The latest articles on DEV Community by Haider Khan (@shadowhunter89). https://dev.to/shadowhunter89 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3805945%2F9b7841bb-7e31-42f6-96ae-4a5fffd6722e.png https://dev.to/shadowhunter89 en Haider Khan Wed, 04 Mar 2026 13:57:01 +0000 https://dev.to/shadowhunter89/ghostwatch-an-open-source-covert-channel-detector-for-dns-tunneling-icmp-http-c2-beaconing-and-2lkm https://dev.to/shadowhunter89/ghostwatch-an-open-source-covert-channel-detector-for-dns-tunneling-icmp-http-c2-beaconing-and-2lkm <p>I built GhostWatch to detect what enterprise tools like Darktrace and <br> Vectra Miss—covert channels hidden inside normal-looking DNS, ICMP, <br> and HTTP traffic.</p> <p>It uses entropy analysis and behavioral detection instead of signatures. <br> so it catches real APT techniques like OilRig DNS tunneling and <br> SUNBURST-style beaconing.</p> <p>GitHub: <a href="https://github.com/ShadowHunter89/ghostwatch" rel="noopener noreferrer">https://github.com/ShadowHunter89/ghostwatch</a></p> <p>Would genuinely appreciate feedback from anyone who works in networks. <br> security or blue team. Still early stage.</p> networking opensource security showdev