
Real Tradecraft, Real Results

Behind every neutralized threat at Huntress is our Security Operations team, combining expertise with relentless dedication. Discover the real stories where their tradecraft protects what matters most—your business.

Tradecraft Categories
Recent Response to Incidents

Oh No Cleo! Malichus Implant Malware Analysis

Huntress previously reported on malicious activity from the exploitation of a 0-day vulnerability in Cleo software. Read the story for a technical breakdown of a new family of malware we’ve named Malichus.
Huntress SIEM gives the upper hand... when it's installed
In a recent incident, SIEM was NOT installed. As a result, threat actors were able to run amok in a partner's environment. With SIEM installed, the SOC would have had a 24-hour advantage.


In those 24 hours, the threat actor was able to:
  • Compromise an admin account and move laterally throughout the environment
  • Execute data exfiltration tools on multiple endpoints

In addition, ingesting their VPN logs into SIEM would have saved the partner a lot of headache and prevented those logs from being overwritten before we could get to the bottom of the intrusion.


Bottom line: SIEM can give the SOC a head start and improves the partner experience during a security intrusion.

In the span of 48 hours, a threat actor tried to compromise nearly 100 identities, succeeding in some instances 😰

Their targets included:

🧱 Construction companies

🌭 Food catering providers

⚙️ Mechanical engineers

📚 Elementary schools

Pivoting on the adversary's public IPv6 addresses (2a05:541:116:2d::1, 2a05:541:116:13::1), our SOC tracked this threat actor's activities, taking them down whenever they made progress against an identity.


Looking closer, we found they were using Axios, a legitimate HTTP client library that can be abused to automate phishing and account compromise. Fortunately, the SOC was equipped with ITDR to fight the threat actor for every inch of identity territory they tried to steal.
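The triage the SOC performed here, as an added example (not Huntress code): sign-in events are checked against the two IPv6 addresses named above, against their enclosing /64 prefixes (an assumption, in case the actor rotates hosts inside the same allocation), and for an "axios" user agent, and any identity with a flagged success that was not challenged for MFA is listed for reset. The event schema and the sample records are constructed for the example.

```python
"""Triage constructed sign-in events for the indicators in the post above:
two adversary IPv6 addresses and an 'axios' user agent.
Added example, not Huntress code; the event format is assumed."""
import ipaddress
from collections import defaultdict

# Indicators from the post. Matching the enclosing /64 is an assumption:
# the actor may rotate hosts inside the same prefix.
BAD_IPS = {ipaddress.ip_address("2a05:541:116:2d::1"),
           ipaddress.ip_address("2a05:541:116:13::1")}
BAD_PREFIXES = {ipaddress.ip_network(f"{ip}/64", strict=False) for ip in BAD_IPS}
BAD_UA_MARKERS = ("axios",)

# Constructed sample events in an assumed schema (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "2a05:541:116:2d::1",
     "user_agent": "axios/1.6.2", "result": "failure", "mfa": False},
    {"user": "alice@example.com", "ip": "2a05:541:116:2d::1",
     "user_agent": "axios/1.6.2", "result": "success", "mfa": False},
    {"user": "bob@example.com", "ip": "2a05:541:116:13::7",
     "user_agent": "axios/1.6.2", "result": "failure", "mfa": False},
    {"user": "carol@example.com", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "result": "success", "mfa": True},
    {"user": "dave@example.com", "ip": "198.51.100.4",
     "user_agent": "axios/0.27.2", "result": "success", "mfa": False},
]


def reasons_for(event):
    """Return the list of indicators an event matches (empty if clean)."""
    reasons = []
    ip = ipaddress.ip_address(event["ip"])
    if ip in BAD_IPS:
        reasons.append("known adversary IP")
    elif any(ip in net for net in BAD_PREFIXES):   # IPv4 never matches a v6 net
        reasons.append("adversary /64 prefix")
    ua = event.get("user_agent", "").lower()
    if any(marker in ua for marker in BAD_UA_MARKERS):
        reasons.append("axios user agent")
    return reasons


def triage(events):
    """Return flagged events plus a per-identity summary so the analyst sees
    which accounts the actor actually got into (a success with no MFA)."""
    flagged = []
    by_user = defaultdict(lambda: {"attempts": 0, "compromised": False})
    for event in events:
        reasons = reasons_for(event)
        if not reasons:
            continue
        flagged.append({**event, "reasons": reasons})
        stats = by_user[event["user"]]
        stats["attempts"] += 1
        if event["result"] == "success" and not event.get("mfa", False):
            stats["compromised"] = True
    return flagged, dict(by_user)


def compromised_identities(events):
    """Identities that need a password reset and session revocation."""
    _, by_user = triage(events)
    return sorted(user for user, stats in by_user.items() if stats["compromised"])


if __name__ == "__main__":
    flagged, _ = triage(SAMPLE_EVENTS)
    for hit in flagged:
        print(hit["user"], hit["ip"], hit["result"], ", ".join(hit["reasons"]))
    print("reset + revoke:", compromised_identities(SAMPLE_EVENTS))
```

Note that dave@example.com is caught by the user agent alone: a real campaign will not stay on two addresses, so the client fingerprint matters as much as the IP list. Carol's login, from an ordinary browser with MFA satisfied, is left alone.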

To prevent these kinds of identity compromises in your environment, we recommend:

➡️ Well-scoped conditional access policies and MFA: We watched in real time as the threat actor failed to gain entry to an identity, despite having the right credentials, because of these controls.

➡️ Security aware users: This threat actor likely got access via mass phishing. Equipping users with the knowledge to identify phishing attempts neutralizes attacks like this before they can even begin.

With identity threats like these becoming the new norm, the question isn't if attackers will come for your users—it’s when. Start a free trial of Huntress Managed ITDR today. 


Ransomware is devastating, but mass-isolating a network can also wreck productivity.

This type of nightmare fuel often starts with discovering offensive tradecraft originating from an endpoint missing our agent (never installed). In this case:

🔎 An unpatched SonicWall device was exploited
🔎 Initial access to an unprotected device was gained
🔎 The built-in local Administrator account (RID 500) was used to access the DC
🔎 Backdoor account “adm” was created and added to “Domain Admins”

Incident response assistance from our SOC uncovered that the same “adm” account was used with Impacket to quickly access critical systems like the backup, virtual hosting, and file servers. Mass quarantine was effective at halting the incident, but it could have been more surgical with complete coverage 😭
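Both steps in this chain leave Windows Security log events that can be correlated. The detection below is an added example (not Huntress code) over constructed records: a 4720 (account created) followed within a short window by a 4728 adding the same SID to a group whose SID ends in -512 (Domain Admins), and 4624 network logons (type 3) with the RID 500 account from a source outside an assumed allow list. The one-hour window and the allow list are assumptions; the field names follow the Security log's own XML.

```python
"""Correlate constructed Windows Security events to catch the pattern above:
a newly created account promptly added to Domain Admins, and network logons
with the built-in Administrator (RID 500). Added example; field names follow
the Security log's XML but the records are constructed."""
from datetime import datetime, timedelta

EVENT_ACCOUNT_CREATED = 4720   # A user account was created
EVENT_ADDED_TO_GLOBAL = 4728   # Member added to a security-enabled global group
EVENT_LOGON = 4624             # An account was successfully logged on
DOMAIN_ADMINS_RID = "-512"     # match the group SID, not the display name
BUILTIN_ADMIN_RID = "-500"     # survives renaming the Administrator account
PROMOTION_WINDOW = timedelta(hours=1)   # assumed threshold

SAMPLE_EVENTS = [  # constructed, chronological
    {"EventID": 4624, "Time": "2024-05-01T01:02:00", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-111-222-333-500", "LogonType": 3,
     "IpAddress": "10.0.5.23", "Computer": "DC01"},
    {"EventID": 4720, "Time": "2024-05-01T01:05:10", "TargetUserName": "adm",
     "TargetSid": "S-1-5-21-111-222-333-1108", "SubjectUserName": "Administrator"},
    {"EventID": 4728, "Time": "2024-05-01T01:05:42",
     "MemberName": "CN=adm,CN=Users,DC=corp,DC=local",
     "MemberSid": "S-1-5-21-111-222-333-1108", "TargetUserName": "Domain Admins",
     "TargetSid": "S-1-5-21-111-222-333-512", "SubjectUserName": "Administrator"},
    # A legitimate hire, promoted two days after creation by a different admin.
    {"EventID": 4720, "Time": "2024-05-01T09:00:00", "TargetUserName": "jsmith",
     "TargetSid": "S-1-5-21-111-222-333-1109", "SubjectUserName": "helpdesk"},
    {"EventID": 4728, "Time": "2024-05-03T09:00:00",
     "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=local",
     "MemberSid": "S-1-5-21-111-222-333-1109", "TargetUserName": "Domain Admins",
     "TargetSid": "S-1-5-21-111-222-333-512", "SubjectUserName": "it-admin"},
]


def _when(event):
    return datetime.fromisoformat(event["Time"])


def fresh_domain_admins(events, window=PROMOTION_WINDOW):
    """Accounts added to Domain Admins within `window` of being created.
    Correlation is by SID so a rename between the two events does not evade it."""
    created = {}   # SID -> (name, creation time, creator)
    alerts = []
    for event in sorted(events, key=_when):
        if event["EventID"] == EVENT_ACCOUNT_CREATED:
            created[event["TargetSid"]] = (event["TargetUserName"], _when(event),
                                           event.get("SubjectUserName"))
        elif (event["EventID"] == EVENT_ADDED_TO_GLOBAL
              and event["TargetSid"].endswith(DOMAIN_ADMINS_RID)):
            hit = created.get(event["MemberSid"])
            if hit and _when(event) - hit[1] <= window:
                alerts.append({
                    "account": hit[0],
                    "created_by": hit[2],
                    "promoted_by": event.get("SubjectUserName"),
                    "seconds_to_promotion": int((_when(event) - hit[1]).total_seconds()),
                })
    return alerts


def builtin_admin_network_logons(events, allowed_sources=()):
    """Type-3 (network) logons by RID 500 from anywhere but the allow list."""
    return [{"computer": e["Computer"], "source": e["IpAddress"], "time": e["Time"]}
            for e in events
            if e["EventID"] == EVENT_LOGON and e.get("LogonType") == 3
            and e["TargetUserSid"].endswith(BUILTIN_ADMIN_RID)
            and e["IpAddress"] not in allowed_sources]


if __name__ == "__main__":
    print(fresh_domain_admins(SAMPLE_EVENTS))
    print(builtin_admin_network_logons(SAMPLE_EVENTS, allowed_sources=("10.0.0.5",)))
```

Neither rule depends on the name "adm": the next intrusion will pick a different one. Domain Admins is a global group, so membership changes log as 4728; the local and universal group equivalents (4732, 4756) would need the same handling if the target group differs.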


Here’s how text scams go down 👇

📬 You get a text claiming there’s an issue with your USPS shipment.
📱 But the number has an international country code, yet it’s referencing USPS.
🔗 The link’s not clickable, but the message says replying will fix that.

But here’s what happens if you reply:

  • The link’s suddenly clickable and leads to a fake USPS site.
  • Your number gets flagged as active, increasing scam texts.
  • The scammers improve their chances of tricking others.

Delete the message. Don’t interact.

A threat actor infiltrated a medical facility and threw everything they had at the network. Here’s a breakdown of what went down 👇


✅ Netscan used for enumeration
✅ Malicious drivers deployed to disable Windows Defender
✅ Lateral movement via PsExec
✅ Mimikatz to extract cleartext credentials
✅ User accounts created for persistence
✅ Registry modifications using NPPSpy (malicious credential-capturing DLL)
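NPPSpy works by registering itself as a Windows network provider, which lets its DLL receive the cleartext password at every interactive logon; that registration is exactly the registry modification listed above. The check below is an added example (not Huntress code) that flags such changes in constructed Sysmon Event ID 13 (registry value set) records: an unexpected name appended to the ProviderOrder value, or a ProviderPath pointing at a DLL outside an assumed baseline of the built-in providers.

```python
"""Flag registry changes that register a new network provider, the mechanism
NPPSpy uses to receive cleartext logon credentials. Added example; the input
is constructed Sysmon Event ID 13 (value set) records and the baseline of
legitimate providers is an assumption to be tuned per fleet."""
import re

PROVIDER_ORDER_KEY = re.compile(
    r"\\Control\\NetworkProvider\\Order\\ProviderOrder$", re.IGNORECASE)
PROVIDER_PATH_KEY = re.compile(
    r"\\Services\\(?P<svc>[^\\]+)\\NetworkProvider\\ProviderPath$", re.IGNORECASE)

# Assumed baseline for a stock domain-joined Windows client.
BASELINE_PROVIDERS = {"RDPNP", "LanmanWorkstation", "webclient"}
BASELINE_PATHS = {r"%SystemRoot%\System32\drprov.dll",
                  r"%SystemRoot%\System32\ntlanman.dll",
                  r"%SystemRoot%\System32\davclnt.dll"}

SAMPLE_EVENTS = [  # constructed Sysmon 13 records
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder",
     "Details": "RDPNP,LanmanWorkstation,webclient,NPPSpy"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NPPSpy\NetworkProvider\ProviderPath",
     "Details": r"C:\Windows\Temp\NPPSpy.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\bits\Start",
     "Details": "DWORD (0x00000003)"},   # unrelated value set, must not alert
]


def network_provider_changes(events):
    """Return one alert per suspicious network-provider registration."""
    alerts = []
    for event in events:
        if event.get("EventID") != 13:
            continue
        target = event["TargetObject"]
        if PROVIDER_ORDER_KEY.search(target):
            new = [p for p in event["Details"].split(",")
                   if p and p not in BASELINE_PROVIDERS]
            if new:
                alerts.append({"kind": "provider_order", "new_providers": new,
                               "image": event["Image"]})
        match = PROVIDER_PATH_KEY.search(target)
        if match and event["Details"] not in BASELINE_PATHS:
            alerts.append({"kind": "provider_path", "service": match.group("svc"),
                           "dll": event["Details"], "image": event["Image"]})
    return alerts


if __name__ == "__main__":
    for alert in network_provider_changes(SAMPLE_EVENTS):
        print(alert)
```

Any hit here warrants pulling the DLL and treating every password typed at that host since the change as exposed; the Mimikatz step in the same intrusion only covers credentials already in memory, while a provider DLL keeps collecting at each new logon.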

Our 24/7 Human SOC isolated the network for the partner, stopping further damage and lateral movement.

Tips to protect your network:
➡️ Block local admin rights for day-to-day accounts
➡️ Use the Windows Firewall to prevent lateral movement
➡️ Always keep Windows instances fully patched



Ready to try Huntress for yourself?

See how the global Huntress SOC can augment your team with 24/7 coverage and unmatched human expertise.

Start a Free Trial Today