{"id":35726,"date":"2020-06-25T15:52:10","date_gmt":"2020-06-25T15:52:10","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/"},"modified":"2020-06-25T15:52:10","modified_gmt":"2020-06-25T15:52:10","slug":"honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/","title":{"rendered":"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute"},"content":{"rendered":"

Web traffic to the servers of the notorious Dutch-German Cyberbunker hosting biz was filled with all kinds of badness, including apparent botnet command-and-control and denial-of-service traffic, says SANS Institute.<\/p>\n

Cyberbunker, aka CB3ROB, was raided last September<\/a> by 600 German police gunmen who forced entry to the outfit’s Traben-Trarbach HQ.<\/p>\n

Following the raid, infosec biz SANS was able to set up a honeypot on former Cyberbunker IPs to analyse traffic passing through them \u2013 and the results shed light on just what kind of dubious traffic was passing through the servers.<\/p>\n

CB3ROB’s HQ was located inside a Cold War-era underground military bunker around 60 miles west of Frankfurt. Police boasted at the time of seizing 200 servers as well as CB3ROB’s dot-org domain, which for a while after the raid bore a US-style “domain seized” banner.<\/p>\n

After the inevitable arrests, CB3ROB’s personnel had to sell some of their assets to generate a legal defence fund. Sold-off assets included three IPv4 subnets: 185.103.72.0\/22; 185.35.136.0\/22; and 91.209.12.0\/24. Those were sold to Legaco Networks, which agreed to let SANS’ Internet Storm Centre erect a honeypot behind them for one week in April 2020.<\/p>\n

\"armed<\/p>\n

600 armed German cops storm Cyberbunker hosting biz on illegal darknet market claims<\/h2>\n

READ MORE<\/span><\/a><\/div>\n

Karim Lalji, SANS’ community instructor in the Penetration Testing curriculum, recounted in a paper<\/a> about his findings: “Close to 2,000 unique computer names and over 7,000 unique source IPs that follow a similar request pattern are present in the traffic sample collected.” He added that if single computer names were isolated within this traffic, “the intervals between requests were exactly 1min and 30sec \u2013 indicating automation and potential C2 [command and control]<\/em>.”<\/p>\n

Lalji also observed apparent phishing traffic passing through the honeypot, with impersonated services including the Royal Bank of Canada, Apple, Paypal, Chase Bank and others. He also found traffic that appeared be linking to extreme sex abuse “involving animals”, as well as what appeared to have been a criminal-oriented ad network.<\/p>\n

His detailed findings included 171,000 TCP retransmissions “with no payload data and different sequence numbers”, which Lalji concluded “likely indicates an error in crafted communication or a portion of a reflected Denial of Service (DoS) attack.”<\/p>\n

The research “explicitly filtered out” likely port-scanning traffic as well as “web directory brute forcing, SQL injection discovery, DNS zone transfer attempts, VoIP scans (primarily with SIPVicious), Telnet, SSH, FTP, and web-form brute force login attempts”. Lalji added: “Several of these events can be attributed to internet-wide scans that are not specific to the IP address space under examination.” Email traffic was also excluded as prosecutors were potentially interested in it.<\/p>\n

CB3ROB’s leading lights were charged last year<\/a> by prosecutors in Rheinland-Pfalz with hosting: a darknet market called Cannabis Road; a drugs, stolen data and malware souk called Wall Street Market; an “underground economy forum” imaginatively named Fraudsters; a Swedish drugs marketplace called Flugsvamp; various clearnet drug-peddling websites; various “fraudulent bitcoin lotteries, darknet marketplaces for narcotics, weapons, counterfeit money, murder orders” and child abuse images; and C2 servers for the Mirai botnet.<\/p>\n

Sven Olaf Kamphuis of CB3ROB said in a Facebook post shortly after the bunker raid last year: “ISPs do not need to know who the customer is, ISPs do not need to know what the customer does (and even if they do know, it doesn’t make them liable \u2013 as long as there is no ACTIVE cooperation in the activity).” \u00ae<\/p>\n

Sponsored:<\/span> Ransomware has gone nuclear<\/a><\/p>\n

READ MORE HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Botnet C2, denial-of-service, phishing \u2013 and that’s after filtering Web traffic to the servers of the notorious Dutch-German Cyberbunker hosting biz was filled with all kinds of badness, including apparent botnet command-and-control and denial-of-service traffic, says SANS Institute.\u2026 READ MORE HERE…<\/p>\n","protected":false},"author":2,"featured_media":35727,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-35726","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-register"],"yoast_head":"\nHoneypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-06-25T15:52:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"174\" \/>\n\t<meta property=\"og:image:height\" content=\"115\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute\",\"datePublished\":\"2020-06-25T15:52:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/\"},\"wordCount\":587,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/\",\"name\":\"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg\",\"datePublished\":\"2020-06-25T15:52:10+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg\",\"width\":174,\"height\":115},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/","og_locale":"en_US","og_type":"article","og_title":"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2020-06-25T15:52:10+00:00","og_image":[{"width":174,"height":115,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute","datePublished":"2020-06-25T15:52:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/"},"wordCount":587,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/","url":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/","name":"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg","datePublished":"2020-06-25T15:52:10+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute.jpg","width":174,"height":115},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/honeypot-behind-sold-off-ip-subnet-shows-cyberbunker-biz-hosted-all-kinds-of-filth-says-sans-institute\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/35726","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=35726"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/35726\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/35727"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=35726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=35726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=35726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}