---
title: "High Confidence Threat Hunting Playbook"
slug: "high-confidence-threat-hunting-playbook"
updated: 2025-11-26T15:46:25Z
published: 2025-11-26T15:46:25Z
stale: true
---


# High Confidence Threat Hunting Playbook

**Eight battle-tested queries** that caught real campaigns in 2025 (ClickFix, Latrodectus, Lumma, SmartApeSG, Fake Google Play, etc.). Copy → paste → detect.

### [#1 ClickFix – Reservation-ID Phishing Domains](/docs/usecase-01-clickfix-reservation.html)

[Catches `reservation-id8159.com`-style malvertising domains.](/docs/usecase-01-clickfix-reservation.html)

[Very High Confidence • 100–300 hits/week](/docs/usecase-01-clickfix-reservation.html)

### [#2 PoisonSeed – SendGrid MFA Phishing](/docs/usecase-02-poisonseed-sendgrid.html)

[NICENIC + hyphenated + “sendgrid” = instant credential-phishing cluster.](/docs/usecase-02-poisonseed-sendgrid.html)

[High Confidence](/docs/usecase-02-poisonseed-sendgrid.html)

### [#3 SmartApeSG – Fake CAPTCHA → NetSupport RAT](/docs/usecase-03-smartapesg-bufjs.html)

[Injected `/abc/buf.js` on compromised legitimate sites.](/docs/usecase-03-smartapesg-bufjs.html)

[High Confidence • Hundreds of compromised sites](/docs/usecase-03-smartapesg-bufjs.html)

### [#4 Fake Google Play Store (Gname + goog*)](/docs/usecase-04-fake-google-play.html)

[Android trojan droppers like `googlepfory.com`.](/docs/usecase-04-fake-google-play.html)

[Extremely High Confidence](/docs/usecase-04-fake-google-play.html)

### [#5 Latrodectus C2 – Cloudflare 404 SSDEEP](/docs/usecase-05-latrodectus-ssdeep.html)

[One of the lowest FP queries of 2025.](/docs/usecase-05-latrodectus-ssdeep.html)

[Near Zero False Positives](/docs/usecase-05-latrodectus-ssdeep.html)

### [#6 Lumma Stealer – Domain-in-Title + Nginx/Ubuntu](/docs/usecase-06-lumma-stealer.html)

[Live C2 panels still active in late 2025.](/docs/usecase-06-lumma-stealer.html)

[High Confidence](/docs/usecase-06-lumma-stealer.html)

### [#7 Luna Moth – Helpdesk Callback Phishing](/docs/usecase-07-luna-moth-helpdesk.html)

[Law-firm extortion domains (NICENIC cluster).](/docs/usecase-07-luna-moth-helpdesk.html)

[High Confidence](/docs/usecase-07-luna-moth-helpdesk.html)

### [#8 ClickFix – recaptchallenge.css Fingerprint](/docs/usecase-08-clickfix-css.html)

[Exact SHA-256 of reused fake ReCAPTCHA CSS.](/docs/usecase-08-clickfix-css.html)

[Zero False Positives](/docs/usecase-08-clickfix-css.html)

Last updated November 2025 • Maintained by the Threat Hunting Team
