In a highly unusual incident, a threat actor inadvertently exposed their own operational methods and daily routines after installing Huntress security software on their personal machine. This unexpected mistake offered analysts a rare glimpse into how attackers leverage artificial intelligence (AI), automation, and research tools to optimize their workflows.
Inside the Attacker’s Workflow
Huntress reported that the actor discovered the company via a Google advertisement while searching for cybersecurity solutions. After the attacker started a free trial and downloaded the agent, their activities were recorded in detail. Analysts were able to confirm the adversary’s identity through a previously known device name and browser history, which showed evidence of active targeting behavior.
Over a period of three months, the recorded data captured the actor:
- Testing multiple security tools
- Using workflow automation platforms like Make.com
- Researching Telegram Bot APIs to streamline operations
- Exploring AI-driven text and spreadsheet generators for crafting phishing emails and managing stolen data
Key Observations
Huntress intelligence highlighted several critical behaviors of the threat actor:
- Using Censys to locate active Evilginx servers
- Researching residential proxy services such as LunaProxy and Nstbrowser to mask traffic
- Conducting reconnaissance on financial institutions, software companies, and real estate firms
- Relying heavily on Google Translate to prepare phishing messages
- Accessing dark web forums like STYX Market and malware repositories
- Attempting identity-based attacks through ROADtools Token eXchange
Lessons for Cyber Defenders
Huntress linked the attacker’s infrastructure, hosted by the Canadian provider VIRTUO, to at least 2,471 compromised identities over a two-week period. Many of these attempts were blocked by existing security measures, including defenses against malicious mail rules and token theft.
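The "defenses against malicious mail rules" mentioned above are typically detection rules applied to mailbox-rule creation events. The following is an added example, not Huntress's code or anything from the report, showing the kind of heuristics a defender can run over such events: external forwarding, hiding of messages that match sensitive keywords, moving mail to rarely viewed folders, and blank or non-descriptive rule names. The event structure, the organisation domain `example.com`, the keyword and folder lists, and the sample events are all constructed for this example and only loosely resemble Microsoft 365 inbox-rule audit records.

```python
"""Flag suspicious inbox-rule creations in constructed audit events.

Added example (not Huntress's code). The event format, keyword lists and
sample data are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Assumption: the defended organisation's own mail domains.
ORG_DOMAINS = {"example.com"}
# Subjects attackers commonly hide after compromising a mailbox (constructed list).
SENSITIVE_KEYWORDS = {"password", "invoice", "payment", "wire",
                      "security alert", "mfa", "verification"}
# Folders users rarely open, often used to hide diverted mail (constructed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "archive"}


@dataclass
class InboxRuleEvent:
    """Constructed representation of a 'new inbox rule' audit event."""
    user: str
    rule_name: str
    forward_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False
    move_to_folder: str = ""
    subject_contains: List[str] = field(default_factory=list)


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: List[str]


def _is_external(address: str) -> bool:
    """True when the address domain is not one of the organisation's domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def analyse_rule(event: InboxRuleEvent) -> List[str]:
    """Return a list of human-readable reasons the rule looks suspicious (empty if benign)."""
    reasons: List[str] = []

    external = [a for a in event.forward_to if _is_external(a)]
    if external:
        reasons.append(f"forwards mail to external address(es): {', '.join(external)}")

    # Deleting, marking read, or tucking away messages that match sensitive subjects
    # is the classic pattern for hiding fraud or security notifications from the victim.
    keywords = [k for k in event.subject_contains if k.lower() in SENSITIVE_KEYWORDS]
    folder = event.move_to_folder.lower()
    hides = event.delete_message or event.mark_as_read or folder in HIDING_FOLDERS
    if keywords and hides:
        reasons.append(f"hides messages matching sensitive keywords: {', '.join(keywords)}")

    if folder in HIDING_FOLDERS:
        reasons.append(f"moves messages to rarely viewed folder '{event.move_to_folder}'")

    name = event.rule_name.strip()
    if len(name) <= 1 or not any(ch.isalnum() for ch in name):
        reasons.append(f"rule name is blank or non-descriptive: {event.rule_name!r}")

    return reasons


def detect_suspicious_rules(events: List[InboxRuleEvent]) -> List[Finding]:
    """Run analyse_rule over every event and keep only those with findings."""
    findings = []
    for ev in events:
        reasons = analyse_rule(ev)
        if reasons:
            findings.append(Finding(ev.user, ev.rule_name, reasons))
    return findings


# Constructed sample events: one benign rule and two that should be flagged.
SAMPLE_EVENTS = [
    InboxRuleEvent(user="alice@example.com", rule_name="Newsletters",
                   move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRuleEvent(user="bob@example.com", rule_name=".",
                   forward_to=["collector@mail-drop.example.net"],
                   delete_message=True, subject_contains=["password", "invoice"]),
    InboxRuleEvent(user="carol@example.com", rule_name="Cleanup",
                   move_to_folder="RSS Feeds", mark_as_read=True,
                   subject_contains=["wire"]),
]

if __name__ == "__main__":
    for finding in detect_suspicious_rules(SAMPLE_EVENTS):
        print(f"{finding.user} rule {finding.rule_name!r}:")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

In production the event objects would be built from the audit log export rather than constructed inline, and the keyword and folder lists tuned to the organisation; the point is that each heuristic maps to a concrete action an attacker takes after gaining mailbox access, so a rule matching several of them at once deserves immediate triage.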
“This incident provided in-depth insight into the daily activities of a threat actor,” Huntress researchers explained. “We were able to observe the tools they favored, the research methods they employed, and how they approached different stages of attacks.”
The case underscores how simple mistakes by attackers can deliver valuable intelligence for defenders, improving both detection capabilities and incident response strategies.
Source: https://www.infosecurity-magazine.com/news/threat-actor-exposes-operations