What if a threat actor accidentally handed you 90 days of their own playbook?
That's exactly what happened. A cybercriminal clicked a Google ad, signed up for a free trial, and installed our endpoint agent on their own attack box — giving us a fly-on-the-wall seat to watch a live offensive operation unfold.
We're talking real browser history, real tooling, real AI-assisted phishing pipelines targeting banks, real estate firms, and crypto exchanges. Automated bots. Proxy evasion. Cookie harvesting. All of it, accidentally self-documented.
This is the rarest kind of threat intel — and we're walking through all of it.
Don't miss it.
August 5 | 4:25pm | Theater B
Jamie Levy
Senior Director, Adversary Tactics
Most security tools don't talk to each other. That’s why Huntress built a managed platform that weaves together your endpoints, identities, logs, and threat data into one view. And it’s all backed by a 24/7 AI-centric SOC actively working in your environment. Stop by the booth to see it in action. While you’re there, ask your hardest questions and grab a few giveaways.
3/23 | 2:20pm PDT - 3:10pm PDT | HTA-M07
Anna Pham | Senior Hunt & Response Analyst, Huntress
SocGholish is one of the most effective initial access operations feeding ransomware groups like RansomHub. This session will break down findings from 100+ real-world SocGholish cases, tracing its evolution and exposing payloads including the advanced GhostWeaver backdoor. Attendees will leave with detection and mitigation strategies to stop SocGholish before it opens the door to ransomware.
3/24 | 8:30am - 9:20am PDT | HT-T01
Jenko Hwong | Principal Threat Researcher, Huntress
With Storm-2372 (2025), Russian threat actors used OAuth Device Code Phishing to abuse the device registration process to hijack the Primary Refresh Token. This session will recreate the attack, compare valid activity, showing logging, access policies, and detection rules. Attendees will take away concrete implementation guidance and what can be changed to mitigate/detect/respond more effectively.
3/24 | 8:30am - 10:30am PDT | LAB2-T01
Edward Crowder | Principal Research, Crowder Enterprise Consulting
Anna Pham | Senior Hunt & Response Analyst, Huntress
Dive deep into a real two-month Latrodectus intrusion using Elastic Stack, CyberChef, Volatility, and Wireshark. Participants will hunt through network traffic, memory dumps, and SIEM data to uncover the complete attack chain from JavaScript loader to data exfiltration. Gain hands-on experience with industry-standard tools while building practical threat hunting skills.
3:00pm-3:15pm - Five Security Myths Attackers Love
3:30pm-3:45pm - BYOVD - Bring Your Own Vulnerable Driver
4:00pm-4:15pm - Advanced Simulated Phishing: A Case Study
4:30pm-4:45pm - From the Darknet to Your Network
5:30pm-5:45pm - Nasty OAuth Attacks: Session Hijacking, Phishing, SSO Abuse and more
11:00am-11:15am - Your Malware Infection is Just Three RMMs in a Trenchcoat
12:00pm-12:15pm - Advanced Simulated Phishing: A Case Study
12:30pm-12:45pm - Agentic Log Ingestion and Automated Malware Triage
1:00pm-1:15pm - Five Security Myths Attackers Love
1:30pm-1:45pm - BYOVD - Bring Your Own Vulnerable Driver
Our 24/7 AI-Centric SOC pairs elite threat analysts with AI to help you catch and contain LOTL attacks before they spread. We provide the agile detection and fast response you need to maintain business operations, protect your reputation, and keep your mind at ease.
Lock in 20 minutes with the Huntress team at Black Hat to get face-to-face time, knock out your biggest questions, and walk away with a clear, actionable plan for your security stack.
