High Confidence Threat Hunting Playbook

New
  • Published on Nov 26, 2025
  • 1 minute(s) read
Prev Next

Eight battle-tested queries that caught real campaigns in 2025 (ClickFix, Latrodectus, Lumma, SmartApeSG, Fake Google Play, etc.). Copy → paste → detect.

#1 ClickFix – Reservation-ID Phishing Domains

Catches reservation-id8159.com-style malvertising domains.

Very High Confidence • 100–300 hits/week            

#2 PoisonSeed – SendGrid MFA Phishing

NICENIC + hyphenated + “sendgrid” = instant credential-phishing cluster.

High Confidence            

#3 SmartApeSG – Fake CAPTCHA → NetSupport RAT

Injected /abc/buf.js on compromised legit sites.

High Confidence • Hundreds of compromised sites            

#4 Fake Google Play Store (Gname + goog*)

Android trojan droppers like googlepfory.com.

Extremely High Confidence            

#5 Latrodectus C2 – Cloudflare 404 SSDEEP

One of the lowest FP queries of 2025.

Near Zero False Positives            

#6 Lumma Stealer – Domain-in-Title + Nginx/Ubuntu

Live C2 panels still active in late 2025.

High Confidence            

#7 Luna Moth – Helpdesk Callback Phishing

Law-firm extortion domains (NICENIC cluster).

High Confidence            

#8 ClickFix – recaptchallenge.css Fingerprint

Exact SHA-256 of reused fake ReCAPTCHA CSS.

Zero False Positives            

        Last updated November 2025 • Maintained by the Threat Hunting Team    

Related articles