This brief provides a technical analysis of how threat actors repurpose client-side proxy frameworks like Ultraviolet and its successor Scramjet for phishing campaigns, the observable network and page-level artifacts, and detection strategies for these novel evasion techniques.

Contents

• Service workers - A brief overview
• Ultraviolet Proxy Framework
• Case Study: Microsoft Login Phishing via Ultraviolet
• Emerging Trends: Scramjet
• Why Threat Actors Use Proxy Frameworks
• Conclusion
• References and further reading

Service workers - A brief overview

What if a website could quietly place a programmable layer inside your browser that controls how network traffic is handled? A service worker is JavaScript code that a website downloads into the web browser. Once installed, it sits inside the browser and acts like a helper for that website, handling some of the communication between the browser and the web server. The service worker can control what information is sent back and forth, store data to retrieve later, and run background operations. Service workers operate in the background, without an obvious difference to the end user.

At its core, a service worker operates like a proxy server sitting between the web application, the browser, and the network. However, it is intentionally restricted: service workers have no DOM access, run asynchronously on a different thread, and cannot use certain synchronous APIs such as synchronous XHR or Web Storage. Further reference reading on service workers (Mozilla - Service Worker API).

What service workers can do:

• Intercept network requests and provide custom responses.
• Cache resources to enable effective offline experiences.
• Support capabilities such as push notifications and background synchronization.

What they cannot do:

• Access or manipulate the DOM.
• Run synchronous operations or certain blocking APIs.
• Intercept network requests from browser tabs/windows other than its own

Service Worker Diagram - Source: https://web.dev/articles/workers-overview

Threat actors benefit significantly from using service workers as a proxy layer in credential-phishing campaigns because these workers can intercept and modify network requests while operating persistently in the background. A malicious service worker could alter responses, inject harmful content, or redirect victims to phishing pages, enabling attackers to capture sensitive information without the user’s knowledge. Once compromised, a worker may intercept all requests made by a web application and steal data or manipulate sessions, effectively positioning the attacker in a man-in-the-middle role. Additionally, because service workers can cache and serve modified responses and continue running after installation, they provide attackers with durable control over traffic flows - a capability that can help deliver malicious payloads directly to the browser and potentially evade traditional inspection points such as SSL/TLS proxies. Setting up a service worker is not a simple task which is why there are pre-configured frameworks already built allowing for simple and quick deployments.

Ultraviolet Proxy Framework

Ultraviolet is an open-source browser-based proxy framework originally designed to bypass censorship by relaying web content through a service-worker sandbox. When run in a user’s browser, Ultraviolet intercepts all HTTP requests for that window and reroutes them through an Ultraviolet server. This allows users to access arbitrary sites as if the content were hosted on the proxy domain itself.

Key features include:

• Handling CAPTCHAs and cookies
• Full client-side request interception and content rewriting
• URL encoding/decoding to obscure navigation paths

While intended for censorship circumvention, these capabilities make Ultraviolet attractive to threat actors, enabling them to host phishing pages, malware, or redirects behind seemingly benign domains, thereby evading URL-based filtering and static content analysis.

Case Study: Microsoft Login Phishing via Ultraviolet

This case study is based on an Unlisted scan conducted by the urlscan Threat Research Team and approved for release.

In a recent investigation https://urlscan.io/result/019be0f3-2e36-7549-aff2-f3b27a575a72 the urlscan Threat Research Team noticed a redirect was being abused from the legitimate Microsoft login domain to the malicious phishing domain. This led the urlscan Threat Research Team to investigate this process further.

During analysis we observed the page’s HTML and scripts loaded components from an Ultraviolet proxy. Specifically, the page pulled down uv.bundle.js, uv.config.js, and uv.handler.js. These filenames and the presence of a __uv$config JavaScript object and UVClient JavaScript functions in the scan capture are hallmarks of the Ultraviolet framework.

These scripts are not part of any legitimate Microsoft login page - they are the Ultraviolet client scripts that bootstrap the service worker proxy. In effect, when a victim’s browser visited the phishing link, the Ultraviolet worker redirected requests behind the scenes to the real Microsoft login server. This lets the phishing site display a genuine-looking login page without hosting it on the attacker’s domain.

In general, any page that loads uv.handler.js, uv.config.js, and uv.bundle.js or similar from a nonstandard host is likely using Ultraviolet (or a derivative).

The configuration json file is used to adjust how the proxy operates. The structure of the file is shown below.

  Prefix: The directory prefix users will see.
  Bare: Bare servers can run on directories, e.g., http://example.org/bare/.
  EncodeUrl: How you want the URL to be encoded (Examples: xor or base64).
  DecodeURL: How you want the URL to be decoded (Should match EncodeUrl).
  Handler: Path to the UV handler (Default: static/uv/uv.handler.js).
  Bundle: Path to the UV bundle file (Default: static/uv/uv.bundle.js).
  Config: Path to the UV config file (Default: static/uv/uv.bundle.js).
  SW: Path to the UV Service Worker script (Default: static/uv/uv.sw.js).

Using the case study scan the config file can be seen in the responses:

  self.__uv$config = {
      prefix: '/s/',
      bare: '/bare/',
      encodeUrl: Ultraviolet.codec.xor.encode,
      decodeUrl: Ultraviolet.codec.xor.decode,
      handler: '/uv/uv.handler.js',
      bundle: '/uv/uv.bundle.js',
      config: '/uv/uv.config.js',
      sw: '/uv/uv.sw.js',
  };

Importantly, urlscan’s phishing‐detection engine flagged this scan as malicious and branded the scan as impersonating Microsoft.

Emerging Trends: Scramjet

Scramjet is the successor to Ultraviolet and functions similarly, with comparable client-side artifacts and fingerprinting opportunities. Proactive detection is recommended by using a search for the key items liked to Scramjet deployments.

Why Threat Actors Use Proxy Frameworks

1. Infrastructure hiding: Attackers often host phishing pages on compromised or throwaway domains. Proxy systems let them further obscure the origin by funneling traffic through a proxy domain. To a casual observer or naive filter, the site may simply appear as a normal hosted portal (Google or Discord via proxy), not a credential phishing page.

2. Content authenticity: Because the proxy relays live content from legitimate sites, the phishing page can embed genuine UI elements. In our case, the Microsoft login form was real Microsoft HTML, not a hand‑crafted fake. This reduces the chance of obvious typos or missing images.

3. Filter evasion: Many network defenses whitelist popular content providers or CDN domains. By bouncing through an allowed domain, the attacker can slip past domain‑based blocks.

4. Unified control: The service‑worker model of Ultraviolet and Scramjet means an attacker can configure proxy rules centrally. They can redirect all requests to chosen endpoints (e.g. credential phishing login pages) without modifying each page. This flexibility is appealing for maintaining phishing kits or redirect infrastructures.

Because Ultraviolet and Scramjet were designed to bypass censorship, it is inherently evasive. Threat actors repurpose that feature set for malicious anonymity and persistence.

To support detection of these systems we have added a new label to urlscan Pro to allow detection of proxy frameworks including Ultraviolet and Scramjet. These can be used to detect an underlying proxy framework on a scan or filter based upon these detections.
tech.proxy.ultraviolet and tech.proxy.scramjet

Conclusion

Client-side proxy frameworks such as Ultraviolet and Scramjet are being repurposed by threat actors to cloak phishing campaigns. The case study demonstrates how attackers can proxy legitimate content (e.g., Microsoft login pages) through their own infrastructure, evading traditional URL-based and static detection.

Detection is achievable by analyzing artifacts, global objects, and configuration patterns in the page source, highlighting the importance of hunting using framework elements and rendered images and hashes.

By proactively monitoring these frameworks and correlating proxy behaviors with open redirects, defenders can identify and mitigate high-fidelity phishing campaigns before they reach and impact end users.

References and further reading

If you would like to know more about service workers, their potential abuse and impact on detections take a look at the following resources which provide good oversights into this topic.

• GitHub - Scramjet
• GitHub - Ultraviolet
• Medium @ahaz1701 - EvilWorker: AiTM attack leveraging service workers
• Mux.com - Service workers are underrated, and building media proxies proves it
• Web.dev - Service workers

Workshop: Uncovering Phishing Infrastructure
A Hands-On Workshop with urlscan.io

In this interactive workshop, we will show how analysts can transform a single suspicious URL into a deep investigation - uncovering entire phishing campaigns and the infrastructure behind them. Whether you’re new to urlscan.io or already using it in your workflow, this session is designed to give you practical techniques you can apply immediately.

During the workshop, we’ll walk through real-world investigation scenarios and demonstrate how to:

• Analyse suspicious websites safely using urlscan.io
• Pivot across domains, hostnames, and infrastructure
• Identify clusters of phishing activity using advanced search techniques
• Automate scans and monitor threats in the background
• Use features like live browsing, incident creation, and investigation workflows

Our focus is on hands-on, practical investigation techniques - not just theory.

Phishing campaigns are becoming more sophisticated, scalable, and interconnected. Being able to quickly pivot from a single indicator to a broader threat landscape is a critical skill for modern analysts.

This workshop will give you insight into:

• How real-world investigations are conducted by the urlscan Threat Research Team
• How to uncover infrastructure that isn’t immediately visible
• How to scale your investigations with automation

Meet the Team

Beyond the workshop, we would love to meet you in person. If you are attending PIVOTcon, come and chat with us. Share your success stories as well as where you might still be struggling!

Jake S

Senior Threat Researcher

Johannes 'Jojo' Gilger

Founder & CEO

Whether you are a customer already or just curious about our platform, we invite you to reach out and schedule a meeting with us around the date of the conference itself. Please reach out to info@urlscan.io to get this set up.

Vishing: the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

A Typical Attack Flow

These campaigns usually begin with a cold call where the threat actor impersonates a trusted entity. The victim is directed to a single purpose landing page designed to look like a legitimate “live support” or “chat assistance” portal. From this page, the victim is instructed to download and install a legitimate remote access tool, most commonly AnyDesk, TeamViewer, or ConnectWise.

Once the software is installed, the threat actor requests the session code or in some cases guides the victim through installing a preconfigured client, enabling full remote access to the victim’s desktop.

At this stage, the threat actor may social-engineer the victim into logging into their bank or approving actions such as MFA prompts or payment confirmations. Because the activity originates from the victim’s own device and browser, fraudulent transactions often appear indistinguishable from normal user behavior.

• The software involved is legitimate and widely used for real IT support, which is a common tactic employed by threat actors, meaning behavioral fingerprints are harder to spot, as the actions of the remote desktop tool isn’t obscure.
• Financial transactions are executed through the genuine account holder’s account from their usual device and location, which means behavioral fraud detection systems often fail to trigger alerts.

Technical Clusters

Below are the structural clusters we use to group and hunt these setups. Each cluster includes the behavioral/structural signatures.

‘index/config.js’ Cluster

Pages use a consistent combination of index.js and config.js filenames. config.js frequently contains direct or proxied links for the remote desktop installer.

The index.js file produces the download buttons for Windows and Mac based on the visitor’s browser. It is notable in the cluster that Windows and Mac operating systems are differentiated in the download.

  import { WIN_DOWNLOAD_LINK, MAC_DOWNLOAD_LINK } from '../config.js';

  document.addEventListener('DOMContentLoaded', function () {
    const downloadButtons = document.querySelectorAll('.dl-btn');
    const winIcons = document.querySelectorAll('.dl-win');
    const macIcons = document.querySelectorAll('.dl-mac');
    const isMac = navigator.platform.startsWith('Mac');

    winIcons.forEach((icon) => icon.classList[isMac ? 'add' : 'remove']('hidden'));
    macIcons.forEach((icon) => icon.classList[isMac ? 'remove' : 'add']('hidden'));

    downloadButtons.forEach((button) => {
      button.addEventListener('click', function () {
        const downloadLink = isMac ? MAC_DOWNLOAD_LINK : WIN_DOWNLOAD_LINK;
        const link = document.createElement('a');
        link.href = downloadLink;
        document.body.appendChild(link);
        link.click();
        document.body.removeChild(link);
      });
    });
  });

The config.js file is a very basic file which points the index.js file to the executable download locations on the domain.

  export const WIN_DOWNLOAD_LINK = '/path/to/win.exe';
  export const MAC_DOWNLOAD_LINK = '/path/to/mac.dmg';

The brands targeted by this cluster are predominantly banking and financial companies.

Observed brands within this cluster are:

• BNZ - https://urlscan.io/result/019b6626-d717-7118-91f8-378b03838990
• Chase - https://urlscan.io/result/019acb3e-6ff2-7775-ab90-c35975f309f1
• American Express - https://urlscan.io/result/019ac9f1-d79b-7002-8eb7-505a4b469e95
• Bank Of America - https://urlscan.io/result/019a7070-6aca-744a-aca2-2928bf7ad6a2
• PayPal - https://urlscan.io/result/0198c996-c9fa-71dc-a6c1-ac5821187a6b

‘OSname’ Cluster

Pages which are part of this cluster include a small JavaScript snippet that inspects navigator.appVersion and assigns OSName, sets the dlButton text and href.

This cluster also looks for the operating system and then adapts the button text to the corresponding name

  $(document).ready(function () {
      if (navigator.appVersion.indexOf("Win") != -1) {
          OSName = "Windows";
          $("#dlButton").text("Open Live chat on Windows");
          $("#dlButton").attr("href", "https://download.anydesk.com/AnyDesk.exe");
      } else if (navigator.appVersion.indexOf("Mac") != -1) {
          OSName = "macOS";
          $("#dlButton").text("Open Live chat on Mac");
          $("#dlButton").attr("href", "https://download.anydesk.com/anydesk.dmg");
      } else {
          OSName = "Unknown";
          $("#dlButton").text("Not Available");
          $("#dlButton").attr("href", "javascript:void(0);");
      }
  });

A large number of brands are used as lures in this cluster. A sample set of brands from different verticals observed are:

• Banking
  • Bank of Ireland - https://urlscan.io/result/019b35e2-a87f-7128-b36d-3188d8e3602e
  • Barclays - https://urlscan.io/result/019b03b2-c4d8-72c7-a7ac-bf7c3d98266a
  • Comerica - https://urlscan.io/result/019c0603-69c9-72f2-83dc-2b4eca2af2ff
  • Huntington Bank - https://urlscan.io/result/019c2a52-fcf6-7782-b256-e37502e2a27b
  • Santander - https://urlscan.io/result/019abb35-bda6-73b8-8785-0661216037d4
  • US Bank - https://urlscan.io/result/019bb790-81e4-7348-b589-542b7272aeb4
  • Westpac - https://urlscan.io/result/019a99bb-8221-7225-81da-b3166cefddaa
• Crypto
  • Coinbase - https://urlscan.io/result/0196a048-a33a-72ef-8fe0-c25d651c1445
  • Ledger - https://urlscan.io/result/019c2496-1c1a-7561-aadd-e986d3cff6cf
• Online
  • Haveibeenpwned - https://urlscan.io/result/0199a98f-8446-74ba-b61d-f539f074f786

Direct-link Cluster

The simplest of the clusters has static HTML templates linking directly to the official AnyDesk download page on download.anydesk.com. This is really useful as using urlscan it is trivial to quickly spot copycats sites abusing the web links.

Predominantly financial institutions are targeted by this cluster. A small section of the brands associated are:

• Hampden Bank - https://urlscan.io/result/01967c63-9367-7676-aeff-b9d13ee681b8
• Kiwibank - https://urlscan.io/result/019abe17-c487-70f9-9cdf-89e2ebb51665
• Metro Bank - https://urlscan.io/result/4f11d391-ab70-47b6-85ed-dfd29e6f0e58
• Revolut - https://urlscan.io/result/0195f1f0-57c3-754e-8e4f-c606df805b86
• Scotiabank - https://urlscan.io/result/0195a9a1-8d97-7cca-9171-cb192e92ac64
• Westpac - https://urlscan.io/result/019bd7e8-de31-735c-8de2-2313d0a8a652

It should be noted that the OSname and Direct-link clusters share very similar code. This similarity may indicate a newer generation of the kit or the emergence of a splinter group. However, this does not preclude the presence of two distinct clusters, each with its own unique fingerprint.

The ‘killer’ Cluster

The pages in this cluster implement an initial anti-bot filter step using a geo filter and custom allowlist. Additionally, these pages use a backend, often Supabase, before loading the final “support” page. config.js usually exports constants like ENTRY_FILE, ACCESS_KEY, SUPABASE_URL, SUPABASE_KEY. The token names/strings often reuse terms like killer or brand shortcodes (e.g. anzkiller).

Representative config.js file:

  export const ENTRY_FILE = '/anz/index.html';
  export const ACCESS_KEY = 'anzkiller';
  export const SUPABASE_URL = 'https://xnixjkzqyaynqblknxcz.supabase.co';
  export const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...';

There are multiple searches which can be used to find the pages associated with this cluster. Searches can also be refined to look for the initial landing pages which in some cases, depending on how the scan was performed, has been redirected, or searching for the page content on the anti-bot page. Due to the way the redirection logic is built, scans can still be hunted and matched.

• Landing page scan - ANZ Bank - https://urlscan.io/result/019b062e-5fad-77cd-b61c-1ab46e05aa1e
• Direct scans of the subpage - Virgin Money - https://urlscan.io/result/019b271e-7e19-70ae-8405-080033ee9bd7

The brands observed are predominantly geographically targeted with Australia and The United Kingdom being targeted the most. A sample of brands identified in this cluster are:

• ANZ Bank https://urlscan.io/result/01985cdc-a2fb-75bb-91fe-638c064fd650
• NAB https://urlscan.io/result/0199ff5d-c8d8-748d-ac7b-ee49192c61f9
• Westpac https://urlscan.io/result/01984e53-3838-72da-a6d0-a0b92bc9c69b
• Bank of Scotland https://urlscan.io/result/01961a0e-c8f2-723a-aae1-c70c024ba326
• Lloyds https://urlscan.io/result/d2f44a43-86a2-4b3e-9d2e-d506dcb4d2de
• Santander - https://urlscan.io/result/01957ac3-261e-7000-b553-60523a6504c4

Conclusion

The analysis of live support campaigns reveals a persistent threat model centered on social engineering and the abuse of legitimate remote access tools such as AnyDesk and TeamViewer. This approach allows threat actors to bypass traditional fraud detection mechanisms by initiating fraudulent transactions directly from the victim’s own, trusted device and location.

The campaigns exhibit a scalable structure, identifiable through four distinct technical clusters - the index/config.js cluster, the OSName cluster, the Direct-link cluster, and the regionally-focused "killer" cluster - which provide actionable signatures for defense. While various brands are impersonated, the core objective remains financially motivated, with a heavy emphasis on targeting banking and financial institutions, particularly in regions like the US, Australia and the UK.

Has this hostname/domain/IP/URL been observed hosting malicious content?

The API answers this question efficiently with predictable performance.

Background

A common use-case for customers of the urlscan platform is to check historical scan results to determine whether a particular item had been seen in connection with malicious activity. This type of lookup was always possible using the Search API, but was slow and relatively expensive to run across 10 years of history and billions of scan results. The new Malicious Lookup API was created to answer that simple questions more efficiently.

The API could be used as a cheap pre-check before performing more expensive actions: If a website has already (or recently) been seen in connection with malicious activity, then maybe it does not need to be scanned again.

API Reference

The Malicious Lookup API is available via the following endpoint:

GET /api/v1/malicious/{type}/{value}

The type parameter selects what kind of observable to query:

• ip – Look up an IP address (e.g. 192.0.2.1)
• hostname – Look up an exact hostname match (e.g. www.example.com)
• domain – Look up an apex domain, covering all subdomains (e.g. example.com)
• url – Look up an exact page URL (URL-encoded, e.g. https%3A%2F%2Fexample.com%2Fpath)

Note: URLs are canonicalised automatically: The protocol and query parameters are discarded before running the lookup.

The response includes the observable, its type, the number of malicious scan results it was seen in, and when it was first and last seen:

{
    "observable": "testsafebrowsing.appspot.com",
    "type": "hostname",
    "count": 2445,
    "firstSeen": "2023-05-22T06:17:07.535Z",
    "lastSeen": "2026-03-23T10:49:14.046Z"
}

cURL example

curl -X GET \
  'https://urlscan.io/api/v1/malicious/hostname/testsafebrowsing.appspot.com' \
  -H 'api-key: YOUR_API_KEY_HERE'

About the urlscan classification approach

A website will be flagged as malicious by urlscan under the following conditions:

• The website is hosting what appears to be phishing or brand impersonation.
• The website is not hosted on a legitimate domain for whatever brand or organisation it claims to represent.

urlscan does not flag hostnames or domains as malicious purely based on their domain name or community verdicts. Our main focus is the content of these websites. As a result, even legitimate domains and hostnames will be flagged when they host malicious content. A platform like Google Docs on docs.google.com could appear as malicious if there are some pages on that hostname which are hosting malicious content.

Availability

This endpoint is available to urlscan Pro customers. For full details, see the API documentation.

Brand AI 2.0

We are now using an improved model for our Brand AI feature. Brand AI dynamically recognizes the brand name of a website and makes it available as a searchable attribute in the visible.brandname field in the scans database. Using the visible brand name determined by Brand AI, customers can hunt for pages related to their brand more effectively than using pure text-based signals (such as text.content or page.title).

Searching for brand names using Brand AI can be as easy as:

visible.brandname:ezpass

Using the .keyword field for exact matches (no additional words):

visible.brandname.keyword:irs

Brand AI allows urlscan and our customers to quickly detect new phishing and brand-impersonation campaigns which deviate from previous templates and branding.

Searching for brand names using Brand AI on urlscan Pro

ML Verdicts 2.0

Our ML classifier has been retrained from scratch using a refined training data selection regime and additional classification features. The mis-classification rate should now be much lower. A side-effect of this new training run is that many newly observed domains and hostnames will be assigned a more aggressive score.

The ML verdicts can be queried using the verdicts.engines.score field, with values ranging from -100 (benign) to 100 (malicious). The ML verdicts do not automatically trigger detections using our traditional verified detections available via the brand.key fields.

Brand AI and ML Verdict on a scan result page

Brand AI and ML verdicts can be combined for targeted hunting:

visible.brandname:mygov AND verdicts.engines.score:>80

AI Summaries & Translations

We have launched an experimental new feature called AI Summaries and AI Translations. These will summarise and translate the content of the scan screenshot. The goal is to allow our customers to quickly understand the content of a website delivered in a foreign language without resorting to copy-pasting text into third-party platforms. This is a common requirement when investigating campaigns or malicious infrastructure and stumbling on a website in a foreign language.

AI Summary and Translation on a scan result page

• GET /api/v1/result/{scanId}/
• GET /dom/{scanId}/
• GET /responses/{fileHash}/

Make sure all of your API integrations are sending the urlscan API key via the appropriate api-key HTTP request header today.

Make sure to send API key headers for all requests against urlscan.io, even for API paths that do not require authentication today.

API Calls

This is what an authenticated API call looks like:

curl -i -X GET \
  'https://urlscan.io/api/v1/result/{scanId}/' \
  -H 'api-key: YOUR_API_KEY_HERE'

For more details please check the API docs.

Background

These changes are necessary to curb abuse of our platform and ensure its stability and availability for legitimate users.

Data Dumps provide pre-built, gzip-compressed JSONL files and tar archives containing the results of all public and unlisted scans (private scans are not included). Files are organised by time window and data type, and are available at per-minute, per-hour, and per-day granularity — so you can pick exactly the slice of data you need.

Why Data Dumps?

Until now, customers who needed large volumes of scan result data had to call the Result API individually for every scan UUID — often resulting in millions of API calls per day. Data Dumps change this fundamentally:

• Drastically reduced quota usage — download an entire day’s worth of scan results in a single request instead of hundreds of thousands.
• Higher throughput — retrieve large datasets as pre-built, compressed files over high-bandwidth connections rather than through rate-limited API endpoints.
• Simpler pipelines — integrate scan data into your own data warehouse or processing pipeline by periodically fetching a single file per time window.
• Multiple data types — dumps are available for API results, search results, screenshots, and DOM snapshots.

What’s included?

The available data types are:

Only public and unlisted scans are included in data dumps. Private scans are never exported. Dumps are available for a rolling 7-day window, so you can backfill up to 7 days of data at any time.

Availability

Data Dumps are available today for customers on the Ultimate and Enterprise plans. You can browse and download dump files directly from the urlscan Pro Data Dumps page, which also shows the available time windows, file sizes, and timestamps. The page also provides the corresponding API URL for each file so you can integrate downloads into your own tooling.

Using Data Dumps with urlscan-cli

Data Dump support is included in urlscan-cli v0.0.5 and later. The urlscan pro datadump command provides two sub-commands: list and download.

The path format is <time-window>/<file-type>/<date>, where:

• time-window is days, hours, or minutes
• file-type is api, search, screenshot, or dom
• date is an optional date in YYYYMMDD format

List available dump files:

# List all available daily API dumps
urlscan pro datadump list days/api

# List hourly API dumps for a specific day
urlscan pro datadump list hours/api/20260301

Download a specific file:

# Download a daily API dump
urlscan pro datadump download days/api/20260301.gz

# Download a specific hourly dump
urlscan pro datadump download hours/api/20260301/20260301-14.gz --extract

Use --follow to continuously sync all available files (up to the last 7 days). The --follow flag memoises which files have already been downloaded, so it is safe to run periodically as a cron job — only new files will be fetched:

# Download all available hourly API dumps (last 7 days)
urlscan pro datadump download hours/api/ --follow

# Download all hourly DOM dumps for a specific day
urlscan pro datadump download hours/dom/20260301/ --follow

Files can be saved to a specific directory with --directory-prefix / -P and automatically extracted with --extract / -x.

Full CLI reference: urlscan pro datadump

Using Data Dumps with urlscan-python

Data Dump support is included in urlscan-python v0.0.2 and later via the Pro client’s datadump attribute.

import os
from urlscan import Pro
from urlscan.utils import extract

with Pro("<your_api_key>") as pro:
    # List hourly API dump files for a specific day
    res = pro.datadump.get_list("hours/api/20260301/")

    # Download and extract each file
    for f in res["files"]:
        path = f["path"]
        basename = os.path.basename(path)

        with open(basename, "wb") as file:
            pro.datadump.download_file(path, file=file)

        extract(basename, "/tmp")

The get_list method accepts the same <time-window>/<file-type>/<date> path format as the CLI. The extract utility from urlscan.utils handles decompression of the downloaded .gz files.

Getting Started

Log in to urlscan Pro to explore the available dumps and get your API key. If you have any questions or feedback, please reach out to support@urlscan.io.

urlscan-cli

We have released a new version of urlscan-cli, our official command-line tool for interacting with the urlscan platform.

What’s New

Support for more Pro API endpoints as sub-commands:

$ urlscan pro
Pro sub-commands

Usage:
  urlscan pro [command]

Available Commands:
  brand            Brand sub-commands
  channel          Channel sub-commands
  datadump         Data dump sub-commands
  file             Download a file
  hostname         Get the historical observations for a specific hostname in the hostname data source
  incident         Incident sub-commands
  livescan         Livescan sub-commands
  saved-search     Saved search sub-commands
  structure-search Get structurally similar results to a specific scan
  subscription     Subscription sub-commands

Flags:
  -h, --help   help for pro

Use "urlscan pro [command] --help" for more information about a command.

For example:

# get hostname history (ref. https://docs.urlscan.io/apis/urlscan-openapi/hostnames/hostnamehistory)
$ urlscan pro hostname <hostname>
# download a file (ref. https://docs.urlscan.io/apis/urlscan-openapi/files)
$ urlscan pro file <file-hash>

Installation

To upgrade to the latest version:

# macOS (Homebrew)
brew upgrade urlscan/tap/urlscan-cli

# Or download the latest release from GitHub
https://github.com/urlscan/urlscan-cli/releases

For more details, please refer to the urlscan-cli documentation.

urlscan-python

We have also released a new version of urlscan-python.

What’s New

The python library now supports all the pro API endpoints. For example:

import datetime
import os

from urlscan import Pro

with Pro(api_key="<your_api_key>") as pro:
    # iterate over hostname history
    it = pro.hostname("<hostname>", limit=100)
    for result in it:
        print(result)

    # download a file
    with open("downloaded_file", "wb") as file:
        pro.download_file("<file-hash>", file=file)

Installation

To upgrade to the latest version:

pip install --upgrade urlscan-python

For more details, please refer to the official documentation.

Feedback and Support

We would love to get your feedback on these updates. For any suggestions about improvements or further functionality as well as general support and bug reporting, please open a GitHub issue in the respective repositories or reach out to our support team at support@urlscan.io.

urlscan API key activity tracking

Activity tracking tracks the following information per API key and per user:

• The number of requests for: Search API, Result API, Scan API, Livescan
• The last activity timestamp for each of these actions
• Activity statistics available in: minute, hour, day, and month granularity
• Response count grouped by status code: HTTP/200, HTTP/400, HTTP/404, HTTP/429
• The last HTTP User-Agent header observed - This helps to identify the system or code making those requests
• The last IP address observed using this key - This helps to identify the system or code making those requests

Activity tracking is shown in the urlscan.io UI on the API key management and team management pages.

Structured information is available via the following endpoints:

• /api/v1/activity/user
• /api/v1/activity/team

Background

Over the years we have worked with hundreds of customers, some of whom are using urlscan and urlscan Pro with with dozens or even hundreds of individual team members. Those types of customers would typically also have multiple API keys active at any one time: One for their SOAR platform, another one for integration testing, yet more keys for individual research projects. A frequent issue that came up was that customers would eventually lose track of where all of their API keys were active and how much each API key was consuming of their account-wide quota.

The new Activity tracking feature will help urlscan customers to identify issues with their automated urlscan usage more quickly and more confidently.

urlscan is excited to be a sponsor of CYBERWARCON for the third year in a row. We will be attending the conference and you are invited to meet up with us.

Like in the previous years, urlscan will be attending CYBERWARCON 2025 in Arlington, Virginia. We are proud to be sponsoring the conference for the third year in a row.

CYBERWARCON is the premier conference covering state-sponsored cyber threats. Each year it brings together hundreds of professionals from military and government, academia, the media, and the private sector. The conference takes place as a one-day event packed with talks and speakers of the highest caliber.

Connect with urlscan

Our executive team is attending the conference to get in touch with our customer base and get an opportunity to sit down face to face. Whether you are a customer already or just curious about our platform, we invite you to reach out and schedule a meeting with us around the date of the conference itself. Please reach out to info@urlscan.io to get this set up.