Threat Intelligence

We fed 95 EvilTokens campaign IPs into ClusterHawk and mapped the full infrastructure architecture: a Cloudflare CDN frontend, fragmented backend hosting with DocuSign lures and Exim mail servers, a bridge cluster with Google Trust Services certificates on compromised business domains, Cobalt Strike C2 via domain fronting, and an unreported IoT proxy layer of compromised Hikvision/Dahua surveillance cameras on Chinese telecom networks.

Over 1,500 IPs from Shodan's exposed Ollama index were analyzed through ClusterHawk. After filtering 60% honeypots, 13 of 27 clusters pointed to a single operator — XRUI TECHNOLOGY LIMITED — running identical nginx/MySQL/Ollama stacks with unauthenticated qwen3-vl inference across 35+ hosts alongside a Chinese sports gambling site. This is the largest identifiable exposed AI infrastructure we've found in one operator's hands.

We received 50 validated IPs linked to a suspected Russian state-sponsored APT. We profiled them through ClusterHawk and extracted a common fingerprint — then pivoted on that profile against internet scanning data and surfaced approximately 1,900 matching assets across 15 countries. We designate this infrastructure tracking effort OVERCAST.

Analyzing 1,602 internet-visible Modbus systems revealed not scattered misconfigurations but systematic patterns—95% shared TLS fingerprints, identical certificates, same CVEs across clusters. This isn't about individual negligence; it's how the entire ICS ecosystem deploys critical infrastructure in predictable, exploitable ways.

Through infrastructure clustering analysis, we identified a proxy network containing 832 compromised KeeneticOS routers operating across Russian ISPs. This investigation reveals how consumer devices become weaponized infrastructure in the modern threat landscape.

We confirm Trellix’s reporting on SideWinder’s PDF ClickOnce chain and targets, and we prove our methodology by deliberately injecting a broad VirusTotal communicated IPs pivot and then separating CDN/search noise (~85%) from a compact nginx micro-cluster (~15%) that’s worth watching. Below are ready-to-run hunts (SIEM/Sigma + Shodan/Censys) and cluster fingerprints you can use as predictive seeds.