Threat View from the Lens of Huntress Adversary Tactics: October 2025

Threats Seen in the SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

Layering malicious RMMs for better persistence

Threat actors have consistently used remote monitoring and management (RMM) tools in their attack chains this year. But an interesting twist has recently emerged: threat actors use PDQ or GoTo Resolve initially and then deploy secondary RMM tools, like ScreenConnect or SimpleHelp. Deploying multiple RMM tools helps threat actors maintain longer-term access, especially if the first tool is blocked. Below are a few examples we’ve seen recently:

  • On October 7, an employee at a real estate company received a phishing email through Outlook, which led them to install Open Revised Contract (2).exe. This executable was actually a renamed GoTo Resolve instance signed by GoTo Technologies USA, LLC, which was then used to install the ScreenConnect RMM
  • In October, an employee at a car dealership executed the OPENINVITATION.exe file, a rogue GoTo Resolve RMM installer. The threat actor then used their access via GoTo Resolve to install a rogue SimpleHelp RMM (SimpleService.exe) on the host. But it didn’t stop there: they then installed a malicious ScreenConnect instance, configured with the domain support[.]innerschapel[.]com

Incident involving GoTo Resolve, SimpleHelp, and ScreenConnect RMMs

The Takeaway

While businesses use RMMs to increase efficiency and reduce cost, threat actors compromise legacy RMM tools or install their own RMM once they gain access to an endpoint. We’re now seeing them step up their game by installing multiple RMMs for more persistent access.


A pinhole view of a Qilin ransomware attack

On October 11, an organization that had just been hit by the Qilin ransomware installed the Huntress agent on a single endpoint, giving us very limited visibility into what had happened. Because the agent arrived after the attack, we had no EDR or SIEM telemetry from the intrusion itself and instead used other data sources, including:

  • Microsoft Defender Antivirus (MAV) alerts
  • Program Compatibility Assistant (PCA) logs
  • Windows Event Logs

In looking at these various data sources, Ben Folland and Harlan Carvey found that the threat actor had installed Total Software Deployment Service, as well as a rogue ScreenConnect instance, in the victim’s environment. The actor then tried to deploy several malicious files.

Qilin ransomware note

The Takeaway

While we don’t always have the necessary telemetry streams during an incident, relying on multiple data sources helps us not only gain a deeper understanding of the threat actor’s attempted activities on the endpoint, but also validate findings and provide a clearer picture of what actually happened.


Threat actors turn to Chrome Remote Desktop

We’ve seen threat actors using Chrome Remote Desktop in multiple attacks recently. It is a legitimate remote desktop tool developed by Google, and threat actors are installing it as a means of persistence, just like other RMMs. Here are some incidents our SOC has seen involving Chrome Remote Desktop:

  • In an October 13 incident, a threat actor authenticated via Remote Desktop Protocol (RDP) and then deployed Chrome Remote Desktop, before attempting to uninstall the CrowdStrike Falcon agent from the endpoint and deploying Akira ransomware
  • On October 17, a threat actor authenticated via RDP before downloading and installing Chrome Remote Desktop for persistence. The threat actor also scanned the network (using netscan) and took steps toward enumeration

The Takeaway

Chrome Remote Desktop is only the latest remote-access tool that threat actors are using for persistence, and we’ve seen a definite uptick in malicious use of it in recent weeks.
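Both patterns above (a second RMM layered on top of a first, and an RMM install shortly after an interactive RDP logon) reduce to the same host-level rule: track the first sighting of each remote-access family per host and alert when two families appear close together, or when one appears close after an RDP logon. The sketch below is an added example, not Huntress detection code. The event shape, the image-name and signer catalog (only the GoTo signer string is taken from the incident above; the others are assumptions), and the sample events are all constructed for the demo. Matching on the Authenticode signer is what catches a renamed installer such as Open Revised Contract (2).exe.

```python
"""Detection sketch for layered remote-access tooling.

Added example, not Huntress code. Event shape, tool catalog, signer strings
(other than GoTo's) and the sample events are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Remote-access tools from the incidents above, keyed by image name or by
# Authenticode signer subject (both lowercased).
RMM_BY_IMAGE = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "simpleservice.exe": "SimpleHelp",
    "remoting_host.exe": "Chrome Remote Desktop",  # Google's CRD host binary
}
RMM_BY_SIGNER = {
    "goto technologies usa, llc": "GoTo Resolve",   # signer seen in the October 7 case
    "connectwise, llc": "ScreenConnect",            # assumed signer string
}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str           # "process" (new process/service) or "rdp_logon"
    image: str = ""     # image file name, e.g. "SimpleService.exe"
    signer: str = ""    # Authenticode signer subject, if signed


def rmm_family(ev: Event) -> Optional[str]:
    """Map a process event to an RMM family, or None if it is not one."""
    if ev.kind != "process":
        return None
    return RMM_BY_IMAGE.get(ev.image.lower()) or RMM_BY_SIGNER.get(ev.signer.lower())


def find_layered_rmm(events: Iterable[Event], window: timedelta = timedelta(hours=24)) -> list:
    """Return one alert dict per host for:
      - layered_rmm:   two or more distinct RMM families first seen within `window`
      - rmm_after_rdp: an RMM family first seen within `window` after an RDP logon
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)

    alerts = []
    for host, evs in by_host.items():
        first_seen = []          # (ts, family) for the first sighting of each family
        seen = set()
        last_rdp = None
        rdp_alerted = False
        for ev in evs:
            if ev.kind == "rdp_logon":
                last_rdp = ev.ts
                continue
            fam = rmm_family(ev)
            if fam is None or fam in seen:
                continue
            seen.add(fam)
            first_seen.append((ev.ts, fam))
            if last_rdp is not None and not rdp_alerted and ev.ts - last_rdp <= window:
                alerts.append({"host": host, "rule": "rmm_after_rdp", "families": [fam],
                               "rdp_logon": last_rdp, "install": ev.ts})
                rdp_alerted = True
        if len(first_seen) >= 2 and first_seen[-1][0] - first_seen[0][0] <= window:
            alerts.append({"host": host, "rule": "layered_rmm",
                           "families": [f for _, f in first_seen],
                           "first": first_seen[0][0], "last": first_seen[-1][0]})
    return alerts


# Constructed sample: a GoTo Resolve installer with a lure file name, then
# SimpleHelp and ScreenConnect on the same host; an RDP logon followed by Chrome
# Remote Desktop on another host; and a lone, presumably sanctioned ScreenConnect.
SAMPLE_EVENTS = [
    Event(datetime(2025, 10, 20, 14, 0), "DEALER-PC", "process",
          "OPENINVITATION.exe", "GoTo Technologies USA, LLC"),
    Event(datetime(2025, 10, 20, 14, 25), "DEALER-PC", "process", "SimpleService.exe"),
    Event(datetime(2025, 10, 20, 15, 10), "DEALER-PC", "process",
          "ScreenConnect.ClientService.exe", "ConnectWise, LLC"),
    Event(datetime(2025, 10, 13, 2, 5), "FILESRV01", "rdp_logon"),
    Event(datetime(2025, 10, 13, 2, 31), "FILESRV01", "process", "remoting_host.exe", "Google LLC"),
    Event(datetime(2025, 10, 1, 9, 0), "HELPDESK-PC", "process",
          "ScreenConnect.ClientService.exe", "ConnectWise, LLC"),
]

if __name__ == "__main__":
    for alert in find_layered_rmm(SAMPLE_EVENTS):
        print(alert)
```

In production the catalog should be an allowlist of the RMMs your organization actually sanctions, so that a sanctioned tool appearing alone stays quiet while any second family, or any family following an RDP logon from outside the admin jump hosts, pages the SOC.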

Tactical Response

Our Hunting & Tactical Response team was set up as a separate function within our SOC to deep-dive into intrusions and to answer partners’ questions that fall outside the scope of 24x7 SOC operations. It sits in the sweet spot between a standard MDR offering and a more intensive, formal Incident Response engagement. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

SonicWall SSLVPN Compromises

We saw a spike in threat actors authenticating to SonicWall SSLVPN devices across multiple customer environments in October, which appeared to stem from credential compromise rather than brute-forcing. The bulk of the activity started October 4, with authentications continuing over the following week. Overall, more than 100 SonicWall SSLVPN accounts across 16 customer accounts were affected, with all authentications originating from 202.155.8[.]73.

The spike in authentications came after SonicWall issued a security advisory update warning that an attack on its MySonicWall platform had given an unauthorized party access to firewall configuration backup files for all customers who have used SonicWall’s cloud backup service. We have no evidence linking that advisory to the spike in compromises we’ve seen (though such a link may be difficult to discern from our vantage point); however, compromise data and indicators of compromise are always of interest to both our customer base and the broader community.
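The tell in the activity above is one source address logging into many distinct accounts successfully, with none of the failure noise a password-guessing campaign leaves behind. The profiler below is an added example, not Huntress or SonicWall code, and the single-line log format it parses is constructed for the demo (map your appliance's real source-IP, user and result fields into the same three values). It aggregates per source IP and labels each as credential compromise, brute force, or normal.

```python
"""Profile VPN authentication sources to separate credential compromise from
brute force. Added example, not Huntress or SonicWall code. The log line
format is constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed format: "<timestamp> src=<ip> user=<account> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>success|failure)$"
)


def parse_lines(lines):
    """Yield dicts for lines that match the constructed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def profile_sources(lines, min_accounts=5, max_fail_ratio=0.2, min_failures=20):
    """Aggregate per source IP and return {ip: {...}} with a verdict:
      credential_compromise: many distinct accounts log in successfully, few failures
      brute_force:           mostly failures, typically hammering few accounts
      normal:                anything else
    """
    stats = defaultdict(lambda: {"ok_users": set(), "ok": 0, "fail": 0})
    for rec in parse_lines(lines):
        s = stats[rec["src"]]
        if rec["result"] == "success":
            s["ok"] += 1
            s["ok_users"].add(rec["user"])
        else:
            s["fail"] += 1

    out = {}
    for src, s in stats.items():
        total = s["ok"] + s["fail"]
        fail_ratio = s["fail"] / total
        if len(s["ok_users"]) >= min_accounts and fail_ratio <= max_fail_ratio:
            verdict = "credential_compromise"
        elif s["fail"] >= min_failures and fail_ratio > max_fail_ratio:
            verdict = "brute_force"
        else:
            verdict = "normal"
        out[src] = {"accounts": sorted(s["ok_users"]), "success": s["ok"],
                    "failure": s["fail"], "verdict": verdict}
    return out


# Constructed sample. 202.155.8.73 is the source reported above; the other two
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = (
    [f"2025-10-04T03:{12 + i:02d}:00Z src=202.155.8.73 user=user{i:02d} result=success"
     for i in range(8)]
    + [f"2025-10-04T05:00:{i:02d}Z src=198.51.100.7 user=admin result=failure"
       for i in range(40)]
    + ["2025-10-04T05:00:41Z src=198.51.100.7 user=admin result=success"]
    + ["2025-10-04T08:15:00Z src=192.0.2.10 user=jsmith result=success",
       "2025-10-04T17:02:00Z src=192.0.2.10 user=jsmith result=success"]
)

if __name__ == "__main__":
    for ip, profile in profile_sources(SAMPLE_LOG).items():
        print(ip, profile["verdict"], len(profile["accounts"]), "accounts")
```

Run it across every tenant you manage rather than per appliance: in the October activity the same address touched 16 separate customer environments, and a per-tenant count of a handful of accounts can look benign until the source is aggregated.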

Special kudos to Michael Tigges for all his work that went into these findings.


A threat hunt reveals…USB worms?

USB worms are still a thing in 2025 (!), with several retrospective threat hunts in October revealing multiple incidents with worms that originated from USB devices.

In one of the incidents, a USB worm led to the deployment of coinminer malware on the infected host. Our retrospective threat hunt found that on October 22 at 06:02:40 UTC, a user account executed a malicious VBS script from the D:\ drive. The activity stemmed from an infected SanDisk Cruzer Blade USB flash drive that had been connected to the host roughly 20 seconds before the script ran. The script then staged and executed additional payloads from the directory C:\Windows \System32 (note the space after Windows).

While it may seem surprising that USB worms are still around, these incidents follow recent malware like Raspberry Robin and SnakeDisk. To reduce the risk of these infections, organizations can restrict access to external devices like USB drives, or at least scan those devices before they’re connected to internal networks.
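Two things in the incident above are cheap to hunt for retrospectively: a script host running a file from a drive letter that was mounted seconds earlier, and a payload directory whose name is a whitespace lookalike of the real system directory. The code below is an added example, not Huntress hunt logic. The event tuples and sample data are constructed (the 20-second gap mirrors the incident); the assumption that the space in C:\Windows \System32 is a deliberate lookalike of C:\Windows\System32 is mine, not a claim from the report.

```python
r"""Correlate removable-media connection with script execution from that drive,
plus a check for lookalike system paths. Added example, not Huntress code.
Event shapes and sample data are constructed; feed device-connect events from
whatever mount/PnP telemetry you have and process events from Sysmon or 4688.
"""
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".lnk")
# Quoted or unquoted Windows paths inside a command line.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')


def paths_in(cmdline: str) -> list:
    """Return every drive-letter path referenced in a command line."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmdline)]


def lookalike_path(path: str) -> bool:
    r"""True if any path component carries leading/trailing whitespace, e.g.
    'C:\Windows \System32'. Assumed here to be the trick behind the directory
    named in the incident above; it is not what the real system32 path looks like."""
    return any(part and part != part.strip() for part in path.split("\\"))


def correlate(device_events, process_events, window=timedelta(seconds=60)) -> list:
    """device_events: (ts, drive_letter, model); process_events: (ts, image, cmdline).
    Alerts on scripts run from a just-connected drive and on lookalike paths."""
    alerts = []
    for pts, image, cmdline in process_events:
        base = image.rsplit("\\", 1)[-1].lower()
        referenced = paths_in(cmdline)
        if base in SCRIPT_HOSTS:
            for p in referenced:
                if not p.lower().endswith(SCRIPT_EXTS):
                    continue
                drive = p[:2].upper()
                recent = [(dts, model) for dts, letter, model in device_events
                          if letter.upper() == drive and timedelta(0) <= pts - dts <= window]
                if recent:
                    dts, model = recent[-1]
                    alerts.append({"rule": "script_from_new_removable", "ts": pts,
                                   "script": p, "device": model,
                                   "seconds_after_connect": (pts - dts).total_seconds()})
        for p in [image] + referenced:
            if lookalike_path(p):
                alerts.append({"rule": "lookalike_system_path", "ts": pts, "path": p})
                break
    return alerts


# Constructed sample timeline.
T0 = datetime(2025, 10, 22, 6, 2, 20)
SAMPLE_DEVICES = [(T0, "D:", "SanDisk Cruzer Blade")]
SAMPLE_PROCS = [
    (T0 + timedelta(seconds=20), r"C:\Windows\System32\wscript.exe",
     r'"C:\Windows\System32\wscript.exe" //B "D:\update.vbs"'),
    (T0 + timedelta(seconds=45), r"C:\Windows \System32\svchost.exe",
     r'"C:\Windows \System32\svchost.exe" -k netsvcs'),
    (T0 + timedelta(hours=2), r"C:\Windows\System32\wscript.exe",
     r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_DEVICES, SAMPLE_PROCS):
        print(alert)
```

The lookalike check is deliberately broader than the one directory from this incident: it flags any component with stray whitespace, so it also catches the "C:\Program Files \" style variants that sometimes appear in the same kind of staging.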

Threats Around the World

In October, several manufacturing disruptions attributed to Qilin and adjacent ransomware operators hit Japanese automotive suppliers and beverage processing companies, triggering production shutdowns and slowing production chains, including Volkswagen’s, in several countries. This activity was notably different from the attacks on manufacturing companies earlier this year and late last year. In those earlier cases, attackers didn’t target or access customer data and didn’t appear to pivot into those systems. This more recent activity instead seems aimed squarely at the supplier layer, tampering with production tempo and creating outsized impact by delaying specific production components.

Given this precision, it’s suspected that the attack was coordinated by people familiar with manufacturing and production procedures, as well as supply chain coordination. The trend appears to be economically motivated: for maximum impact, such an attack could also affect stock prices or contract-based deliverables, ultimately driving shifts in manufacturing or economic gains for short sellers.

Additionally, F5’s BIG-IP development environment was reported to have been compromised for nearly 12 months by the threat actor UNC5221 (also tracked as APT27, Murky Panda, and Silk Typhoon). Researchers believe the breach let the group analyze and steal not only the codebase, but also the delivery pipeline and trust relationships that form the backbone of F5’s service offerings. F5 responded by reviewing code changes throughout the codebase and by preemptively patching known security vulnerabilities across its pipeline, toolsets, and devices.

Organizations using F5 architecture and services should consider themselves in the blast radius and review incidents from the last 11 months for associated threat activity, including:

  • Mapping of architectural blind spots
  • Staging for future poisoning of code, procedures, or trust relationships
  • Non-traditional attacks such as induced performance latency, debt-inducing redirected API calls, or other complex attacks

Rapid Responses

For the uninitiated, “Rapid Responses” spin up when attackers take advantage of a vulnerability or threat to escalate their attacks at scale. When we hear about a potential vulnerability, the Adversary Tactics team works across Huntress to gauge the potential impact, update our customers, and publish a blog post for the security community with all the necessary threat activity details. Here are two examples of Rapid Responses we’ve handled in the last month:

Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw (CVE-2025-11371)

We discovered in-the-wild exploitation of an unauthenticated local file inclusion flaw in Gladinet CentreStack and Triofox. The flaw affected all versions of CentreStack up to and including 16.7.10368.56560. At the time of discovery there was no patch available. The flaw allows disclosure of files the application was never meant to serve; in particular, threat actors retrieve the ASP.NET machine key from the Web.config file and use it to achieve remote code execution. Because it is the key that gets abused, patching alone does not protect a server whose Web.config was already read: the machine key must also be rotated.

Detection timeline for observed exploitation activity

We first saw the flaw being exploited in late September in three customer environments. We reached out to Gladinet and worked with them to develop a plan for disclosure. Gladinet released a fix for the flaw on October 12 as part of version 16.10.10408.56683. You can learn more about CVE-2025-11371 in our blog post.
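The fix closes the file-disclosure hole, but a machine key that was already read out of Web.config stays valid until it is replaced, so rotation belongs in the remediation alongside the update. The script below is an added example, not Gladinet’s or Huntress’s code: it reports whether a Web.config carries an explicit machineKey (the case a disclosure bug actually exposes; an auto-generated key lives outside the file) and rewrites it with fresh random keys. The sample Web.config is constructed; the key sizes follow ASP.NET’s requirements (64-byte validationKey for HMACSHA256, 32-byte decryptionKey for AES), the same sizes IIS Manager generates.

```python
"""Find and rotate the ASP.NET <machineKey> in a Web.config.

Added example, not Gladinet or Huntress code. SAMPLE_WEB_CONFIG is constructed.
"""
import secrets
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="0123456789ABCDEF" decryptionKey="FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def _system_web(root):
    # The tag contains a dot, which ElementPath treats as an operator, so
    # look it up by iterating instead of root.find("system.web").
    return next(root.iter("system.web"), None)


def find_machine_key(xml_text: str):
    """Return the machineKey attributes as a dict, or None if no explicit key is
    configured. An explicit key is exactly what a Web.config disclosure leaks."""
    sw = _system_web(ET.fromstring(xml_text))
    node = sw.find("machineKey") if sw is not None else None
    return dict(node.attrib) if node is not None else None


def fresh_machine_key() -> dict:
    """Generate a replacement key pair at the sizes ASP.NET expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),   # 64 bytes -> 128 hex chars
        "decryptionKey": secrets.token_hex(32).upper(),   # 32 bytes -> 64 hex chars
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(xml_text: str) -> str:
    """Return the Web.config text with a freshly generated machineKey.
    Every node in a web farm must share the same key, so deploy one output
    everywhere rather than running this independently per server."""
    root = ET.fromstring(xml_text)
    sw = _system_web(root)
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    node = sw.find("machineKey")
    if node is None:
        node = ET.SubElement(sw, "machineKey")
    node.attrib.clear()
    node.attrib.update(fresh_machine_key())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("current:", find_machine_key(SAMPLE_WEB_CONFIG))
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

Rotating the key invalidates outstanding ViewState and forms-authentication tickets, so expect users to be logged out; that is the point, since anything the attacker minted with the old key dies with it.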

Special kudos to Bryan Masters, James Maclachlan, Jai Minton, and John Hammond for their efforts in discovering, validating, and disclosing this vulnerability.


Exploitation of Windows Server Update Services Remote Code Execution Vulnerability

On October 23, Microsoft released an out-of-band update for a remote code execution vulnerability in Windows Server Update Services (WSUS), Microsoft’s centralized update distribution service for IT administrators.

Soon after, we saw threat actors targeting publicly exposed WSUS instances on the default ports (8530/TCP and 8531/TCP), exploiting the deserialization vulnerability through the AuthorizationCookie (CVE-2025-59287).

Process tree for the exploitation activity for CVE-2025-59287

We saw exploitation activity across four customers, but we expect exploitation of CVE-2025-59287 to remain limited because WSUS is rarely exposed to the internet on ports 8530 and 8531. Across our partner base, we observed roughly 25 hosts susceptible to this flaw. Organizations should apply the available patch for WSUS and restrict network access to WSUS to the hosts that need it.

We sent out notifications to our customer base about our discoveries and wrote up a blog post to inform the broader community about what we were seeing.

Relevant Product Updates

While not a direct product of the Adversary Tactics team, we’d like to highlight some killer new capabilities that our partners in Product Research and Product have released to help disrupt attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

Managed EDR

Windows Firewall Tampering Detection and Rollback: we now automatically detect, roll back, and alert on Windows Firewall rules written against our EDR agent or Windows Defender. This helps prevent malicious actors from blinding Huntress to their activity.


Managed ITDR

Over the past few months, Managed ITDR has made several discrete detection changes to improve detection accuracy for Unwanted Access. Specific changes:

  • Added several datacenters to our “High Abuse” list of malicious datacenter infrastructure
  • Added discrete detections for sign-ins from two suspicious autonomous systems (ASNs)
  • Fixed token theft detector false positives caused by Cloud PC logins

We also rolled out a partner co-branded Identity Security Assessment Report to our customer base. The Huntress Identity Security Assessment Report gives a clear snapshot of the identity landscape within a Microsoft 365 tenant. The reports are generated automatically once a tenant has been integrated and highlight where attackers could be hiding, the risks we’re monitoring, and any incidents the SOC has investigated. Partners can customize the report with their own colors and logo and use it for ITDR cross-sell opportunities across their customer base.


Managed SIEM

Huntress Managed SIEM now supports new sources:

  • NinjaOne RMM logs via HTTP Event Collector: partners can now use Huntress to ingest NinjaOne logs via webhooks directly from NinjaOne RMM, providing compliance and operational value. NinjaOne RMM is not inherently a threat detection or prevention source, but we are evaluating its logs for detection opportunities.
  • Microsoft Azure Event Hubs, a gateway service for sending logs from Azure applications and services to third parties. The integration is an API-based connection from Huntress to Azure that enables collection of Azure application and service logs.

We’re also releasing a new UI for Windows Event Log Configurations, which aims to make configuration more intuitive for businesses.


Managed SAT

There’s a new Managed SAT episode, Economics of Cybercrime, which explores how cybercrime operates as a sophisticated, organized, and profitable business.

A behind-the-scenes look at the design of the Economics of Cybercrime, from October’s Product Lab

We also introduced Threat Simulators for Managed SAT earlier this year, and as of this month our third simulation, Passwords, is generally available. Managed SAT users will now see this simulation in the “Simulations” area of the learner portal.

In addition to new content, we’ve rolled out the new “Report Phishing” button for Outlook, allowing learners to use the task pane and ribbon buttons to report phishing emails to Huntress Managed SAT.

Highlights

Tradecraft Tuesday: Huntress Capture the Flag 2025 Halftime Show

John Hammond was joined by Chris Myers of CourseStack in this month’s Tradecraft Tuesday episode, where they talked about everything Huntress CTF, from how the event got started to highlights from this year’s CTF so far. Halfway through (as of October 13), the event had 10,821 registered participants and 8,681 active participants, the best turnout the event has had so far! You can catch up on the episode here.


Notable External Media

This month, Alden Schmidt and Stuart Ashenbrenner presented at Objective by the Sea, the premier macOS security conference. They talked about their findings on BlueNoroff following a DPRK intrusion, based on an investigation and blog post published earlier this year. You can watch the talk in the live-streamed video of the event, starting at around 4:21.

BSidesNYC also took place this month. A number of Huntress folks showed up, including Christina Parry, Adam Rice, and John Hammond, who delivered the keynote!
