Chawkr research

Threat intelligence

Analysis, IOCs, and threat trends from our research team

Our mission

We connect malicious activity to the people behind it, faster. Infrastructure analysis does most of the work: cluster the servers, read the metadata, follow operational habits until an actor takes shape. When attribution speeds up, defenders get ahead of campaigns instead of cleaning up after them.

What you'll find here

Threat analysis

In-depth analysis of APT groups, malware families, and active campaigns

Emerging trends

Early detection of new attack vectors and evolving adversary tactics

Actor profiling

Detailed profiles of threat actors, motivations, and capabilities

Expert discussion

Join discussions with security professionals and researchers

Latest threat intelligence

Stay ahead of emerging threats with our latest analysis and intelligence reports

Latest 4 posts

This content requires premium access. Subscribe for full threat intelligence reports and analysis.

Premium
Premium content

SILENTLOOM: A Reused Device Pool Behind a Quiet Microsoft 365 Password Attack

Premium access required

Free
doctrinemethodologyinfrastructure-analysis+6

Find the House, Not the Doormat: A Doctrine for Reading Infrastructure Metadata After the Attack

The single-indicator pivot dies against a tier-separated operator, stopping at the access surface. This doctrine proposes four moves for reading metadata after: seed from a behavioral cohort, mine persistent fingerprints, separate attack signature from residue, confirm with an independent source.

CR

Chawkr Reports

18/06/2026

Free
eviltokensphishingdevice-code+7

EvilTokens: Device Code Phishing Goes Industrial

We fed 95 EvilTokens campaign IPs into ClusterHawk and mapped a four-tier architecture. It spans a Cloudflare CDN frontend, DocuSign/Exim backend hosting, a bridge cluster on Google Trust Services certs, Cobalt Strike C2 via domain fronting, and an unreported IoT layer of Hikvision/Dahua cameras.

CR

Chawkr Reports

09/04/2026

Free
ollamallmjackingqwen+6

Profiling the Largest Identifiable Exposed AI Infrastructure on the Internet

Over 1,500 IPs from Shodan's exposed Ollama index were analyzed through ClusterHawk. After filtering 60% honeypots, 13 of 27 clusters pointed to one operator, XRUI TECHNOLOGY LIMITED, running identical nginx/MySQL/Ollama stacks with unauthenticated qwen3-vl inference across 35+ hosts.

CR

Chawkr Reports

13/03/2026

Join the discussion

Premium subscribers can join the discussion threads and compare notes with other security professionals.

SE

Swift Eagle

Nice write-up on the APT28 infrastructure changes, matches what we've been seeing in our own monitoring. The move to European hosting providers is what stood out to us...

MW

Mystic Wolf

Agreed, we're seeing the same shift on our end. Feels like they're just working around sanctions and regulatory pressure at this point...

Get premium threat intelligence

Full write-ups, exportable IOCs, and discussion threads with other analysts