Threat View from the Lens of Huntress Adversary Tactics: November 2025

Threats Seen in the SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

A Velociraptor DFIR tool uptick

In November, we saw threat actors exploiting a recently patched remote code execution vulnerability in Windows Server Update Services (WSUS). After exploiting CVE-2025-59287, threat actors then installed Velociraptor, a legitimate, open-source tool, used for command and control (C2) of the compromised endpoint. Props to Ben Folland with the SOC team for his investigation into the incident!

Velociraptor is a digital forensics and incident response (DFIR) tool that enables teams to quickly collect and analyze artifacts from across a network, giving them a better understanding of security incidents. Threat actors have been abusing Velociraptor to set up communications with C2 servers.

After the threat actor installed Velociraptor, we saw a number of Base64-encoded PowerShell commands, which were child processes of Velociraptor.exe. These commands launched a series of discovery queries, helping the threat actor gather information about users, running services, configurations, and more.

EDR signals showing the threat actor installing an MSI package, running Velociraptor, and performing discovery commands
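The pattern above (PowerShell spawned by Velociraptor.exe with a Base64 payload that turns out to be discovery) is easy to triage automatically once the payload is decoded. The following is an added example written for this page, not Huntress code and not the incident's real telemetry: the process events are constructed, and the discovery keyword list is an illustrative subset.

```python
import base64
import ntpath
import re


def _ps_encode(script: str) -> str:
    """PowerShell's -EncodedCommand is Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed EDR process-creation events standing in for the telemetry described above.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -w hidden -EncodedCommand "
                + _ps_encode("whoami /all; net user; Get-Service")},
    {"pid": 4188,
     "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Date"'},
    {"pid": 5012,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + _ps_encode("Get-Date")},
]

# -EncodedCommand may be abbreviated to any unique prefix; -e, -ec and -enc are the
# forms most often seen in the wild.
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Illustrative discovery commands; extend to taste.
DISCOVERY_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bwhoami\b",
    r"\bnet\s+(?:user|group|localgroup|view)\b",
    r"\bsysteminfo\b", r"\bnltest\b", r"\bipconfig\b", r"\btasklist\b",
    r"\bquery\s+user\b",
    r"\bGet-(?:Service|Process|WmiObject|CimInstance|LocalUser|ADUser|NetTCPConnection)\b",
)]


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -EncodedCommand payload."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload; the caller falls back to the raw command line


def triage(events):
    """Flag PowerShell children of Velociraptor.exe and list any discovery commands they run."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev["parent_image"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent != "velociraptor.exe" or child not in ("powershell.exe", "pwsh.exe"):
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        script = decoded if decoded is not None else ev["cmdline"]
        hits = [m.group(0) for pat in DISCOVERY_PATTERNS for m in [pat.search(script)] if m]
        findings.append({"pid": ev["pid"], "encoded": decoded is not None,
                         "decoded": decoded, "discovery": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The third event (an encoded command under explorer.exe) is deliberately left out of the findings: the detection keys on the parent-child relationship, which is what makes the activity suspicious, rather than on encoded PowerShell alone, which is common in legitimate administration.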

The Takeaway

This isn’t the first incident involving misuse of Velociraptor; we first tracked threat actors abusing the tool in November 2024. In the past three months, however, there has been a significant uptick in incidents in which Velociraptor is used for remote access to the compromised endpoint. Learn more in our blog post about the incident.


Happy holidays! Here’s a (malicious) RMM

‘Tis the season for holiday phishing: threat actors are using Thanksgiving, Black Friday, and Christmas in their phishing attack lures this year.

On November 2, a user was tricked into executing a malicious process (Thanksgiving-iv.exe) from the directory C:\Users\REDACTED\Downloads\ on the impacted host. Further inspection revealed that this file is a rogue installer for GoTo Resolve RMM. The victim’s Firefox browser artifacts revealed that this installer was downloaded from the URL https[:]//pub-0e9274b4f4a74997bcafd5c5c778bf91[.]r2[.]dev/Thanksgiving-iv.exe. The malicious RMM then deployed a rogue ScreenConnect installer into the directory C:\Program Files (x86)\ScreenConnect Client (3bf4055180e70e5b), which was configured for the domain wilkensealsivc[.]shop.

During a retrospective threat hunt, our tactical response team found an incident on November 5 in which a user executed a malicious MSI file ([REDACTED]_Christmas_Punchbowl_invite.msi) from the directory C:\Users\REDACTED\Downloads\ on the impacted host. This resulted in the deployment of a ScreenConnect RMM client configured to use the domain vhagov[.]org for command and control.

Special thanks to Austin Worline and Jai Minton for flagging the incidents using the Thanksgiving and Christmas lures!
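Both incidents end with a ScreenConnect client pointed at an attacker-controlled relay, so one quick hunt is to enumerate installed ScreenConnect client services and compare the configured relay host against the relays your organization actually operates. The following is an added example written for this page, not Huntress code. It assumes that the ScreenConnect client service's ImagePath is the client executable followed by a quoted query string whose h= and p= parameters carry the relay host and port, and that the install folder name carries the per-instance ID in parentheses; the service entries and the approved relay are constructed, while the two hostile domains are the ones reported above.

```python
import re
from urllib.parse import parse_qs

# Constructed service entries (service name -> ImagePath) in the assumed layout.
SAMPLE_SERVICES = {
    "ScreenConnect Client (a1b2c3d4e5f60718)":
        r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f60718)\ScreenConnect.ClientService.exe" '
        r'"?e=Access&y=Guest&h=rmm.corp.example&p=443&s=00000000-0000-0000-0000-000000000001&k=MIIB..."',
    "ScreenConnect Client (3bf4055180e70e5b)":
        r'"C:\Program Files (x86)\ScreenConnect Client (3bf4055180e70e5b)\ScreenConnect.ClientService.exe" '
        r'"?e=Access&y=Guest&h=wilkensealsivc.shop&p=8041&s=00000000-0000-0000-0000-000000000002&k=MIIB..."',
    "ScreenConnect Client (9f8e7d6c5b4a3210)":
        r'"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a3210)\ScreenConnect.ClientService.exe" '
        r'"?e=Access&y=Guest&h=vhagov.org&p=8041&s=00000000-0000-0000-0000-000000000003&k=MIIB..."',
}

# Relay hosts your organization really operates (assumed for the example).
APPROVED_RELAYS = {"rmm.corp.example"}

QUERY_RE = re.compile(r'"\?(?P<query>[^"]*)"')
INSTANCE_RE = re.compile(r"ScreenConnect Client \(([0-9a-f]{16})\)")


def parse_image_path(image_path):
    """Return (instance_id, relay_host, relay_port) from a ScreenConnect client ImagePath."""
    q = QUERY_RE.search(image_path)
    params = parse_qs(q.group("query")) if q else {}
    inst = INSTANCE_RE.search(image_path)
    return (inst.group(1) if inst else None,
            params.get("h", [None])[0],
            params.get("p", [None])[0])


def audit_screenconnect(services, approved=APPROVED_RELAYS):
    """Classify every ScreenConnect client by whether its relay host is approved."""
    findings = []
    for name, image_path in services.items():
        inst, host, port = parse_image_path(image_path)
        if host is None:
            verdict = "unparsed"        # layout differs from the assumption; look manually
        elif host.lower() in approved:
            verdict = "approved"
        else:
            verdict = "ROGUE"
        findings.append({"service": name, "instance": inst, "relay": host,
                         "port": port, "verdict": verdict})
    return findings


def rogue_relays(services, approved=APPROVED_RELAYS):
    """Sorted list of relay hosts that are not on the approved list."""
    return sorted(f["relay"] for f in audit_screenconnect(services, approved)
                  if f["verdict"] == "ROGUE")


if __name__ == "__main__":
    for finding in audit_screenconnect(SAMPLE_SERVICES):
        print(finding)
```

On a live host the ImagePath values come from the services hive (HKLM\SYSTEM\CurrentControlSet\Services\<name>, value ImagePath) or from the PathName property of Win32_Service; feed those strings in as the dictionary values. The point of matching on the relay host rather than on the install path is that attackers deploy a perfectly genuine ScreenConnect client, so the only thing that distinguishes it from your own is where it phones home.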

The Takeaway

Threat actors are taking advantage of the holidays with seasonal lures. As always, be wary of urgent language, unanticipated requests, strange sender email addresses, and sketchy domains in emailed links.

Tactical Response

Our Hunting & Tactical Response team was developed as a separate function within our SOC for deep dives into intrusions and to answer partners’ questions outside the scope of 24x7 SOC operations. It meets the “sweet spot” between a standard MDR offering and a more intensive and formal Incident Response. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

Gootloader’s back, back again

Anna Pham, with our Hunting and Response team, documented and wrote an analysis about Gootloader, a popular malware loader that threat actors use to gain initial access. After a period of reduced activity, Gootloader operations briefly resurged in March 2025 before going quiet again, only to return recently with renewed activity. Since October 27, Huntress has seen three Gootloader infections, including two that led to hands-on-keyboard intrusions with domain controller compromise within 17 hours of initial infection. Here are a few unique tradecraft insights we’ve seen with Gootloader’s return:

  • Gootloader is now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames. This transforms gibberish characters in source code into legitimate-looking filenames when rendered in browsers.
  • Users were infected while searching for “missouri cover utility easement roadway” via Bing and visiting the first page that showed up in the results. Threat actors exploited WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file.
  • The infection operates through a well-established criminal partnership: Storm-0494 handles Gootloader operations and initial access, then hands off compromised environments to Vanilla Tempest for post-exploitation and ransomware deployment.
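The XOR-encrypted ZIP delivery described in the second bullet has a useful property for analysts: every ZIP begins with the local file header signature PK\x03\x04, so a short repeating XOR key can be recovered by known plaintext without the delivery site. The following is an added example written for this page, not Huntress code and not Gootloader's real loader; it assumes a repeating key of at most four bytes (the page does not state the real key length or format), and the sample archive and its key are constructed.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # every ZIP begins with a local file header signature


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, max_key_len: int = 4):
    """Known-plaintext recovery of a short repeating XOR key.

    The first k bytes of the key must be blob[i] ^ header[i]; a candidate length is
    accepted only if the whole decrypted buffer parses as a ZIP (central directory
    present), which rejects wrong lengths even when the leading bytes look right.
    Only len(ZIP_LOCAL_HEADER) bytes of plaintext are assumed, so max_key_len <= 4.
    """
    for k in range(1, min(max_key_len, len(ZIP_LOCAL_HEADER)) + 1):
        key = bytes(blob[i] ^ ZIP_LOCAL_HEADER[i] for i in range(k))
        candidate = xor_bytes(blob, key)
        if candidate.startswith(ZIP_LOCAL_HEADER) and zipfile.is_zipfile(io.BytesIO(candidate)):
            return key
    return None


def decrypt_payload(blob: bytes):
    """Return (key, member names) for an XOR-encrypted ZIP, or (None, []) if no key fits."""
    key = recover_key(blob)
    if key is None:
        return None, []
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as z:
        return key, z.namelist()


def build_sample(key: bytes) -> bytes:
    """Constructed sample: a ZIP holding a stand-in first-stage .js, XOR'd with a per-file key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("missouri cover utility easement roadway.js",
                   "// constructed stand-in for an obfuscated Gootloader first stage\n" * 40)
    return xor_bytes(buf.getvalue(), key)


SAMPLE_KEY = b"\x5a\x13\xc7"          # chosen for the example, not a real campaign key
SAMPLE_BLOB = build_sample(SAMPLE_KEY)


if __name__ == "__main__":
    key, names = decrypt_payload(SAMPLE_BLOB)
    print("key:", key.hex() if key else None, "members:", names)
```

For keys longer than four bytes the same approach works with a longer crib: the version, flags and compression-method fields that follow the signature are predictable for a deflated archive, and the end-of-central-directory record at the tail supplies another known block.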

New ClickFix techniques unearthed in infostealer attacks

The SOC team’s Ben Folland and Anna Pham recently came out with an in-depth blog post on a ClickFix campaign with several unique TTPs, including:

  • Both a standard ClickFix “Robot Verification” lure and a newer (more convincing) “Windows Update” page, which continue to rely on the traditional ClickFix technique of convincing the victim to manually open the Windows Run box to paste a malicious command.
  • The attack then uses steganography to conceal the final malware stages within an image. This involves deployment of the .NET steganographic loader, which extracts Donut-packed shellcode hidden inside the pixel data of PNG images.
  • The attack then delivers infostealer malware, including LummaC2 and Rhadamanthys.

The “human verification” ClickFix lure

We’ve seen several ClickFix variants over the past year. Organizations should train end-users to spot these ClickFix-lure tactics. In Ben and Anna’s blog, they also offered various mitigation strategies for businesses, like disabling the Run prompt via Registry changes or Group Policy.


Malware loader incidents

Retrospective threat hunts by the Tactical Response team uncovered several interesting incidents involving malware loaders. Here are a few examples:

  • A threat actor tried to execute the OysterLoader malware by disguising it as a Microsoft Teams installer, but failed miserably. On November 11, an employee came across a malicious ad, which led them to download the binary (MSTeamsSetup.exe) from the URL hxxps://teams-support-software[.]icu/. OysterLoader, a malware loader first seen in 2023, has commonly been used in malvertising campaigns. Ultimately, the execution was unsuccessful.
  • In another incident on November 4, an end-user executed a malicious process (ProCircuit.exe) that used DLL (Dynamic Link Library) sideloading to load and inject infostealer malware into NexusH128.exe. DLL sideloading is a detection evasion technique where threat actors take advantage of the way that Windows searches for and loads DLL files in order to dupe a program into loading a malicious DLL file.
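The DLL sideloading in the second incident is detectable from module-load telemetry: a process loading a DLL that normally lives in System32 from its own directory instead is the signature of the technique. The following is an added example written for this page, not Huntress code; the module-load events are constructed and the list of sideloading-prone DLLs is an illustrative subset. DLLs on the KnownDLLs list (kernel32.dll and friends) are deliberately absent, because Windows loads those from System32 regardless of search order.

```python
import ntpath

# DLLs that applications commonly import from System32 and that are therefore popular
# sideloading targets (illustrative subset, not an exhaustive list).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll",
               "wtsapi32.dll", "profapi.dll", "mpr.dll", "winmm.dll"}

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_under(path: str, prefixes) -> bool:
    """Case-insensitive check that a Windows path sits below one of the given directories."""
    p = path.lower()
    return any(p.startswith(pre + "\\") for pre in prefixes)


def sideload_candidates(module_loads):
    """Flag loads where a process picks up a system-named DLL from its own directory.

    Windows resolves an imported DLL by searching the application's directory before the
    system directories (for DLLs outside the KnownDLLs list), so a same-named DLL dropped
    next to a benign EXE is loaded in place of the real one.
    """
    findings = []
    for ev in module_loads:
        dll = ntpath.basename(ev["module"]).lower()
        if dll not in SYSTEM_DLLS or is_under(ev["module"], SYSTEM_DIRS):
            continue
        exe_dir = ntpath.dirname(ev["process"]).lower()
        dll_dir = ntpath.dirname(ev["module"]).lower()
        if exe_dir == dll_dir:
            findings.append({"process": ntpath.basename(ev["process"]),
                             "dll": dll, "dir": dll_dir})
    return findings


# Constructed module-load events (process image, loaded module), not the incident's telemetry.
SAMPLE_LOADS = [
    {"process": r"C:\Users\victim\Downloads\ProCircuit.exe",
     "module": r"C:\Users\victim\Downloads\version.dll"},
    {"process": r"C:\Users\victim\Downloads\ProCircuit.exe",
     "module": r"C:\Windows\System32\kernel32.dll"},
    {"process": r"C:\Windows\System32\notepad.exe",
     "module": r"C:\Windows\System32\version.dll"},
    {"process": r"C:\Program Files\Vendor\app.exe",
     "module": r"C:\Program Files\Vendor\vendorcore.dll"},
]


if __name__ == "__main__":
    for finding in sideload_candidates(SAMPLE_LOADS):
        print(finding)
```

The check is intentionally narrow (same directory, system-named DLL, user-writable location implied by not being under System32); a production rule would add signer mismatch between the EXE and the DLL, which is the other reliable tell.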

Threats Around the World

The Shai-Hulud npm worm is a self-propagating supply chain attack that abuses stolen developer credentials to compromise hundreds of packages in the npm registry, affecting major organizations like Postman and Zapier. The first version, seen in September 2025, ran from the package's postinstall lifecycle script, harvesting credentials such as GitHub PATs, npm tokens, and cloud API keys, exfiltrating them to attacker-controlled endpoints or public repositories, and propagating by injecting itself into other packages maintained by each victim. In the last week of November a new variant, Shai-Hulud 2, appeared; it runs from the preinstall script instead, for broader impact. It incorporates obfuscated JavaScript disguised as Bun installers, cross-platform support including Windows, and persistence via GitHub Actions backdoors, specifically self-hosted runners and workflows that allow code execution.

Key differences from the first version include destructive behavior on top of theft, such as wiping home directories upon failure, and more sophisticated exfiltration through cross-victim repositories, which has amplified the campaign's scale to over 700 packages and 25,000 malicious repositories so far.

New adaptations in the worm show increasing sophistication, including timing changes to evade detection, what appears to be AI-assisted obfuscation, multi-cloud SDK bundling for privilege escalation, and environment-aware execution in CI/CD pipelines. Indicators of Compromise (IoCs) include specific file hashes (e.g., SHA1 for bun_environment.js: d60ec97eea19fffb4809bc35b91033b52490ca11), artifacts like cloud.json and discussion.yaml, unexpected GitHub repos with "Sha1-Hulud" themes, and domains such as webhook.site. As of November 26, 2025, the activity persists despite mitigations: new repositories are still being created, some of which are then flipped to private and rebranded to advertise unrelated AI services. These repositories expose valid secrets from hundreds of organizations and set up follow-on threats like ransomware.

Security teams should prioritize dependency auditing, credential rotation, an install cooldown for newly published dependency versions, and tools like Semgrep for ongoing defense against this evolving open-source ecosystem risk.
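Because both Shai-Hulud versions run from npm lifecycle scripts, the most direct audit is to walk node_modules and report every package that declares an install-time hook, alongside the file-name and hash IoCs listed above. The following is an added example written for this page, not Huntress tooling; the node_modules tree it scans is constructed in a temporary directory, the dropper file contents are stand-ins, and only the bun_environment.js SHA-1 quoted above is a real indicator.

```python
import hashlib
import json
import os
import tempfile

# IoCs taken from the summary above.
IOC_SHA1 = {"d60ec97eea19fffb4809bc35b91033b52490ca11"}   # SHA-1 of bun_environment.js
IOC_FILENAMES = {"bun_environment.js", "cloud.json", "discussion.yaml"}
# Scripts npm runs during installation; preinstall is where Shai-Hulud 2 lives.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def sha1_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()


def audit_node_modules(root: str):
    """Walk node_modules under root and report packages with install hooks or known-bad artifacts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
            try:
                pkg = json.load(f)
            except ValueError:
                continue            # not a manifest we can read; skip rather than crash the scan
        scripts = pkg.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if scripts.get(h)}
        bad_files = [n for n in files if n in IOC_FILENAMES]
        hash_hits = [n for n in files
                     if n.endswith(".js") and sha1_of(os.path.join(dirpath, n)) in IOC_SHA1]
        if hooks or bad_files or hash_hits:
            findings.append({"package": pkg.get("name", os.path.basename(dirpath)),
                             "version": pkg.get("version"), "hooks": hooks,
                             "ioc_files": bad_files, "hash_hits": hash_hits})
    return findings


def build_sample_tree() -> str:
    """Constructed node_modules: one clean package and one carrying a preinstall hook."""
    root = tempfile.mkdtemp(prefix="nm-")

    def write_pkg(name, manifest, extra=None):
        d = os.path.join(root, "node_modules", name)
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
        for fname, body in (extra or {}).items():
            with open(os.path.join(d, fname), "w", encoding="utf-8") as f:
                f.write(body)

    write_pkg("left-pad-ish", {"name": "left-pad-ish", "version": "1.0.0"})
    write_pkg("trojaned-lib",
              {"name": "trojaned-lib", "version": "4.2.1",
               "scripts": {"preinstall": "node setup_bun.js"}},
              {"setup_bun.js": "// constructed stand-in for the Bun-installer dropper\n",
               "bun_environment.js": "// constructed stand-in; the real sample's hash is in IOC_SHA1\n"})
    return root


if __name__ == "__main__":
    for finding in audit_node_modules(build_sample_tree()):
        print(finding)
```

Run this against a project before the first install, or after a `--ignore-scripts` install, so the hooks are inspected rather than executed; npm's `ignore-scripts` config and its `--before=<date>` option (install only versions published before a cutoff) are the practical levers for the "cooldown" recommended above.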

Ransomware

SLSH (Scattered LAPSUS$ Hunters), the collective that draws on ShinyHunters, Scattered Spider, and Lapsus$, continues to evolve into a more structured threat with the development of "ShinySp1d3r" ransomware, which supports Windows, Linux, and ESXi environments for kernel-level attacks, alongside automated bots, crypto laundering via Telegram gifts, and psyops against researchers and victims.

Key differences include a shift from opportunistic leaks to double extortion (theft plus encryption) and broader scale via supply-chain breaches. SLSH's operations reflect increasing sophistication, monetization via RaaS beta testing, and expanded targeting through third-party supply chain access. The group has also started poaching or grooming insiders, offering money laundering through Telegram's Stars service, and offering direct rewards starting at $30,000 USD for tokens and sessions from employees of targeted corporations. This activity directly led to a CrowdStrike employee being fired in mid-November after being caught sharing corporate screenshots with the group. The group continues to show chaotic behavior, including threats against researchers and bounties for false FBI reports targeting the security researchers who investigate them. Those $1,000 bounties were recently amplified by sharing recordings of the resulting voicemails with followers in the group's Telegram channel, encouraging crowd-sourced targeting of investigators.

In November, the rest of the ransomware scene was extremely active, with groups like Qilin and Akira still dominating headlines by racking up the most victims. Attacks spiked 41% in October alone, reaching 594 public incidents. Supply-chain compromises continue to be a concern, as highlighted by Qilin's "Korean Leaks" operation, in which the group breached a South Korean managed service provider, then encrypted files and stole data from 28 downstream companies. Akira remains a threat, as noted in the updated FBI and CISA advisory detailing its TTPs; the advisory highlights tactics like VPN credential abuse in over half of its breaches. Akira is credited to date with nearly $250 million in ransom payments. Its recent targets include the animal-health company Zoetis (exposing over 500,000 individuals' personal information) and the construction firm Fineline Architectural Millwork. In addition, the ransomware group Everest demanded $6 million from the Spanish airline Iberia following a disruptive attack that leaked internal files. The infamous LockBit group appears to be continuing development, with the latest 5.0 revision targeting Windows, Linux, and virtual environments and hosts. New players like Tengu, Genesis, Radiant, Kryptos, and Sinobi are steadily gaining ground, with Sinobi alone claiming 69 victims since July.

Relevant Product Updates

While not a direct product of the Adversary Tactics team, we’d like to highlight some killer new capabilities that our partners in Product Research and Product have released to help mess up attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

Managed EDR

Defender Exclusion Settings can now be tweaked to add additional endpoints and organizations: When creating exclusion settings for Microsoft Defender Antivirus in the Huntress Portal, you can now add individual endpoints and organizations to existing exclusion settings, instead of needing to create a brand new exclusion setting. This saves time and increases efficiency when a new endpoint or organization is onboarded.


Managed ITDR

We've enhanced Huntress Managed ITDR by introducing a free agent for ITDR customers. Previously, the Identity Disablement functionality for Active Directory synced identities was unavailable without also having a Managed EDR license. Now, this lightweight, no-cost agent unlocks account disablement for AD-synced identities so you can quickly contain identity threats. Managed ITDR customers can download this free agent right from the Huntress Portal.

This month we announced the acquisition of Inside Agent, a London-based company committed to hardening Microsoft 365 environments against external and insider threats. This acquisition is core to the development of our new Identity Security Posture Management (ISPM) product, planned to launch in 2026. For current Huntress Managed ITDR users, ISPM will serve as a proactive layer to add to their detection and response. Put simply, ensuring fewer gaps means fewer opportunities for attackers. Learn more here!


Managed SIEM

Our Threat Intelligence and Detection Engineering teams are always focused on closing the gaps attackers exploit. We've recently deployed two major new capabilities, built from real-world threat hunting, that deliver clarity and immediate value:

Attackers often hide successful credential theft by distributing failed login attempts across multiple users, hosts, or services. Traditional SIEMs are easily overwhelmed by this noisy data, generating thousands of alerts while missing the one successful intrusion. To combat this, we engineered new Brute Force Correlation Detections that track and connect activity across users, hosts, and log sources. This correlation identifies the actual path an attacker took, exposing successful credential attacks as they occur. By filtering out raw login noise and focusing on the attack chain, our SOC can respond before damage is done.
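The correlation idea above is simple to state: key the failures on the attacking source rather than on the victim account, and alert when one source that has sprayed many accounts and hosts then logs in successfully. The following is an added example written for this page, not the Huntress detection engine; the authentication events are constructed (normalized from the kind of record a 4625/4624 pair or an sshd log would yield), and the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized authentication events: (timestamp, source_ip, user, host, outcome).
SAMPLE_AUTH_EVENTS = [
    ("2025-11-18T02:00:01", "203.0.113.7", "a.smith", "FS01", "failure"),
    ("2025-11-18T02:00:03", "203.0.113.7", "b.jones", "FS01", "failure"),
    ("2025-11-18T02:00:05", "203.0.113.7", "c.lee", "MAIL01", "failure"),
    ("2025-11-18T02:00:07", "203.0.113.7", "d.kim", "VPN01", "failure"),
    ("2025-11-18T02:00:09", "203.0.113.7", "e.ng", "FS02", "failure"),
    ("2025-11-18T02:00:11", "203.0.113.7", "f.ortiz", "MAIL01", "failure"),
    ("2025-11-18T02:00:40", "203.0.113.7", "f.ortiz", "VPN01", "success"),
    ("2025-11-18T02:05:00", "198.51.100.9", "jdoe", "WS17", "failure"),
    ("2025-11-18T02:05:09", "198.51.100.9", "jdoe", "WS17", "success"),   # one typo, then in
]


def correlate_sprays(events, window=timedelta(minutes=10), min_failures=5, min_distinct=3):
    """Alert when one source fails against many users/hosts and then succeeds within the window.

    A per-user or per-host threshold never fires here, because each account sees a single
    failure; grouping by source across users and hosts restores the attack chain, and the
    success event pins down which account was actually compromised.
    """
    by_source = defaultdict(list)
    for ts, src, user, host, outcome in sorted(events):        # sort by timestamp string
        by_source[src].append((datetime.fromisoformat(ts), user, host, outcome))

    alerts = []
    for src, evs in by_source.items():
        for i, (ts, user, host, outcome) in enumerate(evs):
            if outcome != "success":
                continue
            recent = [e for e in evs[:i] if e[3] == "failure" and ts - e[0] <= window]
            targets = {(e[1], e[2]) for e in recent}            # distinct (user, host) pairs
            if len(recent) >= min_failures and len(targets) >= min_distinct:
                alerts.append({"source": src, "compromised_user": user, "host": host,
                               "failures": len(recent),
                               "sprayed_accounts": sorted({e[1] for e in recent}),
                               "when": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate_sprays(SAMPLE_AUTH_EVENTS):
        print(alert)
```

The second source (one failed attempt followed by success on the same workstation) produces no alert, which is the noise-suppression the paragraph above describes: the rule fires on the shape of the chain, not on failed logins as such.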

Ingesting raw network flow data creates a massive data lake, often leading to slow searches and prohibitively high storage costs—a common SIEM pain point. Our engineers developed a proprietary method for Network Traffic Aggregation & Detection Rules that intelligently filters and condenses this telemetry right at the point of ingestion. We only store the handful of signals proven to be security-relevant, turning a "firehose" of thousands of raw logs into clear, real-time detections. This enables us to spot attacker movement, reconnaissance, and unusual traffic patterns faster, while simultaneously cutting down massive storage and ingestion costs for our partners.


Managed SAT

Huntress SAT now has two new options in the Standard Reports tab. One allows you to track the progress of learning by episode rather than assignment. The other gives insight into simulated phishing across all learners and campaigns. We are releasing these to all but are still looking for additional feedback.

We also have a new capability, General Manager View, that grants someone access to a real time report showing assignment and phishing data on all learners in an organization–without giving them access to any administrative tools. This is just like the real-time manager report, but it’s expanded to include all employees.

Finally, we have released the "Huntress SAT Report a Phish" button for Gmail! It is now live in the marketplace and available to anyone; we welcome your feedback!


Platform

Huntress products are now available on the Microsoft Marketplace. Whether users are looking to level up endpoint security, increase identity resilience, or just simplify how they manage security tools, adding Huntress to their Microsoft environment just got way easier. Learn more here!

APIs for Escalations and Incident Report responses are now available. Huntress has released several new APIs, including the first set of write APIs. The first is an Escalation API that allows listing Escalations and getting the details of a specific escalation, plus an endpoint to resolve the most common escalations. There is also a new API endpoint for Incident Reports that allows approving or rejecting remediations and resolving Incident Reports.

New languages are available for Threat Summary Reports. Huntress Platform Administrators can now set the default language for Threat Summary Reports. Reports can be configured to be in English (the default language), Dutch, French, and Spanish.

Portal-Wide Dark Mode is Here! All pages in the Portal now support the dark mode theme. Use the gear icon in the upper right corner of the Portal to switch to your preferred theme.

Highlights

Tradecraft Tuesday: Looking Back (And Forward) at Phishing Tactics

In our recent Tradecraft Tuesday episode, Truman Kain, principal product researcher, and Lindsey O’Donnell-Welch, technical community engagement writer at Huntress, talked about the top shadiest phishing tradecraft techniques we’ve seen this year at Huntress.

You can find the full episode here.


Notable External Media

Greg Linares talked about his background and gave advice for the next generation of hackers (including a shout-out to the Huntress CTF!) during a recent interview with TechInformed.
