EncapsulateJay (@encapsulatej)'s Twitter Profile

SOC Analyst @HuntressLabs

ID: 1363120332111032325

Joined: 20-02-2021 13:36:37

121 Tweets

113 Followers

388 Following

Anton (@antonlovesdnb)

Got a new Huntress blog out today looking at a case that Dray Agha, Josh Allman and I worked on recently - VPN compromise, lateral movement, Veeam exploitation & some methodology notes throughout that newer folks might find particularly interesting! huntress.com/blog/untold-ta…

John Hammond (@_johnhammond)

We wrote up what Huntress has been seeing for the CrushFTP authentication bypass: CVE-2025-31161 (or CVE-2025-2825, whichever side of the bed you woke up on) leading to MeshCentral agents, AnyDesk, and neato "TelegramBot" malware. Patch plz! ✌️ huntress.com/blog/crushftp-…

Rem (@sudo_rem)

huntress.com/blog/cve-2025-… Check out what Huntress has been busy with this weekend! If you're an IR/SOC analyst responding to this, we've included a query using WithSecure™'s Chainsaw to help ease the lift. #cve202530406 #CentreStack

Jai Minton (@cyberraiju)

Sample deployed via low detection Octowave Loader caught:
virustotal.com/gui/file/141a6…
- econusi[.digital/nwmb

Interestingly low detection C2 amongst the noise is the newly registered domain posing as Warhammer Official
- wawrhamer[.live

Jai Minton (@cyberraiju)

HijackLibs.net details hundreds of publicly disclosed DLL Hijacking opportunities. With over 700 stars on GitHub and a growing list, Wietze does an amazing job maintaining it.

Despite this, contributing can be time consuming. That's why I've created HijackLibs Helper!👇

The DFIR Report (@thedfirreport)

🚨 Search for software, end up getting ransomware! SEO-driven #Bumblebee malware campaigns observed throughout July led to domain compromise, data theft & #Akira ransomware. Tools included #AdaptixC2 & #Netscan. thedfirreport.com/2025/08/05/fro…

Ame (@pe4chscreeching)

🚨 Case from Huntress

🔎 Cephalus seen side loading DLL 'SentinelAgentCore.dll' into legitimate 'SentinelBrowserNativeHost.exe' for ransomware execution 

✏️ File extension for encrypted files - '.sss'

Rem (@sudo_rem)

If you're running an SSLVPN (SonicWall, Fortigate, etc.) and not retaining those logs, you're setting yourself up for disaster. It's not uncommon to see sub-10 minute slices of activity in the totality of exported logs, which is next to useless.

EncapsulateJay (@encapsulatej)

There's pretty much never been a better time to start learning or get hands on blue team experience through labs. The availability and quality of labs being released today compared to 4 years ago is night and day. Training providers like Xintra are paving the way for the future!

Ayush Anand (@securityinbits)

ClickFix just got clever: ditched Win+R for Win+X (Power User Menu) ⚠️

New variant drops Lumma after Defender exclusion:

- Prompts for elevation until the user accepts
- Adds a Defender exclusion on %temp%
- Drops & runs Lumma

Multiple Sigma rules fired 💥

Process Tree👇