Huntress observed in-the-wild use of Nightmare-Eclipse tooling, including BlueHammer, RedSun, and UnDefend, in a live intrusion involving FortiGate VPN compromise as the initial access, reconnaissance commands, and likely tunneling activity.
A Linux user recently tried to respond to potentially malicious behavior on their machine using OpenAIβs Codex coding agent, before installing the Huntress agent. What ensued shows the unexpected impacts of this AI use case on DFIR investigations.
Standard EDR creates a gap between detection and action. Huntress closes it. Learn how our Attack Disruption Engine automatically disrupts threat actors and reduces the impact of endpoint attacks.
VPN misconfiguration is behind 70% of intrusions. See real Huntress SOC incidents and learn the simple steps to close your biggest open door before attackers walk through it.
Huntress uncovered a malware operation using signed PUP to deploy AV killers with SYSTEM privileges. Learn how this adware crosses the line into malware territory and how anyone could have hijacked their update mechanism.
Donβt forget to secure your side doors. Attackers look for the systems you treat as secondary. Don't neglect staging environments, as theyβre a critical part of your attack surface.
Attackers are already targeting the AI tools your team just started using. Here's what that looks like when it lands in your own environment. And what actually stops it.
Event 1644 shows localhost, hiding the attacker's real IP. By correlating Event 5156 with a ~60-80ms timing window, you can attribute ADWS queries to their actual sourceβand the data was already in your SIEM.
A threat actor enumerated our entire AD with Get-ADComputer, and none of our detections fired. The problem wasn't their evasion - it was an architectural blind spot in how PowerShell talks to Active Directory.
The Stryker incident revealed that a "Weaponized Remote Wipe" via compromised MDM is a more permanent and difficult threat than ransomware. Learn concrete steps to secure management platforms and prevent your security shield from becoming a weapon.
A recent incident linked to the NightSpire ransomware workflow gives insight into why the RaaS structure and model, or lack thereof, are important β especially when it comes to scoping and recovering from the incident.
OpenClaw AI agents pose identity and data risks if deployed with broad cloud permissions. Learn how to find and secure these apps before an attacker does.
See why the viral "three-finger test" is almost outdated, and how to build resilient security processes that protect your organization from identity-based attacks and social engineering, no matter how advanced the AI gets.
That "friendly" prompt is a ClickFix scam. Learn about this advanced social engineering tactic that tricks users into running malicious code on their own systems, and why security resilience is your winning bet.
Huntress now delivers ITDR for Google Workspace to protect identities against BEC, inbox rule manipulation, and account takeover, all with a 24/7 SOC-led response.
Railway PaaS is being weaponized as a clean token replay engine in an active AiTM and device code phishing campaign impacting 268+ M365 organizations and 100+ MSPs.