In a twist of fate that underscores both the power and inherent transparency of endpoint detection and response (EDR) solutions.
By investigating alerts generated through this deployment, the Huntress Security Operations Center (SOC) gained unprecedented insight into the adversary’s day-to-day workflows, tool usage, and evolving tradecraft.
Huntress’s commitment to transparency and community education led to the publication of detailed findings after confirming that the target host was malicious.
By carefully balancing privacy obligations and threat dissemination, the team shared EDR data illustrating how the actor researched and adopted security software, leveraged AI for automation, hunted running instances of Evilginx, and staged complex reconnaissance campaigns over several months.
The saga began when the adversary clicked a Huntress advertisement while exploring Bitdefender on Google.
Browser history analysis revealed they first evaluated Bitdefender before following a comparison link that led to a Huntress trial.
The actor downloaded and installed the Huntress agent—unaware it would chronicle every subsequent action. Additional artifacts showed interest in Malwarebytes, including its browser-guard extension.
However, a key red flag emerged: the machine name matched one tracked in prior intrusion incidents.
Huntress researchers discovered that a sophisticated threat actor had unwittingly installed the company’s agent on their own attack machine.
When subsequent alerts signaled malware execution, SOC analysts confirmed the host’s malicious nature and pivoted to dissecting the full scope of the actor’s activities.
AI, Phishing, and Proxy Services
EDR telemetry captured a rich timeline of the actor’s operations. Early on, they researched automation software such as Make.com, integrating Telegram Bot APIs into workflows to launch processes automatically.
Over weeks, the adversary refined these workflows—identifying target organizations via “tips” from Telegram, translating messages through Google Translate, and leveraging AI-powered CSV and writing assistants like Toolbaz AI and Explo AI.
Reconnaissance tactics included using Censys to search for active Evilginx instances and recording attempts to access those servers.
The SOC also observed traces of reconnaissance and enumeration tools like Bloodhound, GraphSpy, and TeamFiltration.
Visits to LunaProxy and Nstbrowser pricing pages indicated an investment in residential proxies and anti-detect browsers to obscure malicious traffic.
Further, browser entries revealed extensive research into corporate supply chains via ReadyContacts and InfoClutch, and technology stacks through BuiltWith—illustrating how attackers probe both direct targets and their broader ecosystems.
Frequent use of urlscan and VirusTotal provided real-time insight into malware samples and phishing domains.
Daily Rhythms and Regional Focus
By mapping browser activity timestamps, Huntress constructed a chart of hours worked per day from May 29 through July 9, 2025. The actor’s schedule fluctuated between intense 12–14-hour days and brief two-hour sessions.
Detailed breakdowns on peak days showed heavy banking research, reconnaissance site visits, and AI tool experimentation.
Overall, over the course of three months we saw an evolution in terms of how the threat actor refined their processes, incorporated AI into their workflows.
Notably, the adversary spent several days focusing on Nigerian banking and cryptocurrency exchanges—hinting at targeting preferences.
Though the attack machine operated on a U.S. West Coast clock, its victim research spanned global verticals, including finance, government, and technology.
After confirming the host’s malicious status, Huntress analysts performed retroactive hunts, uncovering over 2,400 compromised identities and thwarting new malicious mail rules and session-token theft attempts.
This exercise produced high-confidence detections against adversarial infrastructure and enabled rapid, precise responses to future incidents.
Huntress’s decision to publish the investigation balances strict privacy commitments with a mission to empower defenders.
By sharing raw EDR telemetry reflecting real attacker behavior—alongside contextual analysis—security teams worldwide can better anticipate tradecraft, refine detection rules, and educate stakeholders about the evolving threat landscape.
In essence, this case study exemplifies the dual promise of EDR: to unearth attacker techniques while enabling defenders to stay one step ahead.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
