All news with #huntress labs tag
Sat, November 22, 2025
Qilin Ransomware Investigation: Huntress Forensics Analysis
🔍 Huntress Labs detailed a Qilin ransomware investigation in which visibility was constrained because their agent was installed after the compromise and only on a single endpoint. Analysts correlated managed antivirus alerts, Windows Event Logs, AmCache, PCA logs, and VirusTotal to reconstruct a timeline showing a rogue ScreenConnect RMM deployment, attempts to run infostealer binaries, tampering with Windows Defender, and likely ransomware execution from another host. The report stresses validating artifacts across multiple sources to avoid false assumptions and inform accurate remediation.
Thu, October 9, 2025
From Infostealer to PureRAT: Dissecting an Escalating Attack
🔍 Huntress Labs analyzed a multi-stage intrusion that began with a phishing ZIP and DLL sideloading and escalated to deployment of the commercial PureRAT backdoor. The operator combined bespoke Python loaders and a Python-based infostealer with compiled .NET loaders, process hollowing, AMSI/ETW tampering, and reflective DLL injection to evade detection. Final-stage configuration revealed a Vietnam-hosted C2 (157.66.26.209) and Telegram infrastructure linked to PXA Stealer, underscoring a shift from custom theft to a professional RAT.
Wed, September 24, 2025
Obscura: New Ransomware Variant Targeting Domains Globally
🔒 On 29 August 2025 Huntress analysts identified a previously unseen ransomware variant they named Obscura after its embedded ransom note. The binary was placed in the domain's NETLOGON scripts folder, enabling propagation via AD replication, and the actor created scheduled tasks to run it across hosts. Obscura requires administrative privileges, attempts to delete volume shadow copies, and terminates roughly 120 security and backup processes. It uses Curve25519/X25519 key exchange and XChaCha20 for file encryption and writes a decoded ransom note to C:\README-OBSCURA.txt.