Real Tradecraft, Real Results

Behind every neutralized threat at Huntress is our Security Operations team, combining expertise with relentless dedication. Discover the real stories where their tradecraft protects what matters most—your business.

Recent Response to Incidents

Oh No Cleo! Malichus Implant Malware Analysis

Huntress previously reported on malicious activity from the exploitation of a 0-day vulnerability in Cleo software. The malware being delivered through this exploitation has now been analyzed and a technical breakdown of a new family of malware we've named Malichus is included in this post. The name is a play on the word Cleopatra and comes from Malichus I, who is noted to have burned Cleopatra's navy fleet in revenge for his losses throughout a war that Cleopatra had initiated.

In the span of 48 hours, a threat actor tried to compromise nearly 100 identities, succeeding in some instances 😰

Their targets included:

🧱 Construction companies

🌭 Food catering providers

⚙️ Mechanical engineers

📚 Elementary schools

Locking in on the adversarial public IPv6s (2a05:541:116:2d::1, 2a05:541:116:13::1), our SOC tracked this threat actor's activities, taking them down when they made progress against an identity.


Looking closer, we found they were using the Axios framework—a legitimate tool that can be abused for phishing and account compromise. Fortunately, the SOC was equipped with ITDR to fight the threat actor for every inch of identity territory they tried to steal.

To prevent this kind of identity compromise in your environment, we recommend:

➡️ Complex conditional access policies and MFA: We watched in real-time as the threat actor failed to gain entry to an identity, despite having the right credentials, because of these security obstacles.

➡️ Security aware users: This threat actor likely got access via mass phishing. Equipping users with the knowledge to identify phishing attempts neutralizes attacks like this before they can even begin.

With identity threats like these becoming the new norm, the question isn't if attackers will come for your users—it’s when. Start a free trial of Huntress Managed ITDR today. 

Ransomware is devastating, but mass isolating a network can also wreck productivity. This type of nightmare fuel often starts with discovering offensive tradecraft originating from an endpoint missing our agent (never installed). In this case:

🔎 An unpatched SonicWall device was exploited

🔎 Initial access to an unprotected device was gained

🔎 The local Administrator account (RID 500) was used to access the DC

🔎 A backdoor account “adm” was created and added to “Domain Admins”

Incident response assistance from our SOC uncovered that the same “adm” account was used with Impacket to quickly access critical systems like the backup, virtual hosting, and file servers. Mass quarantine was effective at halting the incident, but could have been more surgical with complete coverage 😭


A commercial real estate company was compromised via an RMM tool 🏢

The threat actor used their initial access to drop ANOTHER remote access tool 🤯

They were in the process of modifying system firewall rules to gain further access and maybe even persistence via this secondary RMM tool when our SOC shut them down 🛡️

Remember to:

  • Double-check your RMM tools’ permissions
  • Make sure auditing is enabled—this telemetry is critical during compromise
  • Educate your users on safe RMM use

Here’s how text scams go down 👇

📬 You get a text claiming there’s an issue with your USPS shipment.

📱 But the number has an international country code, yet it’s referencing USPS.

🔗 The link’s not clickable, but the message says replying will fix that.

But here’s what happens if you reply:

  • The link’s suddenly clickable and leads to a fake USPS site.
  • Your number gets flagged as active, increasing scam texts.
  • The scammers improve their chances of tricking others.

Delete the message. Don’t interact.

NordVPN and Mullvad are great for privacy—but cybercriminals love ‘em for a reason. They get:

✅ Anonymous payments

✅ No-logging policies

✅ Easy ways to hide malicious activity

There’s a thin line between legit use and abuse—and Matt Kiely’s here to show you: https://lnkd.in/g-fFZ5yk

Ready to try Huntress for yourself?

See how the global Huntress SOC can augment your team with 24/7 coverage and unmatched human expertise.

Start a Free Trial Today