An Attacker’s Blunder Gave Us a Look Into Their Operations

A threat actor inadvertently installed the Huntress EDR agent on their primary operating machine, allowing Huntress to observe detailed browser history, tooling, and workflows, revealing use of AI, searches for Evilginx instances, residential proxies, and reconnaissance across banking and other sectors. Huntress used this telemetry and retroactive hunts to tie the host to known malicious activity, identify compromised identities, and produce high-confidence detections against the attack infrastructure. #Evilginx #Make.com

Keypoints

  • An attacker discovered and installed Huntress via a Google ad while trialing other security products, enabling Huntress to collect EDR telemetry directly from the adversary’s host.
  • Huntress identified the host as malicious because the unique machine name matched machines seen in prior incidents and browser history showed targeting activity and tool research.
  • Telemetry revealed the attacker used AI and automation platforms (Make.com, Toolbaz AI, DocsBot AI, Explo AI) to streamline workflows, including Telegram Bot integrations and CSV/data generation.
  • The threat actor searched for and attempted to access running Evilginx instances via Censys, and showed interest in tools like GraphSpy, Bloodhound, TeamFiltration, and ROADtools Token eXchange.
  • Browser history showed use of residential proxy services (LunaProxy, Nstbrowser), scraping and recon platforms (BuiltWith, Apify, RapidAPI), and targeted reconnaissance across banks, real estate, and software vendors.
  • Huntress’ retroactive investigations linked the adversary to access across thousands of identities (over 2,471 unique identities observed on their AS) and disclosed ~20 compromised identities tied to session token theft and malicious mail rules.
  • The adversary’s activities spanned May 29–July 9, 2025, often working long hours and iterating attack tradecraft (phishing content, token theft scripts, and automation projects like Voltage_Office356bot).
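
As an added defender-side example (not Huntress's code or anything from the blog), the check below triages constructed audit records for the kind of malicious mail rules that the keypoints say were tied to the compromised identities. The record field names, the sample values and the internal domain are assumptions for this illustration.

```python
"""Flag suspicious inbox-rule creations in constructed M365-style audit records.
Added example, not Huntress code; field names are an assumption."""
import json
from typing import Iterable

# Constructed sample records, loosely modelled on New-InboxRule audit events.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "victim1@example.com",
     "Parameters": {"Name": ".", "ForwardTo": "drop@attacker.example",
                    "DeleteMessage": "True"}, "ClientIP": "203.0.113.10"},
    {"Operation": "New-InboxRule", "UserId": "victim2@example.com",
     "Parameters": {"Name": "Invoices", "SubjectContainsWords": "password;mfa;verify",
                    "MoveToFolder": "RSS Subscriptions", "MarkAsRead": "True"},
     "ClientIP": "203.0.113.11"},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": {"Name": "Newsletters", "From": "news@example.com",
                    "MoveToFolder": "Newsletters"}, "ClientIP": "198.51.100.5"},
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
HIDING_FOLDERS = {"RSS Subscriptions", "Deleted Items", "Archive", "Junk Email"}
SENSITIVE_WORDS = {"password", "mfa", "verify", "invoice", "payment", "security"}

def rule_findings(record: dict) -> list[str]:
    """Return the reasons a single New-InboxRule record looks malicious."""
    if record.get("Operation") != "New-InboxRule":
        return []
    p = record.get("Parameters", {})
    findings = []
    # Forwarding or redirecting outside the tenant is the classic exfil rule.
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        target = p.get(key, "")
        if target and target.split("@")[-1].lower() not in INTERNAL_DOMAINS:
            findings.append(f"external forward via {key} to {target}")
    # Deleting or burying mail hides the attacker's own messages from the victim.
    if p.get("DeleteMessage") == "True":
        findings.append("rule deletes matching mail")
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        findings.append(f"moves mail to {p['MoveToFolder']}")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w}
    if words & SENSITIVE_WORDS:
        findings.append(f"filters on sensitive words {sorted(words & SENSITIVE_WORDS)}")
    if len(p.get("Name", "")) <= 2:  # one-character names are a common evasion
        findings.append(f"short/obscure rule name {p.get('Name')!r}")
    return findings

def triage(records: Iterable[dict]) -> dict[str, list[str]]:
    """Map each user with a suspicious rule to the list of findings."""
    return {r["UserId"]: f for r in records if (f := rule_findings(r))}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```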

MITRE Techniques

  • [T1556] Modify Authentication Process – The actor researched and used scripts and tools (e.g., ROADtools Token eXchange and a script from Dirk-Jan Mollema’s blog) to manipulate Entra/Microsoft primary refresh tokens: ‘…Phishing for Microsoft Entra primary refresh tokens…’
  • [T1113] Screen Capture – Huntress collected EDR telemetry and browser history from the adversary’s host, effectively capturing the attacker’s on-host activity and artifacts: ‘…we were first responding to numerous alerts that were related to malware executing on it…collecting artifacts related to EDR telemetry on the host…’
  • [T1071] Application Layer Protocol – The threat actor used Telegram Bot APIs and webhooks via Make.com to automate workflows and receive tips: ‘…researching the platform’s Telegram Bot integration feature as a way to launch automated processes…’
  • [T1204] User Execution – The attacker downloaded and ran scripts and tools (Python scripts, ROADtools, Voltage_Office356bot) to execute attacks and token exchange workflows: ‘…python.exe main.py –wfb -u [victim]…’
  • [T1087] Account Discovery – The actor accessed cookie files and session information for victims and searched for email OSINT to identify targeted accounts: ‘…open the first file: …Cookies_[victim1]…json… Google search for “email osint”’
  • [T1590] Gather Victim Host Information – Use of urlscan, Censys, and BuiltWith to discover running Evilginx instances and technology stacks of target organizations: ‘…using Censys to search for running instances of Evilginx…’
  • [T1090] Proxy – The adversary used residential proxy services and anti-detect browser tools (LunaProxy, Nstbrowser) to route traffic and obscure origin: ‘…visited the pricing plan page for LunaProxy… Nstbrowser (which bills itself as an anti-detect browser)…’
  • [T1598] Phishing for Information – The attacker researched and crafted phishing-related messages using Google Translate and translated credential messages in browser history: ‘…using Google Translate to translate messages from Portuguese to English…username and password…’

Indicators of Compromise

  • [Domain] attacker recon and malicious pages – login.incipientcroop[.]com (inspected via urlscan/urlquery)
  • [Executable / File Name] tools and agents observed on host – Nstbrowser.exe, LunaProxyDivert.exe, roadtx.exe, main.py (Voltage_Office356bot)
  • [User Artifacts] cookie files showing victim sessions – Cookies_[victim1]@[redacted].com.json, Cookies_[victim2]@[redacted].com.json
  • [Autonomous System] malicious infrastructure hosting – AS “12651980 CANADA INC.” (VIRTUO) associated with access to 2,471 unique identities
  • [Service / Platform] automation and infrastructure targets – Make.com projects (Voltage_Office356bot), Censys (Evilginx discovery), BuiltWith lookups


Read more: https://www.huntress.com/blog/rare-look-inside-attacker-operation