Real Tradecraft, Real Results

Behind every neutralized threat at Huntress is our Security Operations team, combining expertise with relentless dedication. Discover the real stories where their tradecraft protects what matters most—your business.

Women employee typing on the laptop - GDAP Webinar

Recent Response to Incidents

Oh No Cleo! Malichus Implant Malware Analysis

Huntress previously reported on malicious activity from the exploitation of a 0-day vulnerability in Cleo software. Read the story for a technical breakdown of a new family of malware we’ve named Malichus.

Read Story

In the span of 48 hours, a threat actor tried to compromise nearly 100 identities, succeeding in some instances 😰

Their targets included:

🧱 Construction companies

🌭 Food catering providers

⚙️ Mechanical engineers

📚 Elementary schools

Locking in on the adversarial public IPv6s (2a05:541:116:2d::1, 2a05:541:116:13::1), our SOC tracked this threat actor's activities, taking them down when they made progress against an identity.

Looking closer, we found they were using the Axios framework—a legitimate tool that can be abused for phishing and account compromise. Fortunately, the SOC was equipped with ITDR to fight the threat actor for every inch of identity territory they tried to steal.

To prevent these kinds of infections in your network, we recommend:

➡️ Complex conditional access policies and MFA: We watched in real-time as the threat actor failed to gain entry to an identity, despite having the right credentials, because of these security obstacles.

➡️ Security aware users: This threat actor likely got access via mass phishing. Equipping users with the knowledge to identify phishing attempts neutralizes attacks like this before they can even begin.

With identity threats like these becoming the new norm, the question isn't if attackers will come for your users—it’s when. Start a free trial of Huntress Managed ITDR today.

Learn More

Ransomware

Ransomware is devastating, but mass isolating a network can also wreck productivity.

This type of nightmare fuel often starts with discovering offensive tradecraft originating from an endpoint missing our agent (never installed). In this case: 🔎 An unpatched Sonicwall device was exploited 🔎 Initial access to an unprotected device was gained 🔎 Local Administrator (500 account) was used to access the DC 🔎 Backdoor account “adm” was created and added to “Domain Admins” Incident response assistance from our SOC uncovered the same “adm” account was used with impacket to quickly access critical systems like the backup, virtual hosting, and file servers. Mass quarantine was effective at halting the incident, but could have been more surgical with complete coverage 😭

Unauthorized Remote Access

A commercial real estate company was compromised via an RMM tool 🏢

The threat actor used their initial access to drop ANOTHER remote access tool 🤯

They were in the process of modifying system firewall rules to gain further access and maybe even persistence via this secondary RMM tool when our SOC shut them down 🛡️

Remember to:

Double check your RMM tools’ permissions
Make sure auditing is enabled—this telemetry is critical during compromise
Educate your users on safe RMM use

Phishing Scams

Here’s how text scams go down 👇

📬 You get a text claiming there’s an issue with your USPS shipment. 📱 But the number has an international country code, yet it’s referencing USPS. 🔗 The link’s not clickable, but the message says replying will fix that.

But here’s what happens if you reply:

The link’s suddenly clickable and leads to a fake USPS site.
Your number gets flagged as active, increasing scam texts.
The scammers improve their chances of tricking others. Delete the message. Don’t interact.

Learn More

ITDR - VPN Exploit

NordVPN and Mullvad are great for privacy—but cybercriminals love ‘em for a reason. They get: ✅ Anonymous payments ✅ No-logging policies ✅ And easy ways to hide malicious activity There’s a thin line between legit use and abuse—and Matt Kiely’s here to show you: https://lnkd.in/g-fFZ5yk

Learn More