Max Rogers
@maxrogers5.com
Sr. Director of SOC at Huntress. Ex-Mandiant/FireEye. Bringing security to the Fortune 5,000,000.
🚨 @HuntressLabs identified active exploitation of a Local File Inclusion vulnerability affecting Gladinet CentreStack and Triofox systems.

A temporary workaround is available while a patch is in development:

www.huntress.com/blog/gladine...
Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw | Huntress
Huntress has observed in-the-wild exploitation of a Local File Inclusion vulnerability in Gladinet CentreStack and Triofox products.
www.huntress.com
October 10, 2025 at 2:22 AM
1⃣ The Huntress team uncovered a campaign by a likely China-nexus threat actor. The most novel finding is use of a publicly available tool called Nezha as a post-exploitation C2 agent. This is the first public reporting of the tool I've seen.

www.huntress.com/blog/nezha-c...
The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors | Huntress
Beginning in mid-2025, Huntress discovered a new tool being used to facilitate webserver intrusions known as Nezha, which up until now hasn’t been publicly reported on. This was used in tandem with ot...
www.huntress.com
October 10, 2025 at 1:53 AM
Realizing the software getting exploited is owned by the same parent company that had a different app getting mass exploited in recent years.
[GIF: SpongeBob SquarePants sitting at a table with a cup of coffee in a diner]
August 22, 2025 at 5:44 PM
The gift that keeps on giving.
July 15, 2025 at 7:24 PM
Macs don't get viruses, right? 🍏

Deepfake Zoom calls. AppleScript lures. Rosetta 2 abuse.

Plenty of custom malware: Nim backdoor, Go infostealer, Obj-C keylogger, and more!

Amazing write-up by @re.wtf , @stuartjash.bsky.social and Jonathan Semon 🔥

🔗 www.huntress.com/blog/inside-...
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress
Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.
www.huntress.com
June 18, 2025 at 9:13 PM
As more companies deploy the Huntress SIEM, we've enjoyed finding the "Door Rattlers"🚪

We see an attacker failing to log in across a number of environments and then eventually succeeding in 1 organization.

Stopping attacks at initial access ❤️
May 22, 2025 at 12:49 AM
I hate Comcast.
April 26, 2025 at 11:18 PM
Reposted by Max Rogers
Huntress has observed in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in the Gladinet CentreStack enterprise file-sharing platform.
April 14, 2025 at 12:53 AM
All of these advances in AI and yet I still can't pass over a 1 page document and get a companion slide deck that doesn't look insane 🤦
April 7, 2025 at 2:32 PM
Reposted by Max Rogers
🌟New report out today!🌟

Fake Zoom Ends in BlackSuit Ransomware

Analysis and reporting completed by @pigerlin, UC1 and @Miixxedup

Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/03/31/f...
Fake Zoom Ends in BlackSuit Ransomware
Key Takeaways The threat actor gained initial access by a fake Zoom installer that used d3f@ckloader and IDAT loader to drop SectopRAT. After nine days of dwell time, the SectopRAT malware dropped …
thedfirreport.com
March 31, 2025 at 11:38 AM
Why are most "work management" tools still worse than a Google Sheet?
March 31, 2025 at 3:22 PM
Want some entertainment? Our Tradecraft Tuesday show is LIVE right now: www.youtube.com/watch?v=5_H3...

Come listen to @antonlovesdnb.bsky.social and Dray Agha discuss tradecraft we're seeing in the wild.
Tradecraft Tuesday | The Most Boring (Not Really) Tradecraft Tuesday Ever
YouTube video by Huntress
www.youtube.com
March 11, 2025 at 5:07 PM
It pains me when organizations take their limited security budgets and get tricked into buying products that don't lead to exponential value.

Heck these days, lots of VPN and Firewall products are the direct source of business ending intrusions.
March 10, 2025 at 5:43 PM
netscan.exe, psexec.exe, mstsc.exe, netsh.exe, reg.exe
March 3, 2025 at 9:10 PM
Reposted by Max Rogers
ICYMI: In July 2023, Curated Intel members shared a brand new resource for the community called 'The Threat Actor Profile Guide for CTI Analysts'.

The Threat Actor Profile Guide for CTI Analysts (curatedintel.org)
The Threat Actor Profile Guide for CTI Analysts
Threat actor profiles are made for a range of reasons. An example trigger for creating  a new profile can include after an incident, e.g., a...
www.curatedintel.org
August 8, 2023 at 11:22 AM
Attackers love taking over M365 identities 😬 In the past ~60 days, Huntress has tracked phishing pages used to steal M365 sessions. Seeing `.com` isn't surprising but having `.online` in second place caught my eye 👀

Interested in Adversary in the Middle attacks? www.huntress.com/blog/unmaski...
February 25, 2025 at 1:43 PM
When the SOC sees an RDP login and the source IP is a datacenter.
February 15, 2025 at 12:07 AM
Wow, we're finding some scary stuff! All credit to HuskyHacks and the rest of the #ITDR team at Huntress.

For the past 6 months, Huntress has been investigating OAuth abuse – and what we found is terrifying. 🧵👇

www.huntress.com/blog/never-j...
6 Months of Researching OAuth Application Attacks | Huntress
There’s never just one termite. Huntress has spent the last 6 months researching and cracking down on malicious OAuth applications. Read about what we’ve found in this blog!
www.huntress.com
February 13, 2025 at 9:37 PM
Didn’t yell MUSTARD long enough for me, personally.
February 10, 2025 at 1:40 AM