Akira, LimeWire, and the Sour Taste of Data Exfiltration

Published: June 12, 2026
By: Lindsey O'Donnell-Welch, Harlan Carvey

Key Takeaways


  • In a recent ransomware attack, a threat actor accessed the victim’s hypervisor and created a new virtual machine (VM) as a staging location from which they launched the Akira ransomware. Because the VM was built by the attacker, it never received the victim’s security tooling.

  • A forensic investigation into the VM contents revealed several of the threat actor’s tactics, including the use of Easyupload.io, a file transfer website owned by the longtime file sharing application LimeWire, as a likely way to exfiltrate staged archives.

  • The attacker moved quickly: within minutes of logging into the VM they disabled Microsoft Defender and installed WinRAR, a legitimate archiving tool that threat actors routinely use to stage data for exfiltration.

  • The use of Easyupload/LimeWire adds to a long list of data exfiltration methods we see threat actors use, including legitimate tools such as backup utilities and cloud storage services.


Acknowledgments: Special thanks to the efforts of Michael Tigges, Anna Pham, Adam Mooney, and Samantha Shaw for their contributions to this investigation.


On May 29, the Huntress SOC detected unauthorized remote access to a domain controller at an organization.

A closer inspection of the incident showed that the threat actor had accessed a hypervisor within the victim’s environment and created a new server instance, using this new virtual machine to stage and launch the Akira ransomware. As this was a newly instantiated virtual machine, it did not have the security tooling employed by the partner, including the Huntress agent, installed.

The VM operated by the threat actor gave us valuable information about the incident and the techniques used by this Akira affiliate. We also used telemetry from Windows Event Logs, Microsoft Edge browser history artifacts, and more to piece together what had happened. One of the more interesting parts of the incident was the threat actor using a file transfer service owned by LimeWire – a file sharing client that you may have accidentally infected your family computer with in the early 2000s – as a likely data exfiltration mechanism.


The incident

When the incident was first reported, the impacted endpoint was taken offline, which limited our insight into some parts of the incident, such as initial access. We were, however, able to see some of the threat actor’s activity in the EDR telemetry that had already been collected.

We detected enumeration activity: the threat actor had used Notepad to open AdUsers.txt and AdComp.txt, output files from enumerating Active Directory users and computers, and was reviewing their contents.

Figure 1: Huntress detection of enumeration activity


The threat actor then pivoted to the organization’s file server, where we saw them using several freely available tools. They used WinRAR, an archival tool we’ve seen in previous attacks, to archive the contents of a share folder. Shortly after, they ran WinSCP, a free, open-source file manager and secure file transfer application, presumably to exfiltrate the staged data. 


A hypervisor twist

Another part of the incident soon emerged: the threat actor had accessed a hypervisor and created a new server instance, using this new virtual machine as a staging location from which they launched the Akira ransomware. 

As this was a newly instantiated virtual machine, it did not have the Huntress agent installed.

This tactic is not unheard of, but the Huntress SOC has rarely observed it, and it is not one we often see employed by ransomware affiliates (in particular, an Akira affiliate). The virtual machine’s disk was provided to Huntress analysts as a Windows virtual hard disk image (VHDX) file.

Figure 2: Virtual Machine File (via Explorer.exe)


To access the contents of the virtual machine, Huntress analysts mounted the VHDX file via the Disk Management utility, as shown in Figure 3, before accessing the NTFS volume via forensic tooling. Two practical points for anyone repeating this: record a hash of the VHDX before touching it, and attach it read-only (Disk Management offers a read-only option when attaching a VHD) so that the analysis itself does not alter the evidence.

Figure 3: Virtual machine mounted via Disk Management utility


Another clue: The VHDX file

This virtual machine was not a pre-existing endpoint that was already running within the environment; this VM was reportedly instantiated by the threat actor. The virtual machine’s contents provided an interesting and insightful view into threat actor activity, even without the visibility provided by the Huntress EDR agent. For example, the analysis showed that the threat actor accessed the new endpoint, and within minutes of logging in, disabled Microsoft Defender, the only default security tooling in place. 

The threat actor then accessed shares and folders on other endpoints within the environment, and installed WinRAR, similar to what had been observed in the initial stages of the incident investigation. 

The threat actor accessed an archive that contained the various cross-platform versions of the Akira file encryptor executable before changing the name of one of those files to akira.exe. 

Next, the threat actor used the Microsoft Edge browser to access Bing and searched for the term “eayupload” [sic] before settling on Easyupload.io, a website that accepts file uploads via drag-and-drop (as illustrated in Figure 4). The site is operated by LimeWire, which was once popular free peer-to-peer music downloading software in the early 2000s, but since 2022 has rebranded into an NFT service and, more recently, a file-sharing platform.

Figure 4: Easyupload.io by LimeWire Website


Shortly after accessing the LimeWire website, presumably to exfiltrate staged archives, the threat actor launched the akira.exe file encryptor against several mounted shares.
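The Bing search and the Easyupload.io visit above came out of the Edge History database on the mounted VHDX. The script below is an added example, not Huntress code or tooling: it rebuilds a visit timeline from a Chromium-format History file (Edge keeps it under <mount>:/Users/<user>/AppData/Local/Microsoft/Edge/User Data/Default/History), converts the WebKit microsecond timestamps, pulls search terms out of search-engine URLs, and flags visits to file-transfer sites. The urls/visits schema is a subset of the real one, the sample rows are constructed to mirror this incident, and UPLOAD_DOMAINS is an assumed watchlist.

```python
"""
Added example (not Huntress code): rebuild a browser timeline from a
Chromium-format History database such as Microsoft Edge's, found on a mounted
image at <mount>:/Users/<user>/AppData/Local/Microsoft/Edge/User Data/Default/History.
The urls/visits schema below is a subset of the real one; the rows are constructed
to mirror the incident and UPLOAD_DOMAINS is an assumed watchlist.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Chromium stores times as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# File-transfer services to highlight in a suspected-exfiltration case (assumption).
UPLOAD_DOMAINS = {"easyupload.io", "limewire.com", "mega.nz", "file.io", "transfer.sh"}


def webkit_to_datetime(us: int) -> datetime:
    """Convert a WebKit microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def search_term(url: str) -> Optional[str]:
    """Return the q= query of a Bing/Google/DuckDuckGo search URL, else None."""
    p = urlparse(url)
    if p.netloc.lower().endswith(("bing.com", "google.com", "duckduckgo.com")):
        q = parse_qs(p.query).get("q")
        return q[0] if q else None
    return None


def is_upload_site(url: str) -> bool:
    """True when the URL's host is, or is under, a watchlisted upload domain."""
    host = urlparse(url).netloc.lower()
    return any(host == d or host.endswith("." + d) for d in UPLOAD_DOMAINS)


def open_history(path: str) -> sqlite3.Connection:
    """Open a History file read-only so the analysis cannot modify the evidence."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_timeline(con: sqlite3.Connection) -> list:
    """Join visits to urls in time order and annotate each visit."""
    rows = con.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v "
        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time"
    ).fetchall()
    return [
        {
            "time": webkit_to_datetime(t).isoformat(),
            "url": url,
            "title": title,
            "search": search_term(url),
            "upload_site": is_upload_site(url),
        }
        for t, url, title in rows
    ]


def make_sample_history() -> sqlite3.Connection:
    """Constructed in-memory History DB mirroring the sequence seen in the incident."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,"
        " typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);"
        "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, transition INTEGER);"
    )
    base = int((datetime(2026, 5, 29, 14, 0, tzinfo=timezone.utc) - WEBKIT_EPOCH).total_seconds()) * 1_000_000
    urls = [
        (1, "https://www.bing.com/search?q=eayupload", "eayupload - Search"),
        (2, "https://easyupload.io/", "Easyupload.io by LimeWire"),
        (3, "https://learn.microsoft.com/", "Microsoft Learn"),
    ]
    # An unrelated visit an hour earlier, then the search, then the upload site 45 s later.
    visits = [(1, 1, base), (2, 2, base + 45_000_000), (3, 3, base - 3_600_000_000)]
    con.executemany("INSERT INTO urls VALUES(?,?,?,0,0,0,0)", urls)
    con.executemany("INSERT INTO visits VALUES(?,?,?,0)", visits)
    return con


if __name__ == "__main__":
    for e in build_timeline(make_sample_history()):
        flag = f"SEARCH={e['search']}" if e["search"] else ("UPLOAD-SITE" if e["upload_site"] else "")
        print(e["time"], e["url"], flag)
```

On a real image, replace make_sample_history() with open_history(path) pointing at the copied History file; the read-only URI matters because SQLite will otherwise create journal files next to the evidence. The typed_count column in urls is also worth pulling on a live case, since a typed URL (as opposed to a clicked search result) tells you the operator already knew where they were going.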


Data exfiltration and more 

The use of Easyupload.io/LimeWire (and of WinSCP in the initial stages of the incident) is only one of many data exfiltration methods we’ve seen threat actors use. Huntress has previously written about exfiltration via finger.exe, via backup utilities such as Restic, and via other utilities including s5cmd. Threat actors have also used MEGAsync and other cloud storage services.

Another piece of the analysis of the VM that stuck out to us is how quickly the threat actor progressed through their attack. Aside from immediately disabling Microsoft Defender so that they could launch the file encryptor uninhibited, there were no other defense evasion or anti-forensics techniques employed. 

The VM itself was not modified in any way to hide, obfuscate, or simply not record the artifacts and toolmarks included in this analysis. As a result, log entries and other toolmarks provided a clear roadmap of the threat actor’s activities, including both the sequence and the timing of their progression to ransomware deployment. The creation of the VM was clearly intentional: it let the threat actor sidestep the customer’s security stack entirely rather than having to evade it.


Mitigations

Due in no small part to the breadth of our customer base, the Huntress SOC analyzes a wide range of threat actor activity, including ransomware deployment as we saw in this incident. As Huntress has noted before, even when a specific variant or family of ransomware is deployed, the attack itself may unfold quite differently from what has previously been observed, because the ransomware-as-a-service (RaaS) affiliate model leaves tradecraft up to each affiliate. Huntress has shared information about Akira affiliates before; this incident offered an unusual vantage point, the affiliate’s own staging VM.

For organizations, this incident underscores the need to monitor environments for unusual or malicious access, and to watch for the addition or creation of new endpoints within the environment. In practice that means alerting on hypervisor management logins and VM creation, and regularly reconciling the hypervisor’s own VM inventory against the endpoints that carry security agents: a VM the attacker builds will never show up in the EDR console, so the gap has to be found from the hypervisor side.
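One way to do that reconciliation, as an added example that is not Huntress code or part of its product: take the hypervisor’s VM list (for Hyper-V, the output of Get-VM and Get-VMNetworkAdapter; for vSphere, an inventory export) and diff it against the agent console’s host export, matching on guest hostname first and falling back to MAC address for VMs whose display name differs from the guest name. Both inventories below are constructed sample data; the field names, the 24-hour “new VM” window, and the severity scheme are assumptions.

```python
"""
Added example (not Huntress code): reconcile a hypervisor's VM inventory against
the endpoints that have a security agent installed, and flag VMs the agent
console cannot see. Both inventories are constructed sample data; the field
names, the 24-hour "new VM" window and the MAC fallback are assumptions.
"""
from datetime import datetime, timedelta, timezone


def norm_host(name: str) -> str:
    """Short, case-folded hostname so 'FS01.corp.local' matches 'fs01'."""
    return name.split(".")[0].strip().lower()


def norm_mac(mac: str) -> str:
    """'00-15-5D-01-02-03' and '00:15:5d:01:02:03' compare equal."""
    return mac.replace("-", "").replace(":", "").lower()


def find_unmanaged_vms(hypervisor_vms, agent_hosts, now, new_window=timedelta(hours=24)):
    """Return VMs with no matching agent, highest severity and newest first.

    hypervisor_vms: dicts with name, guest_hostname (may be None), macs, state, host, created
                    (e.g. built from Hyper-V Get-VM / Get-VMNetworkAdapter output)
    agent_hosts:    dicts with hostname, macs (from the EDR/agent console export)
    """
    agent_names = {norm_host(h["hostname"]) for h in agent_hosts}
    agent_macs = {norm_mac(m) for h in agent_hosts for m in h.get("macs", [])}
    findings = []
    for vm in hypervisor_vms:
        # Prefer the guest's own hostname (integration services / guest tools);
        # fall back to the VM display name when the guest has not reported one.
        candidate = vm.get("guest_hostname") or vm["name"]
        if norm_host(candidate) in agent_names:
            continue
        if any(norm_mac(m) in agent_macs for m in vm.get("macs", [])):
            continue
        age = now - vm["created"]
        if vm["state"] == "Running" and age <= new_window:
            severity = "high"       # new and live: the staging-VM pattern from this incident
        elif vm["state"] == "Running":
            severity = "medium"     # long-lived but unmonitored
        else:
            severity = "low"        # powered off; still a coverage gap to close
        findings.append({
            "vm": vm["name"], "host": vm["host"], "state": vm["state"],
            "age_hours": round(age.total_seconds() / 3600, 1), "severity": severity,
        })
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["age_hours"]))


NOW = datetime(2026, 5, 29, 16, 0, tzinfo=timezone.utc)

# Constructed sample inventories: two managed servers, one attacker-style new VM,
# one powered-off template.
HYPERVISOR_VMS = [
    {"name": "DC01", "guest_hostname": "DC01.corp.local", "macs": ["00-15-5D-01-02-03"],
     "state": "Running", "host": "HV01", "created": NOW - timedelta(days=900)},
    {"name": "FS01", "guest_hostname": "fs01", "macs": ["00-15-5D-01-02-04"],
     "state": "Running", "host": "HV01", "created": NOW - timedelta(days=700)},
    {"name": "New Virtual Machine", "guest_hostname": None, "macs": ["00-15-5D-01-02-99"],
     "state": "Running", "host": "HV01", "created": NOW - timedelta(hours=3)},
    {"name": "WIN10-TEMPLATE", "guest_hostname": None, "macs": [],
     "state": "Off", "host": "HV01", "created": NOW - timedelta(days=400)},
]
AGENT_HOSTS = [
    {"hostname": "dc01", "macs": ["00:15:5d:01:02:03"]},
    {"hostname": "FS01.corp.local", "macs": ["00:15:5d:01:02:04"]},
]

if __name__ == "__main__":
    for f in find_unmanaged_vms(HYPERVISOR_VMS, AGENT_HOSTS, NOW):
        print(f"[{f['severity'].upper()}] {f['vm']} on {f['host']} "
              f"({f['state']}, {f['age_hours']}h old) has no agent")
```

Run this on a schedule and treat a "high" finding as an incident, not a ticket: in the case above the attacker went from first login on the new VM to launching the encryptor in a short window, so a daily report would have been too slow. The MAC fallback is there because an attacker-created VM reports no guest hostname to the hypervisor until integration services are running, and its display name ("New Virtual Machine") will never match anything in the agent console.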


Indicators of Compromise (IoCs)

Item        | Description
------------|------------------------------------------------------------
AdUsers.txt | Opened in Notepad during Active Directory user enumeration
AdComp.txt  | Opened in Notepad during Active Directory computer enumeration
Akira.exe   | Akira encryptor file. SHA256: 131877a052f62750d815cf55d4c14f606a26025e3094e1b8bb18bd1668e3beaa
Categories: Cybersecurity Education