Threat View from the Lens of Huntress Adversary Tactics: June 2026

Threats Seen in the SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

FortiBleed: Mass Fortigate Credential Dump

In June, FortiBleed hit ~74,000 internet-facing FortiGate firewalls across 194 countries. It’s not a new vulnerability: Fortinet says it involves reused credentials and brute-forcing weak, MFA-less devices (meaning there’s no CVE or patch, just working admin/VPN passwords). Huntress cross-referenced the listed IP addresses against their own data corpus and identified 845 partner organizations specifically impacted by this credential dump.

What’s notable is the methodology, which Huntress has unique telemetry into. Attackers:

  • Brute-forced credentials and cracked hashes with Hashcat on GPU infrastructure via vast[.]ai

  • Used access to harvest NTLM and Kerberos hashes from internal network traffic (via packet sniffing on the Fortigate device itself)

  • Persisted via a Telegram-based C2 bot

  • Created backdoor accounts: admin fgt_admin and SSLVPN user sslvpn

The Takeaway

Check for fgt_admin and sslvpn as potential IOCs, rotate all VPN credentials, and make sure management interfaces aren't publicly exposed.


Webshell Intrusion with Advanced Defense Evasion

In early June, our SOC identified a webshell infection notable not for its initial access method, but for the lengths the threat actor took to blind defenders once inside. After gaining a foothold, they:

  • Uninstalled an IIS Web Application Firewall module to remove visibility from the web server
  • Used Image File Execution Options, a Windows debugging mechanism, to blind Sysmon and stop it from logging process creation
  • Created WMI event consumers to automatically clear Windows Event Logs, wiping out forensic evidence
  • Layered in additional evasion and anti-forensic techniques throughout the intrusion
The Takeaway

Together, this represents a thoughtful, multi-layered attempt to defeat both real-time detection and post-incident investigation. This is worth understanding and testing your defenses against. Nice work by Mark O'Halloran on the investigation and subsequent blog!


Cloudflare Tunnel Persistence Survives Safe Mode

In late June, our SOC detected a threat actor using a Cloudflare Tunnel as a covert, persistent C2 channel across multiple customer environments, a technique we're seeing with growing frequency. Attackers modified the SafeBoot registry key so the tunnel would keep running even if the endpoint booted into Safe Mode, a Windows diagnostic startup mode that loads only essential drivers and services, letting users troubleshoot problems that prevent the system from running normally.

In a representative incident, here’s what the attack chain looked like:

  • Initial access via RDP using compromised credentials

  • Cloudflare binary deployed, disguised as WindowsUpdate.exe under AppData\Local\Microsoft\WindowsUpdate\ – and configured with config.yml to establish persistent, encrypted remote access

  • Installed as a Windows service, and modified the SafeBoot registry key under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Cloudflared to sidestep security detection

The Takeaway

The SafeBoot key modification is underused but effective. Most defenders watch standard autorun locations and don't account for Safe Mode as an attacker escape hatch.

Tactical Response

Our Tactical Response team was developed as a separate function within our SOC for deep dives into intrusions and to answer partners’ questions outside the scope of 24x7 SOC operations. It helps bridge the gap between the SOC and when formal incident response is required. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

FortiClient EMS CVE-2026-35616 — MSP and Hospital Compromised

This month the Tactical Response team identified threat actors exploiting CVE-2026-35616, a vulnerability in Fortinet's FortiClient EMS, across at least two customer environments — including an MSP and a downstream hospital customer. CVE-2026-35616 is a critical improper access control flaw that could allow unauthenticated attackers to execute arbitrary code. The flaw was disclosed and patched in April, and since then other researchers have found exploitation activity. For this specific exploitation activity, which was found via a retrospective threat hunt, the tradecraft was clean: the actor deployed a malicious copy of SimpleHelp RMM for persistent remote access and to avoid noisy lateral movement.

The Takeaway

FortiClient EMS has now become a reliable initial access vector. Companies running FortiClient EMS should treat it as a priority patch target and verify it is not exposed directly to the internet.

Threats Around the World

Microsoft's Record-Breaking June Patch Tuesday

June's Patch Tuesday was the largest in Microsoft's history — 200 vulnerabilities, including 33 critical flaws and six zero days. The most urgent: CVE-2026-41091, an actively exploited Microsoft Defender privilege escalation flaw, and CVE-2026-45657, a wormable Windows Kernel RCE (CVSS 9.8) requiring no authentication or user interaction. A BitLocker bypass and an HTTP.sys denial-of-service bug rounded out the zero-day slate. Patch immediately, especially CVE-2026-45657.


ShinyHunters Exploits Oracle PeopleSoft to Hit 100+ Organizations

The ShinyHunters threat group exploited CVE-2026-35273, a critical unauthenticated RCE in Oracle PeopleSoft Enterprise PeopleTools, to compromise more than 100 organizations between May 27 and June 9. Nearly 70% of victims were higher education institutions. Stolen data included student names, addresses, Social Security numbers, GPAs, and enrollment records. Oracle published its advisory the same day exploitation went public, leaving a zero-day window with no advance warning.


Check Point VPN Authentication Bypass Exploited in the Wild (CVE-2026-50751)

Check Point disclosed CVE-2026-50751 on June 8. This is a critical (CVSS 9.3) authentication bypass in its Remote Access VPN affecting deployments using the deprecated IKEv1 protocol. Exploitation was observed as early as May 7, with dozens of organizations targeted. At least one incident was linked to a Qilin ransomware affiliate. CISA added it to the KEV catalog the following day. Organizations using legacy IKEv1 configurations should patch immediately.

Rapid Responses

At Huntress, we spin up “Rapid Responses” when there is a vulnerability or threat being used by attackers to escalate the deployment of malware at scale. When we hear about a potential vulnerability, the Adversary Tactics team works across Huntress to figure out the potential impact, update our customers, and provide documentation for the security community. Here is one incident we handled in the last month:

Password Spray Campaign

Huntress has been tracking an automated password spray campaign originating from infrastructure controlled by LSHIY LLC (AS32167). Attackers made 81 million login attempts against Microsoft 365 environments, compromising 78 accounts across 64 organizations over the course of two weeks in June.

The campaign abused the deprecated OAuth ROPC flow to bypass MFA entirely — 15 of 23 businesses hit on June 22 alone had MFA enabled but misconfigured. Attacks ceased after Huntress contacted LSHIY, which suspended the responsible user.

The Takeaway

Conditional Access Policies must cover All Users, All Cloud Apps, and All Client App types — not just select apps or groups. Read the full blog here.

Relevant Product Updates

While not a direct product of the Adversary Tactics team, we’d like to highlight some killer new capabilities that our partners in Product Research and Product have released to help mess up attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

Check out this month's Product Lab, where Huntress co-founders Chris Bisnett and Kyle Hanslovan dug into Shadow AI discovery, Reflexive Threat Intelligence in ITDR, new SIEM brute force detections, and custom HTML phishing scenarios — plus a remastered OSINT simulation and a brand-new Info Sec 2 episode in SAT.

June 2026 Product Lab

Managed EDR

  • macOS auto-ejects deceptive installers: When Huntress detects that a mounted DMG is a deceptive installer, the Huntress Agent now automatically ejects the volume before the bundled payload can launch — stopping infostealers in their tracks.
  • macOS Gatekeeper override detection: The Huntress Agent for macOS now detects when a user bypasses Apple's Gatekeeper protections to open a quarantined or unsigned file — closing a critical visibility gap in how infostealers get executed. Available for macOS 14 and later.
  • Redesigned Managed Antivirus dashboard: The redesigned dashboard puts recent Defender activity, noisiest orgs, and busiest endpoints front and center — with a new AV Events view, top agent surfacing, and recently installed agent compliance tab.

Managed ITDR

  • Enhanced Detections in ITDR for Google Workspace (GWS): Identity attacks don't stop at Microsoft. For those running GWS, you likely face session hijacking and credential theft attempts daily. That’s why we’re excited to announce enhanced ITDR detections in GWS. Building out our GWS solution, we now detect credential theft, which flags account takeover patterns including phishing-harvested credentials, password spray attempts, and anomalous login behaviors, as well as session hijacking, which identifies stolen or forged session tokens used to bypass MFA and gain unauthorized access to GWS accounts without credentials. These detections are our latest step in bringing our GWS solution up to parity with our Microsoft 365 offering. Check out Understanding the Differences Between ITDR for Microsoft 365 and ITDR for Google Workspace to learn more.

Managed ISPM

  • Managed ISPM General Availability (GA): Managed ISPM, Huntress' fully managed solution for continuously hardening Microsoft 365 environments, reached GA on July 1. Read this blog post from Aimee Simpson and Scott Riley to learn more about ISPM and how it helps organizations define the gold standard for M365 identity security, deploy the right controls, and keep them enforced over time.

Managed SIEM

  • macOS log collection is now available in Managed SIEM: Teams can now collect and query logs across Windows, Linux, and macOS from a single platform, giving broader visibility across the operating systems attackers move through.
  • Okta is now a supported log source in Managed SIEM: This new functionality comes with built-in SOC detections covering credential attacks, MFA bypass and fatigue, privilege escalation, and account takeover for organizations using Okta as their IdP or SSO provider.
  • Azure Government (GCC High) is now a supported log source in Managed SIEM: Organizations operating in US Government cloud environments can now connect their Azure log sources to Managed SIEM, extending the same SOC-backed visibility and detection coverage to GCC High tenants.
  • AI-powered search is now available in Managed SIEM: Type your search in plain English and Managed SIEM will build the query for you — no ESQL knowledge required. Click the ESQL button to see exactly what the query looks like under the hood, and save or schedule it as a recurring alert anytime.

Managed SAT

  • Managed SAT admin activity is now visible in SIEM: Audit logs from the SAT interface can be reviewed and queried directly from the Huntress portal, giving partners a unified place to track administrative actions alongside security telemetry.

  • SCORM export support is now generally available: Partners who want to deliver SAT content through their own Learning Management System can download SCORM 1.2 compatible files directly from the portal.

  • A new PDF summary report is available for SAT Assignments: Designed for boards, auditors, and compliance teams, the exportable report includes episode details, learner completion status with scores, and a full list of non-completers. Works across both individual company and multi-tenant assignments.

  • OSINT 2 simulation is now Generally Available: A fresh take on the OSINT simulation experience, letting learners step through what it looks like to use open-source intelligence to compromise a target account. Available to opt into from the learner dashboard.

  • Localized Managed Phishing for Canada: Canadian learners enrolled in Managed Phishing will now receive English-language phishing simulations built around familiar brands and scenarios, like Tim Hortons and Interac.

  • New Deepfake Phishing Scenarios: Our new Deepfake Phishing scenario compromised over 1,000 learners in just the first week of being available on Managed Phishing. That means that one third of learners who clicked the link to join a fake meeting took it a step further and clicked "download driver" to compromise themselves. This is a new tactic we’re observing in the wild where attackers send users a fake meeting invite, which brings them to a legitimate-looking video conference (complete with deepfake attendees), and deploys malware under the guise of a mandatory app or driver update. You can try it out for yourself here.

Highlights

Tradecraft Tuesday

During this month’s Tradecraft Tuesday, Huntress Principal Product Researchers Jenko Hwong and Dave Kleinatland broke down the rise of device code phishing, which is an attack that abuses Microsoft’s OAuth 2.0 device authorization flow to steal valid authentication tokens and skirt around multi-factor authentication (MFA) protections. In particular, modern phishing-as-a-service (PhaaS) platforms like EvilTokens and Kali365 have been leading to more device code phishing, and Hwong and Kleinatland talked about the steps organizations can take to defend against this type of attack. Check out our recap blog to learn more.

The June Tradecraft Tuesday episode was focused on device code phishing and other identity woes


Notable External Media

Congrats to Andrew Schwartz for his CVE recognition by Microsoft! Andrew was credited for two Windows Kerberos denial-of-service flaws (CVE-2026-42914 and CVE-2026-42903).