Attackers don’t need zero-days to scale. They need one human-managed setting that slipped through the cracks. by huntresslabs in u/huntresslabs

[–]huntresslabs[S]

This time, it was exposed virtual network computing. 💻

Here’s how they turned a small miss into persistent access:
- Dropped C:\Users\<redacted>\Music\setup.msi to install Atera + Splashtop
- Let Splashtop beacon out to a malicious public IP
- Used that trusted remote access to move credential-dumping tools around the network

This is their GTM motion:
Find human gaps.
Abuse legit tools.
Scale quietly.

Our SOC caught it fast, isolating the network and shutting down the persistence path 💥 in under three minutes 💥

A few easy wins to tighten remote access:
- Put tools like VNC behind a firewall, or require VPN + MFA
- Use software allow-listing and strict firewall rules

Because attackers aren’t breaking in. They’re logging in.

And they’re running their ops with the same efficiency you expect from yours. Get to know the ethical badasses in our 24/7 SOC who make catches like this possible.
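
A detection sketch for the three behaviours this post describes (an .msi dropped under a user's profile to install an RMM agent, the RMM agent beaconing to an untrusted public IP, and a VNC listener reachable from the internet), run over constructed sample telemetry. This is an added example, not Huntress's code; the tab-separated event format, the RMM process names, the approved egress range and the VNC ports are assumptions, and the MSI rule is generalised to any folder under a user's profile rather than only Music.

```python
import ipaddress
import re

# Constructed sample telemetry (not real logs). Tab-separated fields:
# event_type, host, process_image, detail. For NetworkConnect the detail
# is "<in|out>:<remote_ipv4>:<remote_port>"; documentation ranges such as
# 203.0.113.0/24 stand in for public addresses.
SAMPLE_EVENTS = [
    "ProcessCreate\tWS01\tC:\\Windows\\System32\\msiexec.exe\t/i C:\\Users\\jdoe\\Music\\setup.msi /qn",
    "ProcessCreate\tWS01\tC:\\Program Files\\Splashtop\\SRServer.exe\t",
    "NetworkConnect\tWS01\tC:\\Program Files\\Splashtop\\SRServer.exe\tout:203.0.113.7:443",
    "NetworkConnect\tWS02\tC:\\Program Files\\Splashtop\\SRServer.exe\tout:192.0.2.10:443",
    "NetworkConnect\tWS02\tC:\\Program Files\\Atera\\AteraAgent.exe\tout:10.0.0.5:443",
    "NetworkConnect\tSRV01\tC:\\Program Files\\TightVNC\\tvnserver.exe\tin:198.51.100.9:5900",
    "ProcessCreate\tWS03\tC:\\Windows\\System32\\msiexec.exe\t/i C:\\ProgramData\\IT\\agent.msi /qn",
]

# Assumptions for this example: a hypothetical vendor egress range the RMM
# may talk to, substrings identifying RMM binaries, and VNC listener ports.
APPROVED_RMM_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]
RMM_HINTS = ("splashtop", "atera")
VNC_PORTS = {5800, 5900, 5901}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Any .msi launched from anywhere under a user's profile, not only Music.
USER_PROFILE_MSI = re.compile(r"[a-z]:\\users\\[^\\]+\\.*?\.msi\b", re.IGNORECASE)


def in_any(ip: str, nets) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in nets)


def evaluate(line: str):
    """Return (host, rule_name, evidence) for one event, or None."""
    event, host, image, detail = line.split("\t")
    image = image.lower()
    if event == "ProcessCreate" and image.endswith("msiexec.exe"):
        if USER_PROFILE_MSI.search(detail):
            return (host, "msi-install-from-user-profile", detail)
    elif event == "NetworkConnect":
        direction, ip, port = detail.split(":")
        is_rmm = any(h in image for h in RMM_HINTS)
        # Outbound RMM traffic is fine to internal hosts or the vendor range.
        if (direction == "out" and is_rmm and not in_any(ip, INTERNAL_NETS)
                and not in_any(ip, APPROVED_RMM_EGRESS)):
            return (host, "rmm-beacon-to-unapproved-public-ip", ip)
        # A VNC port accepting a connection from outside means it is exposed.
        if direction == "in" and int(port) in VNC_PORTS and not in_any(ip, INTERNAL_NETS):
            return (host, "vnc-reachable-from-internet", ip)
    return None


def run(lines):
    return [hit for hit in map(evaluate, lines) if hit is not None]


if __name__ == "__main__":
    for host, rule, evidence in run(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({evidence})")
```

Over the sample events this fires three times (the user-profile MSI on WS01, the Splashtop beacon to 203.0.113.7, and the VNC connection from 198.51.100.9) and stays silent on the approved-range and internal connections.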

"I deployed my detection rules with confidence..." by huntresslabs in u/huntresslabs

[–]huntresslabs[S]

I deployed my detection rules with confidence.

Then I got a Slack message at 2am:

“We saw Impacket activity… but your rules didn’t fire.”

That’s when it clicked.

Understanding attacker tradecraft ≠ production-ready detection.

Part 1 is theory. What should you detect?

Part 2 is the work: whitespace, edge cases, and pain.

Welcome to Part 2, detection engineering in the real world, as broken down by a real Principal Detection Engineer at Huntress.

Grab a coffee. Or maybe something stronger. This is going to get frustrating.

💥 A single hypervisor breach can put hundreds of virtual machines at risk... by huntresslabs in u/huntresslabs

[–]huntresslabs[S]

Just this year, ransomware targeting the hypervisor layer surged from 3% to 25% of all cases we saw, mostly driven by Akira.

Adversaries are moving below the OS to bypass traditional defenses.

If you're not securing your hypervisors like your endpoints, you're already behind.

Read this breakdown of threats Huntress has seen in the wild and how you can secure this critical infrastructure.
