Threat View from the Lens of Huntress Adversary Tactics: June 2025

Threats Seen in our SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

A Fast-Moving LockBit Attack

Our SOC recently uncovered a five-minute, 40-second LockBit attack.

In June, a dentist office’s ransomware canaries were triggered for LockBit. After we tasked and reviewed the logs, we found the threat actor accessed a TeamViewer remote monitoring and management (RMM) tool to deploy the ransomware. The aS7Egd7xh.README.txt ransom note was created at 7:08 UTC, only around five minutes after initial access occurred at 7:02 UTC.


While the average time-to-ransom is 16.88 hours, according to the Huntress 2025 Cyber Threat Report, a 10-minute attack path is alarming. This spells out why it is absolutely essential to catch attackers as early as possible in the ransomware attack path.


Threat Actors Target MFA

In June, Huntress encountered a threat actor attempting to disable an MFA security application, as seen in the following command:

cmd.exe /Q /c reg delete "HKLM\Software\Duo Security" 1> \Windows\Temp\gGutd1 2>&1

The aim of deleting the Registry key through the command above is to disable Duo Security. Further analysis of the reported victim endpoints showed that Duo Security wasn’t installed on those endpoints, though it was installed on other endpoints across the victim’s infrastructure.

The threat actor likely encountered an endpoint with Duo Security or got information from an external source, like an Initial Access Broker, that Duo Security was already installed in this environment.  Either way, the threat actor decided to take a “shotgun approach” for speed over stealth, attempting to delete this Registry key without first checking if Duo was installed on the endpoint.
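The command above is a good candidate for a process-creation detection: `reg delete` aimed at the registry key of a security product, with output redirected into the Windows temp directory. The sketch below is an added example, not Huntress code. It parses constructed process-creation events (loosely shaped like Sysmon Event ID 1 fields) and flags deletions of watch-listed keys. The only watch-listed key is the Duo Security key from the quoted command; the helper names (`find_reg_delete`, `analyze_event`, `analyze_events`), the sample hosts and users are assumptions of this example.

```python
"""
Detection sketch for the Duo Security registry-key deletion described above.

Added example, not Huntress code. It parses constructed process-creation
events (the shape loosely follows Sysmon Event ID 1 fields) and flags
`reg delete` commands aimed at registry keys of security software.
The only key on the watchlist comes from the command quoted in the post;
helper names and sample data are this example's own assumptions.
"""
import re
from typing import Optional

# Registry hive abbreviations normalised to their long form so both spellings match.
_HIVE_ALIASES = {
    "hklm": "hkey_local_machine",
    "hkcu": "hkey_current_user",
    "hku": "hkey_users",
    "hkcr": "hkey_classes_root",
}

# Keys whose deletion disables a security control. Only the Duo key from the
# quoted command is listed; an operator would extend this for their own stack.
SECURITY_KEY_WATCHLIST = [
    r"hkey_local_machine\software\duo security",
]

# Matches `reg delete <key>` or `reg.exe delete <key>`, with the key either
# double-quoted or a bare token, anywhere in the command line.
_REG_DELETE = re.compile(
    r'\breg(?:\.exe)?\s+delete\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Output redirected into the Windows temp directory, as in the quoted command
# (`1> \Windows\Temp\... 2>&1`), is a secondary indicator of hands-on activity.
_TEMP_REDIRECT = re.compile(r'[12]?>\s*\\?windows\\temp\\', re.IGNORECASE)


def normalise_key(key: str) -> str:
    """Lower-case, unify slashes, expand hive abbreviations, strip outer slashes."""
    key = key.strip().replace("/", "\\").strip("\\").lower()
    hive, sep, rest = key.partition("\\")
    return _HIVE_ALIASES.get(hive, hive) + sep + rest


def find_reg_delete(cmdline: str) -> Optional[str]:
    """Return the normalised key a command line deletes, or None if it is not a reg delete."""
    m = _REG_DELETE.search(cmdline)
    if not m:
        return None
    return normalise_key(m.group(1) or m.group(2))


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if it looks benign."""
    cmdline = event.get("CommandLine", "")
    key = find_reg_delete(cmdline)
    if key is None or not any(key.startswith(w) for w in SECURITY_KEY_WATCHLIST):
        return None
    tags = ["security_software_key_deleted"]
    if _TEMP_REDIRECT.search(cmdline):
        tags.append("output_redirected_to_temp")
    return {
        "host": event.get("Computer"),
        "user": event.get("User"),
        "parent": event.get("ParentImage"),
        "key": key,
        "tags": tags,
    }


def analyze_events(events) -> list:
    """Run analyze_event over a batch and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample events. The first reproduces the command from the post;
# the others are benign activity that must not alert.
SAMPLE_EVENTS = [
    {"Computer": "WS-017", "User": "CORP\\svc-backup",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": r'cmd.exe /Q /c reg delete "HKLM\Software\Duo Security" 1> \Windows\Temp\gGutd1 2>&1'},
    {"Computer": "WS-018", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": r'reg delete HKCU\Software\Contoso\Scratch /f'},
    {"Computer": "WS-019", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": r'reg query "HKLM\Software\Duo Security"'},
]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding)
```

Because the key is normalised before matching, `HKLM\Software\Duo Security` and `HKEY_LOCAL_MACHINE/SOFTWARE/Duo Security/` both hit the same watchlist entry, and a `reg query` against the same key does not, which keeps the rule from firing on an administrator checking whether Duo is present.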


Exploitation of Known Veeam Flaw (CVE-2024-40711)

Multiple businesses in June were compromised after threat actors exploited a known Veeam vulnerability (CVE-2024-40711) to remotely execute malicious commands. The unauthenticated remote code execution vulnerability was first publicly disclosed and fixed in September 2024. In October 2024, the flaw was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability (KEV) catalog, indicating that threat actors are exploiting it. Researchers previously said the Akira and Fog ransomware groups have targeted this flaw.

These incidents highlight how important it is for businesses to stay current with patches. This vulnerability already has a critical-severity ranking on the CVSS 3.0 scale (9.8 out of 10). The US government and security researchers are both warning that ransomware actors are targeting this flaw, signaling the heightened importance of patching this vulnerability.  Patches for the flaw have been available for nine months, but threat actors successfully exploit vulnerabilities that have been around for years, even when patches are readily available.

Tactical Response

Our Hunting & Tactical Response team was developed as a separate function within our SOC for deep dives into intrusions and to answer partners’ questions outside the scope of 24x7 SOC operations. It meets the “sweet spot” between a standard MDR offering and a more intensive and formal Incident Response. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

Uncovering Initial Access Vectors

Tactical Response zeroes in on unknowns about initial access, root cause analysis, and timelines of adversary activity, including machines that don’t have the Huntress agent installed on them.

As seen below, the Tactical Response team uncovered various initial access vectors over the past year. In the cases investigated by the Tactical Response team (not comprehensive of all Huntress findings), the majority of initial access vectors (63.8%) were compromised VPN appliances, including malicious logins with stolen or brute-forced credentials. Exposed Remote Desktop Protocol (RDP) was another popular initial access vector, taking second place at 17.1%. Third place goes to exposed external perimeter, seen in 5.8% of all initial access vectors.

You can get a detailed breakdown on initial access vectors in this blog from Anton Ovrutsky and our Tactical Response team.

Threats Around the World

Ransomware Landscape and Implosions

Qilin ransomware group has been one of the most active ransomware groups in the last few months, using new techniques to drive more successful initial access attempts. The most noteworthy change is their shift to using more recent Fortinet flaws for initial access. They’ve been seen actively exploiting both CVE-2024-21762 and CVE-2024-55591 across multiple victims’ environments.  These attacks affect both FortiOS and Fortinet’s VPN systems and were the primary suspects in a coordinated attack across dozens of victims last month. Qilin has also made their attack system completely automated, essentially making their own vulnerability scanning toolkit or utilizing existing toolkits and integrating them with their Ransomware as a Service (RaaS) provisions.  

Qilin was also seen directly targeting MSPs, with phishing attacks starting in April and continuing into June, with the sole purpose of gaining access to downstream customers en masse.  Unlike previous attacks using Attacker-in-the-Middle (AiTM) toolkits like Evilginx, these current attacks abuse spoofed domains of ScreenConnect providers, often using the .ms TLD.  Victims were redirected to a proxy page that sent the user’s credentials to legitimate ScreenConnect services to validate credentials.  

Qilin is one of the most dangerous and prolific ransomware operators we’ve seen in the last few months because of these recent TTPs.
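The spoofed ScreenConnect pages described above share a simple property that a web-proxy log can expose: the host carries the vendor's brand name but does not sit under the vendor's own domain. The check below is an added example, not Huntress code. It parses constructed proxy-log lines, extracts the requested host and flags brand-bearing hosts outside an allowlist; the log format, the sample hosts, and the assumption that `screenconnect.com` is the vendor's legitimate domain are all this example's own.

```python
"""
Lookalike-domain check for the spoofed ScreenConnect pages described above.

Added example, not Huntress code. It parses constructed web-proxy log lines,
pulls out the requested host, and flags hosts that carry a protected brand
token but do not belong to an allow-listed domain. The allowlist, the log
format and the sample hosts are assumptions of this example.
"""
import re
from urllib.parse import urlsplit

# Brand tokens worth protecting and the domains they legitimately live on.
# `screenconnect.com` is assumed here to be the vendor's own domain.
BRAND_ALLOWLIST = {
    "screenconnect": {"screenconnect.com"},
}

# Constructed proxy-log format: "<timestamp> <src_ip> <action> <url>"
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(host: str) -> str:
    """Last two labels of the host; adequate for the .com/.ms style TLDs used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str):
    """Return (brand, verdict); verdict is 'legit', 'lookalike', or None if no brand token."""
    host = host.lower()
    for brand, allowed in BRAND_ALLOWLIST.items():
        if brand in host:
            verdict = "legit" if registrable_domain(host) in allowed else "lookalike"
            return brand, verdict
    return None, None


def scan_proxy_log(lines) -> list:
    """Return one finding per request to a lookalike host; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts, src_ip, _action, url = m.groups()
        host = urlsplit(url).hostname or ""
        brand, verdict = classify_host(host)
        if verdict == "lookalike":
            findings.append({"ts": ts, "src_ip": src_ip, "host": host, "brand": brand})
    return findings


# Constructed log lines: a legitimate vendor-hosted login, two brand-bearing
# hosts on other domains (one on a .ms TLD), an unrelated site, and junk.
SAMPLE_LOG = [
    "2025-06-03T09:14:02Z 10.0.4.21 ALLOW https://acme.screenconnect.com/Login",
    "2025-06-03T09:15:40Z 10.0.4.21 ALLOW https://screenconnect-support.ms/login?client=acme",
    "2025-06-03T09:16:01Z 10.0.4.33 ALLOW https://www.example.com/",
    "2025-06-03T09:17:12Z 10.0.4.21 ALLOW https://portal.screenconnect.com.ms/",
    "this line is not a proxy record",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src_ip']} -> {f['host']} (impersonates {f['brand']})")
```

The registrable-domain helper deliberately takes the last two labels, which is enough for the TLDs in the sample but would need a public-suffix list before use against real traffic where hosts like `example.co.uk` appear.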


Noteworthy Vulnerabilities

A directory traversal vulnerability in SimpleHelp RMM, tracked as CVE-2024-57727, has been the initial access point for multiple ransomware groups in recent months.  Most notably, the DragonForce ransomware group used the flaw within MSPs to target clients and turn a single breach into multiple compromises. In addition, Play ransomware group used this flaw to target healthcare facilities worldwide. This vulnerability highlights the current trend of attackers prioritizing “hit once, affect many” attacks, targeting supply chains, food vendors, IT support, and security vendors, and ultimately, their downstream customers and clients.

The uptick in RMM exploitation, as well as other shared component attacks, is linked with ransomware groups looking to maximize profits, and their affiliates trying to quickly evade detection before exfiltrating data and ransoming victims.

Rapid Responses

Our Rapid Responses spin up when we see attackers take advantage of vulnerabilities or threats to scale up their attacks.  We work with different specialized security teams across Huntress to figure out the potential impact and what new and/or novel information we can share externally. We also notify potentially impacted customers and publish a blog with all the juicy details to help the broader security ecosystem stay vigilant. Here is an example of a Rapid Response that we’ve worked on in the last month:

Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion

In June, Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon published a threat analysis of their investigation into a sophisticated DPRK intrusion in a macOS customer environment at a cryptocurrency foundation. Because this intrusion was (luckily) isolated to one customer, it didn’t necessarily qualify as a typical Rapid Response. But due to the incident’s complexity and our hope to keep others safe from this threat, we spun out what we’re calling a Rapid Response Lite.

Alden, Stuart, and Jon shared several unique aspects of this macOS intrusion:

  • The initial access phase involved an employee of a cryptocurrency firm tricked into joining a Zoom meeting with several deepfakes pretending to be senior leadership in their company
  • We found eight new pieces of macOS malware, including a keylogger and an infostealer
  • The malicious payload was deployed via process injection. This is a familiar technique for Windows, but hasn’t historically been common on macOS due to more inherent security restrictions
  • The intrusion is attributed to a DPRK APT group (tracked as TA444 or BlueNoroff), a state-sponsored actor known for targeting cryptocurrency companies

We’ve seen macOS become a bigger target for threat actors over the past few years - especially sophisticated, state-sponsored attackers. Scrutinize meeting invites that encourage you to switch platforms or load extensions from non-official sources because this could be a potential cyberattack from a high-level attacker with advanced capabilities.

Relevant Product Updates

We’d also like to highlight some killer new capabilities that our partners in Product Research and Product have released to mess up attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

Managed EDR

macOS: XProtect Detections

This month, we announced some exciting news for our macOS users: Huntress Managed EDR has extended its threat detection and response coverage for macOS by taking in alerts from both Apple’s XProtect antivirus and, through an integration, Microsoft Defender for Endpoint for macOS. Our SOC now monitors alerts from these sources and will take action to neutralize attackers.

At the same time, extending Microsoft Defender to macOS allows customers to get more value out of their Defender licenses with our EDR, bringing more protection to Macs.

Huntress Managed Security Platform with investigated XProtect alerts

Detections Engineering added 10 new detections and tuned 22 existing detections over the last two weeks. Recent additions to Huntress EDR significantly advance our ability to stop sophisticated attacks, with a strong focus on disrupting ransomware kill chains and exposing stealthy post-exploitation activities. Our SOC is empowered by these new capabilities to deliver high-fidelity alerts.

This includes:

Expedited Detections – Swiftly Neutralizing Active Threats

  • Confronting Ransomware & Vulnerability Exploitation: Huntress now more effectively identifies specific ransomware strains like Qilin and detects when ransomware overwrites files with a malicious extension. We have also added critical detection for the exploitation of a recently discovered vulnerability that allows for arbitrary code execution (CVE-2025-33053).
  • Exposing Attacker Tools and Post-Exploitation: Our platform is now better at unmasking attacker tradecraft like the use of SharpSuccessor, a tool that exploits a known vulnerability for execution. We have also enhanced detections for malicious LOLBIN (Living off the Land Binary) abuse where legitimate system tools are used to execute malicious DLLs.

Hunting Detections – Proactively Uncovering Stealthy & Novel Attacks

  • Detecting Abuse of Legitimate Tools: Huntress now proactively hunts for the abuse of legitimate tools like SimpleHelp for suspicious remote access activity and the use of WinRAR to archive potentially sensitive data from shares on a server.
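Two of the behaviours this issue describes, ransomware canaries firing in the five-minute LockBit case and ransomware overwriting files with a new extension, are both visible in file-system telemetry. The sketch below is an added example, not Huntress code and not the detection logic in Managed EDR. It runs over constructed file events (timestamp, process, operation, path, new path) and reports canary hits, a process that re-extensions many files in a short window, and the time from the first event to the first canary hit. The canary paths, the thresholds, the `.zzz` extension and the helper names are assumptions of this example; only the ransom-note filename comes from the post.

```python
"""
Ransomware file-activity detection sketch covering canary files firing and a
process rewriting many files to one new extension.

Added example, not Huntress code. Events are constructed and loosely shaped
like file-system telemetry (timestamp, process, operation, path, new path).
The canary paths, thresholds, the ".zzz" extension and the helper names are
assumptions of this example; only the ransom-note name comes from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# Decoy files that no legitimate process should rename, rewrite or delete.
# Constructed paths.
CANARY_PATHS = {
    r"c:\shares\finance\~canary_do_not_open.docx",
    r"c:\users\public\documents\.canary.xlsx",
}

# A process that renames at least RENAME_THRESHOLD files to the same *new*
# extension inside WINDOW is treated as mass encryption. Example values.
RENAME_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def _ext(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def detect_canary_hits(events) -> list:
    """Return the events that touch a canary file in a destructive way."""
    return [e for e in events
            if e["path"].lower() in CANARY_PATHS
            and e["op"] in ("rename", "write", "delete")]


def detect_mass_reext(events, threshold=RENAME_THRESHOLD, window=WINDOW) -> list:
    """Return (process, new_ext, count) for every process that changed the
    extension of >= threshold files to the same new extension within window."""
    buckets = defaultdict(list)          # (process, new_ext) -> [timestamps]
    for e in events:
        if e["op"] != "rename" or not e.get("new_path"):
            continue
        old_ext, new_ext = _ext(e["path"]), _ext(e["new_path"])
        if new_ext and new_ext != old_ext:
            buckets[(e["process"], new_ext)].append(e["ts"])

    findings = []
    for (proc, new_ext), stamps in buckets.items():
        stamps.sort()
        left, best = 0, 0
        for right in range(len(stamps)):     # sliding window over sorted times
            while stamps[right] - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            findings.append((proc, new_ext, best))
    return findings


def time_to_first_canary_hit(events) -> Optional[float]:
    """Seconds from the earliest event in the batch to the first canary hit,
    i.e. how long the intrusion ran before a canary-based alert could fire."""
    hits = detect_canary_hits(events)
    if not hits:
        return None
    first = min(e["ts"] for e in events)
    return (min(h["ts"] for h in hits) - first).total_seconds()


def _ev(ts, process, op, path, new_path=None) -> dict:
    return {"ts": datetime.fromisoformat(ts), "process": process,
            "op": op, "path": path, "new_path": new_path}


# Constructed telemetry: one benign rename, then a burst from "enc.exe" that
# re-extensions six share files plus the canary and drops a ransom note whose
# name matches the one reported in the post.
SAMPLE_EVENTS = [
    _ev("2025-06-10T07:02:10", "explorer.exe", "rename",
        r"c:\users\jdoe\report.tmp", r"c:\users\jdoe\report.docx"),
]
for i in range(6):
    SAMPLE_EVENTS.append(_ev(f"2025-06-10T07:07:{1 + 2 * i:02d}", "enc.exe", "rename",
                             rf"c:\shares\finance\doc{i}.xlsx",
                             rf"c:\shares\finance\doc{i}.xlsx.zzz"))
SAMPLE_EVENTS += [
    _ev("2025-06-10T07:07:20", "enc.exe", "rename",
        r"c:\shares\finance\~canary_do_not_open.docx",
        r"c:\shares\finance\~canary_do_not_open.docx.zzz"),
    _ev("2025-06-10T07:08:00", "enc.exe", "write",
        r"c:\shares\finance\aS7Egd7xh.README.txt"),
]

if __name__ == "__main__":
    print("canary hits:", [e["path"] for e in detect_canary_hits(SAMPLE_EVENTS)])
    print("mass re-extension:", detect_mass_reext(SAMPLE_EVENTS))
    print("seconds to first canary hit:", time_to_first_canary_hit(SAMPLE_EVENTS))
```

The re-extension rule keys on the *new* extension rather than on a list of known ransomware suffixes, so it still fires for a strain whose extension has not been catalogued; the sliding window keeps a slow, legitimate bulk rename spread over hours from tripping it.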



Managed ITDR

There’s a new feature just released in ITDR: identity disablement and re-enablement for Active Directory (AD) synced identities, also known as hybrid identities.

This update closes a significant gap in our containment and remediation capabilities—and it brings protection parity to the 47%+ of identities using AD sync in their Microsoft 365 configurations. Previously, these environments couldn’t fully benefit from Huntress-initiated identity containment.  This is a huge deal for customers with on-prem AD using Microsoft Entra Connect, where disabling a cloud identity wasn’t enough, and was one of our most requested features.  Awesome work by the ITDR team for getting this built and shipped! 🎉

We also recently introduced Targeting Phishing-as-a-Service (PhaaS): A new high-priority detection for Managed ITDR identifies successful authentications originating from Flowerstorm, a newly observed Phishing-as-a-Service kit. Detecting account compromise from these advanced phishing platforms is crucial for protecting accounts from takeover.


Managed SIEM

We have added support for Cloudflare and Wiz alerts as HEC log sources, and extended retention for SIEM data: 90 days hot and 7 YEARS cold storage!

More details about these updates can be seen on this month’s Product Lab, where you get to hear about upcoming features directly from Kyle Hanslovan, CEO and co-founder of Huntress, and Chris Bisnett, CTO and co-founder of Huntress!  If you’re not watching Product Lab, you should!

In the last two weeks, our Detections Engineering team also added 7 new detections and tuned 1 existing detection. These include new high-priority detections for the Evil-WinRM tool and credential theft techniques like LSADump.


Managed SAT

Threat Simulator from Huntress Managed SAT

Huntress Managed SAT this month introduced a new Threat Simulator, which allows users to interact with threats in an engaging way, almost like a game, while giving them hands-on experience with real threat actor tactics.

As covered in a recent blog post by James O’Leary on the announcement, after a month of early access, more than 24,000 learners completed the optional first Threat Simulation, which covered OSINT. It took users an average of 1.51 attempts to complete the simulation (since you can “lose”), which indicates that they were engaged enough to try again. To learn more and see a demo, check out our on-demand webinar: “Breaking Down Barriers in SAT: Introducing Huntress Threat Simulator.”


More Product News

Behavior-Based Assignments

Huntress introduced Behavior-Based Assignments, which combines Huntress Managed EDR, Huntress Managed SAT, and Huntress Managed ITDR to help customers identify and mitigate human risks in an organization. This capability allows businesses to provide targeted, real-time and tailored training for individual users (or across the organization) after an incident has occurred - all from the Huntress platform. This can help address the risky behaviors that occurred and lower the chances of them happening again. Learn more about Behavior-Based Assignments here.

Highlights

Tradecraft Tuesday

June’s Tradecraft Tuesday centered on AI. Chris Henderson and Truman Kain talked about the varying use cases for AI, and how both defenders and threat actors can use it.


Notable External Media

John Hammond joined the Research Saturday Cyberwire Daily podcast to talk about the critical Gladinet CentreStack and Triofox vulnerability (CVE-2025-30406), based on our Rapid Response from April. Here is an excerpt from the podcast:

“I think there’s been some interesting conversations that followed this, because this ViewState deserialization is… established in the information security and information technology ecosystem… so we’re kind of scratching our heads, [asking] ‘why are we still stuck with this, and are there other applications or software that have this same fault?’ So we saw some write-ups and articles from Microsoft, we saw other vendors, ConnectWise, making some changes to their ScreenConnect application, and other things to try to mitigate this, so this glaring, potentially open hole is not an attack surface for the future. And I’m glad to see and hear the industry… having the wherewithal to say ‘oh yeah, let’s get ahead of this so there’s not more damage done.’”
