This case is also a milestone for us at Huntress: it’s our first time reserving and publishing a CVE since being approved as a CVE Naming Authority (CNA).
Proud to have gone from spotting real-world exploitation → engaging the vendor → to publishing a CVE for the community.
Until a patch is released, administrators should immediately apply the workaround detailed in our post:
In observed attacks, threat actors leveraged the flaw to read sensitive files—including Web.config—and extract the application’s machine key. That access enabled further exploitation, including potential remote code execution.
🚨 @HuntressLabs identified active exploitation of a Local File Inclusion vulnerability affecting Gladinet CentreStack and Triofox systems.
A temporary workaround is available while a patch is in development:
www.huntress.com/blog/gladine...
Great job @jaiminton.com, @re.wtf, and James Northey
4⃣ By repurposing a legitimate monitoring tool, the actor gained persistent access and a stable C2 channel. The Nezha agent was then used to deploy the final payload: a variant of Ghost RAT, a backdoor long associated with China-nexus threat groups.
3⃣ From there, the actor used the AntSword management tool to interact with their web shell. This is a common TTP, but what came next was new to us. They used AntSword to download and install the Nezha agent, an open-source server monitoring tool, onto the victim.
2⃣ The initial access was creative. The actor exploited a misconfigured, public-facing phpMyAdmin panel. They then used a log poisoning technique to write a one-liner PHP web shell (China Chopper) to disk, bypassing authentication and gaining initial command execution.
1⃣ The Huntress team uncovered a campaign by a likely China-nexus threat actor. The most novel finding is use of a publicly available tool called Nezha as a post-exploitation C2 agent. This is the first public reporting of the tool I've seen.
www.huntress.com/blog/nezha-c...
Realizing the software getting exploited is owned by the same parent company who had a different app getting mass exploited in recent years.
We have to detect the latest malware! Anomaly Detection! AI? We could look for single character EXEs?
The gift that keeps on giving.
Mac's don't get viruses, right? 🍏
Deepfake Zoom calls. AppleScript lures. Rosetta 2 abuse.
Plenty of custom malware: Nim backdoor, Go infostealer, Obj-C keylogger, and more!
Amazing write-up by @re.wtf , @stuartjash.bsky.social and Jonathan Semon 🔥
🔗 www.huntress.com/blog/inside-...
Huntress SIEM Door Rattling Door Rattlers Detection Initial Access Brute Force
As more companies deploy the Huntress SIEM, we've enjoyed finding the "Door Rattlers"🚪
We see an attacker failing to log in across a number of environments and then eventually succeeding in 1 organization.
Stopping attacks at initial access ❤️
I hate comcast.
Huntress has observed in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in the Gladinet CentreStack enterprise file-sharing platform.
All of these advances in AI and yet I still can't pass over a 1 page document and get a companion slide deck that doesn't look insane 🤦
I’m right there with you! Simplicity is a cheat code.
🌟New report out today!🌟
Fake Zoom Ends in BlackSuit Ransomware
Analysis and reporting completed by @pigerlin, UC1 and @Miixxedup
Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2025/03/31/f...
Why are most "work management" tools still worse than a Google Sheet?
Want some entertainment? Our Tradecraft Tuesday show is LIVE right now: www.youtube.com/watch?v=5_H3...
Come listen to @antonlovesdnb.bsky.social and Dray Agha discuss tradecraft we're seeing in the wild.
"Outsized value" would have been a better choice of words.
It pains me when organizations take their limited security budgets and get tricked into buying products that don't lead to exponential value.
Heck these days, lots of VPN and Firewall products are the direct source of business ending intrusions.
netscan.exe, psexec.exe, mstsc.exe, netsh.exe, reg.exe
ICYMI: In July 2023, Curated Intel members shared a brand new resource for the community called 'The Threat Actor Profile Guide for CTI Analysts'.
The Threat Actor Profile Guide for CTI Analysts (curatedintel.org)
Attackers love taking over M365 identities 😬 In the past ~60 days, Huntress has tracked phishing pages used to steal M365 sessions. Seeing `.com` isn't surprising but having `.online` in second place caught my eye 👀
Interested in Adversary in the Middle attacks? www.huntress.com/blog/unmaski...
When the SOC sees an RDP login and the source IP is a datacenter.
8/ Want more? Check out HuskyHacks (Matt Kiely) and Christina Parry's talk from @bsidesnyc.org www.youtube.com/watch?v=XSzf...
9/ Want more? Check out HuskyHacks (Matt Kiely) and Christina Parry's talk from @bsidesnyc.org
www.youtube.com/watch?v=XSzf...
7/ Big picture: OAuth abuse is growing, and security teams need to adapt. Attackers aren't breaking in anymore—they’re logging in and staying in via OAuth apps.
6/ What can defenders do?
✔️ Review existing OAuth applications in your org
✔️ Limit app permissions to least privilege
✔️ Monitor for unusual OAuth grants in logs
✔️ Disable unused or risky third-party integrations
HuskyHacks released an open source tool to help with this:
github.com/HuskyHacks/c...
