All Reports
Archive of security research, threat analysis, and intelligence reports
EvilTokens: Device Code Phishing Goes Industrial
We fed 95 EvilTokens campaign IPs into ClusterHawk and mapped the full infrastructure architecture: a Cloudflare CDN frontend, fragmented backend hosting with DocuSign lures and Exim mail servers, a bridge cluster with Google Trust Services certificates on compromised business domains, Cobalt Strike C2 via domain fronting, and an unreported IoT proxy layer of compromised Hikvision/Dahua surveillance cameras on Chinese telecom networks.
Profiling the Largest Identifiable Exposed AI Infrastructure on the Internet
Over 1,500 IPs from Shodan's exposed Ollama index were analyzed through ClusterHawk. After filtering 60% honeypots, 13 of 27 clusters pointed to a single operator — XRUI TECHNOLOGY LIMITED — running identical nginx/MySQL/Ollama stacks with unauthenticated qwen3-vl inference across 35+ hosts alongside a Chinese sports gambling site. This is the largest identifiable exposed AI infrastructure we've found in one operator's hands.
OVERCAST: Tracking 1,900 Nation-State RDP Nodes Across Cloudzy's C2P Ecosystem
We received 50 validated IPs linked to a suspected Russian state-sponsored APT. We profiled them through ClusterHawk and extracted a common fingerprint — then pivoted on that profile against internet scanning data and surfaced approximately 1,900 matching assets across 15 countries. We designate this infrastructure tracking effort OVERCAST.
The Pattern in the Noise: What 1,602 Exposed Modbus Systems Reveal About Industrial Security's Systemic Failures
Analyzing 1,602 internet-visible Modbus systems revealed not scattered misconfigurations but systematic patterns—95% shared TLS fingerprints, identical certificates, same CVEs across clusters. This isn't about individual negligence; it's how the entire ICS ecosystem deploys critical infrastructure in predictable, exploitable ways.
When Your Router Becomes Someone Else's Weapon: Uncovering an 800+ Proxy Network via KeeneticOS Routers
Through infrastructure clustering analysis, we identified a proxy network containing 832 compromised KeeneticOS routers operating across Russian ISPs. This investigation reveals how consumer devices become weaponized infrastructure in the modern threat landscape.
SideWinder's Click Once campaign - independent validation with ClusterHawk
We confirm Trellix's reporting on SideWinder's PDF ClickOnce chain and targets, and we test our methodology by deliberately starting from a broad pivot on VirusTotal "communicating IPs" and then separating CDN/search noise (~85%) from a compact nginx micro-cluster (~15%) that is worth watching. Below are ready-to-run hunts (SIEM/Sigma + Shodan/Censys) and cluster fingerprints you can use as predictive seeds.
ClickFix to NetSupport: Validating ClusterHawk, Cluster Profiles, and What's New
Methodology first. We seeded ClusterHawk with eSentire's published NetSupport indicators and clustered/scored the infrastructure behind ClickFix delivery. We then validated our results against eSentire TRU's reporting and IoCs. Outcome: our method reproduces the delivery chain and infra families eSentire describes and adds operator-centric cluster profiles, a predictive WinRM signature (issuer + JA3S/JARM + RDP/WinRM), and anomaly-led triage that prioritizes the right IPs fast.
Explorative Clustering of Malicious Infrastructure with ClusterHawk
Over 2,700 malicious IP addresses were analyzed in an explorative clustering experiment that used ClusterHawk to group adversarial infrastructure. The objective: to determine whether Command-and-Control (C2) servers could be automatically clustered by operational similarity, without relying on predefined family signatures.
SystemBC Infrastructure Investigation: Automated Insights in Response to Lumen's Report
We independently validated and extended Lumen's SystemBC findings using Chawkr's automated clustering, producing role-based infrastructure profiles, stability metrics, and anomaly scoring.
Storm-0940: State-Sponsored Brute-Force Attacks Targeting Microsoft 365
How to Read and Validate Platform Reports
This guide teaches analysts how to read platform-generated reports, what to focus on, and how to validate claims against underlying artifacts, following the system methodology.
Threat Actor Profiles: Building, Tracking, and Operationalizing Intelligence
Threat actor profiles are structured, data-driven portraits of adversaries' persistent behaviors—infrastructure choices, operational cadence, cryptographic habits, naming schemes, product stacks—not just ephemeral artifacts like single IPs or hashes.
