A threat actor has unintentionally revealed their methods and day-to-day activities after installing Huntress security software on their own machine.
The unusual incident gave analysts a remarkable inside look into how attackers use artificial intelligence (AI), research tools and automation to refine their workflows.
Inside The Attacker’s Workflows
According to Huntress, the actor discovered the company through a Google advertisement while searching for security solutions.
After starting a free trial and downloading the agent, their activities were logged in detail. Investigators were able to confirm the adversary’s identity through a previously known machine name and browser history, which showed active targeting behavior.
Over the course of three months, Huntress observed the actor testing multiple security tools, adopting workflow automation platforms such as Make.com, and researching Telegram Bot APIs to streamline operations.
The data also revealed an interest in AI-driven text and spreadsheet generators for crafting phishing messages and managing stolen information.
The collected intelligence revealed several key behaviors:
- Use of Censys to search for active Evilginx servers
- Research into residential proxy services like LunaProxy and Nstbrowser to disguise traffic
- Reconnaissance on financial institutions, software providers and real estate firms
- Extensive reliance on Google Translate for phishing message preparation
The actor also accessed dark web forums, such as STYX Market, browsed malware repositories and attempted to leverage the ROADtools Token eXchange for identity-related attacks.
Lessons for Cyber Defenders
Huntress analysts linked the adversary’s infrastructure, hosted on the Canadian provider VIRTUO, to at least 2471 compromised identities over two weeks. Many attempts were stopped by existing detections, including malicious mail rule creation and token theft defenses.
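As an added illustration of the "malicious mail rule creation" detections mentioned above (example code written for this article, not Huntress's own tooling), the script below scores inbox-rule creation events the way a defender's triage logic might. The record shape follows the Microsoft 365 New-InboxRule audit event (an Operation field plus a Parameters list of Name/Value pairs), but the sample records, domain names, keyword lists and scoring weights are all constructed for the demo.

```python
"""Score inbox-rule creation events for signs of mailbox abuse.

Added example, not Huntress code. Record layout mirrors the Exchange
Online 'New-InboxRule' audit event, but every record below is constructed
for the demo rather than taken from real telemetry.
"""

# Constructed sample audit records (not real telemetry).
SAMPLE_EVENTS = [
    {   # rule that hides security/finance mail in a rarely viewed folder
        "Operation": "New-InboxRule",
        "UserId": "alice@example.com",
        "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectContainsWords", "Value": "password;invoice;security alert"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # benign newsletter filing rule
        "Operation": "New-InboxRule",
        "UserId": "bob@example.com",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
    {   # rule that forwards everything outside the tenant and deletes the copy
        "Operation": "New-InboxRule",
        "UserId": "carol@example.com",
        "ClientIP": "192.0.2.44",
        "Parameters": [
            {"Name": "Name", "Value": "fwd"},
            {"Name": "ForwardTo", "Value": "collector@external.example"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {"Operation": "Set-Mailbox", "UserId": "dave@example.com", "Parameters": []},
]

# Assumed tenant domain and heuristic word/folder lists (tune per environment).
INTERNAL_DOMAINS = {"example.com"}
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
SENSITIVE_WORDS = {"password", "invoice", "security alert", "suspicious",
                   "login", "hacked", "phish"}


def params_to_dict(event):
    """Flatten the audit Parameters list into a {name: value} mapping."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def _external_recipients(value):
    """Return ';'-separated recipients whose domain is outside INTERNAL_DOMAINS."""
    out = []
    for addr in value.split(";"):
        addr = addr.strip().strip('"')
        if "@" in addr and addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def score_inbox_rule(event):
    """Return (score, reasons) for one New-InboxRule event; (0, []) otherwise."""
    if event.get("Operation") != "New-InboxRule":
        return 0, []
    p = params_to_dict(event)
    score, reasons = 0, []
    name = p.get("Name", "").strip()
    if len(name) <= 2:                       # attackers often use "." or "a" as a rule name
        score += 1
        reasons.append(f"terse rule name {name!r}")
    words = (p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", "")).lower()
    hits = sorted(w for w in SENSITIVE_WORDS if w in words)
    if hits:                                 # rule keys on security or finance wording
        score += 2
        reasons.append("filters on sensitive keywords: " + ", ".join(hits))
    if p.get("MoveToFolder", "").strip().lower() in HIDDEN_FOLDERS:
        score += 2
        reasons.append("moves mail into a rarely viewed folder")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = _external_recipients(p.get(key, ""))
        if ext:                              # mail leaves the tenant automatically
            score += 3
            reasons.append(f"{key} to external address(es): " + ", ".join(ext))
    if p.get("DeleteMessage", "").lower() == "true":
        score += 1
        reasons.append("deletes matching messages")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("marks matching messages as read")
    return score, reasons


def triage(events, threshold=2):
    """Return {UserId: (score, reasons)} for rules scoring at or above threshold."""
    flagged = {}
    for ev in events:
        score, reasons = score_inbox_rule(ev)
        if score >= threshold:
            flagged[ev.get("UserId", "?")] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for user, (score, reasons) in triage(SAMPLE_EVENTS).items():
        print(f"{user}: score {score}")
        for r in reasons:
            print("  -", r)
```

The scoring is deliberately additive so that a single weak signal (a short rule name, say) does not page an analyst on its own, while the combinations that usually accompany account takeover (keyword filter plus hidden folder, or external forwarding plus deletion) clear the threshold immediately. In production the same function would consume records pulled from the unified audit log rather than the embedded samples.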
“This incident gave us in-depth information about the day-to-day activities of a threat actor,” Huntress researchers explained.
“From the tools they were interested in, to the ways they conducted research and approached different aspects of attacks.”
The case highlights how mistakes by attackers can provide defenders with rare insight into adversarial tradecraft, offering valuable lessons for improving response strategies and detection accuracy.