Huntress (huntress.com, @huntress.com)
Managed endpoint protection, detection and response designed to help the 99% fight back against today’s cybercriminals.
Timeline of the Attack:
🕛 00:45:43 UTC – VPN Compromise
➡️ A brute-force attack led to initial access. This was discovered through retrospective forensic analysis
➡️ Huntress' SIEM would have caught this had it been deployed in the network
May 13, 2025 at 4:31 PM
🔑 Followed up with brute-force credential attacks tied to known Makop tooling.
🚀 Lateral Movement & Persistence: Deployed a renamed Mesh Agent via PsExec.
🔍 Attempted to disguise their remote access tool as a benign binary (wvspbind.exe).
May 8, 2025 at 3:30 PM
The bad guys authenticated using a suspicious IP and workstation name. But as you check out below, they began to stage files in the “Music” directory on the host.

Moving quickly, they pivoted to deleting shadow copies to prevent recovery after encryption.
May 6, 2025 at 3:42 PM
[email protected] is a modern-day Doc Holliday. A lawman so feared that threat actors flee at the mere mention of his name…

Introducing Celestial Stealer, a notorious infostealer with a surprising connection to Huntress.
May 5, 2025 at 3:27 PM
✅ The attacker used a compromised VPN account (no MFA) to log in with a malicious device.
✅ Explored the network, hid findings in a shady folder, & dug through browser cookies for auth info.
✅ Files were staged on the network file server, ready for exfiltration or encryption.
April 30, 2025 at 7:40 PM
Huntress continues to observe in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in Gladinet CentreStack and Triofox
April 22, 2025 at 1:07 PM
A threat actor brute forced a manufacturer's VPN appliance 🏭 Here’s what happened👇

📌 Successfully compromised one account for initial access
📌 Enumerated the domain, focusing on trust relationships and domain controllers
📌 Modified the registry and local firewall to enable lateral RDP movement
April 17, 2025 at 2:57 PM
➡️ A suspected ransomware group impaired Windows Defender using registry modifications to exclude *.DLL
➡️ Then, with Windows Defender on the fritz, they dropped a malicious GoLang DLL payload: rundll32.exe C:\ProgramData\HP\Installer\Temp\filter.dll,Entry
April 16, 2025 at 3:29 PM
➕At the time of writing, Huntress has seen seven different orgs compromised
➕The flaw was recently added to CISA’s Known Exploited Vulnerabilities database and is related to hardcoded keys set by default in CentreStack’s configuration file
April 14, 2025 at 12:53 AM
Threat actors can gain access to your network through an account that’s already on your system.

The built-in Windows Guest account is often overlooked because it’s usually disabled by default—but that’s exactly what makes it a stealthy tool for attackers to exploit.
April 8, 2025 at 5:19 PM
Threat actors used CrushFTPService.exe in order to then install an AnyDesk RMM instance, using the commands below:
April 7, 2025 at 6:10 PM
CVE-2025-31161 is the latest example of a critical severity authentication bypass vulnerability in CrushFTP, a growing trend we’re seeing from attackers targeting managed file transfer (MFT) platforms.
April 4, 2025 at 9:56 PM
Things you might spot in a #smishing text ⬇️

✅ Sketchy phone number: Pretty sure the USPS isn’t sending out texts from the Philippines

✅ Unclickable links: On the off chance it actually was the USPS, they’d send a link you can click without basically having to solve a riddle
April 1, 2025 at 6:19 PM
✅ The telemetry gave our analysts a pivot point to trace the identity theft source
✅ They reviewed the endpoint and found evidence of the phish kit and landing page used to steal the victim’s credentials

Investigations don’t always start and end at an endpoint or in the cloud.
March 24, 2025 at 2:39 PM
Do you detect phishing from the endpoint or the cloud? 🎣 If you’re part of our Security Operations Center, the answer’s both. Here’s an example 👇

✅ A proactive, human-led investigation led to our SOC identifying a potentially compromised Microsoft 365 identity
March 24, 2025 at 2:39 PM
✅ Splashtop beaconed to the malicious public IP
✅ Transferred and ran credential dumping tools with Splashtop

Our SOC reacted fast—analyzed the attack, isolated the network, and shut down the persistence path.
March 12, 2025 at 6:41 PM
Here’s an example of VPN compromise 👇

✅ It’s a super common technique we see all the time
✅ Affects businesses of every size
✅ Usually caused by a simple configuration mistake, like an account without MFA enabled

Yet it can often lead to network-wide compromise 😟
March 10, 2025 at 5:32 PM
🍞 They scanned the network using netscan.exe
🍩 Prepped for lateral movement with PsExec.exe
🥩 Opened the door for further RDP ingress by modifying firewall rules and registry settings

Good news: our SOC stepped in and shut down the threat.
March 4, 2025 at 7:51 PM
A ransomware actor compromised a sport club’s network 🏌️

Here’s what went down 👇

✅ They prepared to launch ransomware by deleting volume shadow copies
✅ Attempted to frustrate defenders by clearing the logs and neutralizing defenses
February 20, 2025 at 5:05 PM
➡️ Deployed a malicious Cobalt Strike beacon named x64.exe
➡️ Tried to install an attacker-controlled ScreenConnect instance

Our Managed Defender configuration stopped the threat early. Then our SOC isolated the machine, found the root cause, and shut the intrusion down.
February 17, 2025 at 3:29 PM
If you administer at least one Microsoft 365 tenant, you might find some surprising results if you audit your #OAuth applications 👀

Statistically speaking, there’s a good chance your tenant is infected with a rogue app that could be malicious 😱
February 13, 2025 at 5:24 PM
In this example, a malicious PDF promises a user details on a “salary bonus scheme”—but only if they scan the QR code.

Except on the other end of that QR code, they wouldn’t find any bonus, just an attempt to phish their credentials. But our SOC shut it down before that could happen 💪
February 12, 2025 at 10:02 PM