
Max Rogers (@MaxRogers5)
Followers 3K · Following 7K · Media 132 · Statuses 2K
Sr. Director of SOC at Huntress. Ex-Mandiant/FireEye. Bringing security to the Fortune 5,000,000.
Charlotte, NC · Joined January 2012
🚨 Widespread SonicWall SSLVPN Compromises Detected
Starting 10/4, and as recently as 10/10, Huntress observed a surge in SonicWall SSLVPN compromises. Threat actors are rapidly authenticating across devices—suggesting valid cred. use, not brute force.
huntress.com
Huntress has observed a spike in compromises of SonicWall SSLVPN devices across multiple customer environments.
2
24
60
Detailing a 0-day on a Friday, I hope you're not impacted (I'm sorry!) 🤞 Whilst investigating an incident our Hunt and Response function identified a 0-day being exploited in the wild on Gladinet products. We've withheld full details until a patch is made available. Details 👇
🚨 We’ve observed in-the-wild exploitation of a flaw (CVE-2025-11371) in Gladinet CentreStack and Triofox. Get the details here: https://t.co/eNNJnQVjjj
1
13
33
🚨 @HuntressLabs identified active exploitation of a Local File Inclusion vulnerability affecting Gladinet CentreStack and Triofox systems. A temporary workaround is available while a patch is in development: https://t.co/u0wgp91H0o
huntress.com
Huntress has observed in-the-wild exploitation of a Local File Inclusion vulnerability in Gladinet CentreStack and Triofox products.
0
6
17
Our new research is now live, and it's full of juicy insights. From a log poisoning vulnerability, to an RMM you've likely never heard of, and a list of victim locations that span the globe! 👀 👇
2
17
88
1
1
10
4⃣ By repurposing a legitimate monitoring tool, the actor gained persistent access and a stable C2 channel. The Nezha agent was then used to deploy the final payload: a variant of Ghost RAT, a backdoor long associated with China-nexus threat groups.
1
1
6
3⃣ From there, the actor used the AntSword management tool to interact with their web shell. This is a common TTP, but what came next was new to us. They used AntSword to download and install the Nezha agent, an open-source server monitoring tool, onto the victim.
1
1
6
2⃣ The initial access was creative. The actor exploited a misconfigured, public-facing phpMyAdmin panel. They then used a log poisoning technique to write a one-liner PHP web shell (China Chopper) to disk, bypassing authentication and gaining initial command execution.
1
2
10
1⃣ The @Huntress team uncovered a campaign by a likely China-nexus threat actor. The most novel finding is use of a publicly available tool called Nezha as a post-exploitation C2 agent. This is the first public reporting of the tool I've seen.
huntress.com
Beginning in mid-2025, Huntress discovered a new tool being used to facilitate webserver intrusions known as Nezha, which up until now hasn’t been publicly reported on. This was used in tandem with...
5
46
171
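The thread above describes log poisoning against an exposed phpMyAdmin panel as the first step of the intrusion. The following is an added detection example, not code from Huntress or from the original thread: it parses web-server access-log lines in the common "combined" format and flags the two traces a poisoning attempt leaves behind, a PHP open tag inside a client-controlled field (request line, Referer, User-Agent) and directory traversal in the request target, which is how a poisoned log is usually pulled into the interpreter. The log lines, IP addresses and paths are constructed for illustration and are not indicators from the report.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample access-log lines (Apache/nginx "combined" format).
# Lines 2 and 4 carry the indicators; the addresses and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2025:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2025:10:01:09 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "<?php echo 'poisoned'; ?>"
198.51.100.4 - - [12/Sep/2025:10:02:30 +0000] "GET /index.php?page=home HTTP/1.1" 200 880 "http://example.test/" "curl/8.4.0"
203.0.113.7 - - [12/Sep/2025:10:03:11 +0000] "GET /index.php?page=../../logs/access.log HTTP/1.1" 200 7000 "<?php phpinfo(); ?>" "Mozilla/5.0"
"""

# ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Indicator 1: a PHP open tag in a client-controlled field. Browsers never send
# one; its presence means someone is trying to get code written into the log.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Indicator 2: traversal in the request target, the usual way a log file is
# handed to a file-include flaw so the planted code executes.
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\|%2e%2e(?:%2f|%5c))", re.IGNORECASE)

CLIENT_FIELDS = ("request", "referer", "user_agent")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def indicators_for(entry: Dict[str, str]) -> List[str]:
    """Name each client-controlled field that carries a poisoning or traversal indicator."""
    found = []
    for field in CLIENT_FIELDS:
        if PHP_TAG_RE.search(entry[field]):
            found.append(f"php_tag:{field}")
    if TRAVERSAL_RE.search(entry["request"]):
        found.append("traversal:request")
    return found


def find_poisoning_indicators(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return one finding per suspicious line (1-based line numbers)."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a production job should count these too
        hits = indicators_for(entry)
        if hits:
            findings.append({"line": line_no, "ip": entry["ip"],
                             "request": entry["request"], "indicators": hits})
    return findings


def sources_by_ip(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per source address so the noisiest client surfaces first."""
    return dict(Counter(str(f["ip"]) for f in findings))


if __name__ == "__main__":
    for f in find_poisoning_indicators(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {', '.join(f['indicators'])}  ({f['request']})")
```

Run it against a real access log by reading the file into `find_poisoning_indicators`; the first indicator alone is a strong signal on a host that should never see PHP tags in headers, and a source address that trips both indicators within minutes of each other, as in the constructed sample, is the poison-then-include sequence the thread describes.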
Small update for Community Reports in the Ransomware Tool Matrix - I have included Mermaid ERDs in the template to summarise reports too, looks pretty nice IMO 👇 Thanks again to @SecurityAura & @polygonben for being the first to submit, great stuff both!
0
17
80
Vibe coded apps will have the most 🔥 FIRE readme to ever exist only to have 2% of the desired functionality and every button returns a 404.
0
0
11
If you’re returning from Mastodon or Bluesky and looking for solid infosec content on X, this “Cyber” list is a curated feed of high-signal accounts.
- Pin it to get a timeline tab (see screenshots)
- Or follow the members directly
- Regularly updated
https://t.co/lZcrXsHXhi
11
85
466
Very glad to see the first Community Report shared by @SecurityAura about Akira's tools! https://t.co/U13CXtkKVi
🆕 I have now created a new Community Report system ( https://t.co/hOxt0H7Z7p) If anyone wants to share what tools they have observed, fill one of these out and add to the folder when you next come across tools used in a ransomware attack. ( https://t.co/PWjd3c3qEm) Thank you 🙇♂️
1
7
51
I want to spotlight one of our most genuine and humble analysts in the Huntress SOC. Give @dipotwb a follow 🚀
3
4
25
We installed Huntress *one time* and this....
A threat actor installed Huntress. ... a hysterical mistake on their part, giving us first-hand insight to their tooling, workflow & routine. Phishing infra, stealer logs, Telegram+dark web sites, AI... Hilarious goldmine of cybercrime deets with a front row seat:
2
8
188
Cheers to @TheDFIRReport team for all the guidance and mentorship. This was a really interesting case to work!
🌟 New report out today! 🌟
Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
Analysis and reporting completed by @r3nzsec, @EncapsulateJ, @rkonicekr, & Adam Rowe
Audio: Available on Spotify, Apple, YouTube and more!
Report: ⬇️
1
5
27
Me explaining Salesloft Drift-Salesforce-Cloudflare-downstream customers at my family bbq later
New podcast is out! https://t.co/nTlS9Fh9s8
1
3
21
We are thrilled to announce that @_JohnHammond will be the keynote speaker at @BSidesNYC on October 18, 2025! We look forward to John sharing his insights.
3
13
79
A look at a newer ransomware variant that we've seen here at @HuntressLabs Thanks to Harlan Carvey and @LindseyOD123 and awesome analysis by @birchb0y and @RussianPanda9xx of the binary! https://t.co/pRutOq0KYe
huntress.com
Huntress found a previously unseen ransomware variant called Obscura on a victim company’s domain controller.
3
18
68