
[Hunt IO] Connector for importing C2 feed into OpenCTI #3033

Merged
merged 2 commits into from
Jan 16, 2025

Conversation

m4r35
Contributor

@m4r35 m4r35 commented Nov 26, 2024

Proposed changes

This PR introduces a new connector to integrate Hunt.io’s C2 (Command and Control) feed with OpenCTI. The connector retrieves, processes, and maps threat intelligence data into STIX-compliant objects and relationships to enhance threat visibility in OpenCTI.

Features

  • API Integration: The connector fetches C2 feeds from the Hunt.io API in zip format.
  • Response Handling: The compressed payload is unzipped, and its contents are processed into actionable threat intelligence.
  • STIX Object Creation: Each entity in the feed is mapped to corresponding STIX objects/observables.
  • Concurrency: To efficiently handle the large datasets, the connector spawns up to 4 worker threads, processing entities concurrently to mitigate buffer overflow risks.

Field Mapping

| C2 feed field | Description | STIX 2.1 mapping |
| --- | --- | --- |
| ip | The IP address associated with the C2 scan | IPv4Address observable |
| port | The port number used in the C2 connection | NetworkTraffic object that maps the IP to a specific port |
| hostname | The hostname or domain associated with the C2 scan | DomainName observable |
| timestamp | The timestamp of the scan | Used as the timestamp for the different objects and observables |
| scan_uri | The URI of the scan target | Indicator with a `url:value` pattern |
| confidence | The confidence score of the scan result | Used as the confidence score for the different objects and observables |
| malware_name | The name of the malware detected during the scan | Malware object |
| malware_subsystem | The subsystem of the malware detected | Used on the Malware object to represent the malware type |

Relationships

| Source | Relationship | Target |
| --- | --- | --- |
| Infrastructure (malware_name) | controls | Malware (malware_name) |
| Infrastructure (malware_name) | consist-of | IPv4Address (ip) |
| Infrastructure (malware_name) | consist-of | DomainName (hostname) |
| Indicator (scan_uri) | indicates | Malware (malware_name) |

Note

Related issues

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on GitHub or on Notion)
  • Where necessary I refactored code to improve the overall quality

Further comments
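The mapping and relationship tables in the PR description above, worked through as an added, self-contained example (this is editor-written illustration code, not the connector's own implementation). It packs a constructed feed record into an in-memory zip the way the description says the API returns it, unpacks it with a size bound, and emits the STIX 2.1 observables, SDOs and relationships the tables list. The sample record, the zip layout (a single JSON array member named `feed.json`), TCP as the network-traffic protocol and the `CONNECTOR_NAMESPACE` used for deterministic SDO/SRO ids are assumptions; the SCO id namespace is the one fixed by the STIX 2.1 specification.

```python
"""Added example: map a Hunt.io-style C2 feed record to STIX 2.1 objects.

Illustrative code written for this page, not the connector's own implementation.
The sample record, the zip layout (one JSON array member), TCP as protocol and the
id namespace for SDOs/SROs are assumptions; the SCO namespace is from the STIX spec.
"""
import io
import ipaddress
import json
import uuid
import zipfile
from datetime import datetime

# Namespace fixed by the STIX 2.1 specification for deterministic SCO ids.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# Hypothetical connector namespace so SDO/SRO ids stay stable across runs.
CONNECTOR_NAMESPACE = uuid.UUID("7f4d6e2a-1b3c-4f5e-9a8b-0c1d2e3f4a5b")
MAX_FEED_BYTES = 50 * 1024 * 1024  # refuse to inflate larger members (zip-bomb guard)

# Constructed sample feed, shaped after the fields in the PR's mapping table.
SAMPLE_FEED = [{
    "ip": "198.51.100.23",
    "port": 443,
    "hostname": "update.example.net",
    "timestamp": "2024-11-25T08:14:02Z",
    "scan_uri": "https://update.example.net:443/gate.php",
    "confidence": 85,
    "malware_name": "ExampleRAT",
    "malware_subsystem": "remote-access-trojan",
}]


def build_zip_payload(records):
    """Pack records as feed.json in an in-memory zip, mimicking the API response."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("feed.json", json.dumps(records))
    return buf.getvalue()


def read_zip_payload(blob):
    """Unzip the payload and parse its single JSON member, bounding the inflated size."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        if len(infos) != 1:
            raise ValueError(f"expected one archive member, got {len(infos)}")
        if infos[0].file_size > MAX_FEED_BYTES:
            raise ValueError("feed member exceeds size limit")
        return json.loads(zf.read(infos[0]).decode("utf-8"))


def sco_id(sco_type, id_props):
    """STIX 2.1 deterministic SCO id: uuid5 over canonical JSON of the contributing props."""
    canonical = json.dumps(id_props, sort_keys=True, separators=(",", ":"))
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, canonical)}"


def stable_id(obj_type, *key_parts):
    """Deterministic id for SDOs/SROs under the hypothetical connector namespace."""
    return f"{obj_type}--{uuid.uuid5(CONNECTOR_NAMESPACE, '|'.join(key_parts))}"


def pattern_literal(value):
    """Escape a string for a STIX pattern literal (backslash first, then single quote)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def stix_timestamp(feed_ts):
    """Feed timestamps are assumed to be ISO 8601 'Z' form; emit the STIX millisecond form."""
    return datetime.strptime(feed_ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H:%M:%S.000Z")


def to_stix_objects(record):
    """Build the SCOs, SDOs and SROs the PR's mapping and relationship tables describe."""
    ip = ipaddress.ip_address(record["ip"])
    if ip.version != 4:  # the mapping only defines IPv4Address; fail loudly on anything else
        raise ValueError(f"only IPv4 is mapped, got {record['ip']}")
    port = int(record["port"])
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    confidence = max(0, min(100, int(record["confidence"])))  # STIX confidence is 0..100
    ts = stix_timestamp(record["timestamp"])
    name = record["malware_name"]
    common = {"spec_version": "2.1", "created": ts, "modified": ts, "confidence": confidence}

    ipv4 = {"type": "ipv4-addr", "spec_version": "2.1",
            "id": sco_id("ipv4-addr", {"value": str(ip)}), "value": str(ip)}
    domain = {"type": "domain-name", "spec_version": "2.1",
              "id": sco_id("domain-name", {"value": record["hostname"]}), "value": record["hostname"]}
    nt_props = {"dst_ref": ipv4["id"], "dst_port": port, "protocols": ["tcp"]}  # TCP assumed
    traffic = {"type": "network-traffic", "spec_version": "2.1",
               "id": sco_id("network-traffic", nt_props), **nt_props}
    malware = {"type": "malware", "id": stable_id("malware", name), "name": name,
               "is_family": True, "malware_types": [record["malware_subsystem"]], **common}
    infra = {"type": "infrastructure", "id": stable_id("infrastructure", name), "name": name,
             "infrastructure_types": ["command-and-control"], **common}
    pattern = f"[url:value = {pattern_literal(record['scan_uri'])}]"
    indicator = {"type": "indicator", "id": stable_id("indicator", pattern), "name": record["scan_uri"],
                 "pattern": pattern, "pattern_type": "stix", "valid_from": ts, **common}

    def rel(rel_type, src, dst):
        return {"type": "relationship", "id": stable_id("relationship", rel_type, src["id"], dst["id"]),
                "relationship_type": rel_type, "source_ref": src["id"], "target_ref": dst["id"], **common}

    return [ipv4, domain, traffic, malware, infra, indicator,
            rel("controls", infra, malware),
            rel("consists-of", infra, ipv4),  # STIX 2.1 spelling; the PR table writes "consist-of"
            rel("consists-of", infra, domain),
            rel("indicates", indicator, malware)]


def process_feed(blob):
    """Unzip, map every record and return one STIX bundle dict."""
    objects = [obj for rec in read_zip_payload(blob) for obj in to_stix_objects(rec)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(process_feed(build_zip_payload(SAMPLE_FEED)), indent=2))
```

Two points worth checking in a real connector: every SCO id is derived from the spec namespace so re-ingesting the same feed deduplicates instead of duplicating observables (an OpenCTI connector would use pycti's deterministic id helpers for the SDOs and relationships rather than a private namespace), and the URL is escaped before being placed in the `url:value` pattern, since a scan URI containing a quote would otherwise yield an invalid or mismatching indicator pattern. The inflated-size bound on the archive member is the cheap guard against a hostile or corrupted zip payload.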

@m4r35 m4r35 force-pushed the hunt-io-connector branch from 1957104 to 85ea3aa Compare November 26, 2024 16:25
@m4r35 m4r35 marked this pull request as ready for review November 26, 2024 17:09
@Jipegien Jipegien added the community use to identify PR from community label Dec 3, 2024
@Jipegien
Member

Jipegien commented Dec 3, 2024

@helene-nguyen for your team to review

@romain-filigran romain-filigran added this to the PRs backlog milestone Jan 7, 2025
@helene-nguyen helene-nguyen added partner used to identify PR from partner and removed community use to identify PR from community labels Jan 9, 2025
Member

@helene-nguyen helene-nguyen left a comment


@m4r35 Thanks for the contribution !
All commits need to be signed and verified, could you please sign your commits to allow us to merge the PR ?

@m4r35 m4r35 force-pushed the hunt-io-connector branch from 85ea3aa to c3656d4 Compare January 9, 2025 12:48
@helene-nguyen helene-nguyen self-assigned this Jan 9, 2025
Member

@helene-nguyen helene-nguyen left a comment


Everything looks great on our end, thanks again for the contribution !

@helene-nguyen helene-nguyen linked an issue Jan 16, 2025 that may be closed by this pull request
@helene-nguyen helene-nguyen merged commit 7324a4b into OpenCTI-Platform:master Jan 16, 2025
4 checks passed
Labels
partner used to identify PR from partner
Development

Successfully merging this pull request may close these issues.

[HuntIO] Create the connector
4 participants