Threat View from the Lens of Huntress Adversary Tactics: April 2026

Threats Seen in the SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

The AI that fixed the fan but missed the miner

The Huntress SOC responded to a Linux compromise where the victim had introduced a third party to the chaos: OpenAI's Codex, tasked with responding to symptoms of malicious behavior (in this case, loud fans caused by cryptomining malware).

Codex silenced the fans. The cryptominer kept mining.

Meanwhile, the AI-generated commands looked like threat actor tradecraft, leaving analysts to pick through the wreckage one signal at a time and separate the AI's "help" from the actual threat. What they found underneath: CVE-2025-55182 (React2Shell) exploitation, eight persistence mechanisms, and 15 categories of exfiltrated data, including SSH keys, cloud creds, and API tokens. AI got a C+. The SOC cleaned up the mess.

What Codex found and missed

The Takeaway

Don’t get us wrong: AI has its uses. But incidents like this show the value of experienced human experts behind the tools, people who know how to run telemetry-driven investigations. Check out our blog post by James Northey and John Hammond on this incident (parts one and two).


A $10 domain registration away from 25K compromised endpoints

What started as an adware alert turned into something far nastier. Researchers found that Dragon Boss Solutions LLC was silently deploying ClockRemoval.ps1, a SYSTEM-level AV killer targeting Malwarebytes, Kaspersky, ESET, and others. It could kill processes, poison the hosts file to block AV updates, strip registry entries, and carve out Defender exclusions for future payloads. And here’s the kicker: the primary C2 domain was unregistered. 😳 Huntress grabbed it first, sinkholed it, and watched 23,565 infected endpoints check in, including universities, OT networks, and government entities across 124 countries.
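One of the AV killer's tricks described above, pinning security-vendor domains in the hosts file so updates never arrive, is easy to check for. The following is an added example, not Huntress code and not the logic of ClockRemoval.ps1: it parses a hosts file and flags any mapping for a watched domain, classifying it as a sinkhole (loopback or unspecified address) or a redirect. The WATCHLIST domains and the sample hosts content are constructed placeholders; substitute the update and telemetry domains of the products you actually run.

```python
import ipaddress
import re

# Added example, not Huntress code and not ClockRemoval.ps1 logic: detect hosts-file
# entries that pin security-vendor domains to a sinkhole, the trick an AV killer uses
# to block signature updates. WATCHLIST entries are constructed placeholders.

WATCHLIST = {"updates.example-av.test", "telemetry.example-edr.test"}
SINKHOLES = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "::1/128", "::/128")]
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S.*?)\s*$")

SAMPLE_HOSTS = """\
# constructed sample, not a captured hosts file
127.0.0.1   localhost
::1         localhost
0.0.0.0     updates.example-av.test          # typical AV-killer entry
0.0.0.0     cdn.updates.example-av.test
10.0.0.5    intranet.corp.test
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for each mapping, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        m = HOSTS_LINE.match(raw.split("#", 1)[0])
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                                       # not a hosts mapping
        for name in m.group(2).split():
            yield n, addr, name.lower().rstrip(".")


def watched(name, watchlist):
    """True for a watched domain or any subdomain of one."""
    return name in watchlist or any(name.endswith("." + w) for w in watchlist)


def find_poisoned(text, watchlist=WATCHLIST):
    """Any hosts mapping for a watched domain is abnormal; classify sinkhole vs redirect."""
    findings = []
    for n, addr, name in parse_hosts(text):
        if watched(name, watchlist):
            kind = "sinkhole" if any(addr in net for net in SINKHOLES) else "redirect"
            findings.append({"line": n, "host": name, "ip": str(addr), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_poisoned(SAMPLE_HOSTS):
        print(f)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on macOS and Linux it is `/etc/hosts`. A legitimate environment rarely has any mapping for a vendor's update domain, so the redirect case is worth an alert too, not only the sinkhole case.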

The attack chain

The Takeaway

Don't sleep on PUPs. Read the full breakdown here by James Northey and Ryan Dowd.


Right place, right time, wrong permissions

Time-of-Check to Time-of-Use (TOCTOU) race condition bugs were all over the place this month (see our BlueHammer findings below). Ryan Dowd found a TOCTOU bug in macOS while reviewing Apple EDR integrations.

TOCTOU bugs are caused by the tiny window of time between when a program checks a condition and when it actually performs an action based on that check. Attackers can sneak in during that split second and change the state of the system. This makes the program's "check" invalid, opening the door for malicious activities.

In this case, exploitation of the bug can enable attackers without admin privileges to delete content protected by the Transparency, Consent, and Control (TCC) framework, a key component of Apple’s privacy controls. To exploit the flaw, an attacker would need to hit that timing window precisely.
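To make the check-then-act window concrete, here is an added example (not Huntress code and not the macOS bug itself) on a POSIX filesystem in Python. `open_racy` validates a path with `lstat` and then opens the path again, so whatever the directory entry names at the second call wins. `open_checked` opens first, refuses to follow symlinks, and validates the descriptor it actually holds, so the check and the use refer to the same inode. The `window` callback stands in for the scheduling gap between the two system calls; the demo uses it to swap a regular file for a symlink, which is what a racing process would do.

```python
import os
import stat
import tempfile

# Added example, not Huntress code and not the macOS bug: a generic check-then-act
# window on a POSIX filesystem, with the descriptor-based pattern that closes it.


def open_racy(path, expected_uid, window=None):
    """Check the path, then open the path: two calls, one exploitable gap."""
    st = os.lstat(path)                                   # check
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        raise PermissionError("check failed")
    if window:
        window()                                          # the TOCTOU window: entry may change here
    return os.open(path, os.O_RDONLY)                     # use: follows whatever the name points at now


def open_checked(path, expected_uid, window=None):
    """Open first without following symlinks, then validate the object actually held."""
    if window:
        window()                                          # nothing trusted yet, so timing no longer matters
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)   # symlink -> ELOOP
    try:
        st = os.fstat(fd)                                 # check the inode behind fd, not the name
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            raise PermissionError("check failed")
    except BaseException:
        os.close(fd)
        raise
    return fd


def read_and_close(fd):
    try:
        return os.read(fd, 64).decode()
    finally:
        os.close(fd)


def demo():
    """Run both versions against a constructed directory; returns (racy, checked)."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")             # stands in for protected content
        for p, content in ((public, "public"), (secret, "secret")):
            with open(p, "w") as f:
                f.write(content)

        def swap():                                       # what a racing process would do
            os.unlink(public)
            os.symlink(secret, public)

        racy = read_and_close(open_racy(public, os.getuid(), swap))   # ends up reading "secret"

        os.unlink(public)                                 # reset the entry for the hardened run
        with open(public, "w") as f:
            f.write("public")
        try:
            checked = read_and_close(open_checked(public, os.getuid(), swap))
        except OSError:
            checked = "refused"                           # O_NOFOLLOW rejected the symlink
        return racy, checked


if __name__ == "__main__":
    print(demo())
```

The same principle applies to deletion and other privileged filesystem operations: act on descriptors relative to a directory you have already validated (`unlinkat` against a trusted directory fd), or drop to the caller's privileges so the kernel performs the permission check at the moment of the operation, rather than re-resolving a path you checked a few microseconds earlier.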

An Apple bug was found during an EDR integration review

The flaw has been reported to Apple and is currently being triaged by their security team.

Tactical Response

Our Tactical Response team was developed as a separate function within our SOC for deep dives into intrusions and to answer partners’ questions outside the scope of 24x7 SOC operations. It helps bridge the gap between routine SOC operations and formal incident response. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

PoC to production: BlueHammer hits a real target

While investigating an intrusion, the Huntress SOC caught live use of proof-of-concept (PoC) tooling released by a researcher under the alias “Nightmare-Eclipse.”

BlueHammer (CVE-2026-33825), RedSun, and UnDefend, three publicly available Windows Defender privilege escalation and disruption tools, were staged in a victim's Pictures folder and executed against a real target. The actor achieved initial access with compromised FortiGate SSL VPN credentials. A previously undocumented Go-based tunneling tool, BeigeBurrow, was also spotted beaconing to attacker C2.

Nightmare-Eclipse released BlueHammer, RedSun, and UnDefend

The Takeaway

Here’s the good news: the threat actor fumbled the execution, and none of the exploits succeeded. But there’s also bad news: UnDefend and RedSun remain unpatched. Read the full breakdown by Anna Pham and Michael Tigges. Also: special thanks to Dani Lopez, Tanner Filip, Anton Ovrutsky and John Hammond for their investigation into this.


CVE-2026-1731: the RMM vulnerability that keeps on giving

The Huntress SOC has been tracking Bomgar RMM exploitation via CVE-2026-1731 since February. We recently saw an uptick in attacks in April, with two incidents sticking out in particular:

  • On April 15, one compromised MSP account triggered the mass isolation of 78 downstream businesses
  • On April 14, ransomware tore through three organizations via a dental software company's Bomgar instance

The attacker playbook included rogue Domain Admin accounts, AnyDesk and ScreenConnect instances layered in for persistence, EDR tooling killed via BYOVD drivers, and LockBit 3.0 deployment.

Bomgar RMM incidents

The Takeaway

Bomgar versions prior to 25.3.2 are still exposed: this one's not over. Learn more in this post by Josh Allman.

Threats Around the World

One OAuth grant, one compromised tool, one bad day for Vercel

On April 19, Vercel confirmed unauthorized access to internal systems tracing back to Context.ai, a third-party AI productivity tool used by a Vercel employee. The attacker used that access to take over the employee's Vercel Google Workspace account, which enabled them to gain access to that employee's Vercel account. From there, they pivoted into internal environments to enumerate and decrypt non-sensitive environment variables. A Lumma Stealer infection of a Context.ai employee in February 2026 appears to have started the chain. A threat actor claiming to be ShinyHunters posted the stolen data on BreachForums with a $2 million asking price. If you store unencrypted secrets in Vercel environment variables, rotate them now.


Bitwarden CLI compromised in supply chain attack

Another day, another supply chain attack. A malicious version of the Bitwarden CLI package (@bitwarden/[email protected]) was published in April. The rogue package executed a preinstall hook that stole GitHub and npm tokens, SSH keys, .env files, shell history, GitHub Actions secrets, and cloud credentials, exfiltrating everything to attacker-controlled domains. The attack appears to have leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.


Claude Mythos preview: What security teams need to know

On April 7, Anthropic released Claude Mythos Preview under Project Glasswing, a deliberately restricted rollout to a small group of vetted partners. The reason for the tight leash is straightforward: Anthropic claims that Mythos has found unpatched zero-days across major operating systems, including a flaw that sat undetected in OpenBSD for 27 years. Anthropic stated it has no plans to make Mythos generally available. Governments are watching closely, and the UK AI Security Institute has already begun an independent evaluation. The offense-defense balance question this raises is one that the security community will be debating for a while.

Rapid Responses

At Huntress, we spin up “Rapid Responses” when there is a vulnerability or threat being used by attackers to escalate the deployment of malware at scale. When we hear about a potential vulnerability, the Adversary Tactics team works across Huntress to figure out the potential impact, update our customers, and provide documentation for the security community. Here is one incident we handled in the last month:

Supply chain compromise of the axios npm package

On March 30, an attacker compromised the npm credentials of axios's lead maintainer and published two backdoored versions of the library. axios is one of the most widely used JavaScript packages in the world, with over 100 million weekly downloads. The malicious versions silently injected a phantom dependency that executed a post-install hook, dropping a cross-platform RAT on macOS, Windows, and Linux with no user interaction required. The first Huntress-monitored infection landed 89 seconds after the malicious package was published. Within the three-hour exposure window, 135 Huntress-monitored endpoints contacted the C2.

Huntress EDR detecting the execution of this attack chain

The malicious packages are now removed and the C2 is offline, but any system that ran npm install during the window should be treated as fully compromised. Rotate all credentials accessible from affected systems. Huntress researchers wrote a Rapid Response blog post.
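Both the Bitwarden CLI and the axios incidents above share a shape: a new or updated package arrives with an install-time hook, and in the axios case the hook lives in a dependency that was never there before. The following is an added example, not Bitwarden's, axios's or Huntress's code, of two checks to run on `package-lock.json` before trusting an update. npm lockfiles (lockfileVersion 2 and 3) mark packages that declare preinstall, install or postinstall hooks with `hasInstallScript`, so a diff of the `packages` map against the previous lock surfaces new packages, version changes, and the dangerous intersection of the two. The two lockfiles embedded below are constructed; the package names (`http-client-example`, `phantom-helper-example`) and versions are placeholders, not the real affected packages or versions.

```python
import json

# Added example, not Bitwarden's, axios's or Huntress's code: two lockfile checks to run
# before trusting a dependency update. package-lock.json (lockfileVersion 2/3) marks
# packages that declare preinstall/install/postinstall hooks with "hasInstallScript".
# Both lockfiles below are constructed; package names and versions are placeholders.

OLD_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"http-client-example": "^1.0.0"}},
    "node_modules/http-client-example": {"version": "1.0.0"},
    "node_modules/redirect-helper-example": {"version": "1.15.0"}
  }
}""")

NEW_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"http-client-example": "^1.0.0"}},
    "node_modules/http-client-example": {"version": "1.0.1",
        "dependencies": {"phantom-helper-example": "*"}},
    "node_modules/redirect-helper-example": {"version": "1.15.0"},
    "node_modules/phantom-helper-example": {"version": "0.1.0", "hasInstallScript": true}
  }
}""")


def packages(lock):
    """Installed packages keyed by node_modules path; the root "" entry is the project itself."""
    return {p: e for p, e in lock.get("packages", {}).items() if p}


def install_script_packages(lock):
    """Packages that will execute code at `npm install` time."""
    return sorted(p for p, e in packages(lock).items() if e.get("hasInstallScript"))


def version_changes(old_lock, new_lock):
    """path -> (version before, version after); before is None for a package that is new."""
    old, new = packages(old_lock), packages(new_lock)
    return {p: (old.get(p, {}).get("version"), new[p].get("version"))
            for p in new if old.get(p, {}).get("version") != new[p].get("version")}


def review_update(old_lock, new_lock):
    """Summarise what an update pulls in; anything in `suspicious` deserves a look before installing."""
    changes = version_changes(old_lock, new_lock)
    added = sorted(p for p, (before, _) in changes.items() if before is None)
    hooks = install_script_packages(new_lock)
    return {
        "changed": changes,
        "added": added,
        "install_scripts": hooks,
        "suspicious": sorted(set(added) & set(hooks)),   # new package that runs code at install
    }


if __name__ == "__main__":
    print(json.dumps(review_update(OLD_LOCK, NEW_LOCK), indent=2))
```

Pair the review with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) so that lifecycle hooks do not run unattended in CI; the few packages that genuinely need a build step can then be handled explicitly rather than trusted by default.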


Threat actors abuse Railway.com PaaS as Microsoft 365 token attack infrastructure

In March, a Huntress investigation revealed that threat actors were abusing Railway.com’s PaaS to run a large-scale Microsoft 365 device code phishing and token replay campaign, targeting 344 organizations across five countries. In the Rapid Response, authors Dave Kleinatland, Jamie Levy, Rich Mozeleski, and Erin Meyers analyzed the Railway/EvilTokens infrastructure, documented how the phishing and token theft work, and described how Huntress blocked Railway IP ranges for eligible tenants.
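The campaign described above combines two things a defender can look for in sign-in telemetry: the device code grant itself, which is rare for most users, and the replay of the resulting tokens from infrastructure the user has never signed in from. The following is an added example, not the Huntress Rapid Response queries, run over constructed Microsoft 365 sign-in records. The field names (`user`, `time`, `ip`, `protocol`) and the `deviceCode` protocol value loosely follow Entra ID sign-in logs but are assumptions here; the hosting range (TEST-NET-3) is a constructed placeholder for whatever PaaS ranges you choose to treat as hostile.

```python
from datetime import datetime, timedelta
import ipaddress

# Added example, not the Huntress Rapid Response queries: device-code phishing and token
# replay signals over constructed sign-in records. Field names (user, time, ip, protocol)
# loosely follow Entra ID sign-in logs but are assumptions here; map them to your source.

REPLAY_WINDOW = timedelta(minutes=60)
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # constructed placeholder for PaaS ranges

SIGNINS = [   # constructed records, not real telemetry
    {"user": "alice@corp.test", "time": "2026-03-10T09:00:00Z", "ip": "198.51.100.20", "protocol": "authorizationCode"},
    {"user": "alice@corp.test", "time": "2026-03-10T09:42:00Z", "ip": "198.51.100.20", "protocol": "deviceCode"},
    {"user": "alice@corp.test", "time": "2026-03-10T09:45:00Z", "ip": "203.0.113.7",  "protocol": "none"},
    {"user": "bob@corp.test",   "time": "2026-03-10T10:00:00Z", "ip": "198.51.100.21", "protocol": "authorizationCode"},
    {"user": "bob@corp.test",   "time": "2026-03-10T11:00:00Z", "ip": "198.51.100.21", "protocol": "deviceCode"},
]


def ts(rec):
    """Parse the record timestamp (ISO 8601 with a Z suffix) into an aware datetime."""
    return datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))


def device_code_grants(records):
    """Signal 1: device-code sign-ins are rare for most users; each one deserves a look."""
    return [r for r in records if r["protocol"] == "deviceCode"]


def replay_candidates(records, window=REPLAY_WINDOW, hosting=HOSTING_RANGES):
    """Signal 2: a device-code grant followed, within the window, by the same user from another IP."""
    findings = []
    ordered = sorted(records, key=ts)
    for grant in device_code_grants(ordered):
        for later in ordered:
            if later["user"] != grant["user"]:
                continue
            if not (ts(grant) < ts(later) <= ts(grant) + window):
                continue
            if later["ip"] == grant["ip"]:
                continue                                   # same network as the grant: not replay
            addr = ipaddress.ip_address(later["ip"])
            findings.append({
                "user": grant["user"],
                "grant_ip": grant["ip"],
                "replay_ip": later["ip"],
                "minutes_after": int((ts(later) - ts(grant)).total_seconds() // 60),
                "from_hosting_range": any(addr in net for net in hosting),
            })
    return findings


if __name__ == "__main__":
    print(len(device_code_grants(SIGNINS)), "device-code grants")
    for f in replay_candidates(SIGNINS):
        print(f)
```

In the sample, bob's device-code sign-in produces only the first signal, while alice's is followed three minutes later by activity from the hosting range and so trips both. Tenants that never use device code flow legitimately can go further and block it outright with a Conditional Access policy on the authentication flow.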

Code phishing in action

Check out the full Rapid Response blog here, which includes detection queries, IoCs, and hardening guidance so teams can hunt for activity and tighten M365 controls.

Relevant Product Updates

While not a direct product of the Adversary Tactics team, we’d like to highlight some killer new capabilities that our partners in Product Research and Product have released to help mess up attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

Check out this month’s Product Lab, where Huntress CEO Kyle Hanslovan and Chief Product Officer Prakash Ramamurthy tuned in to talk about product updates, upcoming features, and roadmap reviews. And to join our next Product Lab episode on May 28, sign up here!

April 2026 Product Lab

Managed EDR

  • Vulnerable Driver Detections: Managed EDR now leverages Microsoft’s Vulnerable Driver Block List (and custom audit-only lists) to alert when Windows blocks a known vulnerable driver. This gives us earlier visibility into a common precursor to foothold expansion, lateral movement, ransomware, and data theft.
  • Attack Disruption Wins vs. Akira: Attack Disruption stopped live Akira ransomware incidents before any files were encrypted. Learn more about how Huntress Managed EDR disrupts Akira and other endpoint attacks in this blog post.

Managed ITDR

  • EDR/ITDR Identity Correlations: We’re excited to share that we now provide EDR/ITDR Correlations for Huntress Managed EDR and Managed ITDR customers. EDR/ITDR Correlations is a capability that only Huntress can deliver because it requires both an endpoint agent and an identity detection platform operating on the same customer base. So, how does it work? When Huntress Managed EDR detects an attack on a Windows endpoint, EDR/ITDR Correlations automatically resolves the compromised endpoint to the Microsoft 365 identities that were logged in on that machine, enabling Managed ITDR to surface them immediately in the EDR Incident Report and remediate the affected identities. This is groundbreaking because it enables near-instantaneous identity remediation based on endpoint detection! Learn more here!
  • Google Workspace ITDR Student License Exclusions: For partners in the education sector, ITDR can now exclude student GWS accounts from billing while still protecting staff, aligning licensing costs with the users who actually need coverage.
  • Google Workspace Logs now available in Huntress SIEM: Google Workspace ITDR events now flow into Huntress SIEM with field mapping, ingest wiring, exempt key prefixes, backfills, and starter queries. This tightens the integration between identity and log telemetry across Microsoft 365 and Google Workspace.

Managed SIEM

  • Okta Integrations and Detections: Managed SIEM is expanding Okta support with a new wave of detections designed to surface suspicious identity activity faster and with better context. These detections help teams identify risky authentication patterns, potential account compromise, and activity that may indicate attackers are trying to gain or maintain access through identity systems.

  • First LDAP / Directory Services Detection: New directory-services telemetry and detections produced their first real-world Lightweight Directory Access Protocol (LDAP)-based detection. This can help catch suspicious account enumeration on a domain controller and expose previously undetectable attacker reconnaissance.


Managed SAT

  • New Phishing Summary Report (GA): A new Phishing Summary Report is now generally available with a visual and data overhaul that better matches other Huntress reports, giving clearer insight into phishing simulations and outcomes.

  • SCORM Self-Service (Early Access): A new, tightly integrated SCORM self-service flow lets customers more easily generate SCORM content themselves to use in a third-party LMS.

  • New Training Content: Insider Threat & AI Poisoning: SAT released an “Insider Threat” episode and an “AI Poisoning” episode focused on AI risks and safe usage, addressing strong demand from customers who want to train users on AI-related threats and expanding our existing library of AI-themed training content.

Highlights

Tradecraft Tuesday

At Huntress' April 14 Tradecraft Tuesday, John Hammond and Logan MacLaren from Huntress were joined by Ben Read from Wiz and Charlie Eriksen from Aikido Security to break down the axios supply chain compromise. They covered the attack's tradecraft, the broader npm threat landscape, and the growing risk of LLM-assisted supply chain attacks.

April Tradecraft Tuesday