Threat View from the Lens of Huntress Adversary Tactics: September 2025

Threats Seen in the SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

New ransomware variant: Obscura

Earlier this month, we released a threat advisory on Obscura, a new ransomware variant first seen by our SOC on August 29. We didn’t have visibility into the initial access vector, but the ransomware executable was launched from the NETLOGON share. Because that share is replicated between domain controllers, the binary was automatically distributed to every DC in the domain, giving the threat actors a stealthy foothold across the impacted org. Once launched, Obscura also:

  • Deleted volume shadow copies to hamper recovery
  • Enumerated and terminated 120 named processes, targeting security and database applications that could block or interfere with the encryption process
  • Encrypted files, appending the “.obscura” extension, and dropped the ransom note (README_Obscura.txt)

Base64’d ransom note being decoded

The Takeaway

We saw Obscura in one incident, but the ransomware’s onion site claims several victims, including construction, real estate, and machine manufacturing orgs, which suggests the attacks are opportunistic rather than targeted. Organizations should monitor their domain controllers closely, in particular for new or modified files in the NETLOGON and SYSVOL shares and for Group Policy Object (GPO) changes: anything written there is replicated domain-wide, so a single write on one DC is enough to stage a payload everywhere.


Play ransomware affiliate targets multiple hosts with a custom tool

An incident at a construction company on August 31 showed how threat actors keep trying to widen the impact of their ransomware attacks. The incident, linked to a Play ransomware affiliate, used a custom tool called GoGo.exe (renamed from ps_bulk.exe). The tool queries Active Directory for every computer in the domain and then uses administrator credentials to push multiple, randomly named executables to those hosts and run them, PsExec-style.

Here’s what else happened during this attack:

  • The threat actor accessed the endpoint via Remote Desktop Protocol (RDP)
  • The attacker used several native tools, like mmc.exe, and cleared Windows Event Logs
  • Files were encrypted using the extension .play 
  • The threat actor attempted to uninstall the Huntress agent via C:\Program Files\Huntress\Uninstall.exe

Threat actors attempting to uninstall the Huntress agent

The Takeaway

The use of GoGo.exe shows how threat actors are trying to both speed up their attacks and intensify their impact: one set of administrator credentials plus a bulk-deployment tool was enough to push payloads across the network. PsExec-style deployment leaves a footprint worth hunting for, namely a single account installing new services (System log Event ID 7045) with random-looking binary names on many hosts within a few minutes.
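The behaviours in the Obscura and Play incidents above translate into a handful of simple correlation rules. The following is an added example, not Huntress detection content: it runs toy rules over a constructed, Sysmon-style event set (hostnames, accounts, file names and field names are all made up for the example) and flags execution from the NETLOGON share, shadow copy deletion, a burst of terminated security or database processes, PsExec-style service fan-out by one account, and the Huntress uninstaller being launched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample telemetry (not real Huntress data) -------------------
# Sysmon-style records. Field names are assumptions made for this example.
# kind: "create" = process start, "terminate" = process exit,
#       "service_install" = new service registered (System log 7045-style).
EVENTS = [
    {"t": "2025-08-29T02:10:05", "host": "DC01", "user": "CORP\\svc_backup", "kind": "create",
     "image": "\\\\corp.local\\NETLOGON\\upd.exe", "cmdline": "\\\\corp.local\\NETLOGON\\upd.exe"},
    {"t": "2025-08-29T02:10:09", "host": "DC01", "user": "CORP\\svc_backup", "kind": "create",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"t": "2025-08-29T02:10:12", "host": "DC01", "kind": "terminate", "image": "C:\\Program Files\\SQL\\sqlservr.exe"},
    {"t": "2025-08-29T02:10:13", "host": "DC01", "kind": "terminate", "image": "C:\\ProgramData\\Defender\\MsMpEng.exe"},
    {"t": "2025-08-29T02:10:14", "host": "DC01", "kind": "terminate", "image": "C:\\Program Files\\Oracle\\oracle.exe"},
    {"t": "2025-08-31T23:40:00", "host": "WS07", "user": "CORP\\admin.jdoe", "kind": "service_install",
     "image": "C:\\Windows\\qzvmf.exe"},
    {"t": "2025-08-31T23:40:04", "host": "WS12", "user": "CORP\\admin.jdoe", "kind": "service_install",
     "image": "C:\\Windows\\rtkpa.exe"},
    {"t": "2025-08-31T23:40:07", "host": "FS01", "user": "CORP\\admin.jdoe", "kind": "service_install",
     "image": "C:\\Windows\\blnze.exe"},
    {"t": "2025-08-31T23:41:30", "host": "WS07", "user": "CORP\\admin.jdoe", "kind": "create",
     "image": "C:\\Program Files\\Huntress\\Uninstall.exe",
     "cmdline": "\"C:\\Program Files\\Huntress\\Uninstall.exe\" /S"},
    # benign: one admin installing one service on one host must not trip the fan-out rule
    {"t": "2025-08-31T09:00:00", "host": "WS03", "user": "CORP\\it.ops", "kind": "service_install",
     "image": "C:\\Windows\\System32\\svchost.exe"},
]

NETLOGON_RE = re.compile(r"^\\\\[^\\]+\\NETLOGON\\", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.IGNORECASE)
AGENT_UNINSTALL_RE = re.compile(r"\\Huntress\\Uninstall\.exe$", re.IGNORECASE)
# Assumed watch-list of security/database processes an encryptor would stop first.
PROTECTED = {"sqlservr.exe", "msmpeng.exe", "oracle.exe", "sense.exe"}


def _ts(e):
    return datetime.fromisoformat(e["t"])


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_netlogon_exec(events):
    """Obscura: a binary executed directly from the replicated NETLOGON share."""
    return [("netlogon_exec", e["host"], e["image"]) for e in events
            if e["kind"] == "create" and NETLOGON_RE.search(e["image"])]


def rule_shadow_delete(events):
    """Shadow copy deletion ahead of encryption."""
    return [("shadow_delete", e["host"], e["cmdline"]) for e in events
            if e["kind"] == "create" and SHADOW_DELETE_RE.search(e.get("cmdline", ""))]


def rule_agent_uninstall(events):
    """Play affiliate: attempt to remove the EDR agent via its own uninstaller."""
    return [("agent_uninstall", e["host"], e["image"]) for e in events
            if e["kind"] == "create" and AGENT_UNINSTALL_RE.search(e["image"])]


def rule_kill_burst(events, window=timedelta(seconds=60), threshold=3):
    """Obscura: several protected processes terminated on one host within `window`."""
    hits, per_host = [], defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["kind"] == "terminate" and _base(e["image"]) in PROTECTED:
            per_host[e["host"]].append(e)
    for host, evs in per_host.items():
        for i in range(len(evs)):  # sliding window over the host's sorted terminations
            run = [x for x in evs[i:] if _ts(x) - _ts(evs[i]) <= window]
            if len(run) >= threshold:
                hits.append(("kill_burst", host, ",".join(_base(x["image"]) for x in run)))
                break
    return hits


def rule_service_fanout(events, window=timedelta(minutes=5), threshold=3):
    """Play/GoGo.exe: one account installs services on many hosts in quick succession."""
    hits, per_user = [], defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["kind"] == "service_install":
            per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        for i in range(len(evs)):
            hosts = {x["host"] for x in evs[i:] if _ts(x) - _ts(evs[i]) <= window}
            if len(hosts) >= threshold:
                hits.append(("service_fanout", user, ",".join(sorted(hosts))))
                break
    return hits


def run_all(events):
    """Return every (rule, subject, detail) hit, sorted for stable output."""
    out = []
    for rule in (rule_netlogon_exec, rule_shadow_delete, rule_agent_uninstall,
                 rule_kill_burst, rule_service_fanout):
        out.extend(rule(events))
    return sorted(out)


if __name__ == "__main__":
    for name, subject, detail in run_all(EVENTS):
        print(f"{name:16} {subject:18} {detail}")
```

The thresholds and the PROTECTED list are starting points to tune per environment; the point is that each of the five behaviours is cheap to express once process-create, process-terminate and service-install telemetry is collected, and that the fan-out rule keys on the account rather than on the (randomly named) binary.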


Malicious GitHub repo serving up a trojan

Earlier this month, our SOC came across a social engineering technique with a twist: a commit in a GitHub repository that claimed to offer the GitHub Desktop client but instead delivered a trojan, which in turn ran the Lumma Stealer infostealer.

In the attack, the threat actor used a Microsoft Bing ad to direct users to a malicious commit. A commit records a set of changes to a repository; in this case, the attackers created a commit under a legitimate GitHub repository and embedded the commit’s github.com URL in the ad, so the link looked trustworthy. GitHub does warn that the commit does not belong to any branch of the repository, but an unsuspecting user may not notice the banner or understand what it means. Following the link leads to the commit page, which points to a download from github-desktop[.]com, which is what the victim in this incident did.

GitHub’s warning that the commit does not belong to any branch of the repo
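What GitHub’s banner means is that the commit object exists and is served by hash, but no branch’s history reaches it. The check below, an added example rather than GitHub’s or Huntress’s code, reproduces that test locally: it builds a throwaway repository with one committed change and one dangling commit (created by committing and then moving the branch pointer back), extracts the hash from a commit URL, and asks git which branches contain it. It assumes `git` is on the PATH, and the example.com/`example/repo` URL shape is hypothetical.

```python
import re
import subprocess
import tempfile


def git(repo, *args):
    """Run a git command inside `repo` and return its stdout, stripped."""
    return subprocess.run(["git", "-C", repo, *args], check=True, text=True,
                          capture_output=True).stdout.strip()


def commit_sha_from_url(url):
    """Extract the commit hash from a github.com-style .../commit/<sha> URL."""
    m = re.search(r"/commit/([0-9a-fA-F]{7,40})\b", url)
    return m.group(1).lower() if m else None


def branches_containing(repo, sha):
    """Branches (local and remote-tracking) whose history includes `sha`.

    This is the local equivalent of GitHub's "does not belong to any branch" banner.
    """
    out = git(repo, "branch", "-a", "--contains", sha, "--format=%(refname:short)")
    return [b for b in out.splitlines() if b]


def assess_commit_link(repo, url):
    """Classify a commit URL against an already cloned and fetched repository."""
    sha = commit_sha_from_url(url)
    if sha is None:
        return {"sha": None, "branches": [], "verdict": "not a commit URL"}
    exists = subprocess.run(["git", "-C", repo, "cat-file", "-e", f"{sha}^{{commit}}"],
                            capture_output=True).returncode == 0
    if not exists:
        return {"sha": sha, "branches": [], "verdict": "commit not present locally"}
    branches = branches_containing(repo, sha)
    verdict = "on a branch" if branches else "dangling: not reachable from any branch"
    return {"sha": sha, "branches": branches, "verdict": verdict}


def build_demo_repo():
    """Constructed repo: one commit on the default branch plus one dangling commit."""
    repo = tempfile.mkdtemp(prefix="commit-check-")
    git(repo, "init", "-q")
    git(repo, "config", "user.email", "demo@example.invalid")
    git(repo, "config", "user.name", "demo")
    git(repo, "config", "commit.gpgsign", "false")
    git(repo, "commit", "-q", "--allow-empty", "-m", "initial")
    good_sha = git(repo, "rev-parse", "HEAD")
    # Make a commit, then move the branch pointer back: the object survives
    # (git still serves it by hash) but no branch reaches it any more.
    git(repo, "commit", "-q", "--allow-empty", "-m", "add 'installer' link")
    dangling_sha = git(repo, "rev-parse", "HEAD")
    git(repo, "reset", "-q", "--hard", "HEAD~1")
    return repo, good_sha, dangling_sha


if __name__ == "__main__":
    repo, good, dangling = build_demo_repo()
    for sha in (good, dangling):
        url = f"https://github.com/example/repo/commit/{sha}"  # hypothetical URL
        print(sha[:12], assess_commit_link(repo, url)["verdict"])
```

Against a real repository the same two commands apply after `git clone` and `git fetch --all`: `git cat-file -e <sha>^{commit}` to confirm the object, then `git branch -a --contains <sha>`. An empty result is the condition GitHub is warning about, and it means the commit never went through the project’s review or release process, however legitimate the URL looks.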

The Takeaway

While this is the first time our SOC has come across this, other vendors have reported seeing the same technique. Threat actors rely on the victims’ trust in GitHub's brand, counting on them to ignore the warning shown above. User awareness of this attack vector is key: a commit that no branch contains has not been reviewed or released by the project, however legitimate the URL looks.

Tactical Response

Our Hunting & Tactical Response team was developed as a separate function within our SOC for deep dives into intrusions and to answer partners’ questions outside the scope of 24x7 SOC operations. It sits in the sweet spot between a standard MDR offering and a more intensive, formal Incident Response engagement. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

Lots of wins in the first half of 2025

The Hunting & Tactical Response team has been working tirelessly behind the scenes this year on comprehensive threat hunts across process-related telemetry and working closely with Triage and Analysis analysts. Here are a few examples of some major wins from the first half of the year:

  • Exposing threat actors who were exploiting flaws in CrushFTP, Gladinet, and Ajax Pro products, and abusing fake CAPTCHAs
  • Protecting partners against tech support scammers 
  • Identifying and naming multiple malware families, including Octowave loader

SANS Difference Makers Awards

SANS released nominees for their Difference Makers Awards, and our SOC dominated the list! Dray Agha, Jai Minton, and Anton Ovrutsky are nominated for the Practitioner of the Year - DFIR/Threat Intelligence Forensicators category, while Anna Pham is nominated for the Practitioner of the Year - Cyber Defender category. Huntress is a Cybersecurity Company of the Year nominee. Congrats to all our nominees! Make sure to cast your vote through October 8!

Huntress dominated this year’s SANS Difference Makers Awards

Threats Around the World

Cybercrime Takedowns

On September 15, the US Justice Department announced the arrest of Thalha Jubair, a UK national associated with the Scattered Spider hacking group. Jubair was caught due to poor operational security in handling bitcoin ransom payments from victims.

He reportedly accessed a cryptocurrency wallet that received ransomware funds to purchase Steam Games and order food from delivery services.

In addition, recent video footage reportedly showed Jubair being robbed by individuals dressed as police officers, who raided his residence a few months before his arrest. In that video, Jubair mentioned another associate who is now also under investigation. He is charged with one count of computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted, he faces a maximum of 95 years in prison, one of the highest potential penalties in cybercrime history.

Since his arrest, Scattered Spider has remained relatively quiet, suggesting that the group is performing damage control and anticipating more arrests.


The Ransomware Landscape and Implosions

DragonForce, a recent but virulent ransomware group formed from ex-members of RansomHub, suggested forming a “Ransomware Cartel” with LockBit and Qilin on the dark web. Shortly after, LockBit appeared to accept the offer, which would let the groups coordinate and share resources.

During 2025, ransomware-as-a-service (RaaS) competition has been extremely volatile, with groups rising and falling dramatically. Affiliate payouts have climbed to reflect this; LockBit offers the highest, 90% at its top tier.

With the recent unification of DragonForce, LockBit, and Qilin, we believe this could lead to more coordinated efforts and unified attack strategies. For instance, LockBit, which is believed to have a very reliable pipeline of Initial Access Brokers, could share that access to help Qilin and DragonForce reach a broader set of targets. More importantly, LockBit has shown that its infrastructure is extremely robust and keeps operating after takedowns; its latest release marks LockBit’s fifth major restructure. By offering the other groups access to its infrastructure, money laundering, and financial systems, it could make them more resistant to law enforcement takedowns.

Much like rival drug cartels, ransomware groups have been fighting each other at an escalating pace this year. Groups like BlackLock have been targeted by others, including DragonForce. Dark web chatter indicates smaller groups may be looking to join forces as well, making the landscape extremely dynamic and unpredictable.


SonicWall Exposed Customer Firewall Config Files

SonicWall revealed an attack on its MySonicWall.com platform that exposed customer firewall configuration files. In a security advisory, SonicWall said threat actors accessed backup firewall preference files stored in the cloud for fewer than 5% of its firewall install base. Credentials in the files were encrypted, but the files also contain the rest of the device configuration (interfaces, rules, and other settings), which could make it easier for attackers to exploit the firewall. The activity stemmed from a series of brute force attacks aimed at the files stored in cloud backup.

SonicWall recommended that customers log into their MySonicWall.com accounts and check whether cloud backups exist for their registered firewalls. If backups are listed, customers should check whether the affected firewalls’ serial numbers appear in their account, and if they do, follow the specific containment and remediation guidance in the threat advisory. Whatever the advisory says, treat every credential and pre-shared key held in an exposed configuration as compromised and rotate it.

SonicWall guidance on checking for Firewalls with preference files backed up in MySonicWall.com

Huntress has been in contact with SonicWall since our last Rapid Response, which involved a wave of SonicWall devices being actively exploited. We’re closely following this latest security incident and what it means for our own customers who use SonicWall products.


EDR-Freeze

A new proof-of-concept (PoC) for a defense evasion technique called EDR-Freeze was recently publicized. Based on our testing, the Huntress Agent is not affected by EDR-Freeze.

The technique abuses a component of the Windows Error Reporting (WER) framework called WerFaultSecure, which runs as a Protected Process Light (PPL) and exists to collect crash dumps of protected system processes for diagnostics. The PoC launches WerFaultSecure against a chosen target and has it call MiniDumpWriteDump, the API that snapshots a process’s memory and state. MiniDumpWriteDump suspends the target process for the duration of the dump and resumes it when done. The PoC, however, suspends WerFaultSecure itself while it is inside MiniDumpWriteDump, so the resume never happens and the EDR or AV process being dumped stays “frozen” indefinitely. The side effects are visible: a security process whose threads are all suspended, and a WerFaultSecure.exe instance that is itself suspended, are both anomalies worth alerting on.

It’s important to note that this technique enables defense evasion; it is not an initial access technique. Attackers must first gain access to a target host, be able to execute code on it, and hold sufficient privileges to manipulate protected processes. If the target has EDR installed, detections are in place and constantly tuned to spot these earlier points in the attack chain.
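The “frozen” state described above can be found from a process and thread snapshot alone, without knowing anything about how the attacker got there. The check below is an added example, not Huntress’s detection logic: it runs over a constructed snapshot (the kind an agent or Process Explorer would collect; field names and the security-product process names are assumptions, and the `/pid N` argument layout for WerFaultSecure.exe is a simplification rather than its real command line). It flags security processes whose every thread is suspended, and raises the severity when the WerFaultSecure.exe that targeted them is itself suspended, which is the EDR-Freeze pattern.

```python
import re

# Assumed list of security-product process names (lower-case) for this example.
SECURITY_PROCS = {"msmpeng.exe", "sense.exe", "huntressagent.exe"}

# Constructed process/thread snapshot (not real telemetry). Thread states are
# simplified to "running", "wait" or "suspended". The WerFaultSecure argument
# layout is assumed; the check only needs the target PID to appear as a token.
SNAPSHOT = [
    {"pid": 900,  "name": "svchost.exe",        "cmdline": "svchost.exe",
     "threads": ["wait", "running", "wait"]},
    {"pid": 1234, "name": "MsMpEng.exe",        "cmdline": "MsMpEng.exe",
     "threads": ["suspended"] * 6},                      # AV engine, fully frozen
    {"pid": 4321, "name": "WerFaultSecure.exe", "cmdline": "WerFaultSecure.exe /pid 1234 /tid 1300",
     "threads": ["suspended", "suspended"]},             # the dumper, frozen mid-dump
    {"pid": 777,  "name": "notepad.exe",        "cmdline": "notepad.exe",
     "threads": ["suspended"]},                          # genuinely being dumped right now
    {"pid": 5555, "name": "WerFaultSecure.exe", "cmdline": "WerFaultSecure.exe /pid 777 /tid 790",
     "threads": ["running"]},                            # healthy dumper, will resume 777
    {"pid": 2000, "name": "HuntressAgent.exe",  "cmdline": "HuntressAgent.exe",
     "threads": ["wait", "wait"]},
    {"pid": 3000, "name": "sense.exe",          "cmdline": "sense.exe",
     "threads": ["suspended"] * 4},                      # frozen, no dumper in sight
]


def frozen_processes(snapshot):
    """Processes with at least one thread and every thread suspended."""
    return [p for p in snapshot
            if p["threads"] and all(s == "suspended" for s in p["threads"])]


def werfaultsecure_targets(snapshot):
    """Map each WerFaultSecure.exe PID to the live PIDs its command line references."""
    live = {p["pid"] for p in snapshot}
    targets = {}
    for p in snapshot:
        if p["name"].lower() == "werfaultsecure.exe":
            nums = {int(t) for t in re.findall(r"\b\d+\b", p["cmdline"])}
            targets[p["pid"]] = nums & live
    return targets


def assess(snapshot):
    """Return (severity, pid, reason) findings for suspended security processes."""
    by_pid = {p["pid"]: p for p in snapshot}
    frozen = {p["pid"] for p in frozen_processes(snapshot)}
    dumped_by = {t: w for w, ts in werfaultsecure_targets(snapshot).items() for t in ts}
    findings = []
    for pid in sorted(frozen):
        name = by_pid[pid]["name"]
        if name.lower() not in SECURITY_PROCS:
            continue
        dumper = dumped_by.get(pid)
        if dumper is not None and dumper in frozen:
            findings.append(("high", pid,
                             f"{name} suspended by WerFaultSecure pid {dumper}, "
                             f"which is itself suspended (EDR-Freeze pattern)"))
        elif dumper is not None:
            findings.append(("low", pid,
                             f"{name} suspended while WerFaultSecure pid {dumper} is active "
                             f"(dump in progress, should resume shortly)"))
        else:
            findings.append(("medium", pid,
                             f"{name} has every thread suspended and no dump in progress"))
    return findings


if __name__ == "__main__":
    for severity, pid, reason in assess(SNAPSHOT):
        print(f"[{severity:6}] pid {pid}: {reason}")
```

The “low” case matters: a security process briefly suspended while a live WerFaultSecure.exe is dumping it is normal WER behaviour, so the rule keys on the dumper being stuck rather than on the suspension alone. A real collector would re-sample after a few seconds and only alert when the state persists.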

For businesses, EDR-Freeze underscores the significance of layered defenses, prioritized patching, and restricting or blocking tools that aren’t operationally required in the environment. Because the technique abuses a signed operating-system binary rather than a bug in any one product, no single patch makes it go away; the controls that catch its prerequisites (code execution and privilege escalation on the host) matter most.

Rapid Responses

For the uninitiated, “Rapid Responses” spin up when attackers are exploiting a vulnerability or threat to escalate their attacks at scale. When we hear about a potential vulnerability, the Adversary Tactics team works across Huntress to figure out the potential impact, update our customers, and publish a blog for the security community with all the necessary threat activity details. Here is one example of a Rapid Response that we’ve handled in the last month:

Threat Actor Agent Install Blog

Over the summer, we initiated a Rapid Response after a threat actor installed a Huntress agent on their own operating machine, giving us visibility into their operations. In September, we published a blog post on our findings from the incident.

While many people saw the value in releasing information that gave in-depth visibility into how an attacker operates on a daily basis, interestingly, the blog post also triggered some controversy, including questions about the telemetry that EDR products collect and how we use data in investigations. This gave us an opportunity to engage with the community to separate fact from misunderstanding, through:

Relevant Product Updates

While not a direct product of the Adversary Tactics team, we’d like to highlight some killer new capabilities that our partners in Product Research and Product have released to help mess up attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

Managed EDR

Our Windows agent has scored several wins against Akira this month. Our on-agent ransomware detection capability detected Akira ransomware 8 minutes and 33 seconds earlier than was previously possible. We also stopped Akira in multiple incidents, including one where we blocked the actor during the enumeration phase and another where we identified them at the earliest point of their attack path.

macOS Tamper Protection is now live on 90% of eligible endpoints! Additionally, this month we saw the rollout of macOS Agent 0.14.84, which introduces file-based telemetry on macOS. That means that our Product Research and Detection Engineering teams can make detection rules based on files being created on macOS endpoints. This will help us detect malicious activity earlier and better clue into other types of tradecraft.

Finally, the EDR team handled our first Linux incident a few weeks ago during the Open Beta stage 🎊 The team detected reconnaissance on a Linux endpoint, specifically a user running a recursive getcap (getcap -r /) against the root of the filesystem, a standard way to find binaries with file capabilities that can be abused for privilege escalation. It turned out the behavior came from a tester at a partner. This is a major win for our Linux agent!

Incident report for an EDR detection on Linux


Managed ITDR

Managed ITDR now detects logins from known malicious datacenters under its Unwanted Access capability. Unwanted Access already flags anomalous locations and VPNs, but we noticed threat actors increasingly logging in from datacenter infrastructure to sidestep both, so now we have our eyes on this evolving tradecraft. Previously, datacenter logins were treated like any other location; this feature categorizes them specifically as datacenters. So far, 70% of the signals from our malicious datacenter login detectors have no corresponding Unwanted Access signal (e.g., session hijacking, credential theft), which shows how much more we’re catching by looking at datacenter logins.
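Why a location rule misses these logins is easy to see with a small classifier. The block below is an added example, not the Managed ITDR implementation: it tags constructed Microsoft 365-style sign-ins (field names, users and a per-user home-country baseline are all made up) with a location check, a VPN check and a datacenter check, then lists the sign-ins only the datacenter check catches. The netblocks are documentation ranges standing in for an ASN or IP-intelligence feed.

```python
import ipaddress

# Constructed netblock feed using RFC 5737 / RFC 3849 documentation ranges, not
# real providers. A deployment would load these from an ASN/IP-intelligence source.
DATACENTER_NETS = [ipaddress.ip_network(n) for n in
                   ("203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48")]
VPN_NETS = [ipaddress.ip_network("198.51.100.128/25")]

# Constructed per-user baseline: the country each account normally signs in from.
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "US", "dave": "US", "erin": "US"}

# Constructed sign-in records; field names are assumptions for this example.
SIGNINS = [
    {"user": "alice", "ip": "203.0.113.5",     "country": "US", "result": "success"},
    {"user": "bob",   "ip": "198.51.100.200",  "country": "US", "result": "success"},
    {"user": "carol", "ip": "2001:db8:100::7", "country": "DE", "result": "success"},
    {"user": "dave",  "ip": "192.0.2.10",      "country": "US", "result": "success"},
    {"user": "erin",  "ip": "192.0.2.99",      "country": "BR", "result": "success"},
    {"user": "erin",  "ip": "203.0.113.9",     "country": "US", "result": "failure"},
]


def classify_ip(ip):
    """'vpn', 'datacenter' or 'residential' for an IPv4 or IPv6 source address."""
    addr = ipaddress.ip_address(ip)
    # VPN exits are often hosted in datacenters; the VPN label is the more
    # specific one, so it is checked first.
    if any(addr in net for net in VPN_NETS):
        return "vpn"
    if any(addr in net for net in DATACENTER_NETS):
        return "datacenter"
    return "residential"


def triage(signins):
    """Tag each successful sign-in with every reason it deserves a second look."""
    out = []
    for s in signins:
        if s["result"] != "success":
            continue
        reasons = []
        if s["country"] != HOME_COUNTRY.get(s["user"]):
            reasons.append("anomalous_location")
        kind = classify_ip(s["ip"])
        if kind != "residential":
            reasons.append(kind)
        out.append((s["user"], s["ip"], reasons))
    return out


def datacenter_only(signins):
    """Sign-ins the datacenter check catches that no location or VPN rule would."""
    return [(user, ip) for user, ip, reasons in triage(signins) if reasons == ["datacenter"]]


if __name__ == "__main__":
    for user, ip, reasons in triage(SIGNINS):
        print(f"{user:6} {ip:18} {','.join(reasons) or 'ok'}")
    print("datacenter-only:", datacenter_only(SIGNINS))
```

In the sample, alice’s session comes from a datacenter inside her home country, so neither the location nor the VPN rule fires; only the datacenter label does. That is the gap the new detector closes.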

This month, Erin Meyers and Dave Kleinatland also took a look at the most common Microsoft 365 and identity security myths, in a blog post that you can read here.


Managed SIEM

Huntress SIEM continues to prove its value in early threat detection, helping customers spot and stop ransomware operators and other adversaries significantly faster.

This month, the team added and expanded capabilities with TCP support for syslog collection, enabling a broader range of sources to send data directly into the SIEM. Even better, our 10 new brute force detections are already live—feeding our SOC fresh insights and strengthening our ability to respond quickly.

And for those running SentinelOne, we’re excited to share that our SentinelOne integration is now live and GA, making it easier than ever to extend protection and visibility across your environment.


Managed SAT

Huntress Security Awareness Training (SAT) continues to evolve to better equip users against sophisticated social engineering attacks.

Huntress released a new research report: Mind the (Security) Gap: SAT in 2025. The report surveyed 500 admins and learners of SAT solutions across the market to look at whether organizations are actually getting the results they need from their increasing SAT spend. The result: perceptions do not equal reality.


Huntress Platform

Improvements to the Huntress Platform enhance the overall experience for partners and customers and strengthen the product's foundation. The month saw a number of new Portal releases, including new and improved API documentation.

Highlights

Tradecraft Tuesday

In this month’s Tradecraft Tuesday episode–The Craftiest Trends, Scams, and Tradecraft of 2025 (So Far)– John Hammond and Greg Linares dove into the top types of tricky tradecraft that threat actors are using to target businesses, from ClickFix to deepfakes.

Be sure to tune into our Tradecraft Tuesday next month. Our upcoming episode, "The Dangers You Don’t See: Threats Hiding in Your Network,” will tackle the top threats our SOC has seen in the trenches so far this year. Snag your spot now


Notable External Media

John Hammond appeared in an ABC News Nightline segment this month (starting around 2:52 in the linked video) to discuss the social engineering aspects behind “grandparent scams.” The segment covered how these scams work and their impact on victims.
