Link: 9WOLF phishkit initial landing URI

Detects links containing the '?ai=xd' query parameter associated with 9wolf phishing service initial landing pages.

Sublime rule (View on GitHub)

name: "Link: 9WOLF phishkit initial landing URI"
description: "Detects links containing the '?ai=xd' query parameter associated with 9wolf phishing service initial landing pages."
type: "rule"
severity: "high"
source: |
  type.inbound
  // known 9wolf initial landing uri struct
  and any(body.links, strings.contains(.href_url.url, '?ai=xd'))

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Threat intelligence"
id: "a165e206-61b3-5b08-9408-2fe3c2bf0810"
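For retro-hunting over stored messages outside Sublime, the same substring test can be applied to links pulled from raw mail. The following is an added example, not part of the rule or of Sublime's code: the function names, the link extraction (a simple stand-in for `body.links`) and the sample message with its `example.test` hosts are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

MARKER = "?ai=xd"  # substring the rule looks for in each link URL

class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def extract_links(raw_message):
    """Return link URLs found in the text/html and text/plain parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(part.get_content())
            links.extend(collector.hrefs)
        elif ctype == "text/plain":
            links.extend(re.findall(r"https?://[^\s<>\"']+", part.get_content()))
    return links

def matching_links(raw_message):
    """Same test as the rule: any link whose URL contains MARKER."""
    return [url for url in extract_links(raw_message) if MARKER in url]

# Constructed sample message; hosts are placeholders, not real indicators.
SAMPLE_EML = """\
From: sender@example.test
To: user@example.test
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://portal.example.test/view?ai=xd">Open document</a>
<a href="https://www.example.test/help?topic=login">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for url in matching_links(SAMPLE_EML):
        print("match:", url)
```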