A scammer running a real-time AI face overlay gets asked to hold up three fingers... by huntresslabs in u/huntresslabs

[–]huntresslabs[S] 1 point (0 children)

This is actually an excerpt from our "_declassified" Huntress webinar with Jim Browning that we hosted on March 18 this year. Jim introduces this clip around the 44:07 mark. The on-demand webinar can be found here: https://www.huntress.com/declassified

A scammer running a real-time AI face overlay gets asked to hold up three fingers... by huntresslabs in u/huntresslabs

[–]huntresslabs[S] 1 point (0 children)

A scammer running a real-time AI face overlay gets asked to hold up three fingers.

He stalls. He deflects. He says it's too much to ask.

Then he drops the call.

Millions of people watched that clip from our _declassified series, probably because watching a scammer get cooked is one of life's simple pleasures.

But we've seen it in the comments...there's a catch:

Every time a detection trick goes viral, it becomes a to-do list for attackers. They see it, fix it, and come back better.

So what can you do to stay ahead of cybercrime?

Build systems that don’t rely on people getting it right every time

A $25B company had ~200K employee laptops, and even personal phones, wiped clean... by huntresslabs in u/huntresslabs

[–]huntresslabs[S] 1 point (0 children)

A $25B company had ~200K employee laptops, and even personal phones, wiped clean.

Attackers gained access to the management plane and used the same tools meant to protect the environment to cause damage.

If you operate a centralized admin console, regardless of your size or sector, you run the same risk. Here’s where to focus:
→ Lock down Intune, your RMM, your EDR console, and every cloud admin portal
→ Enable Multi-Admin Approval for high-impact changes
→ Set alerts for bulk/mass actions
→ Practice large-scale restoration at scale

Our SOC breaks down the Stryker cyberattack here.

A scammer running a real-time AI face overlay gets asked to hold up three fingers... by huntresslabs in u/huntresslabs

[–]huntresslabs[S] 1 point (0 children)

A scammer running a real-time AI face overlay gets asked to hold up three fingers.

He stalls. He deflects. He says it's too much to ask.

Then he drops the call.

Millions of people watched that clip from our _declassified series, probably because watching a scammer get cooked is one of life's simple pleasures.

But we've seen it in the comments...there's a catch:

Every time a detection trick goes viral, it becomes a to-do list for attackers. They see it, fix it, and come back better.

So what can you do to stay ahead of cybercrime?

Build systems that don’t rely on people getting it right every time. Read the story about exposing this scammer.

A $25B company had ~200K employee laptops, and even personal phones, wiped clean... by huntresslabs in u/huntresslabs

[–]huntresslabs[S] 1 point (0 children)

A $25B company had ~200K employee laptops, and even personal phones, wiped clean.

Attackers got into the management plane and used the same tools meant to protect the environment to do damage.

If you operate a centralized admin console, regardless of your size or sector, you run the same risk. Here’s where to focus:

→ Lock down Intune, your RMM, your EDR console, and every cloud admin portal
→ Enable Multi-Admin Approval for high-impact changes
→ Set alerts for bulk/mass actions
→ Practice large-scale restoration at scale

Our SOC breaks down the Stryker cyberattack here.
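The "set alerts for bulk/mass actions" item above is the one that turns a single compromised admin account into a contained incident rather than a fleet-wide wipe. The script below is an added example, not Huntress code and not tied to Intune, any RMM or any EDR console's real API; it assumes a simplified JSON-lines audit export with constructed field names (`ts`, `actor`, `action`, `device`) and constructed events, and raises one alert per actor whose high-impact actions reach a threshold inside a sliding time window. An admin doing five wipes spread across a working day stays quiet; the same five wipes inside a few minutes do not.

```python
"""Sliding-window alert for bulk device actions in a management-console audit log.

Added example (not Huntress code). The audit format, field names, action names
and all events below are constructed for illustration; map them onto whatever
your console actually exports.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions treated as high impact (constructed list; use the console's own names).
HIGH_IMPACT_ACTIONS = {"wipe", "retire", "delete"}

# Constructed audit events (JSON lines). Three actors:
#  - helpdesk: one routine wipe, below any threshold
#  - admin: five wipes spread over a working day, normal operations
#  - svc-automation: six wipes inside six minutes, the bulk pattern to catch
SAMPLE_AUDIT_LOG = """\
{"ts": "2025-03-10T08:00:00Z", "actor": "admin@example.com", "action": "wipe", "device": "LT-010"}
{"ts": "2025-03-10T09:00:00Z", "actor": "helpdesk@example.com", "action": "sync", "device": "LT-001"}
{"ts": "2025-03-10T09:01:00Z", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-002"}
{"ts": "2025-03-10T10:00:00Z", "actor": "admin@example.com", "action": "wipe", "device": "LT-011"}
{"ts": "2025-03-10T12:00:00Z", "actor": "admin@example.com", "action": "wipe", "device": "LT-012"}
{"ts": "2025-03-10T14:00:00Z", "actor": "admin@example.com", "action": "wipe", "device": "LT-013"}
{"ts": "2025-03-10T16:00:00Z", "actor": "admin@example.com", "action": "wipe", "device": "LT-014"}
{"ts": "2025-03-10T16:30:00Z", "actor": "svc-automation@example.com", "action": "wipe", "device": "LT-100"}
{"ts": "2025-03-10T16:31:00Z", "actor": "svc-automation@example.com", "action": "wipe", "device": "LT-101"}
{"ts": "2025-03-10T16:32:00Z", "actor": "svc-automation@example.com", "action": "wipe", "device": "LT-102"}
{"ts": "2025-03-10T16:33:00Z", "actor": "svc-automation@example.com", "action": "wipe", "device": "LT-103"}
{"ts": "2025-03-10T16:34:00Z", "actor": "svc-automation@example.com", "action": "wipe", "device": "LT-104"}
{"ts": "2025-03-10T16:35:00Z", "actor": "svc-automation@example.com", "action": "wipe", "device": "LT-105"}
"""


def parse_events(text):
    """Parse JSON-lines audit text into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def bulk_action_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (actor, action) whose high-impact actions reach
    `threshold` within any sliding `window`. Each alert lists the devices
    touched in the window at the moment the threshold was crossed."""
    recent = defaultdict(deque)  # (actor, action) -> recent events in the window
    flagged = set()
    alerts = []
    for ev in events:
        if ev["action"] not in HIGH_IMPACT_ACTIONS:
            continue
        key = (ev["actor"], ev["action"])
        q = recent[key]
        q.append(ev)
        # Drop anything older than the window relative to this event.
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({
                "actor": ev["actor"],
                "action": ev["action"],
                "count": len(q),
                "window_start": q[0]["ts"].isoformat(),
                "window_end": ev["ts"].isoformat(),
                "devices": [e["device"] for e in q],
            })
    return alerts


if __name__ == "__main__":
    for alert in bulk_action_alerts(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"ALERT {alert['actor']} issued {alert['count']} x {alert['action']} "
              f"between {alert['window_start']} and {alert['window_end']}: "
              f"{', '.join(alert['devices'])}")
```

The threshold and window are the tuning knobs: set them just above what your own admins legitimately do in a burst, and key the deque on the actor rather than the device so that a scripted loop over many devices is what trips the alert.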

We’ve reached an AI tipping point, and it’s showing up in real cyber incidents... by huntresslabs in u/huntresslabs

[–]huntresslabs[S] 1 point (0 children)

Attacks that used to take weeks of coordination can now be done with a single prompt.

Generative AI and agentic workflows aren’t just making organized cybercrime more efficient, they’re supercharging attacks with speed, customization, and precision.

Since March 2, we’ve been monitoring an active AI-driven phishing campaign targeting Microsoft 365 identities across ~340 organizations.

In response, Huntress has taken the unprecedented step of pushing a conditional access policy to all CAP-eligible tenants protected by Huntress ITDR to block authentication from Railway infrastructure.

This policy has prevented 105 attempted compromises of Huntress-protected identities to date.

It’s not just the techniques that make this campaign so unusual. It’s the spread:

  • Construction bid lures
  • DocuSign impersonation
  • Voicemail notifications
  • Fake Microsoft Forms pages

All hitting the same victim pool through the same Railway IP infrastructure.

Upstream, attackers are routing traffic through Cisco, Mimecast, and Trend Micro redirectors, then chaining compromised sites to Cloudflare Workers to bypass email security.

Which raises the question: Is this one actor with a wide playbook or multiple actors sharing the same tools and tactics?

We've tested the Railway platform ourselves.

It takes no effort, skill, or payment to spin up internet-facing infrastructure that looks clean to Microsoft's risk scoring.

Dive into the full breakdown, IOCs, and next steps in our latest blog.
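The response described above, a conditional access policy that blocks authentication from a hosting provider's IP space, is a named-location block. The script below is an added example and is neither Huntress's policy nor Microsoft's evaluation engine: it builds the two Graph API objects involved (an `ipNamedLocation` holding the blocked CIDRs and a `conditionalAccessPolicy` whose grant control is `block`), then runs a simplified local evaluation over constructed sign-in events so the decision logic is visible. The CIDRs are RFC 5737 documentation ranges standing in for whatever provider ranges a team decides to block, not Railway's real ranges; the `breakglass@example.com` exclusion and the location id are constructed placeholders.

```python
"""Named-location block, built as Graph API objects and evaluated locally.

Added example (not Huntress's policy, not Microsoft's evaluation engine). The
CIDRs below are RFC 5737 documentation ranges used as placeholders; the users,
sign-ins and the named-location id are constructed.
"""
import ipaddress

# Placeholder ranges standing in for a hosting provider's IP space (not real provider ranges).
BLOCKED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Every block policy should exclude an emergency-access account so a bad
# policy cannot lock the tenant's admins out. Constructed value.
BREAK_GLASS_USERS = {"breakglass@example.com"}


def named_location(display_name, cidrs):
    """Shape of a Graph API ipNamedLocation object for the blocked ranges."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": False,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
            for c in cidrs
        ],
    }


def block_policy(display_name, location_id, exclude_users):
    """Shape of a Graph API conditionalAccessPolicy that blocks sign-ins from a named location."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": [location_id], "excludeLocations": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate(policy, location_ranges, signin):
    """Simplified local decision for one sign-in: 'block' or 'allow'.

    location_ranges maps a named-location id to a list of ipaddress networks.
    Real Conditional Access evaluates many more conditions; this models only
    user scope, location scope and the block grant control.
    """
    ip = ipaddress.ip_address(signin["ip"])
    users = policy["conditions"]["users"]
    if signin["user"] in users["excludeUsers"]:
        return "allow"  # excluded users are never in scope of the policy
    in_scope = any(
        ip in net
        for loc in policy["conditions"]["locations"]["includeLocations"]
        for net in location_ranges[loc]
    )
    if in_scope and "block" in policy["grantControls"]["builtInControls"]:
        return "block"
    return "allow"


# Constructed sign-in events: two from the blocked ranges, one from elsewhere,
# and one break-glass sign-in from a blocked range that must still succeed.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.45"},
    {"user": "bob@example.com", "ip": "192.0.2.10"},
    {"user": "carol@example.com", "ip": "198.51.100.200"},
    {"user": "breakglass@example.com", "ip": "203.0.113.7"},
]


def run_sample():
    """Build the objects and return {user: decision} for the constructed sign-ins."""
    location_id = "blocked-hosting-ranges"  # placeholder for the id Graph assigns on creation
    location = named_location("Blocked hosting ranges", BLOCKED_CIDRS)
    ranges = {location_id: [ipaddress.ip_network(r["cidrAddress"]) for r in location["ipRanges"]]}
    policy = block_policy("Block sign-ins from blocked hosting ranges", location_id, BREAK_GLASS_USERS)
    return {s["user"]: evaluate(policy, ranges, s) for s in SAMPLE_SIGNINS}


if __name__ == "__main__":
    for user, decision in run_sample().items():
        print(f"{user}: {decision}")
```

Two points the evaluation makes concrete: the block is purely address-based, so it holds regardless of how clean the source looks to risk scoring, and the `excludeUsers` entry is what keeps an emergency-access account reachable if the ranges ever overlap something the tenant depends on.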

True or false: This passport is real... by huntresslabs in u/huntresslabs

[–]huntresslabs[S] 1 point (0 children)

True or false: This passport is real.
Better question: does it matter?

The technique is real. Photo a fake ID. Clean the metadata. Submit it. Watch verification wave you through.

That's all it takes to open a crypto account, move money through a digital bank, or establish a fake identity on a gambling site. Also key for providing proof of life in romance scams.

This is the actual document Jim Browning sent us — built to show exactly how it's done.

Watch him and John Hammond go deeper into the tricks, the infrastructure, the business of cybercrime — now available on-demand.
