Powerful Pivots: Hunting with Infrastructure Fingerprints

Threat actors are lazy. They reuse the same server configurations, even when they host different campaigns. Instead of hunting for content (which changes), we can hunt for the server’s unique technical “fingerprint.”

The Example: A phishing domain harborfrieght[.]shop was identified.  The Technique: We can extract the server’s unique technical signatures. Even if the actor hosts a completely different lure (like a “jeans ad” found in the wild), the underlying server setup is often identical. 

The key indicators to pivot on are: 

HHV (HTTP Hash): f2bbb45599ecd7349b164c98a8 
JARM (TLS Fingerprint): 27d40d40d00040d00042d43d00041df04c41293ba84f6efe3a613b22f983e6 

The Goal: Run a query to find all domains hosted on infrastructure with these exact HHV and JARM fingerprints. This technique cuts through the noise of different domain names and content, tying disparate campaigns to a single actor.

The Result: This precise, multi-layered search successfully identifies high-fidelity phishing sites, such as the convincing clone gmaii.email, while completely ignoring legitimate Google infrastructure.

Try this example yourself using our free Community Edition: