer Protocol (T1071), Impair Defenses (T1562), Remote Access Tools (T1219), Unsecured Credentials (T1552), Remote Services (T1021), Modify Registry (T1112), Server (T1584.004), Password Spraying (T1110.003), System Network Configuration Discovery (T1016), Command and Scripting Interpreter (T1059), System Network Connections Discovery (T1049), Downgrade Attack (T1562.010), Credentials In Files (T1552.001), PowerShell (T1059.001), One-Way Communication (T1102.003), Account Manipulation (T1098), Tool (T1588.002), Phishing (T1566), Brute Force (T1110), Data Manipulation (T1565), Hijack Execution Flow (T1574), Valid Accounts (T1078), Credential Stuffing (T1110.004), Firmware (T1592.003), Software (T1592.002), Credentials (T1589.001), Bidirectional Communication (T1102.002), Domain Accounts (T1078.002), Remote Desktop Protocol (T1021.001), Domain or Tenant Policy Modification (T1484), At (T1053.002), Local Accounts (T1078.003)
  • #StopRansomware: Interlock — Mon, 21 Jul 2025 10:11:24 EDT
    • Matched TTPs: System Owner/User Discovery (T1033), Rundll32 (T1218.011), Keylogging (T1056.001), IP Addresses (T1590.005), DNS (T1071.004), Match Legitimate Resource Name or Location (T1036.005), Boot or Logon Autostart Execution (T1547), Malware (T1588.001), Malicious File (T1204.002), Hardware (T1592.001), Vulnerabilities (T1588.006), SSH (T1021.004), DLL (T1574.001), System Service Discovery (T1007), Data from Cloud Storage (T1530), System Information Discovery (T1082), Steal or Forge Kerberos Tickets (T1558), Credentials from Password Stores (T1555), Exfiltration Over Web Service (T1567), Remote Access Tools (T1219), Domains (T1584.001), Masquerading (T1036), Process Injection (T1055), System Binary Proxy Execution (T1218), Remote Services (T1021), Credentials from Web Browsers (T1555.003), System Network Configuration Discovery (T1016), Proxy (T1090), Command and Scripting Interpreter (T1059), Indicator Removal (T1070), Web Service (T1102), Financial Theft (T1657), User Execution (T1204), PowerShell (T1059.001), File Transfer Protocols (T1071.002), Registry Run Keys / Startup Folder (T1547.001), Exfiltration Over Alternative Protocol (T1048), Tool (T1588.002), Phishing (T1566), Valid Accounts (T1078), Data Encrypted for Impact (T1486), Firmware (T1592.003), Software (T1592.002), Input Capture (T1056), Credentials (T1589.001), Exfiltration to Cloud Storage (T1567.002), Domain Accounts (T1078.002), File Deletion (T1070.004), Drive-by Compromise (T1189), Malicious Copy and Paste (T1204.004), Ingress Tool Transfer (T1105), Remote Desktop Protocol (T1021.001), Kerberoasting (T1558.003), At (T1053.002)
  • Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider — Thu, 12 Jun 2025 10:29:54 EDT
    • Matched TTPs: IP Addresses (T1590.005), Malware (T1588.001), Hardware (T1592.001), Vulnerabilities (T1588.006), Remote Services (T1021), Server (T1584.004), Software (T1592.002), Remote Desktop Protocol (T1021.001), At (T1053.002)
  • Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations — Tue, 20 May 2025 15:20:23 EDT
    • Matched TTPs: Rundll32 (T1218.011), Network Devices (T1584.008), Malware (T1588.001), Browser Extensions (T1176.001), Vulnerabilities (T1588.006), Spearphishing Link (T1598.003), Spearphishing Link (T1566.002), Spearphishing Attachment (T1598.002), Spearphishing Attachment (T1566.001), DLL (T1574.001), Automated Collection (T1119), System Information Discovery (T1082), Application Layer Protocol (T1071), Native API (T1106), Deobfuscate/Decode Files or Information (T1140), Domains (T1584.001), Masquerading (T1036), Browser Information Discovery (T1217), Server (T1584.004), PowerShell (T1059.001), Tool (T1588.002), Phishing (T1566), Obfuscated Files or Information (T1027), Software (T1592.002), Credentials (T1589.001), Query Registry (T1012), Web Protocols (T1071.001), Ingress Tool Transfer (T1105), At (T1053.002), Compression (T1027.015)
  • Russian GRU Targeting Western Logistics Entities and Technology Companies — Mon, 12 May 2025 12:49:12 EDT
    • Matched TTPs: Scheduled Task (T1053.005), Archive via Utility (T1560.001), Windows Management Instrumentation (T1047), Gather Victim Host Information (T1592), Password Guessing (T1110.001), OS Credential Dumping (T1003), IP Addresses (T1590.005), JavaScript (T1059.007), DNS (T1071.004), External Remote Services (T1133), Email Collection (T1114), Boot or Logon Autostart Execution (T1547), Malware (T1588.001), Domain Account (T1136.002), Domain Account (T1087.002), Malicious File (T1204.002), Hardware (T1592.001), Databases (T1213.006), Vulnerabilities (T1588.006), Spearphishing Link (T1598.003), Spearphishing Link (T1566.002), SSH (T1021.004), Spearphishing Attachment (T1598.002), Spearphishing Attachment (T1566.001), DLL (T1574.001), Automated Collection (T1119), Botnet (T1584.005), Scheduled Task/Job (T1053), Cloud Accounts (T1078.004), Cloud Accounts (T1586.003), Email Accounts (T1585.002), Email Accounts (T1586.002), Exploit Public-Facing Application (T1190), Unsecured Credentials (T1552), Content Injection (T1659), Shortcut Modification (T1547.009), Scheduled Transfer (T1029), Gather Victim Identity Information (T1589), Archive Collected Data (T1560), Remote Services (T1021), Server (T1584.004), Clear Windows Event Logs (T1070.001), Password Spraying (T1110.003), External Proxy (T1090.002), Email Addresses (T1589.002), Spearphishing Voice (T1566.004), Network Security Appliances (T1590.006), Business Relationships (T1591.002), Video Capture (T1125), Account Discovery (T1087), Proxy (T1090), Command and Scripting Interpreter (T1059), Indicator Removal (T1070), Compromise Accounts (T1586), Multi-Stage Channels (T1104), Execution Guardrails (T1480), Web Services (T1584.006), User Execution (T1204), Group Policy Preferences (T1552.006), Gather Victim Org Information (T1591), PowerShell (T1059.001), Registry Run Keys / Startup Folder (T1547.001), Trusted Relationship (T1199), Account Manipulation (T1098), Exfiltration Over Alternative Protocol (T1048), Tool (T1588.002), Phishing (T1566), Multi-hop Proxy (T1090.003), Brute Force (T1110), Hijack Execution Flow (T1574), Multi-Factor Authentication (T1556.006), Remote Email Collection (T1114.002), Forced Authentication (T1187), Firmware (T1592.003), Encrypted Channel (T1573), Software (T1592.002), Input Capture (T1056), Credentials (T1589.001), Python (T1059.006), Identify Roles (T1591.004), Windows Command Shell (T1059.003), Multi-Factor Authentication Interception (T1111), Visual Basic (T1059.005), Additional Email Delegate Permissions (T1098.002), Remote Desktop Protocol (T1021.001), Hide Infrastructure (T1665), NTDS (T1003.003), Malicious Link (T1204.001), At (T1053.002), Modify Authentication Process (T1556)
  • Fast Flux: A National Security Threat — Tue, 01 Apr 2025 15:00:21 EDT
    • Matched TTPs: IP Addresses (T1590.005), DNS (T1071.004), Malware (T1588.001), Fast Flux DNS (T1568.001), Vulnerabilities (T1588.006), Botnet (T1584.005), Domains (T1584.001), Server (T1584.004), Dynamic Resolution (T1568), Phishing (T1566), At (T1053.002)
  • #StopRansomware: Medusa Ransomware — Tue, 11 Mar 2025 10:52:42 EDT
    • Matched TTPs: Windows Management Instrumentation (T1047), OS Credential Dumping (T1003), Encrypted/Encoded File (T1027.013), IP Addresses (T1590.005), DNS (T1071.004), Permission Groups Discovery (T1069), Service Stop (T1489), Malware (T1588.001), Domain Account (T1136.002), Databases (T1213.006), Domain Groups (T1069.002), Vulnerabilities (T1588.006), SSH (T1021.004), DLL (T1574.001), Network Share Discovery (T1135), System Information Discovery (T1082), Application Layer Protocol (T1071), Clear Command History (T1070.003), Impair Defenses (T1562), Exploit Public-Facing Application (T1190), Exfiltration Over Web Service (T1567), Remote Access Tools (T1219), Remote Services (T1021), Server (T1584.004), LSASS Memory (T1003.001), Email Addresses (T1589.002), System Network Configuration Discovery (T1016), Proxy (T1090), Command and Scripting Interpreter (T1059), Indicator Removal (T1070), File and Directory Discovery (T1083), Web Service (T1102), Financial Theft (T1657), Software Deployment Tools (T1072), PowerShell (T1059.001), Tool (T1588.002), Phishing (T1566), Disable or Modify Tools (T1562.001), Obfuscated Files or Information (T1027), Data Encrypted for Impact (T1486), Firmware (T1592.003), Software (T1592.002), Credentials (T1589.001), Exfiltration to Cloud Storage (T1567.002), System Services (T1569), Windows Command Shell (T1059.003), Web Protocols (T1071.001), Create Account (T1136), Network Service Discovery (T1046), Ingress Tool Transfer (T1105), Remote Desktop Protocol (T1021.001), Service Execution (T1569.002), At (T1053.002), Inhibit System Recovery (T1490), Compression (T1027.015), System Shutdown/Reboot (T1529), MMC (T1218.014)

Darkreading

BleepingComputer

  • Trivy vulnerability scanner breach pushed infostealer via GitHub Actions — Sat, 21 Mar 2026 13:30:41 -0400
    • Matched TTPs: JavaScript (T1059.007), Malware (T1588.001), Hardware (T1592.001), Vulnerabilities (T1588.006), SSH (T1021.004), Private Keys (T1552.004), Server (T1584.004), Code Repositories (T1213.003), Shell History (T1552.003), Tool (T1588.002), Phishing (T1566), Software (T1592.002), Credentials (T1589.001), Python (T1059.006), Systemd Service (T1543.002), At (T1053.002)
  • Microsoft Azure Monitor alerts abused for callback phishing attacks — Sat, 21 Mar 2026 10:09:19 -0400
    • Matched TTPs: Malware (T1588.001), Hardware (T1592.001), Tool (T1588.002), Phishing (T1566), Software (T1592.002), At (T1053.002)

The Hacker News

This post is licensed under CC BY 4.0 by the author.