Figure 8: Threat actor starts to rely on automated workflows
The threat actor also appeared to be interested in other AI tools to help with data generation and writing. We saw multiple Google searches for “free ai no signup” and for “csv generator ai.” We also saw the threat actor using Toolbaz AI, which is a writing assistant; the CSV spreadsheet generator feature of DocsBot AI, which is an AI chatbot tool; and the AI data generator feature of Explo AI, which is an embedded analytics tool.
Finding running instances of Evilginx
We saw evidence of the threat actor searching for running instances of the Evilginx man-in-the-middle attack framework using Censys, and then attempting to access those instances.
Figure 9: Using Censys to search for running instances of Evilginx
Figure 10: One example of the Evilginx instance that the attacker tried to access
In addition to Evilginx, we also found evidence of multiple installed tools on the threat actor’s system—or, in some cases, an interest in tools based on the threat actor’s browser history. These tools included the recon and attack tool GraphSpy, the open source tool BloodHound, the TeamFiltration framework used for enumeration and exfiltration, and more.
Figure 11: Various tools that the attacker may have used
Interest in residential proxy services
The Chrome browser history also revealed visits by the threat actor to multiple residential proxy webpages, including LunaProxy and Nstbrowser (which bills itself as an anti-detect browser and supports the use of residential proxies). The threat actor visited the pricing plan page for LunaProxy, researched specific products, and looked up quick start guides throughout May, June, and July. Residential proxy services have become increasingly popular with threat actors as a way to route their traffic through residential IP addresses, allowing them to obscure malicious activity, like avoiding suspicious login alerts while using compromised credentials.
Figure 12: A VirusTotal lookup of LunaProxy.exe, which was in the Chrome history
Research and recon methods
The Chrome browser history entries also gave us a close view of the attacker’s reconnaissance methods. The threat actor spent a lot of time researching companies across different sectors, from specific banks to “top real estate companies in the US” (also looking up “real estate agents in California”).
The threat actor didn’t just search for individual companies—they also looked at all parts of the ecosystem surrounding organizations of interest, from their customer bases to associated third-party companies across the supply chain. For example, the threat actor appeared to start targeting software companies in early July, searching for these types of companies via Google Search and using database marketing tools like ReadyContacts and InfoClutch to scope out how many customers they had and their market share.
The threat actor also used the BuiltWith platform, which lets users identify and analyze the technology stacks used by websites. On July 8, browser entries show the attacker conducting an extensive level of research on a prominent ecommerce vendor for managing payments and subscriptions, including a list of its customers, contacts, and market share. The threat actor then used BuiltWith to search for the websites relying on that vendor, before navigating to the BuiltWith sign up page, presumably to access that list.
The threat actor conducted a fair amount of research into tools used to scrape Telegram group data, including looking at scraper tools like Apify, the Axiom Chrome extension, and the RapidAPI platform (Figure 13).
Figure 13: While researching data scraping tools, the threat actor came across RapidAPI
Use of Google Translate
The threat actor used Google Translate extensively, and the Chrome browser history shows them first visiting bank websites and then using the translation platform, likely to assist in crafting phishing-related messages, as seen in Figure 14.
Figure 14: The threat actor used Google Translate services extensively
The attacker often used urlscan to get information about various websites. Tips appear to have come in via Telegram, using the Bot API’s getUpdates method.
Figure 15: Part of the Chrome history around a particular tip
Figure 16: Google Translate message
Figure 17: Google Translate message: username and password
Figure 18: Google Translate message: username and password
Several browser history entries showed Google Translate being used to translate messages from Portuguese to English alongside browsing of banks in Brazil, with evidence of the messages being crafted appearing later in the history.
Dark web: STYX market
We also saw the threat actor express interest in STYX Market, a dark web forum that’s been around since 2023, and was recently called a “rising star for stealer logs, stolen creds, and laundering services” by researchers. After doing some initial research on STYX—as well as other Telegram chat groups and channels—they decided to check out the site for themselves, registering for an account before perusing the catalog of VoIP accounts, stealer logs, SIM cards, and more.
Figure 19: The threat actor showed an interest in STYX Market
Figure 20: A post from SOCRadar on STYX Market caught the threat actor’s attention
EDR activities
Rarely do you ever get the chance to actually shoulder surf a real threat actor. We had such an opportunity when they installed our agent. It starts out mundane enough. We don’t know what they must have dreamed about after ending their shift at 2am UTC the previous night, but as mentioned earlier, you can see them start a trial, download the agent, and install it.
Figure 21: At 2am UTC, after about 10 hours of inactivity, the threat actor suddenly showed an interest in Bitdefender, which led them to Huntress
The most interesting activity for the start of their day on July 9, 2025 was browsing to urlscan.io to inspect login.incipientcroop[.]com. Shortly after, they logged into Make.com and began working on a project called Voltage_Office356bot (notice the typo).
Figure 22: Timeline of EDR and browser histories
Figure 23: urlquery info for login.incipientcroop[.]com
Figure 24: Further down on the urlquery page for login.incipientcroop[.]com, there is evidence of Voltage_Office356bot
There is evidence that the threat actor had access to cookie data for two different individuals, and accessed them via Notepad++. They proceeded to open the first file:
C:\Program Files\Notepad++\notepad++.exe C:\Users\Administrator\Downloads\Telegram Desktop\Cookies_[victim1]@[redacted1][.].com.json
Then they started looking around to see what they could find, with a Google search for “email osint”.
Figure 25: Looking for “email osint”
Next, they opened the second cookie file:
C:\Program Files\Notepad++\notepad++.exe C:\Users\Administrator\Downloads\Telegram Desktop\Cookies_[victim2]@[redacted2][.].com.json
They then started up Nstbrowser.exe and LunaProxy:
C:\Program Files\Nstbrowser\Nstbrowser.exe
C:\Program Files (x86)\LunaProxy_cata\socks5\LunaProxyDivert.exe SOCK5 [snip]
They browsed to an article titled Say Hello to your new cache flow by Synacktiv covering WHFB and Entra ID, followed by a Google search for “whfb prt”, which landed them on the website of a well-known researcher, Dirk-Jan Mollema.
They checked their IP address after this:
C:\Windows\system32\curl.exe ipinfo[.]io
And then checked their IP address again:
C:\Windows\system32\curl.exe ipinfo[.]io
They then tried to use a tool called ROADtools Token eXchange (roadtx):
C:\Users\Administrator\AppData\Local\Programs\Python\Python313\Scripts\roadtx.exe prtauth -r msgraph -c msteams
And then erroneously tried to run the same tool (as an executable) via Python:
C:\Users\Administrator\AppData\Local\Programs\Python\Python313\python.exe C:\Users\Administrator\AppData\Local\Programs\Python\Python313\Scripts\roadtx.exe prtauth -r msgraph -c msteams
Then ran it again:
C:\Users\Administrator\AppData\Local\Programs\Python\Python313\Scripts\roadtx.exe describe
And then tried to run it again, erroneously, using Python:
C:\Users\Administrator\AppData\Local\Programs\Python\Python313\python.exe C:\Users\Administrator\AppData\Local\Programs\Python\Python313\Scripts\roadtx.exe describe
They seemed to be having trouble. At this point they browsed to Dirk-jan Mollema’s post on Phishing for Microsoft Entra primary refresh tokens.
Figure 26: Searching for an answer with keyword whfb prt
While there, they gained some new inspiration, and discovered a handy little script that could make their life easier:
Figure 27: Excerpt from Dirk-jan’s blog, pointing to a nifty little script
At this point they went back to their Voltage_Office356bot project before running this new script they had downloaded.
Figure 28: Accessing the Voltage_Office356bot project and running the attack script
They started trying to run the Python script:
C:\Users\Administrator\AppData\Local\Programs\Python\Python313\python.exe main.py -f roadtx.prt --wfb
They checked the usage again:
C:\Users\Administrator\AppData\Local\Programs\Python\Python313\python.exe main.py --wfb
C:\Users\Administrator\AppData\Local\Programs\Python\Python313\python.exe main.py -h
Then, they started to run it against the original victim whose cookie file we saw earlier:
C:\Users\Administrator\AppData\Local\Programs\Python\Python313\python.exe main.py --wfb -u [victim2]@[redacted2][.]com
They returned to the first victim’s cookie file:
C:\Program Files\Notepad++\notepad++.exe C:\Users\Administrator\Downloads\Telegram Desktop\Cookies_[victim1]@[redacted1][.].com.json
This is where our EDR data drops off, as they may have become aware of us and uninstalled the agent.
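The process command lines above are the kind of EDR telemetry a defender can hunt over. The following is an added example (not Huntress detection content) that runs a small, hypothetical rule set over constructed process-creation events mirroring the commands shown in this section: the ROADtools roadtx invocations (both the direct one and the one wrapped in python.exe), the curl check against ipinfo.io, the LunaProxy and Nstbrowser binaries, and Notepad++ opening an exported cookie file. The event records, field names and rule names are assumptions for the example.

```python
"""Flag suspicious process-creation events from an EDR feed.

Added example, not Huntress detection logic. SAMPLE_EVENTS are
constructed to mirror the command lines in this post; RULES is a
hypothetical hunting rule set a defender could adapt to their own
telemetry schema."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str      # ISO 8601 (constructed)
    image: str          # full path of the launched binary
    command_line: str   # command line as recorded by the sensor


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'roadtx.exe'."""
    return ntpath.basename(path).lower()


# Each rule is (name, predicate); a predicate takes an event and returns bool.
RULES = [
    # roadtx launched directly, or passed as an argument to another binary
    # (the post shows python.exe being given roadtx.exe as its script).
    ("roadtools-token-exchange",
     lambda e: image_name(e.image) == "roadtx.exe"
               or re.search(r"\broadtx\.exe\b", e.command_line, re.I) is not None),
    # External IP check from the command line, as seen with curl ipinfo.io.
    ("external-ip-check-via-curl",
     lambda e: image_name(e.image) == "curl.exe"
               and re.search(r"\bipinfo\.io\b", e.command_line, re.I) is not None),
    # Residential proxy / anti-detect browser clients named in the post.
    ("residential-proxy-client",
     lambda e: image_name(e.image) in {"lunaproxydivert.exe", "nstbrowser.exe"}),
    # A text editor opening an exported browser-cookie JSON file.
    ("editor-opens-cookie-export",
     lambda e: image_name(e.image) == "notepad++.exe"
               and re.search(r"\\Cookies_[^\\]+\.json\b", e.command_line, re.I) is not None),
]


def evaluate(events):
    """Return [(timestamp, rule_name, image_name)] for every rule that matches."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((e.timestamp, name, image_name(e.image)))
    return hits


# Constructed events; paths follow the post, victim identifiers are placeholders.
PY = r"C:\Users\Administrator\AppData\Local\Programs\Python\Python313"
SAMPLE_EVENTS = [
    ProcessEvent("2025-07-09T02:10:00Z", r"C:\Program Files\Notepad++\notepad++.exe",
                 r'"C:\Program Files\Notepad++\notepad++.exe" '
                 r'"C:\Users\Administrator\Downloads\Telegram Desktop\Cookies_victim1@example.com.json"'),
    ProcessEvent("2025-07-09T02:20:00Z", r"C:\Windows\system32\curl.exe", "curl.exe ipinfo.io"),
    ProcessEvent("2025-07-09T02:21:00Z",
                 r"C:\Program Files (x86)\LunaProxy_cata\socks5\LunaProxyDivert.exe",
                 "LunaProxyDivert.exe SOCK5 [constructed-endpoint]"),
    ProcessEvent("2025-07-09T02:30:00Z", PY + r"\Scripts\roadtx.exe",
                 "roadtx.exe prtauth -r msgraph -c msteams"),
    ProcessEvent("2025-07-09T02:31:00Z", PY + r"\python.exe",
                 "python.exe " + PY + r"\Scripts\roadtx.exe prtauth -r msgraph -c msteams"),
    # Benign control event: ordinary Notepad use should not match anything.
    ProcessEvent("2025-07-09T02:40:00Z", r"C:\Windows\system32\notepad.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for ts, rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{ts}  {rule:<28}  {image}")
```

The roadtx rule deliberately inspects the full command line rather than only the image name, because the second invocation in the EDR data shows roadtx.exe appearing as an argument to python.exe; image-only matching would miss it.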
Hours worked in a day
The attacker’s browser history gives us an unprecedented level of insight into their everyday activity, searches, workflows, research, and more. The browser history shows the threat actor working intensively almost every day from May 29, 2025 through July 9, 2025.
Figure 29: Chart of the number of hours per day (label alternates dates) worked based on browser activities
On many of these days, the browser entries were seen across most hours of the day, logging 12 to 14 hours. But there was some variation, as seen in Figure 29, above: on several days, the threat actor worked as little as one to two hours.
When we home in on a few of the days when the most hours were put in, we can see some of the things that piqued the attacker’s interest on those days. We analyzed the URLs to see what businesses or categories they fell into, and then looked at how many times the attacker visited these sites.
We can see a few trends. During these days, the attacker spent a lot of time researching various banking entities and bank personnel. To further expand on some of the graph labels:
Attack infra: Malicious websites or servers set up by an attacker (maybe not this one) hosting frameworks like Evilginx and other known tools.
Banking: Various banking websites
Browser extension: Various browser extensions, like ad blockers, installed by the attacker to protect themselves.
Corporate & Business: Various business websites not housed under a different category.
Crypto: Various cryptocurrency and blockchain websites.
Cybersecurity: Various cybersecurity vendor websites. The attacker often signed up for trials at various vendors to test things.
Government & military: Various official government or military websites.
News, media & information: Various news websites, like CNN. The attacker often read articles related to various breaches.
OSS: Open source projects, often housed at GitHub or GitLab.
Recon: Activities where the attacker was using Censys, Urlscan, Google, etc., to do reconnaissance for a particular target.
Research: When the attacker was researching a particular vulnerability, tool, or attack.
Sandbox: The attacker often seemed interested in various types of malware that were on VirusTotal, Joe’s Sandbox, and other online sandboxes.
Social media: Various Telegram, X, and other social media posts read by the attacker.
Software: Various legitimate software, like 7zip.
Telecommunications: Telecommunications websites, like Verizon.
Web & IT infrastructure: Various online hosting services, like Mega, Amazon AWS, and Azure.
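The hours-per-day chart and the per-category visit counts above are both derived from the Chrome History database. Below is an added example (not Huntress tooling) of that analysis: it reads the two Chrome History tables the query needs (urls and visits), converts Chrome’s WebKit-epoch timestamps to UTC datetimes, counts the distinct active hours per day, and tallies visits per category using a small hypothetical domain-to-category map that reuses the category labels from this post. To run offline it builds a constructed in-memory copy of the schema with a handful of made-up visits; pointing load_visits at a copy of a real History file works the same way.

```python
"""Summarize a Chrome History database: active hours per UTC day and
visit counts per site category.

Added example, not Huntress tooling. Chrome stores visit timestamps as
microseconds since 1601-01-01 UTC (the WebKit epoch). The domain map and
the sample visits below are constructed for illustration."""
import sqlite3
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Hypothetical domain -> category map using the labels from the post.
CATEGORIES = {
    "censys.io": "Recon",
    "urlscan.io": "Recon",
    "github.com": "OSS",
    "lunaproxy.com": "Web & IT infrastructure",
    "make.com": "Web & IT infrastructure",
}


def webkit_to_datetime(us: int) -> datetime:
    """Chrome/WebKit microsecond timestamp -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_datetime; integer division keeps it exact."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def categorize(url: str) -> str:
    """Map a URL to a category by its host (or a parent domain)."""
    host = (urlparse(url).hostname or "").lower()
    for domain, category in CATEGORIES.items():
        if host == domain or host.endswith("." + domain):
            return category
    return "Uncategorized"


def load_visits(conn):
    """Yield (utc_datetime, url) for every recorded visit, oldest first."""
    rows = conn.execute(
        "SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url "
        "ORDER BY v.visit_time")
    for visit_time, url in rows:
        yield webkit_to_datetime(visit_time), url


def summarize(conn):
    """Return ({day: active_hours}, {day: Counter(category -> visits)}).

    An hour counts as active if at least one visit fell inside it, which is
    the same notion as the hours-per-day chart in the post."""
    hours = defaultdict(set)
    cats = defaultdict(Counter)
    for when, url in load_visits(conn):
        day = when.date().isoformat()
        hours[day].add(when.hour)
        cats[day][categorize(url)] += 1
    return {d: len(h) for d, h in hours.items()}, dict(cats)


def build_sample_db():
    """Constructed subset of the Chrome History schema with made-up visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    urls = [
        "https://search.censys.io/search?q=evilginx",
        "https://urlscan.io/result/constructed-id",
        "https://github.com/dirkjanm/ROADtools",
        "https://www.lunaproxy.com/pricing",
        "https://www.make.com/en/login",
    ]
    conn.executemany("INSERT INTO urls (id, url, title) VALUES (?, ?, ?)",
                     [(i + 1, u, "") for i, u in enumerate(urls)])
    base = datetime(2025, 7, 9, 0, 5, tzinfo=timezone.utc)
    visits = [
        (1, base),                                      # 00:05 Recon
        (2, base + timedelta(minutes=20)),              # 00:25 Recon
        (3, base + timedelta(hours=1, minutes=10)),     # 01:15 OSS
        (4, base + timedelta(hours=3)),                 # 03:05 Web & IT
        (5, base + timedelta(days=1, hours=14)),        # next day 14:05
        (1, base + timedelta(days=1, hours=14, minutes=30)),
    ]
    conn.executemany("INSERT INTO visits (url, visit_time) VALUES (?, ?)",
                     [(u, datetime_to_webkit(t)) for u, t in visits])
    return conn


if __name__ == "__main__":
    hours_per_day, categories_per_day = summarize(build_sample_db())
    for day in sorted(hours_per_day):
        print(day, hours_per_day[day], "active hours", dict(categories_per_day[day]))
```

On a real profile, copy the History file first (Chrome holds a lock on it while running) and pass the copy to sqlite3.connect; the visits table, not urls.last_visit_time, is what gives one row per visit and therefore a faithful hours-per-day picture.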
Figure 30: Activities on May 29, 2025
We can see that from May 29 to June 1, 2025, the attacker was mostly looking at various banking websites. Digging further into their activities, we see them researching various banks, reading about Telegram bots, then downloading a blueprint from Make.
Figure 31: A deeper look at some of the activities on May 29, 2025
The next day, it seems that the attacker spent a little more time researching various attack infrastructure, in addition to focusing on banks, and similar activities seen previously.
Figure 32: Activities on May 30, 2025
On May 31, 2025 and June 1, 2025, the attacker switched their focus back to mostly researching banking websites.
Figure 33: Activities on May 31, 2025
Figure 34: Activities on June 1, 2025
Figure 35: Regions focused on by the attacker from May 29 - June 1, 2025
The other interesting thing was that the attacker was mostly focused on banks and sites that were in Nigeria during this time period, even looking for things like:
“No. 1 regulated crypto exchange in Nigeria.”
“top crypto companies nigeria”
“Best Crypto Exchanges in Nigeria”
“Top Cryptocurrency Companies in Nigeria”
While we don’t know where the attacker is based, the machine on which they had installed our agent appeared to be located in the United States, on the West Coast, based on the machine’s internal time zone and IP address.
Figure 36: Activities on July 9, 2025
It seems that the attacker had spent quite some time looking at our various capabilities after they had started a trial with us. Figure 36 above shows just how much more time they spent interacting with the Huntress website, and particularly the account dashboard once they had started the trial.
Lessons learned
This incident gave us in-depth information about the day-to-day activities of a threat actor, from the tools they were interested in to the ways they conducted research and approached different aspects of attacks.
Upon confirming that the machine name was one used by an adversary, we decided to release these details because they give invaluable insight into the mindset and behaviors of the threat actors behind attacks. For other defenders, we hope that this information can help add context around the ways that threat actors conduct research and launch attacks behind the scenes—and the different types of organizations, tools, and platforms that interest them.