Threat View from the Lens of Huntress Adversary Tactics: August 2025

Threats Seen in the SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

Cephalus ransomware: DLL sideloading via legit SentinelOne binary

On August 13, our SOC responded to a ransomware attack involving dynamic link library (DLL) sideloading via a legitimate SentinelOne binary. DLL sideloading is a detection evasion technique in which a legitimate, signed executable is made to load a malicious DLL, so the malicious code runs under the trust of that signed binary and is more likely to slip past security solutions. In the incident, the threat actor loaded SentinelAgentCore.dll from SentinelBrowserNativeHost.exe. That DLL in turn loaded data.bin, which contained the actual ransomware code. The attacker used Remote Desktop Protocol (RDP) as the initial access vector. They also ran a series of commands to create Microsoft Defender exclusions for file paths (C:\Windows\System32\svchost.exe and C:\Windows\Temp) and file extensions (.dat, .sss, .cache, and .tmp) in an attempt to avoid detection. The ransom note linked the attack to a ransomware variant called Cephalus, which we recently detailed in a blog post.

Cephalus ransom note seen in attacks

The Takeaway

We’ve seen similar paths for DLL sideloading (specifically combining SentinelAgentCore.dll and SentinelBrowserNativeHost.exe) in other incidents. A solid understanding of the Cephalus ransomware attack path is critical for fast detection and response before your files are encrypted.


KawaLocker ransomware

We recently started seeing a newer ransomware variant called KawaLocker (also known as KAWA4096). According to analysis from Trustwave’s SpiderLabs team, which initially uncovered the threat, KawaLocker first appeared in June 2025.

We first saw KawaLocker ransomware on August 8. During the incident, the threat actor:

  • Accessed the victim’s endpoint via Remote Desktop Protocol (RDP) using a compromised account
  • Deployed HRSword and installed kernel drivers sysdiag.sys and hrwfpdr.sys, which aimed to disable security tools
  • Deployed the KawaLocker ransomware via the following command: e.exe  -d="E:\\"

KawaLocker ransom note seen in incidents

The Takeaway

Over the last few months, we’ve seen various emerging ransomware variants, like Cephalus and Crux. When we spot newer variants in the attack path, we detail the specific commands and Indicators of Compromise (IoCs) to help the security community better track these threats. You can read the full breakdown of the attack that included KawaLocker ransomware here.


Akira clears Windows Event Logs

In a wave of separate attacks over the past month, we’ve seen threat actors affiliated with Akira ransomware take steps to clear the Windows Event Logs, significantly limiting the available data for detections, audits, investigations, and more. This includes incidents where we saw Akira linked to the recent SonicWall VPN attacks.

In these incidents, the threat actor ran a command with the -dellog argument, which triggers the following PowerShell one-liner to clear every event log that currently holds records:

powershell.exe -ep bypass -Command "Get-WinEvent -ListLog * | where { $_.RecordCount } | ForEach-Object -Process{ [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName) }"
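One defender-side use of the indicators in this report, as an added example (not Huntress code): a small Python sweep over constructed endpoint telemetry that flags the Akira log-clearing command above, the Cephalus Defender exclusions, the KawaLocker and Akira kernel drivers, and SentinelAgentCore.dll being sideloaded from outside the expected SentinelOne install directory. The Add-MpPreference form of the exclusion commands and the SentinelOne install path are assumptions, since the report does not quote them.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str    # "process" (command line), "driver" (driver load) or "imageload" (DLL load)
    image: str   # path of the process image; may be empty for driver loads
    detail: str  # command line for "process"; loaded file path otherwise

# Patterns taken from the report: the Akira log-clearing one-liner and the -dellog switch that triggers it.
CLEARLOG_RE = re.compile(r"Get-WinEvent\s+-ListLog\s+\*.*\.ClearLog\(", re.I)
DELLOG_RE = re.compile(r"(?:^|\s)-dellog(?:\s|$)", re.I)
# Assumed form of the Cephalus Defender exclusion commands (the report names the values, not the command).
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Extension)\s+(\S+)", re.I)
EXCLUSION_IOCS = {r"c:\windows\system32\svchost.exe", r"c:\windows\temp", ".dat", ".sss", ".cache", ".tmp"}
# Kernel drivers named in the report: the HRSword pair (KawaLocker) and the Akira BYOVD pair.
KILLER_DRIVERS = {"sysdiag.sys", "hrwfpdr.sys", "rwdrv.sys", "hlpdrv.sys"}
# Assumption: a genuine SentinelOne install loads its DLLs from under this directory.
S1_ROOT = "c:\\program files\\sentinelone\\"

def analyze(events):
    """Return (rule_name, evidence) tuples, one per rule hit, in input order."""
    findings = []
    for e in events:
        image, detail = e.image.lower(), e.detail.lower()
        if e.kind == "process":
            if CLEARLOG_RE.search(e.detail) or DELLOG_RE.search(e.detail):
                findings.append(("event_log_clearing", e.detail))
            for m in EXCLUSION_RE.finditer(e.detail):
                for value in m.group(1).split(","):   # e.g. -ExclusionExtension .dat,.sss
                    if value.strip("\"'").lower() in EXCLUSION_IOCS:
                        findings.append(("defender_exclusion", value.strip("\"'")))
        elif e.kind == "driver" and detail.rsplit("\\", 1)[-1] in KILLER_DRIVERS:
            findings.append(("edr_killer_driver", e.detail))
        elif (e.kind == "imageload" and image.endswith("sentinelbrowsernativehost.exe")
              and detail.endswith("sentinelagentcore.dll") and not detail.startswith(S1_ROOT)):
            findings.append(("dll_sideload", e.detail))
    return findings

# Constructed sample telemetry (not from a real incident) that exercises every rule once.
SAMPLE = [
    Event("process", r"C:\Windows\System32\cmd.exe",
          'powershell.exe -ep bypass -Command "Get-WinEvent -ListLog * | where { $_.RecordCount } '
          '| ForEach-Object -Process{ [System.Diagnostics.Eventing.Reader.EventLogSession]'
          '::GlobalSession.ClearLog($_.LogName) }"'),
    Event("process", r"C:\Windows\System32\cmd.exe", "powershell Add-MpPreference -ExclusionExtension .dat,.sss"),
    Event("driver", "", r"C:\Users\Public\hrwfpdr.sys"),
    Event("imageload", r"C:\Users\Public\SentinelBrowserNativeHost.exe", r"C:\Users\Public\SentinelAgentCore.dll"),
]
```

Feed it process-creation, driver-load and image-load records from your own telemetry (Sysmon or EDR exports) and review any hit alongside the surrounding activity; a sideload from a legitimate install path, for example, should stay silent.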

The Takeaway

Ransomware actors continue to use tactics that evade detection and hold back investigations. While clearing Windows Event Logs is not a novel or unique technique, it’s important for defenders to understand how this is used in recent Akira-related incidents.

Tactical Response

Our Hunting & Tactical Response team was developed as a separate function within our SOC for deep dives into intrusions and to answer partners’ questions outside the scope of 24x7 SOC operations. It meets the “sweet spot” between a standard MDR offering and a more intensive and formal Incident Response. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

SOC incident walkthrough

Anton Ovrutsky posted an incident walkthrough video that breaks down how a threat actor used an exposed RDP instance to deploy ransomware. Check out the video here!  

The latest SOC incident walkthrough video from Tactical Response

Threats Around the World

Cybercrime Takedowns

Interpol ran a massive takedown operation in Africa spanning 15+ countries and leading to the arrest of more than 1,200 criminals. Operation Serengeti 2.0, a continuation of an operation that initially started in September of 2024, highlights the trend of authorities taking down infrastructure and financial components used to fuel cybercrime. The operation was jointly executed with authorities in the UK to arrest ransomware operators who were working with these criminals in Africa, as well as Chinese nationals.

The operation directly impacts the Bl00dy and RansomHub groups, which appear to launder portions of their cryptocurrency through elements and personnel located in Ghana and Seychelles, respectively.

A distribution flow chart for Bl00dy ransomware groups' laundering services in Ghana

The impressive takedown list from this campaign includes 25 cryptocurrency mining centers, which were used to fraudulently validate transactions on the blockchain. Authorities removed 45 illegal power stations, which powered these mining centers.

An illegal power station in Angola that powered fraudulent cryptocurrency mining centers

Additionally, Serengeti 2.0 disrupted multiple email scams. Over $97 million was successfully recovered for 11,432 victims of email inheritance fraud.


‘EDR killer’ tools: what we’re seeing

Recent reports point to increased use of “EDR killer” tools by ransomware groups. Tools like RansomHub’s “EDRKillShifter” aren’t new; they’ve been used for the past few years to disable EDR, typically through Bring Your Own Vulnerable Driver (BYOVD) attacks. Several ransomware groups have recently been using a new EDR killer tool to target products from vendors like Sophos, Microsoft Defender, Kaspersky, Symantec, Trend Micro, and SentinelOne.

This latest tool uses an obfuscated binary that’s self-decoded at runtime. It searches for a digitally signed driver (complete with a stolen or expired certificate) before loading the malicious driver into the kernel. This allows threat actors to bypass EDR as they gain the kernel privileges needed to disable security products.

At Huntress, we’ve been tracking these attacker strategies for some time. We have built-in features like tamper protection to help mitigate previous EDR killer tools used by threat actors. Additionally, by catching the attacker in the early stages of attacks—before they can use one of these EDR killer tools—Huntress shuts down this problem at the source.

Rapid Responses

For the unaffiliated, “Rapid Responses” spin up when there is a vulnerability or threat that attackers take advantage of to further escalate their attacks at scale. When we hear about a potential vulnerability, the Adversary Tactics team works across Huntress to figure out the potential impact, update our customers, and publish a blog for the security community with all the necessary threat activity details. Here is one example of a Rapid Response that we’ve handled in the last month:

Active Exploitation of SonicWall VPNs

In a series of incidents from late July to mid-August, we found multiple active Akira ransomware intrusions exploiting SonicWall appliances. SonicWall said with high confidence that the threat activity is not connected to a zero-day flaw. They believe it is related to CVE-2024-40766, an improper access control flaw first published in August 2024, which can lead to “unauthorized resource access.”

Our Rapid Response blog post on this threat activity shared the IoCs, types of TTPs we saw, and evidence of the threat actors targeting SonicWall firewalls with SSL VPN enabled before deploying the Akira ransomware. In some incidents, the threat actors immediately gained administrative access by leveraging an over-privileged LDAP or service account used by the SonicWall device itself (e.g., sonicwall, LDAPAdmin).

Meanwhile, in a series of updates, SonicWall said that many of the incidents appear to be related to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migrations and were not reset afterward. SonicWall advised users to reset all local user account passwords for any accounts with SSL VPN access (especially if they were carried over during migration from Gen 6 to Gen 7). In the latest update regarding LDAP accounts being used in the incidents, SonicWall said:

“The local user account password recommendation does not apply to auto-generated or locally duplicated LDAP/RADIUS users. SonicOS does not store the passwords of these users. Only if a password has been set for a user on the firewall management interface is it a local user.”

We continued to post updates throughout August, including the use by Akira actors of two legitimate Windows drivers—rwdrv.sys and hlpdrv.sys—in BYOVD attacks, with the end goal of evading or disabling security tools.

The Takeaway

We continue to track this threat and work with other companies to stay on top of all relevant information. Jamie Levy with the Adversary Tactics team also joined Right of Boom’s The CyberCall podcast, along with SonicWall’s VP of ThreatOps, to discuss this series of incidents and answer questions about the surge of exploitations.

Huntress’ Jamie Levy joins The CyberCall to discuss recent SonicWall VPN exploitation

Relevant Product Updates

While not a direct product of the Adversary Tactics team, we’d like to highlight some killer new capabilities that our partners in Product Research and Product have released to help mess up attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

Managed EDR

The EDR for Linux Open Beta started on August 19, marking a significant expansion of Huntress’ endpoint protection capabilities to a critical operating system! 🎉 This new functionality is supported by the same SOC workflows as Windows and macOS and offers crucial visibility and control over Linux environments, a common target for threat actors. Try it for free today and find what shady footholds and GTFOBins hackers are using in your environment.

The GA release of Tamper Protection for macOS enhances the overall resilience and manageability of EDR deployments, directly addressing the challenge of threat actors attempting to uninstall agents and create blind spots. Tamper Protection for macOS protects the Huntress app, Huntress system extension, and other important Huntress files against being deleted, moved, or renamed (any of which could interrupt service).

We also made it easy to see conflicting Windows Firewall configurations that could lead to the firewall being inadvertently enabled or disabled, and we made Antivirus Exclusions easier to manage by introducing a bulk delete capability.


Managed ITDR

The product team continues to focus on long-term architectural investments to address data flow, underscoring a commitment to robust and scalable identity protection, which is crucial for preventing lateral movement and privilege escalation by attackers.


Managed SIEM

Huntress SIEM continues to demonstrate its effectiveness in early threat detection, allowing customers to identify and mitigate ransomware criminals and other threats significantly faster.

Recent enhancements to our log processing pipeline have improved stability, performance, and observability, ensuring reliable data collection and bolstering our ability to protect customers from evolving threats by providing timely and accurate insights into their security posture.

To further strengthen these protections, we’re expanding the number of supported log sources within our SIEM. By broadening our integrations, we’re enabling security teams to centralize even more data across their environments - giving them richer visibility, faster correlation of events, and greater flexibility to meet both security and compliance needs.


Managed SAT

Huntress Security Awareness Training (SAT) continues to evolve to better equip users against sophisticated social engineering attacks.

We introduced a new FileFix phishing scenario to expose learners to cutting-edge tradecraft, complete with corresponding Phishing Defense Coaching. We also launched a new Smishing episode to address emerging mobile-based threats.

Managed SAT has enabled Learner Aliases to use learners’ immutable IDs rather than their email address as the primary ID. This allows better support for email address changes and ensures SAT learners can appropriately report phishing from an alias associated with their account.


Platform

Improvements to the Huntress Platform enhance the overall experience for partners and strengthen the product's foundation.

We’ve updated incident reports to provide partners and customers with visibility into the full incident report history. Should reports be updated by the Huntress SOC, the latest report can always be found at the top, with historical reports listed afterward. More robust customer-facing error logging and retry options for PSA integrations reduce support load and make debugging easier, leading to quicker resolution of issues.

Highlights

Tradecraft Tuesday

Our August Tradecraft Tuesday episode focused on the dark web, where Huntress’ John Hammond and Dave Kleinatland explored popular underground forums, marketplaces, and ransomware data leak sites.


Notable External Media

At Black Hat USA 2025, several members of Huntress’ security team took the stage to share their knowledge and expertise.

That included a sponsored session by John Hammond (“Lesser-Known Linux Persistence Mechanisms”). Black Hat attendees also heard from Ben Folland, Robert Knapp, Jonathan Johnson, and more in several different booth theatre sessions and demos!

Greg Linares and Yarden Shafir gave a talk at Sikkerhetsfestivalen on The Patch That Wasn't: A Decade of Failure. The talk highlighted how a flaw in Microsoft’s codesigning checks still allowed malicious code to run at the kernel level.  

Since we have seen some attackers bring their own vulnerable drivers, this is a timely talk that will hopefully bring some actionable changes by Microsoft.
