
Too Many Secrets: Huntress Exposes Credential Theft and Sensitive Data Sprawl in Supply Chain and Banking Sectors

  • Rescana
  • 5 minutes ago
  • 7 min read

Executive Summary

The "Too Many Secrets: Attackers Pounce on Sensitive Data Sprawl" incident, as analyzed by Huntress, provides an unprecedented, evidence-based view into the operational methods of a sophisticated threat actor. The incident began when a threat actor inadvertently installed the Huntress agent on their own operational machine after discovering the product via a Google advertisement while researching other security solutions, including Bitdefender. This mistake allowed Huntress analysts to directly observe the attacker's day-to-day activities, including their use of AI-driven automation, reconnaissance techniques, and credential theft operations. Over a period of three months, the attacker compromised over 2471 unique identities, primarily through session token theft and malicious mail rule creation, targeting sectors such as banking, real estate, software, and supply chain. The incident highlights the increasing sophistication of threat actors, their adoption of automation and AI, and the risks posed by sensitive data sprawl across organizations. All findings in this report are based on direct EDR telemetry, browser history, and infrastructure analysis as documented by Huntress (source, published September 9, 2025, updated September 11, 2025).

Technical Information

The incident began when a threat actor, while researching security solutions, encountered a Huntress advertisement and subsequently installed the Huntress agent on their operational machine. This installation, intended for research or evasion testing, inadvertently exposed the attacker's activities to Huntress analysts. The Huntress Security Operations Center (SOC) identified the host as malicious based on several indicators, including a unique machine name previously associated with other incidents and corroborating browser history that revealed active targeting and reconnaissance behaviors.

The attacker's operational timeline, as reconstructed from EDR telemetry and browser history, spanned from May 29, 2025, through July 9, 2025. During this period, the attacker maintained a high operational tempo, working 12 to 14 hours per day, and demonstrated rapid evolution in their techniques, including the integration of AI and workflow automation tools.

Attack Vector and Initial Access

The attacker discovered Huntress via a Google ad while also evaluating Bitdefender and other security products. The installation of the Huntress agent on their own machine provided Huntress analysts with direct access to the attacker's activities. This access revealed that the attacker was not a legitimate user but rather an adversary engaged in active targeting and compromise of organizations.

Reconnaissance and Targeting

The attacker's browser history showed extensive reconnaissance activities, including researching specific banks, real estate companies, and supply chain organizations. The attacker used the BuiltWith platform to analyze technology stacks and leveraged database marketing tools such as ReadyContacts and InfoClutch for target enumeration. The use of Google Translate to craft phishing messages, particularly translating from Portuguese to English, indicated a focus on Brazilian banks and potentially other international targets.

Credential Access and Lateral Movement

The attacker actively sought out running instances of Evilginx, an adversary-in-the-middle (AiTM) phishing framework, using Censys for discovery. They attempted to access these instances and showed interest in tools such as GraphSpy, BloodHound, and TeamFiltration, which are commonly used for credential harvesting and Active Directory reconnaissance. The attacker also compromised over 2471 unique identities in two weeks, primarily through session token theft and malicious mail rule creation.

Persistence and Evasion

The attacker researched Autoruns, indicating attempts to establish persistence or understand detection mechanisms. They also utilized residential proxy services, including LunaProxy and Nstbrowser (an anti-detect browser), to obfuscate their origin and evade detection. The use of these services allowed the attacker to route their traffic through residential IP addresses, making it more difficult for defenders to identify malicious activity.

Data Collection and Exfiltration

The attacker accessed the STYX Market, a dark web forum for stealer logs and stolen credentials, suggesting an intent to monetize or further exploit stolen data. The scale of the compromise, with over 2471 unique identities affected in two weeks, underscores the potential impact of such attacks, particularly in sectors with sensitive data and high-value targets.

Use of AI and Automation

The attacker's use of AI tools and workflow automation platforms was a notable aspect of this incident. On May 25, the attacker signed up for Make.com, a legitimate workflow automation service, and explored its Telegram Bot integration for launching automated processes. Over time, the attacker developed and relied more heavily on automated workflows, incorporating additional AI tools such as Toolbaz AI, DocsBot AI, and Explo AI for data generation and writing. This adoption of automation and AI reflects a growing trend in attacker sophistication and operational efficiency.

Sector-Specific Targeting

The attacker targeted a wide range of sectors, including banking, real estate, software, and supply chain companies. The use of database marketing tools and technology stack analysis indicates broad, opportunistic targeting across high-value sectors. The attacker's focus on banking, including Brazilian institutions, was evidenced by their use of Google Translate and targeted research.

Technical Mapping to MITRE ATT&CK

The attacker's methods align with several MITRE ATT&CK techniques, including:

  • Evilginx (T1539: Steal Web Session Cookie): Used for session hijacking via adversary-in-the-middle phishing (MITRE ATT&CK T1539).

  • Session token theft (T1528: Steal Application Access Token) (MITRE ATT&CK T1528).

  • Phishing (T1566: Phishing, including multilingual lures) (MITRE ATT&CK T1566).

  • Use of residential proxies (T1090.003: Proxy: Multi-hop Proxy) (MITRE ATT&CK T1090.003).

  • Automated collection (T1119: Automated Collection, use of Make.com and AI tools) (MITRE ATT&CK T1119).

  • Reconnaissance (T1592: Gather Victim Identity Information, technology stack analysis) (MITRE ATT&CK T1592).

  • Malicious mail rule creation (T1114.003: Email Collection: Email Forwarding Rule) (MITRE ATT&CK T1114.003).

  • Dark web market activity (T1583.006: Acquire Infrastructure: Web Services, STYX Market for stealer logs/credentials) (MITRE ATT&CK T1583.006).

Evidence Quality and Attribution

The technical evidence supporting these findings is of high quality, as it is based on direct EDR telemetry, browser history, and infrastructure analysis from the attacker's operational machine. The repeated use of the same machine name and infrastructure (AS 12651980 CANADA INC., now VIRTUO) across multiple incidents suggests a recurring operator or group. However, there is insufficient unique attribution data to link this activity to a specific named threat actor with high confidence.

Affected Versions & Timeline

The incident timeline, as reconstructed from Huntress EDR telemetry and browser history, is as follows:

The attacker's activities were observed from May 29, 2025, through July 9, 2025. The Huntress agent was installed on the attacker's operational machine after they discovered the product via a Google ad while researching Bitdefender. The Huntress SOC forcibly uninstalled the agent 84 minutes after installation, upon confirming malicious activity. During this period, the attacker compromised over 2471 unique identities, primarily through session token theft and malicious mail rule creation. The attacker's infrastructure, hosted on AS 12651980 CANADA INC. (now VIRTUO), was associated with access to these identities and exhibited a pattern of high operational tempo and rapid evolution of techniques.

No specific software versions were exploited in this incident; rather, the attacker's activities focused on credential theft, phishing, and automation using a variety of tools and platforms.

Threat Activity

The threat actor demonstrated a high level of operational sophistication, leveraging a combination of open-source intelligence, automation, and obfuscation techniques. Their activities included:

  • Researching and targeting organizations across banking, real estate, software, and supply chain sectors, using tools such as BuiltWith, ReadyContacts, and InfoClutch for reconnaissance and target enumeration.

  • Crafting phishing messages using Google Translate, with a particular focus on Brazilian banks, as evidenced by translation activity from Portuguese to English.

  • Actively seeking out and attempting to access running instances of Evilginx for session hijacking and credential theft, as well as showing interest in tools like GraphSpy, BloodHound, and TeamFiltration for Active Directory reconnaissance.

  • Utilizing residential proxy services, including LunaProxy and Nstbrowser, to obfuscate their origin and evade detection.

  • Developing and automating attack workflows using Make.com and integrating AI tools such as Toolbaz AI, DocsBot AI, and Explo AI for data generation and writing.

  • Accessing the STYX Market dark web forum for stealer logs and stolen credentials, indicating an intent to monetize or further exploit compromised data.

The attacker's operational infrastructure was linked to over 2471 compromised identities in two weeks, with a focus on session token theft and malicious mail rule creation. The attacker's use of AI and automation reflects a broader trend in the threat landscape, with attackers increasingly leveraging these technologies to enhance operational efficiency and scale their attacks.

Mitigation & Workarounds

Mitigation strategies should be prioritized by severity, with a focus on critical controls to address the most significant risks identified in this incident.

Critical: Organizations should implement robust multi-factor authentication (MFA) for all user accounts, with a preference for phishing-resistant methods such as hardware security keys. This is essential to mitigate the risk of session token theft and credential compromise, as demonstrated by the attacker's use of Evilginx and session hijacking techniques (MITRE ATT&CK T1539, T1528).

Critical: Monitor for and respond to suspicious mail rule creation and session token refresh activity, as these are common indicators of compromise in attacks involving credential theft and persistence (MITRE ATT&CK T1114.003).
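As an added illustration of the mail-rule monitoring recommended above (example code written for this report, not from Huntress or Rescana), the following scores inbox-rule audit events for the traits typical of rules created after a mailbox takeover: silent forwarding, hiding matching mail, and keyword filters on sensitive terms. The log lines are constructed and only loosely follow the shape of Exchange Online mailbox audit records (Operation, UserId, Parameters); the field names and the scoring weights are assumptions to be tuned against your own tenant's telemetry.

```python
import json

# Constructed sample records (not real telemetry), loosely modelled on the
# Operation / UserId / Parameters layout of Exchange Online audit events.
SAMPLE_AUDIT_LOG = """
{"Operation":"New-InboxRule","UserId":"a.user@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"ext@example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"Set-InboxRule","UserId":"b.user@example.com","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"SubjectContainsWords","Value":"password;invoice"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"c.user@example.com","ClientIP":"192.0.2.9","Parameters":[{"Name":"Name","Value":"Team updates"},{"Name":"FromAddressContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
"""

# Rule parameters that, alone or combined, suggest post-compromise mail collection.
FORWARDING = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORDS = {"SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords"}
SUSPICIOUS_WORDS = {"password", "invoice", "payment", "bank", "security"}
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "archive"}


def score_rule(record):
    """Return (score, reasons) for one inbox-rule audit record (weights are assumed)."""
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    score, reasons = 0, []
    if FORWARDING.intersection(params):
        score += 3; reasons.append("external forwarding/redirect")
    if params.get("DeleteMessage", "").lower() == "true":
        score += 2; reasons.append("deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS:
        score += 2; reasons.append("moves mail to a rarely viewed folder")
    if params.get("MarkAsRead", "").lower() == "true":
        score += 1; reasons.append("marks matching mail as read")
    if not params.get("Name", "x").strip(" .-_"):
        score += 1; reasons.append("empty or punctuation-only rule name")
    for key in KEYWORDS.intersection(params):
        words = {w.strip().lower() for w in params[key].split(";")}
        if words & SUSPICIOUS_WORDS:
            score += 1; reasons.append(f"{key} matches sensitive terms")
    return score, reasons


def find_suspicious_rules(log_text, threshold=3):
    """Return [(user, score, reasons)] for rule-creation events at or above threshold."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue  # ignore unrelated audit operations
        score, reasons = score_rule(rec)
        if score >= threshold:
            hits.append((rec["UserId"], score, reasons))
    return hits


if __name__ == "__main__":
    for user, score, reasons in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"{user}: score {score}: {', '.join(reasons)}")
```

Alerts should be triaged together with the sign-in that created the rule (client IP, user agent, token refresh events), since a rule created from an unfamiliar residential proxy address shortly after a session token refresh is the pattern this incident describes.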

High: Deploy and maintain endpoint detection and response (EDR) solutions capable of detecting advanced attack techniques, including the use of automation, AI-driven workflows, and proxy-based obfuscation. Regularly review EDR telemetry for signs of unauthorized access, unusual browser activity, and the use of anti-detect browsers or residential proxies.

High: Conduct regular security awareness training for employees, with a focus on recognizing phishing attempts, the risks of credential reuse, and the importance of reporting suspicious activity. Emphasize the evolving tactics of attackers, including the use of multilingual phishing lures and AI-generated content.

Medium: Restrict access to sensitive data and administrative functions based on the principle of least privilege. Regularly audit access controls and monitor for anomalous access patterns, particularly in high-value sectors such as banking, real estate, and supply chain.

Medium: Monitor for the use of workflow automation platforms and AI tools within the organization, and assess their security implications. Establish policies and controls to govern the use of such tools, particularly those that can be leveraged for data exfiltration or automation of malicious activities.

Low: Stay informed about emerging threats and attacker tradecraft by following reputable threat intelligence sources and participating in information-sharing communities. Incorporate lessons learned from incidents such as this one into organizational security policies and incident response plans.

References

  • Huntress technical analysis and incident timeline: https://www.huntress.com/blog/rare-look-inside-attacker-operation

  • MITRE ATT&CK T1539: https://attack.mitre.org/techniques/T1539/

  • MITRE ATT&CK T1528: https://attack.mitre.org/techniques/T1528/

  • MITRE ATT&CK T1566: https://attack.mitre.org/techniques/T1566/

  • MITRE ATT&CK T1090.003: https://attack.mitre.org/techniques/T1090/003/

  • MITRE ATT&CK T1119: https://attack.mitre.org/techniques/T1119/

  • MITRE ATT&CK T1592: https://attack.mitre.org/techniques/T1592/

  • MITRE ATT&CK T1114.003: https://attack.mitre.org/techniques/T1114/003/

  • MITRE ATT&CK T1583.006: https://attack.mitre.org/techniques/T1583/006/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and partners. Our platform enables continuous monitoring of supply chain exposures, supports evidence-based risk assessments, and facilitates rapid response to emerging threats. For questions about this report or to discuss how our capabilities can support your organization's risk management needs, please contact us at ops@rescana.com.
