HACKFORLAB Weekly Threat Advisory · June 15-21, 2026 · 55,480 indicator observations across 89 adversary clusters · radar showing intelligence graph with multi-pivot locked cluster · Rhysida-Interlock 219 IOCs, ClickFix 215 IOCs, JetBrains plugin supply chain attack, AI platform abuse, APT37 and UNC6508 active

Weekly Threat Advisory: Cluster Analysis & Top IOCs, June 15 – 21, 2026

WEEKLY THREAT ADVISORY · ADVISORY 026-25 · JUNE 15 – 21, 2026

The catalogue produced 55,480 indicator observations across 89 adversary clusters this week, shaped by three structural signals: a ransomware operator rotated a full multi-pivot kill chain (219 indicators across 4 IOC types in a single week), the developer supply chain became the preferred attack surface for three concurrent campaigns, and AI-platform domains began appearing as adversary infrastructure. This advisory is what the catalogue says — and what your blue team should do about it Monday morning.

For the hunting and detection-engineering operationalisation of recent windows, see the companion Sigma Playbook. For previous weekly advisories, see the Threat Intelligence archive. For the AWS-specific hunt library, see the AWS Threat Hunting Library.

OPERATOR-GRADE INTELLIGENCE

HuntIntel ships every IOC behind this advisory with provenance, confidence score, MITRE technique, and adversary cluster pre-mapped — queryable in the operator console, exportable to your SIEM in seconds. Stop reading PDFs. Start querying the catalogue.

Open HuntIntel →

01 · This week in numbers

The catalogue produced 55,480 indicator observations this cycle, down from last week’s 76,205 — a 27 percent reduction in topline volume but with a measurably denser high-confidence layer. Three structural shifts matter more than the topline. First, a single ransomware operator rotated 219 indicators across four IOC types in seven days, the broadest multi-pivot kill-chain rotation observed in three weeks. Second, three concurrent supply-chain campaigns targeted the developer tool-chain (a development-editor plugin marketplace, a browser-extension store, and a marketing-platform delivery layer). Third, artificial-intelligence platforms began appearing as adversary infrastructure — chat-share URLs used as redirector layers, AI-generated lure videos staged on accomplice domains.

// AT A GLANCE · June 15 – 21, 2026
55,480
Indicator observations
54,243
Unique IOCs
89
Adversary clusters
1,086
High-severity records
8
Source feeds joined
6
Distinct IOC types

Catalogued, ML-scored, MITRE-tagged. Every record carries adversary attribution, technique tag, severity, confidence, and provenance. Continuously refreshed across open-source feeds, sandbox detonations, TLS and DNS observation, and honeynet plane sources.

02 · Headlines — the three things that defined this week

If you read nothing else, read these three.

Headline 01 · A ransomware operator rotated a full multi-pivot kill chain

A single ransomware cluster — one that combines a recently merged double-extortion brand and an affiliate-driven distribution layer — rotated 219 unique indicators in seven days, distributed across all four primary IOC types (83 domains, 72 hashes, 61 IP addresses, 3 URLs). Multi-pivot rotation at this breadth is a load-bearing intelligence signal: the operator is not iterating on a single tactic, they are running a coordinated kill-chain refresh — new infrastructure for initial-access landing pages, new binary payloads, new C2 listener IPs, and new staging URLs concurrently. The implication for defenders is that single-type blocklists (only domains, only hashes) will catch a fraction of the activity. The cluster also showed a tight subnet anchor: four of its IP rotations landed inside the same /24 address block (23.227.202.0/24), suggesting an upstream hosting anchor that survived the rotation cycle. Subnet-level blocking on that anchor is the cheapest defensive control.

Headline 02 · Developer supply chain became the preferred attack surface

Three concurrent supply-chain campaigns hit the developer tool-chain this week, contributing 42 unique indicators across the OTHERS (package names), DOMAIN, EMAIL, and IP types. The first targeted a code-editor plugin marketplace with 15 typosquat package identifiers (com.coder.ai.dpt, com.dev.ai.toolkit, org.bug.find.tools, etc.) designed to look like legitimate AI-coding helpers. The second targeted a browser extension store with 8 malicious extension domains plus 7 operator email addresses tied to publisher accounts. The third compromised a marketing-tools delivery layer at 6 typosquat domains (opmnstr.com, optnmstr.com, etc.). All three share a single pattern: impersonate a tool the developer already trusts and let the developer install it themselves. None of the three required exploitation of a vulnerability. The defensive answer is package allow-listing, publisher-identity verification, and outbound-domain monitoring from build agents.

Headline 03 · AI platforms appeared as adversary infrastructure

For the first time at observable scale in this catalogue, artificial-intelligence platform URLs are being used as adversary infrastructure. The week observed 19 domains operating as redirectors that route through AI-chat-share URL patterns — abusing platforms designed for legitimate prompt sharing to inherit reputation and TLS validity from a high-trust parent domain. Separately, a 39-indicator phishing campaign used AI-generated instruction videos as the lure content layer, staged on accomplice domains. The combination of AI-generated content (cheap to produce, hard to fingerprint with traditional template detection) and AI-platform redirector infrastructure (inherits trust from the host) represents a new operational pattern. Defenders should treat AI-platform share URLs the way they would treat URL-shortener services: a candidate for inspection, not for implicit trust.


03 · Indicator-type and severity breakdown

An intelligence catalogue is only useful if you know where the high-value records concentrate. The IP-address layer dominates this week’s topline volume — 96 percent of all observations — because the largest contributing feed is a C2-infrastructure flood feed that produces dense IP-only output. The story shifts when you look at the narrow indicator types: domains, hashes, URLs, emails, and OTHERS (package names, lure filenames) are the layer where new adversary tradecraft surfaces.

By indicator type

TypeObservationsShare%
IPs53,170
98.02%
Domains459
0.85%
File hashes340
0.63%
URLs243
0.45%
Other artefacts16
0.03%
Emails15
0.03%

By severity

SeverityObservationsShare%
High1,086
2.00%
Medium53,025
97.69%
Low166
0.31%

Reading the severity distribution. The Medium-severity layer is dominated by C2-framework infrastructure observations — recognised tooling that has not yet been tied to a specific named campaign. The 1,086 High-severity records are the actionable layer: campaign-attributed, MITRE-tagged, ransomware-grade, or APT-attributed. The Low-severity layer is scanning noise and reputation-only signals retained for retrospective correlation. The SOC’s automated blocklist lane should consume the High layer only; Medium goes to enrichment, Low to the data lake.

04 · Category mix — where the catalogue concentrates

Command-and-control infrastructure remains the dominant category at 99 percent of records — an expected weighting given C2 listener IPs are the highest-volume class of indicator produced by passive collection. The story this week sits in the narrower categories: Phishing (377), Malware-Activity (289), Ransomware-as-a-Service (282), and the supply-chain entries (24 records, attributable to three distinct campaigns).

CategoryObservationsShare%
C&C52,629
96.93%
Phishing377
0.69%
Malware-Activity289
0.53%
Ransomware-as-a-service282
0.52%
C&C Server245
0.45%
Botnet238
0.44%
APT54
0.10%
RAT41
0.08%
Trojan40
0.07%
Supply Chain24
0.04%
Payload Delivery20
0.04%
Vulnerability19
0.03%
Malicious Infrastructure16
0.03%
Backdoor12
0.02%
Spyware8
0.01%

The 54 APT records cover six distinct named threat actors — the most diverse APT footprint observed in eight weeks. Two of those (APT37, UNC6508) showed multi-pivot rotation, indicating active operational tempo rather than retrospective indicator publication.

05 · Top 30 adversary clusters by indicator footprint

The table ranks every named adversary cluster by unique indicator count this week. The dominant entry — an open-source C2 framework family with 52,633 observations — reflects infrastructure-monitoring feed output and is shown in grey to preserve readability of the other 29 entries. The 29 sub-leading clusters carry the operationally interesting signal: campaign-attributed activity, ransomware-grade rotations, APT signatures, and supply-chain attacks.

#Adversary clusterRelative footprintUnique IOCsSeverity
01CobaltStrike

C2 · IP, URL
52,633MEDIUM
02Rhysida-Interlock

Ransomware · DOMAIN, HASH, IP, URL
219HIGH
03ClickFix

Malware Campaign · DOMAIN, HASH, URL
215HIGH
04meshagent

C2 · IP
99MEDIUM
05World Cup 2026 Mobile

Phishing Campaign · DOMAIN
80LOW
06ErrTraffic

Malware · DOMAIN, HASH, URL
74HIGH
07AryStinger

Malware · DOMAIN, HASH, IP, URL
66HIGH
08Cobalt Strike (separate cluster)

C2 · IP
47HIGH
09Rokarolla

Trojan · HASH
40HIGH
10AI-Generated Fake Instruction Video

Phishing Campaign · HASH, URL
39LOW
11metasploit

C2 · IP
36MEDIUM
12Malicious Wallpapers

Malware Campaign · HASH, URL
36HIGH
13VShell

C2 · IP
35HIGH
14mythic

C2 · IP
30MEDIUM
15Gentlemen

Ransomware · HASH
27HIGH
16INC ransomware

Ransomware · DOMAIN, HASH
25HIGH
17Azure DNS zone SEO poisoning campaign

Malware Campaign · DOMAIN, HASH, IP
23HIGH
18AsyncRAT

C2 · IP
23HIGH
19SearchJack

Phishing Campaign · URL
22LOW
20AdaptixC2

C2 · IP
21MEDIUM
21claude.ai Shared Chat (abused)

Malware Campaign · DOMAIN
19HIGH
22UNC6508

Threat Actor (APT) · DOMAIN, HASH, IP
19HIGH
23The Quarry

Phishing Kit · DOMAIN, HASH
19MEDIUM
24EtherRAT

Malware (RAT) · DOMAIN, IP
18HIGH
25Google Chrome extensions (malicious)

Malware Campaign · DOMAIN, EMAIL, IP
17HIGH
26Remcos

C2 (RAT) · IP
17HIGH
27Malicious JetBrains Plugins

Supply Chain · IP, OTHERS (pkg names)
16HIGH
28havoc

C2 · IP
15MEDIUM
29APT37

Threat Actor (APT) · DOMAIN, HASH, IP
15HIGH
30Crypto Clipper Campaign

Malware Campaign · HASH
14HIGH

How to read this table. Pay disproportionate attention to clusters that span three or more IOC types — that breadth is a campaign-fingerprint signal. Clusters with only IP indicators (VShell, meshagent, metasploit, mythic, havoc, AsyncRAT, Remcos, AdaptixC2, Cobalt Strike, DCRat, AdaptixC2) are typically open-source C2 framework infrastructure; useful for perimeter blocking but limited as an attribution anchor. Clusters with DOMAIN+HASH+IP+URL coverage (Rhysida-Interlock, AryStinger) are the full-kill-chain rotations.


06 · Cluster deep-dives — the five that matter most

06.1 · Rhysida-Interlock — the full-kill-chain rotation

This cluster represents the merged operational signature of two named ransomware brands that have demonstrated overlapping affiliate networks and infrastructure handoff in recent quarters. The catalogue tracks them as a single cluster because the technical indicators no longer separate cleanly. The week’s footprint is the broadest seen for this cluster in the year-to-date window: 83 unique domains, 72 hashes, 61 IP addresses, 3 URLs. The 61 IPs include a tight subnet anchor (four IPs in 23.227.202.0/24) that suggests an upstream hosting concentration that survived the rotation cycle.

Tradecraft profile. Initial access via valid-account compromise (often acquired from initial-access brokers feeding off credential-stealer ecosystems), followed by living-off-the-land lateral movement using built-in remote-management tooling. Encryption is partial-file and threaded for speed. The double-extortion lane uploads exfiltrated data to operator-controlled domains before the encryption phase fires.

Defensive actions:

  • Block the subnet anchor 23.227.202.0/24 at the perimeter. The four IPs in that block are not isolated — treat the entire /24 as suspect.
  • Hash-block all 72 binary indicators at endpoint, file-share, and email-attachment scan points.
  • Watch for the kill-chain sequence: valid-account login from an unusual source, immediately followed by remote-management tool execution, immediately followed by large outbound transfer to one of the 83 domains. The sequence is the signature; any single step is noisy alone.

06.2 · ClickFix — the deterministic domain-URL pivot

This phishing/malware-campaign cluster contributed 215 indicators with a striking 1:1 domain-to-URL pivot pattern (107 domains, 107 URLs). The domain naming convention is algorithmic — alphanumeric strings that look like license keys (5v12-3my5908y1.com, 8790tn5c190y51v7n2.com) — suggesting automated domain generation tied to a campaign-management backend. The MITRE technique signature is consistent across every indicator: T1566 + T1204 + T1059 + T1105 (phishing → user-execution → command-interpreter → ingress-tool-transfer).

What the algorithmic naming tells you. The operator is running a domain-generation algorithm with a low character entropy profile (mixed letters and digits, no English wordlist source). DGA detection rules tuned on entropy will catch these; rules tuned on dictionary deviation will miss them.

Defensive actions:

  • DGA detector tuned to character-class entropy (not dictionary distance) will flag the naming pattern.
  • Block all 107 domains at the DNS resolver layer. The 107 corresponding URLs become unreachable as a side effect.
  • Watch for the click-execution sequence: browser navigation to one of the 107 domains, then PowerShell or command-interpreter launch within 30 seconds from the same endpoint — the technique signature end-to-end.

06.3 · AryStinger — full-kill-chain stealer

This malware cluster contributed 66 indicators across all four primary IOC types (53 hashes, 9 URLs, 3 domains, 1 IP). The hash-heavy distribution is the signature of a stealer family with multiple delivered payload variants — each victim receives a slightly different binary, dropping a baseline hash-blocklist hit rate but rotating the network indicators less aggressively. The cluster’s stealer functionality maps to T1056.001 (Keylogging), T1555 (Credentials from Password Stores), T1113 (Screen Capture), and T1041 (Exfiltration over C2).

Defensive actions:

  • Don’t rely on hash-only detection for this cluster — the 53 variants suggest a polymorphic build pipeline. Behavioural detection on credential-store access and clipboard scraping is the reliable layer.
  • Watch the network anchor: the single IP (107.150.106.14) is the stable infrastructure point and is the cheapest blocklist add.

06.4 · Developer supply-chain attack trio

Three concurrent campaigns hit the developer tool-chain this week, and they belong in the same analysis because they share the same operating principle: impersonate a tool the developer trusts.

  • Code-editor plugin marketplace campaign — 15 typosquat package identifiers like com.coder.ai.dpt, com.dev.ai.toolkit, com.json.simple.kit, org.bug.find.tools. All 15 deliberately target the AI-assistant and code-quality plugin segment, riding the surge in developer demand for AI-coding helpers.
  • Browser-extension store campaign — 8 malicious domains plus 7 publisher email addresses tied to extension uploads. The extensions abused the browser-extension privilege model to read session cookies, browser bookmarks, and form fields — classic browser-extension malware kill chain (T1176 + T1539 + T1217).
  • Marketing-platform delivery layer compromise — 6 typosquat domains shadowing a popular marketing-tools delivery CDN (opmnstr.com, optnmstr.com, trstplse.com). The campaign loaded malicious payloads into legitimate marketing form pop-ups, abusing trust the website owner extended to the delivery CDN.

The combined lesson. Software supply-chain attacks no longer require novel exploits; the attack vector is the tool-installation flow itself. Defensive answers are package allow-listing in CI build agents, publisher-identity verification at the extension store, and outbound-domain monitoring from production web pages and build runners.

06.5 · AI platforms as adversary infrastructure

Two separate campaigns this week made operational use of artificial-intelligence platform domains — the first publicly observable pattern of this kind at scale in our catalogue.

  • Chat-share-URL abuse cluster19 domains operating as redirector layers that route through public AI chat-share URLs. The pattern abuses platforms designed for legitimate prompt sharing, inheriting reputation and TLS validity from a high-trust parent. The 19 domains all redirected to second-stage malware-distribution infrastructure within 48 hours of registration.
  • AI-generated lure video campaign39 indicators (38 URLs, 1 hash) where the lure layer was an AI-generated instructional video staged on accomplice domains. The visual quality of the lure was high; the video was unique per victim cohort; traditional template-matching detection rules failed.

What this means for defenders. Treat AI-platform share URLs the same way you treat URL-shortener services: candidate for inspection, not for implicit trust. AI-generated content cannot be flagged by signature; the detection layer has to move to behaviour (what does the user do after consuming the content?) and to context (does the inbound source claim a reasonable provenance?).

06.6 · APT cluster appearances — APT37 and UNC6508

Two named state-aligned threat-actor clusters appeared in this week’s catalogue with multi-pivot indicator rotations.

  • APT3715 indicators across DOMAIN (5), HASH (4), IP (6). This is a cluster historically tied to regional-targeting activity against academia, defectors, and policy-research organisations. The IPs landed in a tight pair (121.254.222.10 and 121.254.222.80), suggesting infrastructure concentration.
  • UNC650819 indicators across DOMAIN (11), HASH (7), IP (1). The single-IP anchor with 11 domains is the inverse of the typical pattern (many IPs, few domains) — suggesting either domain-rotation defensive evasion or a single C2 with many landing pages.

Both clusters carry the APT category tag with High severity. For organisations in research, government-adjacent, or critical-infrastructure verticals, these are the catalogue entries that warrant immediate IOC ingestion and a focused retrospective hunt.

07 · MITRE ATT&CK technique pressure

The catalogue aggregates technique tags from every IOC where the source feed published an ATT&CK mapping, then rolls them up to the parent tactic. The table below is what the adversary tactic-pressure profile looked like this week — that is, which phases of the kill chain were most heavily represented in the indicator stream.

TacticTop techniques observedWhat the technique pressure means in practiceIOC count
Command and ControlT1071.001 / T1071 / T1573.002 / T1090Application-layer C2 over web protocols, encrypted asymmetric channels, and proxy chains309
Initial AccessT1566 / T1566.001 / T1190 / T1195.001Phishing (generic + spearphishing attachment), public-app exploitation, and software-supply-chain compromise270
ExecutionT1059 / T1059.001 / T1204 / T1203Command-and-script interpreter abuse, malicious file user-execution, exploit-for-client-execution245
Ingress Tool TransferT1105Second-stage payload delivery — the most universal post-execution behaviour observed this week220
Exfiltration over C2T1041Adversary exfiltrates over the same channel used for command and control — keeps traffic-pattern footprint small195
PersistenceT1547.001 / T1176Registry Run keys for endpoint persistence; malicious browser extensions for browser persistence152
Defense EvasionT1027 / T1218.011 / T1055Obfuscated files, signed-binary proxy execution, process injection118
Credential AccessT1555 / T1056.001 / T1539Credentials from password stores, keylogging, session-cookie theft95
DiscoveryT1082 / T1217System info enumeration; browser bookmark discovery (extension-based recon)64
CollectionT1056 / T1113 / T1005Input capture, screen capture, local data collection47
ImpactT1486 / T1490Data encryption (ransomware) and inhibit-system-recovery — rare but high-severity32
Resource DevelopmentT1583.001 / T1102Adversary-acquired domain infrastructure and web-service abuse (e.g. AI chat-share platforms used as redirector layer)28

How the adversary-to-MITRE mapping was built

Each catalogued indicator carries a ttp field populated either by the source feed or by the catalogue’s enrichment layer. For the deep-dive clusters above, here is the per-adversary MITRE mapping that drove the technique-pressure roll-up:

Adversary clusterMITRE techniquesOperational meaning
Rhysida-Interlock (Ransomware)T1078, T1021.001, T1219, T1486, T1490, T1567Valid-account access → remote desktop → remote-access software → data encryption → recovery inhibition → exfil to web service. Full ransomware kill chain.
ClickFix (Phishing/Malware)T1566, T1204, T1059, T1105Phishing → user-execution → command interpreter → second-stage payload pull. Algorithmic-domain delivery pattern.
AryStinger (Stealer)T1056.001, T1555, T1113, T1041Keylogging, credential-store theft, screen capture, exfil over the C2 channel.
APT37 (Threat Actor)T1566.001, T1059, T1027, T1105, T1547.001Spearphishing attachment → command interpreter → obfuscated code → second-stage pull → registry persistence.
UNC6508 (Threat Actor)T1583.001, T1566, T1027, T1041, T1071.001Acquired-domain infrastructure, phishing initial access, obfuscated payload, web-protocol C2, exfil over C2.
Malicious JetBrains Plugins (Supply chain)T1195.001, T1059, T1027, T1132Software-supply-chain compromise, command-interpreter execution, obfuscated payload, data-encoding for exfil.
Google Chrome extensions (Browser malware)T1176, T1539, T1217, T1102Browser-extension persistence, session-cookie theft, bookmark discovery, web-service C2.
OptinMonster (Marketing-layer compromise)T1195.001, T1583, T1499Software-supply-chain compromise, acquired infrastructure, endpoint denial via injected content.
claude.ai Shared Chat (AI-platform abuse)T1566, T1583.001, T1102Phishing initial access via AI-share URL redirector, acquired-domain anchor, web-service abuse.
Operation Poisson (C2)T1071.001, T1027, T1105, T1041Web-protocol C2, obfuscation, second-stage pull, exfil over C2.
meshagent / mythic / havoc / metasploit (Open framework C2)T1071.001, T1573.002, T1219, T1041, T1547.001Open-source C2 framework infrastructure observation — standard tooling, perimeter blocking only.
Formbook / Dcrat / QuasarRAT / AgentTesla (Stealer/RAT)T1056, T1005, T1113, T1555, T1041, T1082Input capture, local data theft, screen capture, credential-store access, exfil, system info enumeration.

08 · Subnet clustering — the shared-infrastructure signal

One of the cheapest correlation passes in catalogue analytics is the /24 subnet group-by: take every IP indicator from the week, drop the host octet, and count distinct subnets with 3 or more indicators. The subnets that surface are operator-anchor signals — they indicate where the adversary’s upstream hosting concentration sits, and they unlock subnet-level blocking as a cheaper-than-host-level control.

Subnet (/24)IP countAdversary cluster(s)Operator observation
45.198.224.0/246AdaptixC2 + MiraiShared bulletproof hosting; cross-family co-tenancy
23.227.202.0/244Rhysida-InterlockSingle-family rotation block; pivot anchor
23.235.185.0/244DCRatRAT operator C2 rotation
143.92.43.0/243VShellC2 server cluster
156.234.211.0/243Cobalt StrikeBeacon listener block
112.121.165.0/243VShellSecond VShell block
62.171.177.0/243metasploitOpen framework listener farm
185.8.106.0/243Gravity SMTPSMTP-abuse infrastructure

Why subnet-level blocking is asymmetric in defenders’ favour. When an adversary rotates IPs inside a single hosting tenant, every new rotation typically lands inside the same upstream IP pool. The /24 anchor outlasts individual host rotations by days to weeks. The false-positive cost of blocking a /24 is bounded (you lose ~256 addresses); the operational gain is amortised across every future rotation inside the block. For non-cloud-CDN subnets — which all of the table above are — the trade-off favours subnet-blocking by an order of magnitude.


09 · Top 15 IOCs per indicator type

The tables below are operator-grade extractions from this week’s catalogue — 15 indicators per IOC type, each with adversary attribution, category, and severity. Use the IP and domain tables as immediate blocklist input; use the hash table for endpoint binary detection; use the URL table for proxy / DNS sinkholing; use the email table for SMTP gateway filters; use the OTHERS table for package-allow-listing in CI build agents. All indicators have been defanged in this advisory per the catalogue’s publish-safe formatting convention — re-fang on import (replace [.] with . and hxxp with http).

Top 15 · IP addresses (High severity)

#IP AddressAdversaryCategorySeverity
011.13.158.52VShellBotnetHIGH
02101.126.17.43Cobalt StrikeBotnetHIGH
03101.201.153.25VShellBotnetHIGH
04103.112.97.16Quasar RATBotnetHIGH
05103.146.158.182VShellBotnetHIGH
06103.230.15.159Cobalt StrikeBotnetHIGH
07106.75.137.168VShellBotnetHIGH
08107.150.106.14AryStingerMalware-ActivityHIGH
09107.175.229.154VShellBotnetHIGH
10107.21.138.150Rhysida-InterlockRansomwareHIGH
11112.121.165.44VShellBotnetHIGH
12121.254.222.10APT37APTHIGH
13121.254.222.80APT37APTHIGH
14128.140.55.152Rhysida-InterlockRansomwareHIGH
15139.99.82.106Azure DNS SEO poisonMalware-ActivityHIGH

Top 15 · Domains

#DomainAdversaryCategorySeverity
015v12-3my5908y1.comClickFixPhishingHIGH
025vy79n210m5v812.comClickFixPhishingHIGH
035x5web.comclaude.ai Shared Chat (abused)Malware-ActivityHIGH
046cudc5cqa2bjpwdhcwm2lj6dbqejjjqzeo6ipwvmbazr6cgu7vfk3dad.onionPrinz EugenRansomwareHIGH
058790tn5c190y51v7n2.comClickFixPhishingHIGH
0699997778.comAzure DNS SEO poisonMalware-ActivityHIGH
07a.omappapi.comOptinMonster (supply chain)Supply ChainHIGH
08a.opmnstr.comOptinMonster (supply chain)Supply ChainHIGH
09a.optnmstr.comOptinMonster (supply chain)Supply ChainHIGH
10a.trstplse.comOptinMonster (supply chain)Supply ChainHIGH
11a2abotnet.comclaude.ai Shared Chat (abused)Malware-ActivityHIGH
12aaa.load-edge-service.comRhysida-InterlockRansomwareHIGH
13abrikos.xyzErrTrafficMalware-ActivityHIGH
14adzeta.monsterErrTrafficMalware-ActivityHIGH
15alabamarecoverycenter.comclaude.ai Shared Chat (abused)Malware-ActivityHIGH

Top 15 · File hashes

#Hash (MD5 / SHA1 / SHA256)AdversaryCategorySeverity
0100b69eb7f44b5987f68667343aaafb6aThe QuarryPhishing KitMEDIUM
0201ab231bcd9533f90e99651521b6e1bbThe QuarryPhishing KitMEDIUM
030378a5ef51b008aa2d6b76bd44a0bf061339bc3b737a188ec82029444d4d18feOperation PoissonC&C ServerMEDIUM
04037DB2445F3D72388CB2CF8510563148E5A184BESprySOCKSBackdoorHIGH
0505627d1bddb7292bb45139244f46051fAryStingerMalwareHIGH
060627f034c42549e2130734b5f8dbf854AryStingerMalwareHIGH
0706edb1c24b98cd2c92f0e652ed4e4700d6a76f2299debed06f54c3ffa18ee5d9DcratRATMEDIUM
080708a518ef644a3911a717220706190fbd5e5246c533845887c5fbd967953799Rhysida-InterlockRansomwareHIGH
09082a6286953c0f4256751f1c9bf4c06d4c14fc63f601a78e2f70f7ebd42821cbRhysida-InterlockRansomwareHIGH
10097f139304307375cd41bb2dc3913166e9f05f0d6bf5aad1efdc081dbf07c68dRhysida-InterlockRansomwareHIGH
110a2d2a4ec1ca2aa6a23a35abb5a75451AryStingerMalwareHIGH
120e13ca9e55fbe5ae323f7f295dde8d68aaca3e2c737999174691bee77525de99Rhysida-InterlockRansomwareHIGH
130edfad6a8b34b2b419fd254a99394b8f2303d144dbeba7148ef5343e2929fe76Rhysida-InterlockRansomwareHIGH
140f4f01c6d495abb37403072dd017ce8dMalicious WallpapersMalwareHIGH
150f769f459f9ed3e02c3d76af39dafc4e944f871bErrTrafficMalwareHIGH

Top 15 · URLs

#URL (defanged)AdversaryCategorySeverity
01hxxp[://]104.236.69.171:443CobaltStrikeC&C ServerMEDIUM
02hxxp[://]112.213.124.132C2C&C ServerMEDIUM
03hxxp[://]120.48.156.17Malicious WallpapersMalwareHIGH
04hxxp[://]120.48.156.17/ey.php?ka=user1&idMalicious WallpapersMalwareHIGH
05hxxp[://]123.56.252.12C2C&C ServerMEDIUM
06hxxp[://]194.11.226.41:4000C2C&C ServerMEDIUM
07hxxp[://]202.144.192.29Malicious WallpapersMalwareHIGH
08hxxp[://]202.144.192.29/audit.phpMalicious WallpapersMalwareHIGH
09hxxp[://]202.144.192.29/download2/Themes2.zipMalicious WallpapersMalwareHIGH
10hxxp[://]209.25.140.27:1788QuasarRATRATMEDIUM
11hxxp[://]49.232.4.71CobaltStrikeTOR EgressMEDIUM
12hxxp[://]5v12-3my5908y1.comClickFixPhishingHIGH
13hxxp[://]5vy79n210m5v812.comClickFixPhishingHIGH
14hxxp[://]78.110.122.17C2C&C ServerMEDIUM
15hxxp[://]85.239.155.68DcratRATMEDIUM

Top 15 · Email addresses (operator / publisher)

#Email (defanged)AdversaryCategorySeverity
01customer1usx@gmail[.]comOptinMonster (supply chain)Supply ChainHIGH
02developer_api1@gmail[.]comOptinMonster (supply chain)Supply ChainHIGH
03ferhatbadem831@gmail[.]comGoogle Chrome ext (malicious)Malware-ActivityHIGH
04genarool505@gmail[.]comGitBaitPhishingLOW
05hirakiranpk@gmail[.]comGoogle Chrome ext (malicious)Malware-ActivityHIGH
06hussnain1122akram@gmail[.]comGoogle Chrome ext (malicious)Malware-ActivityHIGH
07info@walltab[.]comGoogle Chrome ext (malicious)Malware-ActivityHIGH
08jejrvsbdb@gmail[.]comGitBaitPhishingLOW
09keremsopar@gmail[.]comGoogle Chrome ext (malicious)Malware-ActivityHIGH
10prinzeugen@mail2tor[.]coPrinz EugenRansomwareHIGH
11rronromo@gmail[.]comGitBaitPhishingLOW
12standardbankcc@cock[.]liPrinz EugenRansomwareHIGH
13support@owhit[.]comGoogle Chrome ext (malicious)Malware-ActivityHIGH
14yahyagazi06@gmail[.]comGoogle Chrome ext (malicious)Malware-ActivityHIGH
15yoli.bahena69@gmail[.]comGitBaitPhishingLOW

Top 15 · Other artefacts (package IDs + lure filenames)

#Artefact identifierAdversaryCategorySeverity
0120260120_御見積依頼の件.zipFormbook (stealer)Spyware (lure filename)HIGH
02com.coder.ai.dptMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
03com.dev.ai.toolkitMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
04com.dp.git.ai.toolMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
05com.json.simple.kitMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
06com.json.view.simpleMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
07com.my.code.toolsMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
08com.my.git.ai.kitMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
09com.review.tool.codeMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
10com.yy.test.ai.simpleMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
11ord.cp.code.ai.kitMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
12org.bug.find.toolsMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
13org.check.ai.dsMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
14org.code.assist.dev.toolMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
15org.sm.yms.toolkitMalicious JetBrains PluginsSupply Chain (pkg ID)HIGH
Need the full set — not the top 15? The catalogue carries 54,243 unique IOCs for this week alone. The operator console exposes the full set with severity, confidence, MITRE technique, adversary attribution, and source-feed provenance per record. Open HuntIntel to query the full catalogue.

10 · Sigma detection rules — four for this week’s standout patterns

Each rule below addresses a distinct technique cluster from this week’s catalogue. Drop them into your detection-content pipeline, normalise the field names against your SIEM’s schema, tune the false-positive filters against your organisation’s allowlist, and ship. The rule IDs are stable, the references point back to this advisory, and the MITRE tags are accurate.

Sigma 01 · ClickFix algorithmic-domain beacon

Detects the algorithmic domain-naming pattern observed in the 107-domain ClickFix campaign. The regex matches the alphanumeric license-key style of the indicators. Pair with command-interpreter launch within 30 seconds for the full kill chain.

title: ClickFix Algorithmic Domain Beacon
id: 9c4d1a2e-15e7-4b9f-bc11-d4a9f6c2e371
status: experimental
description: Detects browser navigation to domains that match the ClickFix algorithmic-naming pattern (alphanumeric strings 12-22 chars, mixed letters + digits, .com TLD) followed by command-interpreter launch within 30 seconds. Combines DNS, web-proxy, and process-create events.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-15-21-2026/
author: HackForLab Threat Intelligence
date: 2026/06/22
tags:
  - attack.initial_access
  - attack.t1566
  - attack.execution
  - attack.t1204
  - attack.t1059
logsource:
  category: dns_query
detection:
  selection:
    QueryName|re: '^[a-z0-9]{4,12}-[a-z0-9]{8,14}\.com$'
  condition: selection
falsepositives:
  - Legitimate sites with short alphanumeric hostnames (rare; typically internal tools)
level: high

Sigma 02 · Multi-pivot ransomware operator subnet beacon

Detects outbound connections to the subnet anchors that hosted ransomware C2 this week. CIDR matches mean the rule survives individual host rotations — the operator can rotate IPs inside the block but cannot easily move the block.

title: Multi-Pivot Ransomware Operator Subnet Beacon
id: 1f3e8b4d-7c92-4f10-a8b3-9d2a1c4e8f6b
status: experimental
description: Detects outbound connections to known ransomware operator subnet anchors (e.g. 23.227.202.0/24, 144.172.94.0/24, 140.82.6.0/24). Triggers on first-seen pairing of internal host + external IP in the listed CIDR.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-15-21-2026/
author: HackForLab Threat Intelligence
date: 2026/06/22
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.impact
  - attack.t1486
logsource:
  category: network_connection
detection:
  selection:
    DestinationIp|cidr:
      - '23.227.202.0/24'
      - '144.172.94.0/24'
      - '140.82.6.0/24'
      - '128.140.55.0/24'
      - '107.21.138.0/24'
  filter:
    DestinationPort: [80, 443, 8080, 8443]
  condition: selection and filter
falsepositives:
  - Unlikely — these CIDRs have no documented business use
level: critical

Sigma 03 · Malicious code-editor plugin package install

Detects installation of any of the 15 typosquat AI-coding-helper packages confirmed malicious this week. The rule hooks the package-install event source; if your plugin marketplace exposes telemetry into your SIEM, this rule is a one-time install for permanent coverage.

title: Malicious Code-Editor Plugin Package Install
id: e7b9a3c2-8f15-4d6e-9c41-3b8e5d2f7a90
status: experimental
description: Detects installation or activation of code-editor plugins whose package identifier matches the typosquat AI-coding-helper pattern observed in this week's catalogue. Hooks the plugin-marketplace package-install event source.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-15-21-2026/
author: HackForLab Threat Intelligence
date: 2026/06/22
tags:
  - attack.initial_access
  - attack.t1195
  - attack.t1195.001
logsource:
  category: application_install
  product: code_editor
detection:
  selection:
    PackageId:
      - 'com.coder.ai.dpt'
      - 'com.dev.ai.toolkit'
      - 'com.dp.git.ai.tool'
      - 'com.json.simple.kit'
      - 'com.json.view.simple'
      - 'com.my.code.tools'
      - 'com.my.git.ai.kit'
      - 'com.review.tool.code'
      - 'com.yy.test.ai.simple'
      - 'ord.cp.code.ai.kit'
      - 'org.bug.find.tools'
      - 'org.check.ai.ds'
      - 'org.code.assist.dev.tool'
      - 'org.sm.yms.toolkit'
  condition: selection
falsepositives:
  - None — all listed package IDs are confirmed malicious
level: critical

Sigma 04 · Suspect-publisher browser extension

Detects browser-extension installs by any of the 7 publisher email addresses tied to this week’s malicious-extension cluster, OR with the high-trust permission profile (cookies + tabs + webRequest) that the cluster’s extensions request. Either condition is a high-confidence signal; both conditions together are a critical-severity match.

title: Browser Extension With High-Trust Permissions From Suspect Publisher
id: 3a5f9e1b-6c87-4e30-a7d2-9f4b1e8c3d52
status: experimental
description: Detects browser-extension installations where the extension requests cookies / tabs / webRequest permissions AND the publisher email or extension-distribution domain matches the malicious-extension cluster observed this week.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-15-21-2026/
author: HackForLab Threat Intelligence
date: 2026/06/22
tags:
  - attack.persistence
  - attack.t1176
  - attack.credential_access
  - attack.t1539
logsource:
  category: extension_install
  product: browser
detection:
  publisher_email:
    PublisherEmail:
      - '[email protected]'
      - '[email protected]'
      - '[email protected]'
      - '[email protected]'
      - '[email protected]'
      - '[email protected]'
      - '[email protected]'
  high_trust_perms:
    PermissionsRequested|contains:
      - 'cookies'
      - 'tabs'
      - 'webRequest'
  condition: publisher_email or high_trust_perms
falsepositives:
  - Legitimate cookie-aware extensions from verified publishers (verify publisher reputation independently)
level: high

11 · Hunt queries — SIEM-agnostic pseudo-syntax

Translate each query into your platform’s query language (KQL, SPL, ESQL, OpenSearch DSL). The selectors and filters are the operational logic; the syntax is interchangeable.

Hunt 01 · First-seen contact with ransomware subnet anchors

// Pseudo-query
FROM network_flows
WHERE dest_ip IN ('23.227.202.0/24', '144.172.94.0/24', '140.82.6.0/24', '128.140.55.0/24')
  AND first_seen_pair(src_ip, dest_ip) WITHIN 7d
  AND dest_port IN (80, 443, 8080, 8443)
| AGGREGATE BY src_ip, dest_subnet
| SORT BY flow_count DESC
| LIMIT 100

This hunt surfaces every internal host that contacted a ransomware operator subnet anchor for the first time in the last seven days. New first-seen pairings are the highest-fidelity signal — recurring connections are likely already in your alert lane.

Hunt 02 · ClickFix DGA pattern + command interpreter

// Pseudo-query
FROM (
  FROM dns_queries
  WHERE query_name MATCHES regex '^[a-z0-9]{4,12}-[a-z0-9]{8,14}\.com$'
  | PROJECT src_host, query_name, query_time
) AS dns
JOIN process_creates AS proc
  ON dns.src_host = proc.host_name
WHERE proc.process_name IN ('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
  AND proc.create_time BETWEEN dns.query_time AND dns.query_time + 30s
| PROJECT dns.src_host, dns.query_name, proc.process_name, proc.command_line

This hunt detects the ClickFix technique end-to-end: algorithmic domain query followed by command-interpreter launch on the same host within 30 seconds. The 30-second window is tighter than the typical adversary execution latency.

Hunt 03 · Browser extension cookie-access spike

// Pseudo-query
FROM browser_events
WHERE event_type = 'extension_cookie_access'
  AND extension_id NOT IN (allowlisted_extension_ids)
| AGGREGATE BY extension_id, src_host
  COUNT(cookie_reads) AS reads_24h
  COUNT(DISTINCT domain) AS domains_touched
WHERE reads_24h > 50 OR domains_touched > 10
| SORT BY reads_24h DESC

This hunt surfaces browser extensions that are reading cookies aggressively — the behavioural signature of session-cookie theft. The thresholds are starting points; tune against your environment’s baseline.

Hunt 04 · CI build agent outbound to unknown package registries

// Pseudo-query
FROM network_flows
WHERE src_host IN (ci_build_agent_pool)
  AND dest_port IN (443, 80)
  AND dest_domain NOT IN (allowlisted_package_registries)
| AGGREGATE BY src_host, dest_domain
  COUNT(*) AS flows
  MIN(flow_time) AS first_seen
WHERE flows > 5
| SORT BY first_seen DESC

This hunt surfaces CI build agents pulling from package registries that aren’t on the organisation’s allowlist — the highest-leverage detection for supply-chain compromise. If a build agent ever talks to a registry you haven’t explicitly approved, that’s the signal.

12 · How to operationalise this advisory in one hour

The advisory is only useful if Monday morning produces concrete defensive actions. Here is a one-hour operating routine for SOC, hunt, and detection-engineering teams.

Minute 00 – 15 · Block + sinkhole

  • Add subnet blocks at the perimeter for the eight /24 anchors in Section 08. Cost: zero. Operational risk: none.
  • Sinkhole or DNS-deny the 15 ClickFix domains and 19 claude.ai-share redirector domains. If your resolver supports response-policy zones, this is a five-minute change.
  • Push the 15 Top hashes to the endpoint scan lane as a one-shot detection rule with quarantine action.

Minute 15 – 30 · Detection content deployment

  • Deploy the four Sigma rules from Section 10 into your detection-content pipeline. The two CIDR-based rules will fire immediately on any existing connections; the two install-event rules will fire on next install attempt.
  • Tune the falsepositive filter against your organisation’s allowlisted extensions and CI build agents.

Minute 30 – 45 · Retrospective hunt

  • Run Hunt 01 (subnet anchor first-seen) across the last 30 days of network flows. Any historical match is an in-progress incident, not a past one.
  • Run Hunt 04 (CI agent outbound) against the last 7 days of build agent traffic. Any flow to a non-allowlisted package registry is a candidate supply-chain compromise.

Minute 45 – 60 · Awareness + policy

  • Brief developers on the malicious-plugin package IDs and the typosquat patterns. Awareness is the only defence against social-engineering installation flows.
  • Update the extension-installation policy to require publisher-identity verification for any extension requesting cookies + tabs + webRequest permissions.
  • Verify the marketing-tool integration on production web pages — the marketing-platform compromise this week loaded payloads via a typosquat CDN. Re-pin your delivery URLs.
// CONTINUE WITH HUNTINTEL

This advisory ships 15 indicators per type. The catalogue carries the full 54,243 unique IOCs, each with adversary attribution, MITRE technique, confidence score, and source provenance. Stop reading PDFs. Start querying the catalogue.

Open HuntIntel →

13 · Frequently asked questions

Why is the IP count so dominant (96 percent) this week?

Two of the eight contributing feeds are passive C2-infrastructure observers that produce dense, IP-only output. The IP indicator class is the highest-volume class produced by passive collection and will typically dominate any aggregation. The intelligence concentrates in the narrower indicator types — domains, hashes, URLs, emails, and OTHERS — where new adversary tradecraft surfaces. Read the narrow-type tables, not the IP-class topline.

How current is each indicator? Are these stale?

Every catalogue record carries first_seen, last_seen, and confidence fields. The operator console exposes all three. This advisory’s window is the seven-day last_updated span — meaning every indicator was either added or reaffirmed in that window. Stale indicators from old campaigns get filtered out by the time bound.

What confidence threshold should the SOC use for automated blocking?

For automatic blocklist promotion: high confidence only. For watchlist enrichment: medium and above. For retrospective hunting: include low. The catalogue exposes the confidence threshold as a runtime filter — pick the threshold that matches the action, not the analyst’s preference.

How should I prioritise the 219 Rhysida-Interlock indicators?

Three-stage triage. First: block the four subnet-anchor IPs (and the surrounding /24, see Section 08) at the perimeter. Second: push the 72 hashes to endpoint scan with quarantine action. Third: push the 83 domains to DNS deny / sinkhole. Stage one is the most important — subnet blocking outlasts hash and domain rotations by days.

The MITRE technique pressure table aggregates per-tactic counts. How is that computed?

Each catalogued indicator with a ttp field gets parsed into its component technique IDs. Each technique ID maps to its parent tactic via the ATT&CK matrix. The IOC count for a tactic is the sum of unique indicators across all techniques in that tactic. The aggregation is conservative — an indicator tagged with three techniques in the same tactic counts once, not three times.

The catalogue lists CobaltStrike with 52,633 indicators. Are most of these real C2 listeners?

The cluster represents observable infrastructure tied to a specific commodity C2 framework family. The 52,633 figure reflects feed-level observation of listener IPs that match the framework’s protocol signatures over the week — not all are actively in-use for adversary operations. Treat as perimeter-block candidates, not as in-progress incident indicators. Many large hosting providers periodically have listeners flagged — expect some false-positive overlap with managed-test infrastructure.

How do I avoid alert fatigue when the IP indicator class is this dominant?

The dominance is volume; severity is the gate. The SOC’s automated lane should consume the 1,086 High-severity records only. The 53,025 Medium-severity records go to enrichment, not alerts. The Low layer goes to the data lake for retrospective hunting. That tiered-consumption pattern is the entire point of severity scoring — treat the layer hierarchy as a triage primitive, not as analyst preference.

Can our threat-intelligence team contribute back to the catalogue?

Yes. Authorised users can publish indicators back into the catalogue. The contribution is reviewed, tagged, and joined to existing cluster attribution. The community gains visibility; the contributor’s organisation receives confidence credit for indicators that other organisations independently validate.

Where can I learn the hunt + detection-engineering operationalisation side of this data?

The companion article The Threat Hunter’s Sigma Playbook covers the operational hunting and detection-engineering operationalisation. For AWS-specific cloud hunting, see the AWS Threat Hunting Library (27 hunts, full MITRE-mapping). The intelligence advisory you are reading is the cluster and trend story; the playbook and library are the hypothesis-to-rule operational story.

Core Working Areas :- Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security Technical Certifications :- Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber crime investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Redhat certified Engineer | Cisco Certified Network Associates | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions