Unfurl v2025.02 Released
Unfurl v2025.02 adds parsing of obfuscated IP addresses, more Bluesky timestamps, and more!
A new Unfurl release is here! v2025.02 adds new features and some fixes, including:
- Parsing of IP addresses, including encoded or obfuscated variants
- Resolving Bluesky handles to their backing identifiers (DIDs), and then looking up that DID in the plc.directory audit log to find its creation timestamp
- Bug fixes and speed enhancements for bulk parsing
This is a relatively small release, but in addition to the new features, it fixes a few bugs (see the full changelog on the GitHub release page). Get it now, or read on for more details about the new features!
Parsing of IP Addresses (in many forms)
Unfurl previously only parsed domain names, but it can now correctly recognize IP addresses: not just IPs as they most typically appear (like 8.8.8.8 or 10.0.0.1), but also other forms that attackers often use to try to obscure the actual destination (like http://example.com@1157586937). Below are more supported examples (from a Trustwave report); all examples point to a Google IP:
- Dotted decimal IP address: https://216.58.199.78 (the most common)
- Octal IP address: https://0330.0072.0307.0116 (convert each decimal number to octal)
- Hexadecimal IP address: https://0xD83AC74E (convert each decimal number to hexadecimal)
- Integer or DWORD IP address: https://3627730766 (convert hexadecimal IP to integer)
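The normalization described above, as an added example (not Unfurl's own code): a decoder that follows the lenient inet_aton-style rules many URL clients apply, so it also handles mixed and shortened forms beyond the four listed. The names `decode_host`, `real_destination` and `SAMPLES` are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One host component: hex (0x..), octal (leading 0), or plain decimal.
_PART = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*")


def decode_host(host):
    """Return the IPv4Address a lenient resolver would use, or None."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    values = [
        int(p, 16) if p.startswith("0x") else int(p, 8) if p.startswith("0") else int(p)
        for p in parts
    ]
    # Leading components are one byte each; the last fills the remaining bytes.
    *head, last = values
    if any(v > 0xFF for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ipaddress.IPv4Address(addr)


def real_destination(url):
    """Decode the host a URL actually targets, ignoring any user@ decoy."""
    host = urlsplit(url).hostname  # text after the last '@', without the port
    return decode_host(host) if host else None


# The first four URLs are the examples listed on this page; the fifth is the
# page's userinfo example, where "example.com" is only a username.
SAMPLES = [
    "https://216.58.199.78",
    "https://0330.0072.0307.0116",
    "https://0xD83AC74E",
    "https://3627730766",
    "http://example.com@1157586937",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:32} -> {real_destination(url)}")
```

Comparing the decoded address against the host as written is a simple way to flag URLs whose numeric form differs from plain dotted decimal.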
Parsing and Lookups of Bluesky Handles
Unfurl added support for parsing the embedded timestamps out of Bluesky post IDs ("TIDs") in the v2024.11 release; this latest release adds the ability to resolve a Bluesky handle to its underlying `did`, then consult the plc.directory audit log to see when that `did` was created.
unfurl.ini file.
Get it!
Those are the major items in this Unfurl release. There are more changes that didn't make it into the blog post; check out the release notes for more. To get Unfurl with these latest updates, you can:
- use it online at dfir.blog/unfurl or unfurl.link
- if using pip, `pip install dfir-unfurl -U` will upgrade your local Unfurl to the latest
- View the release on GitHub
All features work in both the web UI and command line versions.