Josh Allman (@xorjosh)'s Twitter Profile
Josh Allman

@xorjosh

@HuntressLabs

ID: 1570835261738700805

Website: https://www.joshallman.co.uk/
Joined: 16-09-2022 18:01:39

290 Tweets

1.1K Followers

1.1K Following

Huntress (@huntresslabs)

Exposed RDP can lead to anything—even attempted ransomware attacks. Here’s what went down at this manufacturing business👇

Huntress (@huntresslabs)

🐶 A vulnerability left an animal care facility wide open, and an attacker didn’t hesitate to pounce. Here’s how it unfolded 👇

Huntress (@huntresslabs)

We’ve shared many stories about exposed RDP without MFA because it’s common AF; threat actors waste no time exploiting it. What makes this SOC Story from a dental facility stand out: in under 30 minutes, the attack went from initial access to attempted ransomware deployment.

Huntress (@huntresslabs)

🚨 IOC DROP – Suspected Ransomware Infrastructure:

IPs:
• 64.190.113[.]159
• 147.135.36[.]162
Domains:
• specialsseason[.]com
• 1vpns[.]com
Cert fingerprint:
6bc8b8f260f9f9bfea69863ef8d3c525568676ddadc09c14655191cad1acdb5b

Full context: huntress.com/blog/brute-for…
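Matching a defanged IOC list like the one above against telemetry means refanging it first and deciding what counts as a domain hit (exact or subdomain, never a bare substring). The block below is an added example, my code rather than Huntress's or anything from the linked blog post; the indicator values are the ones posted above, the log records are constructed, and the key=value field names (src, dst, query, sni, host, cert_sha256) are assumed Zeek-style names.

```python
import re
from typing import Optional

# IOCs exactly as posted in the tweet above, kept defanged so the file is safe to share.
IOCS_DEFANGED = {
    "ip": ["64.190.113[.]159", "147.135.36[.]162"],
    "domain": ["specialsseason[.]com", "1vpns[.]com"],
    "cert_sha256": ["6bc8b8f260f9f9bfea69863ef8d3c525568676ddadc09c14655191cad1acdb5b"],
}

# Which telemetry fields are compared against which indicator type (assumed Zeek-style keys).
FIELD_MAP = {
    "ip": ("src", "dst"),
    "domain": ("query", "sni", "host"),
    "cert_sha256": ("cert_sha256",),
}

KV = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Convert a defanged indicator back to the form that appears in real telemetry."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def load_iocs(defanged: dict) -> dict:
    return {
        "ip": {refang(v) for v in defanged["ip"]},
        "domain": {refang(v).lower() for v in defanged["domain"]},
        "cert_sha256": {v.lower() for v in defanged["cert_sha256"]},
    }


def domain_hit(name: str, domains: set) -> Optional[str]:
    """Exact or subdomain match only: c2.1vpns.com hits 1vpns.com, 1vpns.com.evil.test does not."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def parse_record(line: str) -> dict:
    return dict(KV.findall(line))


def match_record(rec: dict, iocs: dict) -> list:
    """Return (ioc_type, field, matched_value) tuples for one parsed record."""
    hits = []
    for field in FIELD_MAP["ip"]:
        if rec.get(field) in iocs["ip"]:
            hits.append(("ip", field, rec[field]))
    for field in FIELD_MAP["domain"]:
        if field in rec:
            d = domain_hit(rec[field], iocs["domain"])
            if d:
                hits.append(("domain", field, d))
    for field in FIELD_MAP["cert_sha256"]:
        # fingerprints are case-insensitive hex; normalise before comparing
        if rec.get(field, "").lower() in iocs["cert_sha256"]:
            hits.append(("cert_sha256", field, rec[field].lower()))
    return hits


def scan(lines, iocs) -> list:
    alerts = []
    for line in lines:
        rec = parse_record(line)
        for kind, field, value in match_record(rec, iocs):
            alerts.append({"ts": rec.get("ts"), "kind": kind, "field": field, "value": value})
    return alerts


# Constructed sample telemetry (DNS, TLS, HTTP records); not real logs.
SAMPLE_LOGS = [
    "ts=2025-05-01T10:00:01Z type=dns src=10.0.0.5 query=www.example.com",
    "ts=2025-05-01T10:00:07Z type=dns src=10.0.0.5 query=update.specialsseason.com",
    "ts=2025-05-01T10:00:09Z type=tls src=10.0.0.5 dst=64.190.113.159 sni=update.specialsseason.com "
    "cert_sha256=6BC8B8F260F9F9BFEA69863EF8D3C525568676DDADC09C14655191CAD1ACDB5B",
    "ts=2025-05-01T10:02:13Z type=http src=10.0.0.9 dst=93.184.216.34 host=example.org",
    "ts=2025-05-01T10:03:44Z type=dns src=10.0.0.9 query=1vpns.com.evil-lookalike.test",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS, load_iocs(IOCS_DEFANGED)):
        print(alert)
```

The last sample line is there on purpose: a naive `"1vpns.com" in query` check would flag it, while anchored suffix matching does not. The certificate fingerprint is the most durable of the three indicator types, since it survives the actor moving to fresh IPs and domains.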
Huntress (@huntresslabs)

A construction company recently suffered a VPN brute-force attack, but didn't have SIEM monitoring! The absence of a SIEM led to an 18-minute gap, giving the attacker enough time to attempt to steal credentials - but fortunately the Huntress EDR shut it down.

Ame (@pe4chscreeching)

Post MSSQL Compromise Huntress
✏️ w.bat - new user 'testing' password 'UPD@GhAdmin'.
✏️ Win8.exe, Win10.exe, TQ_CLR.exe - downloaded from hxxp[://]down[.]ftp21[.]cc.
✏️ Strings downloaded from hxxps[://]directxapps[.]shop via PS.
✏️ GotoHTTP dropped for persistence.

Huntress (@huntresslabs)

✅ PSExec tweaked registry & firewall settings for RDP access
✅ Mimikatz.exe hid in C:\PerfLogs dumping credentials
✅ Legit tools (TNIWINAGEN) were abused to scan the network, then a malicious Atera agent was deployed
✅ A scheduled task ("MSTR tsk") beaconed to a malicious IP

Huntress (@huntresslabs)

They racked up nearly 11,000 failed login attempts before landing a single hit.

As seen below, this brute-force attack was captured through SIEM logs, quickly triggering an investigation and a business-saving response from our 24/7 security team.
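The SIEM rule that turns "nearly 11,000 failed logins, then one hit" into an alert is a stateful correlation, not a simple count. Below is an added example of that logic, my code and not Huntress's detection; it correlates Windows Security event 4625 (failed logon) with 4624 (successful logon) per source IP inside a sliding window. The events are constructed to resemble the post, and the threshold, window, field names and logon types are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100                 # failed logons from one source before we call it brute force (assumed)
WINDOW = timedelta(minutes=10)  # sliding window the failures must fall inside (assumed)


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Stateful rule over Windows Security events (4625 = failed, 4624 = success).

    Per source IP we keep the timestamps of failures inside `window`. Crossing
    `threshold` raises one brute_force alert; any 4624 from that source while it
    is still over threshold raises brute_force_success, the "single hit" that
    matters most to the SOC.
    """
    recent = defaultdict(deque)   # src_ip -> failure timestamps still inside the window
    users = defaultdict(set)      # src_ip -> usernames tried (spray vs. single target)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, q = ev["src_ip"], recent[ev["src_ip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["id"] == 4625:
            q.append(ev["ts"])
            users[src].add(ev["user"])
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"rule": "brute_force", "src_ip": src, "ts": ev["ts"],
                               "failures": len(q), "distinct_users": len(users[src])})
        elif ev["id"] == 4624 and len(q) >= threshold:
            alerts.append({"rule": "brute_force_success", "src_ip": src, "ts": ev["ts"],
                           "user": ev["user"], "failures_before": len(q),
                           "logon_type": ev.get("logon_type")})
    return alerts


def build_sample_events():
    """Constructed events, not real telemetry: ~11k failures from one external IP over
    25 minutes cycling through a short user list, then one success; plus a LAN user who
    fat-fingers a password three times, which must stay quiet."""
    base = datetime(2025, 5, 1, 9, 0, 0)
    attacker = "203.0.113.10"
    tried = ["administrator", "admin", "jsmith", "backup", "scanner"]
    events = []
    for i in range(10_987):
        events.append({"ts": base + timedelta(milliseconds=136 * i), "id": 4625,
                       "src_ip": attacker, "user": tried[i % len(tried)], "logon_type": 10})
    events.append({"ts": base + timedelta(seconds=1500), "id": 4624, "src_ip": attacker,
                   "user": "jsmith", "logon_type": 10})
    for i in range(3):
        events.append({"ts": base + timedelta(minutes=30, seconds=i), "id": 4625,
                       "src_ip": "10.0.0.20", "user": "mlee", "logon_type": 2})
    events.append({"ts": base + timedelta(minutes=30, seconds=5), "id": 4624,
                   "src_ip": "10.0.0.20", "user": "mlee", "logon_type": 2})
    return events


EVENTS = build_sample_events()

if __name__ == "__main__":
    for alert in detect_bruteforce(EVENTS):
        print(alert)
```

The deque keeps memory bounded to the window rather than to the whole attack, and `distinct_users` lets the analyst tell a spray from a targeted guess at triage time. In a real deployment the 4624 would additionally be checked for logon type 10 (RDP) or a VPN source, which is where these SOC stories usually begin.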
Huntress (@huntresslabs)

A threat actor infiltrated a medical facility and threw everything they had at the network. Here’s a breakdown of what went down 👇

Andrew (@4ndr3w6s)

Late Friday blog drop! Huntress had some fun with #DefendNot by es3n1n 😈 This tool shows that defense evasion isn’t just about avoiding tools—it’s about bending them. Here’s how attackers turn your security products into blind spots. 🛡️ huntress.com/blog/defendnot…

Max Rogers (@maxrogers5)

Macs don't get viruses, right? 🍏 Deepfake Zoom calls. AppleScript lures. Rosetta 2 abuse. Plenty of custom malware: Nim backdoor, Go infostealer, Obj-C keylogger, and more! Amazing write-up by alden, Stuart Ashenbrenner 🇺🇸 🇨🇦, and Jonathan Semon 🔥 🔗 huntress.com/blog/inside-bl…

Anton (@antonlovesdnb)

Coming up on my 1 year anniversary with Huntress! Taking this opportunity to go over some things myself and the team have seen in intrusions and drop some tips on basic things you can do to make your network more immune to compromise. Let's start with initial access -

Ben (@polygonben)

Interesting hands-on-keyboard case today Huntress -> Suspected VPN initial access -> TA used this to RDP to DC & RDS -> TA created hidden accounts for persistence -> TA attempted to clear logs for defence evasion -> Huntress evicted TA 😎

Huntress (@huntresslabs)

Congratulations to RussianPanda 🐼 🇺🇦 & Ben for having talks accepted at #defcon33!

Follow these folks and if you're headed to DEF CON put it on your to-do list to be in attendance!

Ben (@polygonben)

Some interesting findings at Huntress today after a skid exploited a web server. 

We initially detected based on httpd.exe spawning sus processes

The TA created a user account 'DataAdmin' with the password 'AlexGangteng' for persistence and added this user to Administrators group
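Detection logic for the pattern in this post (a web server process spawning shells, then an account created and added to Administrators), as an added example that is my code and not Huntress's own rule. Field names follow Sysmon event 1 (ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine); the events are constructed, with the account name and password as quoted above, and the sets of web servers and suspicious children are assumptions. Rather than a flat parent/child check, it walks process ancestry, so net.exe two hops below httpd.exe still fires.

```python
import json
import re

# Server images whose descendants should never be shells or LOLBins (assumed set).
WEB_SERVERS = {"httpd.exe", "w3wp.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe",
                      "whoami.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"}

# `net user <name> [<password>] /add` and `net localgroup administrators <name> /add`
NET_USER_ADD = re.compile(r'\bnet1?(?:\.exe)?"?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b', re.I)
NET_ADMIN_ADD = re.compile(r'\bnet1?(?:\.exe)?"?\s+localgroup\s+administrators\s+(\S+)\s+/add\b', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class ProcessTree:
    """Minimal ancestry table keyed by Sysmon ProcessGuid."""

    def __init__(self):
        self.procs = {}  # guid -> (image basename, parent guid)

    def add(self, ev):
        pguid = ev["ParentProcessGuid"]
        # record the parent from ParentImage if we never saw its own creation event
        self.procs.setdefault(pguid, (basename(ev["ParentImage"]), None))
        self.procs[ev["ProcessGuid"]] = (basename(ev["Image"]), pguid)

    def ancestors(self, guid, limit=16):
        """Image basenames from the immediate parent upward, depth-limited."""
        chain, cur = [], self.procs.get(guid)
        while cur and cur[1] is not None and len(chain) < limit:
            parent = self.procs.get(cur[1])
            if parent is None:
                break
            chain.append(parent[0])
            cur = parent
        return chain


def analyze(lines):
    tree, alerts, created = ProcessTree(), [], set()
    for line in lines:
        ev = json.loads(line)
        tree.add(ev)
        image, guid = basename(ev["Image"]), ev["ProcessGuid"]
        cmd = ev.get("CommandLine", "")
        web = next((a for a in tree.ancestors(guid) if a in WEB_SERVERS), None)
        if web and image in SHELLS_AND_LOLBINS:
            alerts.append({"rule": "web_server_spawned_shell", "guid": guid,
                           "image": image, "web_ancestor": web, "cmd": cmd})
        m = NET_USER_ADD.search(cmd)
        if m:
            user = m.group(1).lower()
            created.add(user)
            alerts.append({"rule": "local_account_created", "guid": guid, "user": user,
                           "from_web_server": web is not None})
        m = NET_ADMIN_ADD.search(cmd)
        if m:
            user = m.group(1).lower()
            alerts.append({"rule": "added_to_administrators", "guid": guid, "user": user,
                           "from_web_server": web is not None})
            if user in created:   # same session created it and elevated it: persistence
                alerts.append({"rule": "new_admin_account_persistence", "guid": guid, "user": user})
    return alerts


# Constructed Sysmon-style process-creation events as JSON lines; not real telemetry.
SAMPLE_EVENTS = [
    r'{"UtcTime":"2025-06-02 14:01:10","ProcessGuid":"A","ParentProcessGuid":"R","Image":"C:\\Apache24\\bin\\httpd.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"httpd.exe -k runservice","User":"NT AUTHORITY\\SYSTEM"}',
    r'{"UtcTime":"2025-06-02 14:07:42","ProcessGuid":"B","ParentProcessGuid":"A","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Apache24\\bin\\httpd.exe","CommandLine":"cmd.exe /c whoami","User":"NT AUTHORITY\\SYSTEM"}',
    r'{"UtcTime":"2025-06-02 14:08:03","ProcessGuid":"C","ParentProcessGuid":"B","Image":"C:\\Windows\\System32\\net.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"net user DataAdmin AlexGangteng /add","User":"NT AUTHORITY\\SYSTEM"}',
    r'{"UtcTime":"2025-06-02 14:08:05","ProcessGuid":"D","ParentProcessGuid":"B","Image":"C:\\Windows\\System32\\net.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"net localgroup administrators DataAdmin /add","User":"NT AUTHORITY\\SYSTEM"}',
    r'{"UtcTime":"2025-06-02 14:30:00","ProcessGuid":"E","ParentProcessGuid":"X","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -NoProfile -c Get-Service","User":"CORP\\itadmin"}',
    r'{"UtcTime":"2025-06-02 14:30:20","ProcessGuid":"F","ParentProcessGuid":"E","Image":"C:\\Windows\\System32\\net.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"net user","User":"CORP\\itadmin"}',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The last two events are the control: an admin running PowerShell from Explorer and listing users produces nothing, while the same net.exe under httpd.exe fires on ancestry alone, before the `/add` regexes even run. Tracking parents by GUID instead of PID avoids PID reuse confusing the chain.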
Jai Minton (@cyberraiju)

As of Thurs Aug 14th we're seeing clear indications that a threat actor has now weaponised and is exploiting vulnerabilities in Axis camera software (CVE-2025-30023/4/5/6) which was presented at DEFCON. Props to Jordan Sexton for the find.

axis.com/dam/public/9b/…

CC: Huntress 👇

Jai Minton (@cyberraiju)

It's recommended you review AXIS logs e.g. C:\ProgramData\Axis Communications\AXIS Camera Station\Core\Client 5.57.33556\Logs\AcsClient.exe.warnings.log for entries containing messages such as: 👇

Rem (@sudo_rem)

Vipyr Security's scanning service alerted us to a malicious Python package under the name "pytensorlite". This package, uploaded less than 60 seconds before our scanning alerted us, downloads a malicious payload from github.com/93dk99-ui/pyte…; resulting in the execution of a Base64