mihari v6.0 releases: framework for continuous OSINT based threat hunting

mihari

Mihari is a helper that runs queries and manages the results continuously. It can be used to hunt for C2 servers, landing pages, and phishing sites.

How it works

  • Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc., and extracts artifacts (IP addresses, domains, URLs, or hashes) from the results.
  • Mihari checks whether the database (SQLite3, PostgreSQL, or MySQL) already contains those artifacts.
    • For artifacts that are not yet in the database (i.e., they are new):
      • Mihari saves the artifacts in the database.
      • Mihari creates an alert on TheHive.
      • Mihari sends a notification to Slack.
      • Mihari creates an event on MISP.
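The query, extract, deduplicate, notify loop described above, as an added example in Ruby (Mihari's own language). This is not Mihari's code and does not use its API: the service results are a constructed sample shaped like Shodan and VirusTotal records, an in-memory Set stands in for the SQLite3/PostgreSQL/MySQL artifact table, the `emitters` lambdas stand in for the TheHive, Slack and MISP integrations, and the `classify` rules (`HASH_RE`, `DOMAIN_RE`, the IPAddr/URI checks) are my own approximation of artifact extraction. The point it makes is the one the list makes: a second run over the same results finds nothing new, so no alert or notification is produced.

```ruby
require "ipaddr"
require "uri"
require "set"

# Artifact types named on the page: IP addresses, domains, URLs and hashes.
HASH_RE   = /\A(?:\h{32}|\h{40}|\h{64})\z/   # MD5 / SHA-1 / SHA-256, hex-encoded (assumption)
DOMAIN_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

# Classify one string as :ip, :domain, :url or :hash; nil if it is none of them.
# Order matters: a dotted IPv4 address must be recognised before the domain rule runs.
def classify(raw)
  value = raw.to_s.strip
  return nil   if value.empty?
  return :hash if value.match?(HASH_RE)
  begin
    IPAddr.new(value)          # IPv4 or IPv6, with or without a prefix length
    return :ip
  rescue ArgumentError         # IPAddr::Error is an ArgumentError subclass
  end
  if value.match?(%r{\Ahttps?://}i)
    uri = (URI.parse(value) rescue nil)
    return :url if uri && uri.host
  end
  return :domain if value.match?(DOMAIN_RE)
  nil
end

# Walk one service record (nested hashes/arrays) and collect every string leaf
# that classifies as an artifact.
def extract_artifacts(record)
  case record
  when Hash  then record.values.flat_map { |v| extract_artifacts(v) }
  when Array then record.flat_map { |v| extract_artifacts(v) }
  when String
    type = classify(record)
    type ? [{ type: type, value: record.strip }] : []
  else []
  end
end

# Stand-in for the artifact table in SQLite3/PostgreSQL/MySQL: an in-memory Set
# keyed on type plus value (assumption; the real store is persistent).
class ArtifactStore
  def initialize
    @seen = Set.new
  end

  def include?(artifact)
    @seen.include?(key(artifact))
  end

  def save(artifact)
    @seen << key(artifact)
  end

  def size
    @seen.size
  end

  private

  def key(artifact)
    "#{artifact[:type]}:#{artifact[:value]}"
  end
end

# One hunt: extract artifacts from every service's results, keep only those the
# store has not seen, persist them, and hand one alert to each emitter.
# Returns the alert, or nil when nothing new was found (no alert, no notification).
def hunt(rule_title, results_by_service, store, emitters: [])
  artifacts = results_by_service.flat_map do |service, records|
    records.flat_map { |r| extract_artifacts(r).map { |a| a.merge(source: service) } }
  end
  artifacts = artifacts.uniq { |a| [a[:type], a[:value]] }

  new_artifacts = artifacts.reject { |a| store.include?(a) }
  return nil if new_artifacts.empty?

  new_artifacts.each { |a| store.save(a) }
  alert = { title: rule_title, artifacts: new_artifacts }
  emitters.each { |emit| emit.call(alert) }
  alert
end

# Constructed sample results (not real service output).
SAMPLE_RESULTS = {
  "shodan" => [
    { "ip_str" => "203.0.113.10", "hostnames" => ["c2.example.test"] },
    { "ip_str" => "198.51.100.7", "hostnames" => [] },
  ],
  "virustotal" => [
    { "url"    => "http://c2.example.test/gate.php",
      "sha256" => "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" },
  ],
}.freeze

if __FILE__ == $PROGRAM_NAME
  store = ArtifactStore.new
  slack = ->(alert) { puts "[slack] #{alert[:title]}: #{alert[:artifacts].size} new artifact(s)" }
  hunt("C2 hunt", SAMPLE_RESULTS, store, emitters: [slack])   # alert with 5 artifacts
  p hunt("C2 hunt", SAMPLE_RESULTS, store, emitters: [slack]) # nil: nothing new, nothing sent
end
```

The dedup key is the raw artifact value, so `Example.COM` and `example.com` would be stored twice; a real store should normalise domains (lower-case) and URLs before comparing. The stand-in emitters also run after the store is updated, so an emitter that raises would leave the artifact marked as seen without an alert having been sent; order those two steps (or wrap them in a transaction) according to which failure you would rather see.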

Mihari supports the following services by default.

Example

  • TheHive alert example
  • Slack notification example
  • MISP event example

Changelog v6.0

Breaking Changes

Mihari v6.0.0 requires Ruby 3.1 or later; Ruby 2.7 is no longer supported (tested with Ruby 3.1 and 3.2).

What’s Changed

Install & Use

Copyright (c) 2019 Manabu Niseki