TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

An Attacker’s Blunder Gave Us a Look Into Their Operations

2025-09-09

ATT&CK techniques detected

18 predictions
T1059.006 Python (92%)
"s blog, pointing to a nifty little script. At this point they went back to their voltage_office356bot project before running this new script they've downloaded. Figure 28: Accessing the voltage_office356bot project and running the attack script. They started trying to run th…"

T1176.001 Browser Extensions (91%)
"ad. The attacker tripped across our ad while researching another security solution. We confirmed this is how they found us by examining their Google Chrome browser history. An example of how this may have appeared to them in the moment may be seen in Figure 1. Figure 1: Google s…"

T1591 Gather Victim Org Information (73%)
"the attacker's reconnaissance methods. The threat actor spent a lot of time researching companies across different sectors, from specific banks to “top real estate companies in the US” (also looking up “real estate agents in California”). The threat actor didn't just se…"

T1176.001 Browser Extensions (69%)
"Malwarebytes browser extension. Threat actor red flags — and our response. We knew this was an adversary, rather than a legitimate user, based on several telling clues. The standout red flag was that the unique machine name used by the individual was the same as one that we had tra…"

T1598.003 Spearphishing Link (59%)
", before navigating to the BuiltWith sign-up page, presumably to access that list. The threat actor conducted a fair amount of research into tools used to scrape Telegram group data, including looking at scraper tools like Apify, the Axiom Chrome extension, and the RapidAPI platf…"

T1588.006 Vulnerabilities (42%)
", as seen in Figure 29, above: on several days, the threat actor worked as little as one to two hours. When we hone in on a few of the days when the most hours were put in, we can see some of the things that piqued the attacker's interest in those days. We analyzed the URLs to…"

T1539 Steal Web Session Cookie (42%)
"- wfb - u [victim2]@[redacted2][.]com. They returned to the first victim's cookie file: C:\Program Files\Notepad++\notepad++.exe C:\Users\Administrator\Downloads\Telegram Desktop\cookies_[victim1]@[redacted1][.].com.json. This is where…"

T1588.006 Vulnerabilities (39%)
"like MEGA, Amazon AWS, and Azure. Figure 30: Activities on May 29, 2025. We can see that from May 29 to June 1, 2025, the attacker was mostly looking at various banking websites. Digging further into their activities, you see them researching various banks, reading about Telegram…"

T1588.007 Artificial Intelligence (38%)
"8: Threat actor starts to rely on automated workflows. The threat actor also appeared to be interested in other AI tools to help with data generation and writing. We saw multiple Google searches for “free ai no signup” and for “csv generator ai.” We also saw the threat actor…"

T1176 Software Extensions (37%)
"Malwarebytes browser extension. Threat actor red flags — and our response. We knew this was an adversary, rather than a legitimate user, based on several telling clues. The standout red flag was that the unique machine name used by the individual was the same as one that we had tra…"

T1217 Browser Information Discovery (36%)
"ad. The attacker tripped across our ad while researching another security solution. We confirmed this is how they found us by examining their Google Chrome browser history. An example of how this may have appeared to them in the moment may be seen in Figure 1. Figure 1: Google s…"

T1059.006 Python (36%)
"browsed to an article titled Say Hello to Your New Cache Flow by Synacktiv covering WHfB and Entra ID, followed by a Google search for “whfb prt”, which landed them on the website of a well-known researcher, Dirk-jan Mollema. They checked their IP address after this: C:\…"

T1588.006 Vulnerabilities (35%)
". - Cybersecurity: various cybersecurity vendor websites. The attacker often signed up for trials at various vendors to test things. - Government & military: various official government or military websites. - News, media & information: various news websites like CNN etc. The…"

T1078 Valid Accounts (33%)
"An Attacker's Blunder Gave Us a Look Into Their Operations. Update Sept. 11 @ 9am ET: We appreciate the comments, questions, and discussions from the community around this blog post. In light of those questions, we wanted to release more detailed information to offer further insi…"

T1195.002 Compromise Software Supply Chain (33%)
"An Attacker's Blunder Gave Us a Look Into Their Operations. Update Sept. 11 @ 9am ET: We appreciate the comments, questions, and discussions from the community around this blog post. In light of those questions, we wanted to release more detailed information to offer further insi…"

T1090.002 External Proxy (33%)
"in tools based on the threat actor browser history. These tools included recon and attack tool GraphSpy, open source tool BloodHound, the TeamFiltration framework used for enumeration and exfiltration, and more. Figure 11: Various tools that the attacker may have used. Interest i…"

T1588.007 Artificial Intelligence (31%)
"legitimate workflow automation software, before researching the platform's Telegram bot integration feature as a way to launch automated processes (as seen in Figure 6 below). The threat actor then poked around several FAQ sites to better understand how Telegram bot APIs work…"

T1566.002 Spearphishing Link (30%)
"Evilginx, and more. We all know that security products are often downloaded by attackers for “evaluation,” but often we can only guess as to how they decided to target a particular technology, or the actions taken while trying out…"

Summary

An attacker installed Huntress onto their operating machine, giving us a detailed look at how they’re using AI to build workflows, searching for tools like Evilginx, and researching targets like software development companies.