Chawkr research
Threat intelligence
Analysis, IOCs, and threat trends from our research team
Our mission
We connect malicious activity to the people behind it, faster. Infrastructure analysis does most of the work: cluster the servers, read the metadata, follow operational habits until an actor takes shape. When attribution speeds up, defenders get ahead of campaigns instead of cleaning up after them.
What you'll find here
Threat analysis
In-depth analysis of APT groups, malware families, and active campaigns
Emerging trends
Early detection of new attack vectors and evolving adversary tactics
Actor profiling
Detailed profiles of threat actors, motivations, and capabilities
Expert discussion
Join discussions with security professionals and researchers
Latest threat intelligence
Stay ahead of emerging threats with our latest analysis and intelligence reports
Latest 4 posts
This content requires premium access. Subscribe for full threat intelligence reports and analysis.
Premium content
SILENTLOOM: A Reused Device Pool Behind a Quiet Microsoft 365 Password Attack
Premium access required
Find the House, Not the Doormat: A Doctrine for Reading Infrastructure Metadata After the Attack
The single-indicator pivot dies against a tier-separated operator, stopping at the access surface. This doctrine proposes four moves for reading metadata after: seed from a behavioral cohort, mine persistent fingerprints, separate attack signature from residue, confirm with an independent source.
Chawkr Reports
18/06/2026
EvilTokens: Device Code Phishing Goes Industrial
We fed 95 EvilTokens campaign IPs into ClusterHawk and mapped a four-tier architecture. It spans a Cloudflare CDN frontend, DocuSign/Exim backend hosting, a bridge cluster on Google Trust Services certs, Cobalt Strike C2 via domain fronting, and an unreported IoT layer of Hikvision/Dahua cameras.
Chawkr Reports
09/04/2026
Profiling the Largest Identifiable Exposed AI Infrastructure on the Internet
Over 1,500 IPs from Shodan's exposed Ollama index were analyzed through ClusterHawk. After filtering 60% honeypots, 13 of 27 clusters pointed to one operator, XRUI TECHNOLOGY LIMITED, running identical nginx/MySQL/Ollama stacks with unauthenticated qwen3-vl inference across 35+ hosts.
Chawkr Reports
13/03/2026
Join the discussion
Premium subscribers can join the discussion threads and compare notes with other security professionals.
Swift Eagle
Nice write-up on the APT28 infrastructure changes, matches what we've been seeing in our own monitoring. The move to European hosting providers is what stood out to us...
Mystic Wolf
Agreed, we're seeing the same shift on our end. Feels like they're just working around sanctions and regulatory pressure at this point...
Get premium threat intelligence
Full write-ups, exportable IOCs, and discussion threads with other analysts
