{"id":17852,"date":"2026-01-21T07:30:02","date_gmt":"2026-01-21T07:30:02","guid":{"rendered":"\/cybersecurity-blog\/?p=17852"},"modified":"2026-01-22T08:18:15","modified_gmt":"2026-01-22T08:18:15","slug":"ja3-hashes-threat-intelligence","status":"publish","type":"post","link":"\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/","title":{"rendered":"From Forgotten Tool to Powerful\u00a0Pivot:\u00a0Using JA3 to Expose Attackers&#8217; Infrastructure\u00a0"},"content":{"rendered":"\n<p>There is growing skepticism around JA3, and it is understandable. Public lists are rarely updated, and initiatives like <a href=\"https:\/\/sslbl.abuse.ch\/ja3-fingerprints\/\" target=\"_blank\" rel=\"noreferrer noopener\">JA3-fingerprints<\/a> have been effectively frozen since 2021, creating the impression that this is &#8220;yesterday&#8217;s technology.&#8221;<\/p>\n\n\n\n<p>However, JA3 fingerprints have not disappeared. Sensors continue to collect them, and they appear in reports and threat intelligence interfaces; many teams simply treat them as a formality, yet another log field that receives no meaningful analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JA3 fingerprints sit at the Tools level of the Pyramid of Pain, unlike disposable indicators such as IPs or domains.<\/li>\n<li>Frequency analysis of JA3 hashes can surface new malicious tooling early, before signatures exist.<\/li>\n<li>JA3 is rarely useful in isolation; context such as SNI, JA3S, URI, and host telemetry is critical.<\/li>\n<li>Threat hunting with JA3 enables analysts to cluster activity across samples, sessions, and campaigns.<\/li>\n<li><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> operationalizes JA3 by enabling fast pivots from a hash to malware, infrastructure, and TTPs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">JA3 Is Obsolete? That\u2019s Only Half the Truth<\/h2>\n\n\n\n<p>Technically, JA3 is straightforward to compute. It is built from TLS ClientHello parameters (version, cipher suites, extensions, supported groups\/elliptic curves, EC point formats), forming a JA3 string:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>version,ciphers,extensions,groups,ec_point_formats<\/code><\/pre>\n\n\n\n<p>Lists are separated by \u201c-\u201d, fields by \u201c,\u201d, and an MD5 hash is calculated from this string. Unlike an IP, domain, or file hash, JA3 describes a long-term network profile of a tool that tends to repeat across many samples using the same network module.<\/p>\n\n\n\n<p>This places JA3 at the Tools level in the Pyramid of Pain. The paradox is that threat intelligence feeds are often overloaded with &#8220;cheap&#8221; IOCs (IPs, domains, SHA256 hashes, etc.), while more resilient behavioral indicators like JA3 remain underutilized.<\/p>\n\n\n\n<p>There is, however, a downside: the same JA3 can appear in both legitimate and malicious applications (if they share the same TLS library), and attackers can deliberately mimic the profiles of popular clients \u2014 Google Chrome, Firefox, or Edge. 
Treating JA3 as a classic&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOC<\/a>&nbsp;(&#8220;hash \u2192 malware family&#8221;) without context is therefore risky: without&nbsp;additional&nbsp;data (SNI, URI, JA3S, host information, or session behavior), it can confuse SOC analysts more than help them.&nbsp;<\/p>\n\n\n\n<p>JA3 becomes&nbsp;truly powerful&nbsp;only when it is searchable, pivotable, and enriched with context.&nbsp;This is where ANY.RUN&#8217;s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Lookup<\/a>&nbsp;can&nbsp;assist&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intel-board-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">SOC<\/a>&nbsp;and Threat Hunting (TH) teams in turning JA3 from a mere log field into a practical investigation&nbsp;driver: quickly finding related&nbsp;malware samples,&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-pivoting\/\" target=\"_blank\" rel=\"noreferrer noopener\">pivoting<\/a>&nbsp;across infrastructure, and&nbsp;validating&nbsp;hypotheses with context. The approach ANY.RUN offers \u2014 backed by real-world case studies \u2014 is described below.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Applying JA3 in Practice&nbsp;<\/h2>\n\n\n\n<p>If a SOC systematically collects JA3 hashes and tracks their frequency, the dynamics of these values become informative on their own. A sudden spike in a previously rare JA3 hash often signals the emergence of a new tool, script, or automated client in the infrastructure. 
This anomalous growth enables early identification of potentially malicious components even before signatures or full behavioral profiles are available, turning JA3 into an early-warning indicator and a starting point for deeper investigation.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"686\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_0-1024x686.png\" alt=\"\" class=\"wp-image-17858\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_0-1024x686.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_0-300x201.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_0-768x515.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_0-370x248.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_0-270x181.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_0-740x496.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_0.png 1191w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Check JA3 hashes at https:\/\/intelligence.any.run<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>ANY.RUN used a similar&nbsp;methodology&nbsp;to select the JA3 hashes discussed here. We took all&nbsp;the&nbsp;unique&nbsp;analyses&nbsp;from&nbsp;our&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Sandbox<\/a>&nbsp;for&nbsp;the past 30 days, grouped them by JA3, and calculated the number of unique malicious and&nbsp;informational (info)&nbsp;analyses&nbsp;for each hash. 
We then filtered for suspicious JA3 hashes where info-&nbsp;analyses&nbsp;comprised&nbsp;less than 15% of malicious&nbsp;analyses&nbsp;and sorted by the number of unique malicious&nbsp;analyses&nbsp;(descending).&nbsp;<br>&nbsp;<br>One of the top suspicious JA3 hashes was a85be79f7b569f1df5e6087b69deb493, which is strictly associated with&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/remcos\/\" target=\"_blank\" rel=\"noreferrer noopener\">Remcos<\/a>&nbsp;RAT. Such fingerprints can be used directly in protective tools or for threat hunting without&nbsp;additional&nbsp;context:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522ja3:%255C%2522a85be79f7b569f1df5e6087b69deb493%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">ja3:&#8221;a85be79f7b569f1df5e6087b69deb493&#8243;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"496\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_1-1024x496.png\" alt=\"\" class=\"wp-image-17860\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_1-1024x496.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_1-300x145.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_1-768x372.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_1-1536x744.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_1-370x179.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_1-270x131.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_1-740x358.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_1.png 1627w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Search by ja3 hash in Threat Intelligence Lookup links it to known malware<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Note how TI Lookup highlights the&nbsp;threat&nbsp;landscape&nbsp;trends.&nbsp;It builds a real-time snapshot of industries and countries most associated with the threat or indicators you queried.&nbsp;It shows exactly how a given threat or indicator maps to specific sectors and countries, so you see whether it really matters for your business.&nbsp;TI Lookup with the&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/industry-geo-threat-landscape\/\" target=\"_blank\" rel=\"noreferrer noopener\">geo &amp; threat landscape functionality<\/a>&nbsp;is available to all Premium subscription users.&nbsp;<\/p>\n\n\n\n<p>Now&nbsp;let&#8217;s&nbsp;consider a situation where JA3 is associated with malware, but clarifying context is needed. For example, JA3 hash e7d705a3286e19ea42f587b344ee6865 in the ANY.RUN&nbsp;Sandbox is strictly associated with&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/wannacry\/\" target=\"_blank\" rel=\"noreferrer noopener\">WannaCry<\/a>. Yet&nbsp;the hash itself belongs to&nbsp;an old version&nbsp;of TOR.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522ja3:%255C%2522e7d705a3286e19ea42f587b344ee6865%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">ja3:&#8221;e7d705a3286e19ea42f587b344ee6865&#8243;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"430\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_2-1024x430.png\" alt=\"\" class=\"wp-image-17861\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_2-1024x430.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_2-300x126.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_2-768x323.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_2-1536x645.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_2-370x155.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_2-270x113.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_2-740x311.png 
740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_2.png 1623w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Hash associated with WannaCry and TOR<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>SOC analysts should still pay attention to this hash and decide whether to add it as an IOC to&nbsp;monitoring&nbsp;tools.&nbsp;<br>&nbsp;<br>JA3 can also help detect riskware applications \u2014 useful for SOC teams if such software is not allowed in the infrastructure.&nbsp;In this example,&nbsp;LogMeIn Rescue&nbsp;remote support tool has been detected:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522ja3:%255C%2522fce646120fa6eda85228d13e972f19ed%255C%2522%2522,%2522dateRange%2522:30%7D\" target=\"_blank\" rel=\"noreferrer noopener\">ja3:&#8221;fce646120fa6eda85228d13e972f19ed&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"268\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_3-1024x268.png\" alt=\"\" class=\"wp-image-17862\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_3-1024x268.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_3-300x78.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_3-768x201.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_3-1536x402.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_3-370x97.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_3-270x71.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_3-740x194.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_3.png 1629w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\"><em>Hash lookup reveals LogMeIn Rescue<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Using JA3 for Threat Hunting with ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>Now&nbsp;let&#8217;s&nbsp;examine a less straightforward case: JA3 hash e69402f870ecf542b4f017b0ed32936a. Here&nbsp;we\u2019ve&nbsp;got&nbsp;numerous&nbsp;info-analyses&nbsp;in absolute terms (though still &lt;15% of malicious&nbsp;ones). We cannot definitively label this as malware, but the example perfectly illustrates how JA3 can be effectively used in threat hunting:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522ja3:%255C%2522e69402f870ecf542b4f017b0ed32936a%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">ja3:&#8221;e69402f870ecf542b4f017b0ed32936a&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_4-1024x486.png\" alt=\"\" class=\"wp-image-17863\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_4-1024x486.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_4-300x142.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_4-768x364.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_4-1536x729.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_4-370x176.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_4-270x128.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_4-740x351.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_4.png 1631w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Sandbox analyses featuring the JA3 hash found via TI Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/2f7ad5c7-9455-491f-8a10-baf80b48626f?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Let\u2019s take a representative analysis as an example<\/a>.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"134\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_5-1024x134.png\" alt=\"\" class=\"wp-image-17864\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_5-1024x134.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_5-300x39.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_5-768x101.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_5-1536x201.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_5-370x49.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_5-270x35.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_5-740x97.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_5.png 1724w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>View&nbsp;malware\u2019s&nbsp;network connections in the Sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In the Connections tab, filtered by the malicious process PID, you can see the IPs and domains it contacted.&nbsp;<\/p>\n\n\n\n<p>The Connections tab also shows TLS handshake details for interactions with gofile.io and discord.com.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"307\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_6-1024x307.png\" alt=\"\" class=\"wp-image-17865\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_6-1024x307.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_6-300x90.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_6-768x231.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_6-370x111.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_6-270x81.png 270w, 
\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_6-740x222.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_6.png 1392w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Interactions with gofile.io<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Inspecting the HTTP stream reveals both the stolen data and the name of the tool responsible for exfiltration.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"272\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_7-1024x272.png\" alt=\"\" class=\"wp-image-17866\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_7-1024x272.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_7-300x80.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_7-768x204.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_7-1536x409.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_7-2048x545.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_7-370x98.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_7-270x72.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_7-740x197.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Discord data&nbsp;exfiltration<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>As a result,&nbsp;we\u2019ve&nbsp;expanded the attacker\u2019s&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-ttps-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">TTPs<\/a>&nbsp;by&nbsp;identifying&nbsp;their exfiltration methods.&nbsp;Other sandbox analysis sessions found by this&nbsp;JA3 hash in ANY.RUN TI&nbsp;Lookup&nbsp;also reveal other exfiltration platforms used by the same tool or its fork, for example:&nbsp;<\/p>\n\n\n\n<p>Telegram \u2013&nbsp;<a 
href=\"https:\/\/app.any.run\/tasks\/313ab7ae-3562-4311-a4fd-5a26876b8289\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">in this analysis<\/a>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"284\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_8-1024x284.png\" alt=\"\" class=\"wp-image-17867\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_8-1024x284.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_8-300x83.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_8-768x213.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_8-1536x426.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_8-2048x568.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_8-370x103.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_8-270x75.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_8-740x205.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Data exfiltration via Telegram<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>GoFile&nbsp;\u2013&nbsp;<a href=\"https:\/\/app.any.run\/tasks\/a8ae72ee-4f47-45ca-8fd2-64d0a0bf2d0f\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">in this analysis<\/a>:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"195\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_9-1024x195.png\" alt=\"\" class=\"wp-image-17868\" 
srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_9-1024x195.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_9-300x57.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_9-768x147.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_9-1536x293.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_9-370x71.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_9-270x52.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_9-740x141.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/ja3_9.png 1750w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Data exfiltration via&nbsp;GoFile<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>From these cases, we can conclude that attackers are using the same Go-based utility (or its fork) belonging to the Skuld malware family to exfiltrate data via Discord, Telegram, and&nbsp;GoFile, often first checking the victim&#8217;s geolocation via&nbsp;ip-api[.]com.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat hunting<\/a>&nbsp;with&nbsp;JA3&nbsp;hashes allows&nbsp;SOC teams to expand the context of network threats:&nbsp;from a single suspicious session to a cluster of related activity,&nbsp;a persistent&nbsp;network profile, and recurring communication patterns. Combined with SNI, JA3S, URI, infrastructure indicators, and host telemetry, JA3 helps not only find similar network sessions and accelerate investigations but also confidently link activity to specific malware families and highlight characteristic TTPs,&nbsp;turning fragmented signals into a complete attack picture.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN Threat Intelligence is designed to help with exactly these tasks. 
Start&nbsp;with&nbsp;checking your JA3 hash&nbsp;<a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\">in TI Lookup<\/a>.&nbsp;&nbsp;<\/p>\n\n\n\n<p>A single query reveals&nbsp;associated&nbsp;malware families, exfiltration channels, dropped files, and related network activity. This&nbsp;dramatically accelerates pivoting, hypothesis validation, and&nbsp;threat&nbsp;hunting. For any SOC or Threat Hunting team looking to detect attacker tools earlier and more reliably, TI Lookup\u2019s JA3 search capability is an indispensable daily solution.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;provides interactive&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">malware analysis<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">threat intelligence solutions<\/a>&nbsp;used by 15,000 SOC teams to investigate threats and verify alerts. They enable analysts to&nbsp;observe&nbsp;real attacker behavior in controlled environments and access context from live attacks. 
The services support both hands-on investigation and automated workflows and integrate with SIEM, SOAR, and EDR tools commonly used in security operations.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ja3-hashes-threat-intelligence&amp;utm_term=200126&amp;utm_content=linktoenterpriseform\/#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">See ANY.RUN\u2019s solutions in action<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Remcos JA3 hash<\/strong>: a85be79f7b569f1df5e6087b69deb493<\/li>\n<li><strong>TOR JA3 hash<\/strong>: e7d705a3286e19ea42f587b344ee6865<\/li>\n<li><strong>LogMeIn Rescue riskware JA3 hash<\/strong>: fce646120fa6eda85228d13e972f19ed<\/li>\n<\/ul>\n\n\n\n<p><strong>Skuld malware IOCs<\/strong> (JA3 + domains hunting context):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>e69402f870ecf542b4f017b0ed32936a + gofile.io + discord.com + ip-api.com<\/li>\n<li>d113e8b9d55b97b77077806180483c96 + gofile.io + discord.com + ip-api.com<\/li>\n<\/ul>\n\n\n\n<p>SHA256:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>b86f00212f8c04cef7e360e309b1b54648335f7c61099d4677889513166555ef<\/li>\n<li>72fa3ff5c1f473698df243455b7741b7a63ace3ce2903f65c8fe407d4ce9b435<\/li>\n<\/ul>\n\n\n\n<p><strong>IOCs for exfiltration via Discord or Telegram:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dropped file with exfiltrated data &#8211; %TEMP%\\browsers.zip<\/li>\n<li>HTTP request body parameter &#8211; 
&#8220;username&#8221;:&#8221;necrograbber&#8221;&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>IOC for exfil via&nbsp;Gofile:&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dropped file with exfiltrated data &#8211; %TEMP%\\commonfiles.zip&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ&nbsp;<\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1768979768929\"><strong class=\"schema-faq-question\"><strong>What is JA3 used for in a SOC?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">JA3 is used to\u00a0identify\u00a0recurring TLS client behavior and detect reused tools or malware network stacks.\u00a0<br\/><\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1768979798907\"><strong class=\"schema-faq-question\"><strong>Is JA3 an IOC?<\/strong>\u00a0<br\/><\/strong> <p class=\"schema-faq-answer\">Not in the classical sense. JA3 is a behavioral fingerprint that requires context to be reliable.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1768979818442\"><strong class=\"schema-faq-question\"><strong>Can attackers evade JA3 detection?<\/strong>\u00a0<br\/><\/strong> <p class=\"schema-faq-answer\">Yes, by mimicking popular clients or changing TLS libraries, but doing so increases their operational cost.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1768979827938\"><strong class=\"schema-faq-question\"><strong>Why\u00a0do\u00a0legitimate and malicious software sometimes share the same JA3?<\/strong>\u00a0<br\/><\/strong> <p class=\"schema-faq-answer\">Because they may use the same TLS libraries or frameworks.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1768979836994\"><strong class=\"schema-faq-question\"><strong>How should analysts investigate a suspicious JA3?<\/strong>\u00a0<br\/><\/strong> <p class=\"schema-faq-answer\">By pivoting across sessions, domains, JA3S, HTTP 
flows, and malware samples using TI platforms like TI Lookup.\u00a0<\/p> <\/div> <\/div>\n","protected":false},"author":2,"featured_media":17854,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,58,34,40],"class_list":["post-17852","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-cybersecurity-training","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>JA3 Fingerprinting: How SOCs Detect Attacker Tools<\/title>\n<meta name=\"description\" content=\"Learn how JA3 helps SOC analysts uncover attacker tools and how TI Lookup enables effective JA3-based threat hunting.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"GridGuardGhoul\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\n\t    \"@context\": \"https:\/\/schema.org\",\n\t    \"@graph\": [\n\t        {\n\t            \"@type\": \"Article\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#article\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/\"\n\t            },\n\t            \"author\": {\n\t                \"name\": \"GridGuardGhoul\",\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"headline\": \"From Forgotten Tool to Powerful\u00a0Pivot:\u00a0Using JA3 to Expose Attackers&#8217; Infrastructure\u00a0\",\n\t            \"datePublished\": \"2026-01-21T07:30:02+00:00\",\n\t            \"dateModified\": \"2026-01-22T08:18:15+00:00\",\n\t            \"mainEntityOfPage\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/\"\n\t            },\n\t            \"wordCount\": 1844,\n\t            \"commentCount\": 0,\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"keywords\": [\n\t                \"ANYRUN\",\n\t                \"cybersecurity\",\n\t                \"cybersecurity training\",\n\t                \"malware analysis\",\n\t                \"malware behavior\"\n\t            ],\n\t            \"articleSection\": [\n\t                \"Malware Analysis\"\n\t            ],\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"CommentAction\",\n\t                    \"name\": \"Comment\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#respond\"\n\t                    ]\n\t 
               }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": [\n\t                \"WebPage\",\n\t                \"FAQPage\"\n\t            ],\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/\",\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/\",\n\t            \"name\": \"JA3 Fingerprinting: How SOCs Detect Attacker Tools\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"datePublished\": \"2026-01-21T07:30:02+00:00\",\n\t            \"dateModified\": \"2026-01-22T08:18:15+00:00\",\n\t            \"description\": \"Learn how JA3 helps SOC analysts uncover attacker tools and how TI Lookup enables effective JA3-based threat hunting.\",\n\t            \"breadcrumb\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#breadcrumb\"\n\t            },\n\t            \"mainEntity\": [\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979768929\"\n\t                },\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979798907\"\n\t                },\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979818442\"\n\t                },\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979827938\"\n\t                },\n\t                {\n\t                    \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979836994\"\n\t                }\n\t            ],\n\t            \"inLanguage\": \"en-US\",\n\t           
 \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"ReadAction\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"BreadcrumbList\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#breadcrumb\",\n\t            \"itemListElement\": [\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 1,\n\t                    \"name\": \"Home\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 2,\n\t                    \"name\": \"Malware Analysis\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 3,\n\t                    \"name\": \"From Forgotten Tool to Powerful\u00a0Pivot:\u00a0Using JA3 to Expose Attackers&#8217; Infrastructure\u00a0\"\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebSite\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN&#039;s Cybersecurity Blog\",\n\t            \"description\": \"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"SearchAction\",\n\t                    \"target\": {\n\t                        
\"@type\": \"EntryPoint\",\n\t                        \"urlTemplate\": \"https:\/\/any.run\/?s={search_term_string}\"\n\t                    },\n\t                    \"query-input\": \"required name=search_term_string\"\n\t                }\n\t            ],\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Organization\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"logo\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"contentUrl\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"width\": 1,\n\t                \"height\": 1,\n\t                \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"image\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"sameAs\": [\n\t                \"https:\/\/www.facebook.com\/www.any.run\/\",\n\t                \"https:\/\/twitter.com\/anyrun_app\",\n\t                \"https:\/\/www.linkedin.com\/company\/30692044\",\n\t                \"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"Person\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"GridGuardGhoul\",\n\t            \"image\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul.jpeg\",\n\t                \"contentUrl\": 
\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul.jpeg\",\n\t                \"caption\": \"GridGuardGhoul\"\n\t            },\n\t            \"description\": \"I am a network security researcher and reverse engineer exploring malware, protocols, and exploits.\",\n\t            \"url\": \"#molongui-disabled-link\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979768929\",\n\t            \"position\": 1,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979768929\",\n\t            \"name\": \"What is JA3 used for in a SOC?\u00a0\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"JA3 is used to\u00a0identify\u00a0recurring TLS client behavior and detect reused tools or malware network stacks.\u00a0<br\/>\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979798907\",\n\t            \"position\": 2,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979798907\",\n\t            \"name\": \"Is JA3 an IOC?\u00a0\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"Not in the classical sense. 
JA3 is a behavioral fingerprint that requires context to be reliable.\u00a0\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979818442\",\n\t            \"position\": 3,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979818442\",\n\t            \"name\": \"Can attackers evade JA3 detection?\u00a0\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"Yes, by mimicking popular clients or changing TLS libraries, but doing so increases their operational cost.\u00a0\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979827938\",\n\t            \"position\": 4,\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979827938\",\n\t            \"name\": \"Why\u00a0do\u00a0legitimate and malicious software sometimes share the same JA3?\u00a0\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"Because they may use the same TLS libraries or frameworks.\u00a0\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Question\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979836994\",\n\t            \"position\": 5,\n\t      
      \"url\": \"https:\/\/any.run\/cybersecurity-blog\/ja3-hashes-threat-intelligence\/#faq-question-1768979836994\",\n\t            \"name\": \"How should analysts investigate a suspicious JA3?\u00a0\",\n\t            \"answerCount\": 1,\n\t            \"acceptedAnswer\": {\n\t                \"@type\": \"Answer\",\n\t                \"text\": \"By pivoting across sessions, domains, JA3S, HTTP flows, and malware samples using TI platforms like TI Lookup.\u00a0\",\n\t                \"inLanguage\": \"en-US\"\n\t            },\n\t            \"inLanguage\": \"en-US\"\n\t        }\n\t    ]\n\t}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}