Threat View from the Lens of Huntress Adversary Tactics: March 2026

Welcome to the Adversary Tactics newsletter, your information source for the emerging threats we’re tracking at Huntress and around the world. Let’s work together to wreck hackers who relentlessly target the most vulnerable community: our customers, partners, and their customers. Be safe. Be vigilant. But first, stay informed!

Threats Seen in the SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

Wading Through a (Muddy)Water Attack

In March, Huntress peeled back an Iranian-linked intrusion (tracked as MuddyWater) within an Israeli network. The attackers gained entry via RDP and used DLL side-loading: they got a legitimate, signed executable (FMAPP.exe) to load a DLL carrying malicious code from the same directory. In a twist, analysts saw the hackers fumbling commands in real time and struggling with their command-and-control (C2) server. It’s a detailed look at capable tradecraft undercut by rocky hands-on-keyboard execution. Read the full analysis here.

The timeline of activities developed from detection data

The Takeaway

Security teams should monitor and correlate routine-looking RDP logins, use of the built-in Windows OpenSSH client, and signed binaries like FMAPP.exe loading DLLs from outside their expected install locations to quickly surface MuddyWater-style intrusions.


INC Ransomware and Limited Visibility

Huntress analysts traced a recent INC ransomware incident back to something many orgs overlook: incomplete visibility. In a customer environment with no SIEM and only partial agent coverage, the threat actor mapped a network share, used PsExec for privilege escalation, then scheduled a PowerShell script that quietly configured Restic (renamed winupdate.exe) to exfiltrate data. They disabled existing security tools, turned off Defender, and finally pulled the trigger on encryption. Correlated activity from a nearly identical February case helped expose the attacker’s shared backup infrastructure and tradecraft. Read more in this blog post.

The Takeaway

For security teams, this case is a stark example of how incomplete endpoint and SIEM coverage creates blind spots that let ransomware actors quietly stage and exfiltrate data with legitimate backup tools and LOLBins.
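Both cases above come down to two checks a SOC can run against endpoint telemetry: a binary whose on-disk name does not match the OriginalFileName compiled into its PE version resource (Restic renamed to winupdate.exe), and a signed executable loading an unsigned DLL from its own, non-system directory (FMAPP.exe). The following is an added example written for this newsletter, not Huntress code or detection content from either blog post. The events are constructed and normalized (loosely modelled on Sysmon Event ID 7 image-load fields); every path, PID and the "payload.dll" name are placeholders, not indicators.

```python
"""Two detections over constructed image-load telemetry: renamed binaries and
DLL side-loading. Field names are a normalized shape chosen for this example,
loosely modelled on Sysmon ImageLoad (Image, ImageLoaded, OriginalFileName,
Signed); the records below are invented, not real telemetry."""
import ntpath

# Constructed sample events. The process's own executable appears as an
# image-load record (image_loaded == image), which is what carries the
# OriginalFileName and signature state of the loader.
EVENTS = [
    # Restic renamed to winupdate.exe: on-disk name != PE OriginalFileName.
    {"pid": 4100, "image": r"C:\ProgramData\winupdate.exe",
     "image_loaded": r"C:\ProgramData\winupdate.exe",
     "original_filename": "restic.exe", "signed": False},
    # Benign: svchost.exe loading a signed system DLL.
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\svchost.exe",
     "original_filename": "svchost.exe", "signed": True},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\rpcss.dll",
     "original_filename": "rpcss.dll", "signed": True},
    # Side-load: signed FMAPP.exe staged in a user-writable directory loads
    # an unsigned DLL dropped beside it ("payload.dll" is a placeholder name).
    {"pid": 5200, "image": r"C:\Users\Public\Audio\FMAPP.exe",
     "image_loaded": r"C:\Users\Public\Audio\FMAPP.exe",
     "original_filename": "FMAPP.exe", "signed": True},
    {"pid": 5200, "image": r"C:\Users\Public\Audio\FMAPP.exe",
     "image_loaded": r"C:\Users\Public\Audio\payload.dll",
     "original_filename": "payload.dll", "signed": False},
    # Benign: a signed application loading its own signed helper DLL.
    {"pid": 6000, "image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Program Files\Vendor\app.exe",
     "original_filename": "app.exe", "signed": True},
    {"pid": 6000, "image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Program Files\Vendor\helper.dll",
     "original_filename": "helper.dll", "signed": True},
]


def _under_windows(directory):
    """True when a lower-cased directory is C:\\Windows or anything below it."""
    return directory == r"c:\windows" or directory.startswith("c:\\windows\\")


def renamed_binaries(events):
    """Flag executables whose on-disk file name differs from the PE
    OriginalFileName, e.g. a backup tool renamed to look like an updater.
    Only the process's own image (image_loaded == image) is considered."""
    hits = []
    for e in events:
        if e["image_loaded"].lower() != e["image"].lower():
            continue  # a DLL load, not the main executable
        on_disk = ntpath.basename(e["image"]).lower()
        original = e["original_filename"].lower()
        if original and original != on_disk:
            hits.append((e["image"], e["original_filename"]))
    return hits


def sideload_candidates(events):
    """Flag a signed executable that loads an unsigned DLL from its own
    directory when that directory is outside C:\\Windows. Side-loading abuses
    the loader's search order, so the planted DLL sits beside the binary."""
    loader_signed = {}
    for e in events:
        if e["image_loaded"].lower() == e["image"].lower():
            loader_signed[e["pid"]] = e["signed"]
    hits = []
    for e in events:
        loaded = e["image_loaded"]
        if not loaded.lower().endswith(".dll") or e["signed"]:
            continue
        exe_dir = ntpath.dirname(e["image"]).lower()
        if exe_dir != ntpath.dirname(loaded).lower() or _under_windows(exe_dir):
            continue
        if loader_signed.get(e["pid"]) is True:
            hits.append((e["image"], loaded))
    return hits


if __name__ == "__main__":
    for image, original in renamed_binaries(EVENTS):
        print(f"RENAMED  {image} (OriginalFileName={original})")
    for image, dll in sideload_candidates(EVENTS):
        print(f"SIDELOAD {image} loaded unsigned {dll}")
```

The renamed-binary rule is cheap and catches more than Restic: any PsExec, rclone or archiver copied under a new name trips it, since attackers rarely rebuild the version resource. The side-load rule is a heuristic and will need an allowlist for legitimately unsigned plugins in real environments.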

Tactical Response

Our Hunting & Tactical Response team was developed as a separate function within our SOC for deep dives into intrusions and to answer partners’ questions outside the scope of 24x7 SOC operations. It meets the “sweet spot” between a standard MDR offering and a more intensive and formal Incident Response. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

Tax Forms, Fake Ads, Real Kernel Panic

Tax season is here, and the tax-themed lures are already pouring in. A massive malvertising campaign was found hijacking W-2/W-9 searches, dropping rogue ScreenConnect instances, stacking multiple RMMs, and then abusing a previously undocumented Huawei audio driver to kill Defender, Kaspersky, and SentinelOne processes from kernel mode. Anna Pham, senior hunt and response analyst, detailed the attack in a blog post.

Rogue ScreenConnect delivery page

The Takeaway

Treat tax-form Google Ads, trial ScreenConnect relays, and unapproved RMMs with suspicion. Hunt in C:\Windows\SystemTemp\ScreenConnect\ for unsigned or unknown binaries.


RMM Abuse: When ‘Remote Help’ Becomes Initial Access

Attackers aren’t just “hacking in” – they’re installing your tools. A recent blog post by Chad Hudson, senior hunt and response analyst, looked at a campaign where low-skill crews daisy-chained legit RMM and deployment platforms (SimpleHelp, HeartbeatRM, ScreenConnect, etc.) behind Social Security and invite-themed lures, brute-forced MSI downloads from GitHub, and even tested Huntress itself to tune their playbooks.

The Takeaway

RMM abuse is up 277% and now fuels everything from infostealers to credential raids. As Chad said in his blog, “RMM abuse isn’t really a tooling problem; it’s a trust problem.”


From Jai Minton (manager, hunt and response) and Ryan Dowd (principal security operations center analyst): A new blog post broke down an incident where fake OpenClaw installers on GitHub rode AI-powered Bing search straight onto victims’ machines, dropping Vidar / PureLogs infostealers, a new Stealth Packer, and GhostSocks to turn endpoints into residential proxies for MFA-busting fraud and follow-on attacks across Windows and macOS.

The Takeaway

As new technologies emerge, threat actors are targeting technical users with administrative privileges. It’s important to educate these high-risk employees on identifying malicious installers and understanding tech-related risks.


Tech Support on the Line, Havoc in Your Network

Fake “IT support” calls aren’t just after your gift cards anymore: they’re using fake Outlook Antispam Control Panels, DLL sideloading, and more to deploy Havoc, an open-source post-exploitation command-and-control (C2) framework. It’s social engineering up front, network compromise out back, with RMM abuse as the safety net. This blog post by Anna Pham, Michael Tigges (senior hunt and response analyst) and Bryan Masters (senior hunt and response analyst) dissected the campaign.

Intrusion chain

The Takeaway

Lock down RMM usage, hunt for DLL sideloading and use security awareness training.

Threats Around the World

TeamPCP’s Supply Chain Spree

TeamPCP is running a developer-side crime spree. After slipping into security tools like Trivy via tampered GitHub Actions tags and booby-trapping NPM and Docker Hub, they moved on to PyPI with backdoored Telnyx releases. Those two “updates” (4.87.1, 4.87.2) quietly pulled a credential-stealing payload hidden in a WAV file, then ran it in memory on Windows, macOS, and Linux as soon as you imported the package.

The result: instant, high-trust access to CI/CD and dev laptops, perfect for ripping out secrets and pivoting into dozens of orgs at once—no zero-day required.
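The tampered-tag technique works because a `uses: owner/action@v4` reference follows whatever commit the tag currently points at, and tags can be moved. The defense is to pin third-party actions to a full commit SHA. The script below is an added example for this newsletter, not Huntress tooling and not part of any Trivy advisory; it scans workflow YAML for `uses:` references and reports anything not pinned to an immutable ref. The sample workflow is constructed, and the 40-hex SHA in it is a placeholder, not a real commit.

```python
"""Report GitHub Actions `uses:` references that point at a mutable tag or
branch instead of a full commit SHA. Constructed sample workflow below."""
import re

# `uses:` appears as a job step ("- uses:") or a job-level reusable workflow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

SAMPLE_WORKFLOW = """\
# Constructed workflow for the example; the commit SHA below is a placeholder.
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
  release:
    uses: org/repo/.github/workflows/release.yml@main
"""


def unpinned_actions(workflow_yaml):
    """Return (reference, reason) for every `uses:` whose ref is not an
    immutable 40-hex commit SHA. Local actions (./path) ship with the repo
    and are skipped; docker:// images must be pinned by digest instead."""
    findings = []
    for ref in USES_RE.findall(workflow_yaml):
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((ref, "docker image not pinned by digest"))
            continue
        action, _, version = ref.partition("@")
        if not version:
            findings.append((ref, "no ref (resolves to the default branch)"))
        elif not FULL_SHA_RE.match(version):
            findings.append((ref, f"mutable ref '{version}'"))
    return findings


if __name__ == "__main__":
    for ref, reason in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"{ref}: {reason}")
```

Pinning to a SHA does not protect against a compromised maintainer pushing a malicious commit and retagging; it protects against exactly what the text describes, a tag silently repointed after you reviewed it. Keep the human-readable version in a trailing comment so dependency bots can still track updates.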


iOS Exploit Kit Concerns

Russian APT TA446/Star Blizzard is now using the leaked DarkSword iOS exploit kit in targeted spear-phishing campaigns, sending Atlantic Council–themed emails that drive iPhone users through DarkSword to deploy GHOSTBLADE and related tooling for data theft and intelligence collection. In parallel, the Coruna exploit kit—an evolution of the 2023 Operation Triangulation framework—is being used in web-based attacks against iOS 13–17.2.1, triggered simply by visiting compromised sites. Apple has responded with Lock Screen “Critical Software” alerts urging users on older iOS/iPadOS versions to update immediately to reduce exposure.

Relevant Product Updates

While not a direct product of the Adversary Tactics team, we’d like to highlight some killer new capabilities that our partners in Product Research and Product have released to help mess up attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

Check out this month’s Product Lab, where Huntress CEO Kyle Hanslovan and CTO Chris Bisnett tuned in live from RSA to talk about product updates, upcoming features, and the vibes from the conference this year.

March 2026 Product Lab

Managed EDR

Attack Disruption: The Managed EDR agent can now interfere with attackers as they move in real time. By automatically terminating malicious processes, we disrupt the attacker’s playbook, forcing them to adapt on the fly and giving our SOC analysts precious minutes to respond and contain the threat. See how Attack Disruption prevented ransomware in this blog.

Defender & Process Insight exclusions tightened: You can now bulk-approve and set Microsoft Defender exclusions to last indefinitely, while new Process Insight exclusions can no longer be created self-service—partners will work directly with Huntress if performance issues arise, preserving critical EDR visibility.

Vulnerable Driver Detection: Vulnerable Drivers (aka: Bring Your Own Vulnerable Driver, BYOVD) are the foundations of most EDR Killers. Attackers use vulnerable drivers to escalate their privileges on a system with the ultimate goal of disabling security products to carry out their attacks unimpeded. Managed EDR detects when vulnerable drivers are loaded on a system so we can take action before the attackers do.


Managed ITDR

Managed ITDR for Google Workspace Now Live: We’re excited to announce that we’ve released Managed ITDR for Google Workspace (GWS)! This is a huge moment for Huntress. Identity attacks aren’t just a Microsoft problem - attackers go wherever identities live. And now, we meet them there. With Managed ITDR for GWS, we’re bringing the same outcomes our partners and customers already trust us for - real detection, real response, human-led - into Google Workspace environments. Read more about Managed ITDR for GWS in our new blog, Huntress Managed ITDR for Google Workspace: Defending the New Identity Attack Surface.

BEC is now an identity problem in Google Workspace: In a new blog, Erin Meyers and Jenko Hwong break down how business email compromise in Google Workspace has evolved from simple invoice scams into multi-stage identity abuse, where attackers steal credentials or tokens, abuse OAuth, hide alerts with mailbox rules, and pivot into other SaaS apps via password resets and MFA emails. The upshot is that BEC is now an ITDR challenge that demands identity-centric detection of auth behavior, OAuth consent, mailbox changes, and cross-SaaS activity, not just traditional email content filtering.


Managed SIEM

This month in Managed SIEM, an AWS CloudTrail log source was released with an improved onboarding workflow. The Source Management -> Categories page now shows an icon for each log source type, with a link to the appropriate support configuration guide. Finally, the Huntress Linux agent now supports Syslog collection for Managed SIEM.


Managed SAT

Report Phishing plug-ins now upload complete messages via API, sending reported phishing emails as full message attachments with all headers preserved and including the learner as a recipient to give admins richer context for investigation.

A new Smishing Threat Simulation puts learners in the driver’s seat with Joey Broke, using AI to craft realistic SMS phishing attacks and spotlight just how cheap and easy it is for attackers to launch convincing smishing campaigns at scale.

Smishing threat simulation episode artwork

Rapid Responses

At Huntress, we spin up “Rapid Responses” when there is a vulnerability or threat being used by attackers to escalate the deployment of malware at scale. When we hear about a potential vulnerability, the Adversary Tactics team works across Huntress to figure out the potential impact, update our customers, and provide documentation for the security community. Here are two incidents we handled in the last month:

Supply-Chain Compromise of axios npm Package

A sophisticated supply chain attack hit the axios npm package, which has over 100 million weekly downloads. Attackers hijacked a maintainer’s account to publish malicious versions (1.14.1 and 0.30.4) containing a hidden dependency, plain-crypto-js. This dependency executed a silent script during installation, deploying a cross-platform Remote Access Trojan (RAT) to steal credentials from Windows, macOS, and Linux systems.

Huntress EDR detecting the execution of this attack chain

Huntress detected the first infections 89 seconds after the malicious package went live. Our team provided critical remediation steps—including rotating all environment creds and auditing lockfiles—to help teams recover from the compromise. Check out the full blog post about the attack here.
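"Auditing lockfiles" means checking what actually resolved, not what package.json or requirements.txt requested, because a caret range like ^1.14.0 is what pulled 1.14.1 in. The following is an added example written for this newsletter, not Huntress remediation tooling and not code from either blog post. It walks a lockfileVersion 2/3 package-lock.json and a requirements.txt for the package names and versions the text above identifies (axios 1.14.1 and 0.30.4, the plain-crypto-js dependency, and telnyx 4.87.1 and 4.87.2). The manifests below are constructed; the plain-crypto-js version string in the sample is a placeholder.

```python
"""Audit dependency manifests for the compromised versions named in the text.
COMPROMISED / UNEXPECTED_NPM come from the newsletter; the sample lockfile and
requirements content are constructed for this example."""
import json
import re

# Package -> versions the text identifies as backdoored.
COMPROMISED = {
    "npm": {"axios": {"1.14.1", "0.30.4"}},
    "pypi": {"telnyx": {"4.87.1", "4.87.2"}},
}
# Should not appear at all: the malicious axios versions pulled it in.
UNEXPECTED_NPM = {"plain-crypto-js"}

# PEP 508-ish pinned requirement: "Name == 1.2.3", ignoring markers/comments.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "*"}},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},  # placeholder
        "node_modules/follow-redirects": {"version": "1.15.6"},
        # Nested copy under another package: a different, unaffected version.
        "node_modules/legacy-lib/node_modules/axios": {"version": "0.28.1"},
    },
})

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.32.3
Telnyx == 4.87.2
numpy>=1.26
"""


def audit_package_lock(lock_text):
    """Check every resolved npm package, including nested copies, against
    COMPROMISED and UNEXPECTED_NPM. Returns (name, version, reason)."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if version in COMPROMISED["npm"].get(name, set()):
            findings.append((name, version, "compromised version"))
        if name in UNEXPECTED_NPM:
            findings.append((name, version, "unexpected dependency"))
    return findings


def audit_requirements(req_text):
    """Check exact pins in a requirements file, normalizing names the way
    PyPI does (case-insensitive, runs of -_. collapse to '-')."""
    findings = []
    for line in req_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        version = m.group(2)
        if version in COMPROMISED["pypi"].get(name, set()):
            findings.append((name, version, "compromised version"))
    return findings


if __name__ == "__main__":
    for hit in audit_package_lock(SAMPLE_PACKAGE_LOCK) + audit_requirements(SAMPLE_REQUIREMENTS):
        print("%-16s %-8s %s" % hit)
```

A hit on the lockfile is only the start: the install script has already run on every machine and CI runner that installed it, so the other half of the remediation the text names, rotating every credential those environments could reach, has to follow regardless of what the audit finds afterwards.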


Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure

In March, a Huntress investigation revealed that threat actors were abusing Railway.com’s PaaS to run a large-scale Microsoft 365 device code phishing and token replay campaign, targeting 344 organizations across five countries. In the Rapid Response, authors Dave Kleinatland, Jamie Levy, Rich Mozeleski, and Erin Meyers analyzed the Railway/EvilTokens infrastructure, documented how the phishing and token theft work, and described how Huntress blocked Railway IP ranges for eligible tenants.

Code phishing in action

Check out the full Rapid Response blog here, which includes detection queries, IoCs, and hardening guidance so teams can hunt for activity and tighten M365 controls.
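Device code phishing leaves two things in Entra ID sign-in logs worth alerting on: a sign-in whose authentication protocol is the device code flow at all (rare in most tenants), and, if the victim completed it, later non-interactive sign-ins for that user from infrastructure the user has never used, which is the token replay. The detection below is an added example written for this newsletter, not the queries from the Huntress Rapid Response. It runs over constructed records shaped like Microsoft Graph signIn objects (userPrincipalName, createdDateTime, ipAddress, appDisplayName, authenticationProtocol, isInteractive, status.errorCode); the users, timestamps, app name and IPs (RFC 5737 documentation ranges) are invented. The 24-hour window and the "IPs seen before the device code sign-in" baseline are tuning choices made for the example, not thresholds from the blog.

```python
"""Flag device code flow sign-ins and subsequent token replay from unseen
IPs, over constructed Entra ID sign-in records (Graph signIn field names)."""
from datetime import datetime, timedelta

# Constructed sample sign-ins. IPs are RFC 5737 documentation addresses.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-10T09:00:00Z",
     "ipAddress": "203.0.113.10", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "isInteractive": True, "status": {"errorCode": 0}},
    # Failed attempt: no token was issued, so it is ignored.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-10T09:38:00Z",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "isInteractive": True, "status": {"errorCode": 50126}},
    # Victim completes the device code prompt from the phishing lure.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-10T09:40:00Z",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "isInteractive": True, "status": {"errorCode": 0}},
    # Attacker redeems the refresh token from the same infrastructure.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-10T09:55:00Z",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "isInteractive": False, "status": {"errorCode": 0}},
    # Unrelated user with ordinary activity.
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-10T10:00:00Z",
     "ipAddress": "203.0.113.22", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "isInteractive": True, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-10T10:05:00Z",
     "ipAddress": "203.0.113.22", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "isInteractive": False, "status": {"errorCode": 0}},
]


def parse_ts(value):
    """Graph timestamps end in 'Z'; make them timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_device_code_abuse(signins, window=timedelta(hours=24)):
    """Per user, in time order: report every successful device code sign-in,
    then any non-interactive sign-in within `window` of it from an IP that
    user had not used before the device code event (likely token replay).
    Returns (upn, finding, ipAddress, appDisplayName) tuples."""
    by_user = {}
    for s in sorted(signins, key=lambda s: parse_ts(s["createdDateTime"])):
        by_user.setdefault(s["userPrincipalName"].lower(), []).append(s)

    findings = []
    for upn, events in by_user.items():
        known_ips = set()
        device_code_at = None
        for e in events:
            if e.get("status", {}).get("errorCode", 0) != 0:
                continue  # failed sign-in, no token issued
            ts = parse_ts(e["createdDateTime"])
            if e.get("authenticationProtocol") == "deviceCode":
                device_code_at = ts
                findings.append((upn, "device code sign-in", e["ipAddress"], e["appDisplayName"]))
                continue  # do not treat the lure's IP as known-good
            replay = (device_code_at is not None
                      and ts - device_code_at <= window
                      and not e.get("isInteractive", True)
                      and e["ipAddress"] not in known_ips)
            if replay:
                findings.append((upn, "possible token replay", e["ipAddress"], e["appDisplayName"]))
                continue
            known_ips.add(e["ipAddress"])
    return findings


if __name__ == "__main__":
    for upn, finding, ip, app in detect_device_code_abuse(SAMPLE_SIGNINS):
        print(f"{upn}: {finding} from {ip} via {app}")
```

The replay heuristic is deliberately narrow (non-interactive, new IP, short window); refresh tokens live far longer than a day, so in production the window should be widened and the baseline fed from weeks of history. On the hardening side, Entra Conditional Access can target the device code flow directly through its authentication flows condition, which turns this from a detection into a block for tenants that never legitimately use the flow.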

Highlights

Tradecraft Tuesday: Looking Back (And Forward) at Phishing Tactics

During the March 2026 Tradecraft Tuesday, Huntress researchers Greg Linares, Casey Smith, and Truman Kain presented “2026 Cyber Threat Report: Year in Review,” unpacking the latest findings from the Huntress 2026 Cyber Threat Report. The webinar covered evolving ransomware tradecraft, ClickFix-style social engineering, and rising identity-based threats like AiTM phishing, BEC and device code abuse, before closing with practical detection and defense takeaways tailored to the environments Huntress protects.

March Tradecraft Tuesday

You can check out the full webinar here - and here is the link to the Huntress 2026 Cyber Threat Report so you can follow along.


The Newest _declassified Episode

In the premiere episode of _declassified, we ripped the hoodie off the lone-wolf hacker myth and showed cybercrime for what it is: a global business. John Hammond and Jim Browning took viewers inside real scam call centers—with HR, training, IT, and QA—masquerading as tech support, banks, carriers, and utilities while raking in millions. Using live CCTV and call audio, they showed scammers working scripted funnels and KPIs, then dug into how generative AI was already supercharging scams. Read the recap here! 

John Hammond and Jim Browning talk about scam call centers

Looking ahead: On May 20, Huntress Principal Product Researcher Truman Kain and a special guest will break down how overlooked security obligations fuel cybercriminals and cost you later. Sign up here!
