Hunt & Hackett

@huntandhackett
44 Followers
0 Following
96 Posts

โš ๏ธ The Hacker News just spotlighted a growing threat: SEO poisoning campaigns delivering malware through fake tool websites.

Attackers are mimicking trusted apps like PuTTY, Zoom, and ChatGPT, pushing them high in search results. Over 8,500 SMB users were targeted in just four months.

The article breaks it down clearly. If you haven't read it yet, it's worth your time.

Read it here: https://thehackernews.com/2025/07/seo-poisoning-campaign-targets-8500.html

SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools

SEO poisoning delivers trojanized tools, targeting SMBs and spreading malware via fake websites

The Hacker News

👤 Threat Actor Profile: Sandworm

Linked to Russia's GRU and active in 60+ countries, Sandworm targets critical infrastructure with sabotage, espionage, and disruption. 🇷🇺

🔗 Curious to learn more about this APT? Explore their threat profile in our Members' Portal: https://www.huntandhackett.com/members/actors/sandworm

🔗 Not a Member yet? Sign up today: https://www.huntandhackett.com/members/register

🚨 New #blogpost: This week we're unpacking how we used open-source software to build a cloud-based IR lab from scratch, highlighting the key obstacles we ran into along the way and how we turned them into opportunities.

We share:
🔶 Velociraptor + Dissect hiccups;
🔶 Misinterpretation of IPv6 addresses in Linux UTMP logs;
🔶 Enhancing Timesketch for large-scale investigations.

🔗 https://www.huntandhackett.com/blog/turning-incident-response-challenges-into-scalable-solutions

Turning incident response challenges into scalable solutions

Find out how Hunt & Hackett transforms incident response challenges into scalable solutions using open-source software and a DevOps mindset.
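The post above only names the UTMP problem; the details are in the linked blog. As an added example (not Hunt & Hackett's code, and not necessarily the exact misinterpretation their post describes), here is a minimal parser for glibc's x86_64 utmp/wtmp records that handles the quirk documented in utmp(5): an IPv4 address occupies only ut_addr_v6[0], the remaining three words are zero. A tool that decodes every record as a 16-byte IPv6 address therefore turns 192.168.1.1 into c0a8:101::. The two sample records are constructed in the block itself; the user names, addresses and timestamps are invented.

```python
"""Parse Linux utmp/wtmp records and decode ut_addr_v6 correctly (added example)."""
import ipaddress
import struct

# glibc struct utmp on x86_64 (384 bytes): ut_type, 2 bytes padding, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit {2 x short},
# ut_session, ut_tv {sec, usec}, ut_addr_v6[4] (read here as 16 raw bytes),
# __unused[20]. Little-endian, no implicit alignment.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384
USER_PROCESS = 7  # ut_type for a normal login session


def naive_addr(raw16: bytes) -> str:
    """What a tool prints when it treats ut_addr_v6 as 'always IPv6'."""
    return str(ipaddress.IPv6Address(raw16))


def decode_ut_addr(raw16: bytes) -> str:
    """utmp(5): 'IPv4 address uses just ut_addr_v6[0]'; the other words stay 0.

    A genuine IPv6 address whose last 12 bytes are zero (e.g. c0a8:101::) is
    indistinguishable from IPv4 in this field; that is a limitation of the format.
    """
    if raw16 == b"\x00" * 16:
        return ""  # no remote address recorded (local console login)
    if raw16[4:] == b"\x00" * 12:
        return str(ipaddress.IPv4Address(raw16[:4]))
    return str(ipaddress.IPv6Address(raw16))


def cstr(field: bytes) -> str:
    """NUL-terminated fixed-width string to Python str."""
    return field.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_utmp(blob: bytes) -> list:
    """Split a utmp/wtmp/btmp blob into records; trailing partial records are ignored."""
    records = []
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _ut_id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, addr) = struct.unpack(UTMP_FMT, blob[off:off + UTMP_SIZE])
        records.append({
            "type": ut_type, "pid": pid, "line": cstr(line),
            "user": cstr(user), "host": cstr(host), "time": tv_sec,
            "addr": decode_ut_addr(addr),      # correct reading
            "addr_naive": naive_addr(addr),    # what the 'always IPv6' reading gives
        })
    return records


def make_record(user: str, host: str, addr_text: str, tv_sec: int,
                pid: int = 4242, line: str = "pts/0") -> bytes:
    """Build one USER_PROCESS record the way login/sshd lay it out (constructed test data)."""
    ip = ipaddress.ip_address(addr_text)
    raw = ip.packed + b"\x00" * 12 if ip.version == 4 else ip.packed
    return struct.pack(UTMP_FMT, USER_PROCESS, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, raw)


# Constructed two-record wtmp: one IPv4 login, one IPv6 login (invented values).
SAMPLE_WTMP = (
    make_record("alice", "192.168.1.1", "192.168.1.1", 1750000000)
    + make_record("bob", "2001:db8::1", "2001:db8::1", 1750000060)
)

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_WTMP):
        print(f"{rec['user']:8} {rec['addr']:>16}  (naive: {rec['addr_naive']})")
```

Run against a real file with `parse_utmp(open("/var/log/wtmp", "rb").read())` on an x86_64 host; on 32-bit or non-glibc systems the struct layout differs, so check the record size first.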

Launching #DetectionsFromTheSOC 🚀

We're excited to announce our new series, Detections from the SOC, in which we share a behind-the-scenes look at how our SOC detects, investigates, and responds to real-world threats.

Case #1: Infostealer via fake CAPTCHA

We intercepted an attack where the intruder didn't break in, but logged in. The entry point? A fake "I'm not a robot" CAPTCHA prompt.

👉 Want to read the full story? Head on over to our LinkedIn to check it out: https://www.linkedin.com/feed/update/urn:li:activity:7336321179005165568

#detectionsfromthesoc #captcha #infostealer #cryptbot #soc #bec | Hunt & Hackett

Launching #DetectionsFromTheSOC 🚀 We're happy to announce our new series, Detections from the SOC, in which we share a behind-the-scenes look at how our SOC detects, investigates, and responds to real-world threats.

For our first edition: infostealer deployed via fake Captcha

In the middle of the night, Hunt & Hackett's 24/7 SOC intercepted the early stages of a broader cyberattack. The attacker didn't break in, but logged in.

An endpoint was compromised using a fake #CAPTCHA page, one of those "I'm not a robot" checks. Only this one tricked the user into running a command via the keyboard shortcut Win + R. That command launched a hidden process and deployed a known #infostealer, likely #Cryptbot.

What happened?

Our SOC flagged a suspicious mshta.exe process making an outbound connection to a previously unknown domain. This quickly escalated:
👉 The user was tricked into copy-pasting a command that secretly launched mshta.exe
👉 mshta.exe triggered PowerShell, which contacted additional anomalous domains and executed fileless malware
👉 PowerShell launched Chrome/Edge with the --remote-debugging-port=9203 flag, a known abuse method to extract browser credentials
👉 The process accessed files in the Downloads folder

All signs pointed to credential theft and system reconnaissance.

How we detected it:

One of our behavioural detection rules flagged:
👉 Use of mshta.exe in user context reaching unknown domains
👉 Obfuscated PowerShell activity
👉 Abuse of --remote-debugging-port in Chrome, a known credential-stealing tactic

This combination triggered a high-confidence detection, prompting an alert at our #SOC and enabling a fast response and remediation, even at 3AM.

Remediation:
👉 Clean install of the endpoint
👉 Blocked malicious domains
👉 Revoked all sessions and reset credentials

This case shows how infostealers can be the first step in modern attacks, giving threat actors access to credentials, browser sessions, and local files. From there, they can move laterally, escalate privileges, and pave the way for bigger attacks like ransomware or business email compromise (#BEC) without you knowing it. In short: infostealers are a launchpad for full-scale breaches.

IOCs:
👾 hxxps[:]//afliam[.]shop
👾 b[.]watchcollision[.]xyz
👾 blisspicks[.]shop

🎤 We're proud to sponsor and speak at Hague TIX on June 10!

The event is a focused gathering of Europeโ€™s top threat intelligence minds.

We'll explore Europe's path to cyber resilience and strategic autonomy, and dive into Lazarus and SeaTurtle operations in the Netherlands.

#CyberSecurity #ThreatIntel #HagueTIX #APT

Our next CyberConnect session is coming up: Security in Motion!

In this session, tailored for security, IT, and risk professionals, we explore how changing geopolitical dynamics, growing technological dependencies, and new attack techniques are raising the bar for digital resilience.

Visit our website for more information, and to sign-up: https://www.huntandhackett.com/security-in-beweging

Security in Motion | Hunt & Hackett

Discover how geopolitical tensions, technological dependencies and changing attack techniques are raising the bar for digital resilience.

🚨 New blog!

In it, we dive into reverse-engineering AFD.sys (a hidden part of Windows networking) to surface live socket data from other processes. This unlocks new capabilities for forensics, debugging, and reverse engineering.

📃 Read it here: https://www.huntandhackett.com/blog/improving_afd_socket_visibility

🔧 Explore our tool: https://github.com/huntandhackett/AfdSocketViewer

Improving AFD Socket Visibility for Windows Forensics & Troubleshooting

This blog post explains the basics of Ancillary Function Driver API and how it can help explore networking activity on Windows systems.

We've updated our threat landscape on the logistics sector 🚛

On it, you'll find detailed actor overviews, analyses of recent cyberattacks in the logistics sector, and insights into emerging cybersecurity trends.

Curious? Take a look: https://www.huntandhackett.com/members/sectors/logistics

As a lawyer, you are often the first point of contact in a cyber incident. But how do you make sure your client takes the right steps straight away? And how do you work effectively with technical experts under time pressure?

On 16 May we are organising an interactive workshop for lawyers who advise clients on privacy, information security and incident response, in which we combine practical knowledge of digital hygiene with our experience from the field.

Sign-up: https://www.huntandhackett.com/crisisworkshop-advocaten

Crisis workshop for lawyers

Cyber incidents are a daily occurrence, and as a lawyer you are often the first person to get the call. But what are your first actions?

๐‰๐จ๐ข๐ง ๐ฎ๐ฌ ๐š๐ญ ๐†๐จ๐จ๐ ๐ฅ๐ž ๐€๐ฆ๐ฌ๐ญ๐ž๐ซ๐๐š๐ฆ ๐Ÿ๐จ๐ซ ๐จ๐ฎ๐ซ ๐ฎ๐ฉ๐œ๐จ๐ฆ๐ข๐ง๐  ๐ฌ๐ž๐ฌ๐ฌ๐ข๐จ๐ง:
Securing Operational Technology: Fast Response, Strong Recovery

๐˜ž๐˜ฉ๐˜ข๐˜ต ๐˜ฉ๐˜ข๐˜ฑ๐˜ฑ๐˜ฆ๐˜ฏ๐˜ด ๐˜ธ๐˜ฉ๐˜ฆ๐˜ฏ ๐˜ต๐˜ฉ๐˜ฆ ๐˜ด๐˜บ๐˜ด๐˜ต๐˜ฆ๐˜ฎ๐˜ด ๐˜บ๐˜ฐ๐˜ถ ๐˜ณ๐˜ฆ๐˜ญ๐˜บ ๐˜ฐ๐˜ฏ ๐˜ฆ๐˜ท๐˜ฆ๐˜ณ๐˜บ ๐˜ฅ๐˜ข๐˜บ ๐˜ด๐˜ถ๐˜ฅ๐˜ฅ๐˜ฆ๐˜ฏ๐˜ญ๐˜บ ๐˜ด๐˜ต๐˜ฐ๐˜ฑ ๐˜ธ๐˜ฐ๐˜ณ๐˜ฌ๐˜ช๐˜ฏ๐˜จ?

Together with Xebia, weโ€™re hosting a session on how to boost operational resilience, secure OT environments, and align with evolving regulations.

Sign-up here: https://www.huntandhackett.com/securing-ot

Securing Operational Technology: Fast Response, Strong Recovery

In this session, Hunt & Hackett and Xebia will collaborate to strengthen Operational Technology security, ensuring rapid response and resilient recovery. Register now.