Huntress A.I CyberSecurity Scoring
Huntress
Company Information
Website: https://www.huntress.com/demo?utm_source=linkedin&utm_medium=social&utm_campaign=cy25-10-camp-brand-global-broad-all-organic_social_bio
Employees: 847
Number of followers: 120,630
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: huntress.com
Huntress Risk Score (AI oriented)
Between 0 and 549
Updated: 30/06/2026
475/1000, Critical (C)
Huntress Global Score (TPRM): score locked
Current Score: 475 C (CRITICAL)
7 incidents, -49.17 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
July 2026: 476
June 2026: 537
Breach
25 Jun 2026 • Huntress
Klue: Klue Hit by Double Extortion as Second Hacker Group Emerges
Score 474, CRITICAL -63, incident ID KLU1782428022
Klue Faces Unprecedented Dual Extortion Attack After Data Breach
Vancouver-based market intelligence platform Klue has disclosed a rare and escalating cybersecurity crisis involving two criminal groups with conflicting extortion demands following a data breach. The incident, first reported by TechCrunch, is an unusual case of competing threats targeting the same victim, highlighting evolving tactics in cyber extortion.
The breach initially involved a hacking group that stole sensitive customer data, including proprietary market research, competitive analysis, and strategic planning materials used by enterprise clients to track rivals. In a surprising turn, the original attackers later claimed they were deleting the stolen files, though Klue’s customers were warned not to assume the threat had passed. Before any relief could set in, a second criminal group emerged, demanding ransom for the same compromised data.
The situation leaves Klue’s enterprise clients, including sales and marketing teams at major corporations, in limbo, uncertain whether their highly sensitive business intelligence has been destroyed, leaked, or is now in the hands of multiple threat actors. The competitive intelligence sector handles particularly valuable data, such as go-to-market strategies and product roadmaps, which could cause significant damage if exposed.
Security researchers note that while secondary markets for stolen data are not new, the simultaneous, opposing claims from two criminal groups are highly unusual. The first group’s alleged data deletion could be a face-saving exit or genuine reversal, while the second group’s demands suggest they either independently accessed Klue’s systems or acquired the data from the original attackers.
Klue has not disclosed technical details of the breach, the scope of compromised data, or the number of affected customers. The incident underscores the cascading risks of B2B SaaS breaches, where third-party vendors handling critical business intelligence become high-value targets. It also arrives amid growing enterprise concerns over vendor security postures, following high-profile breaches at platforms like Okta and LastPass.
June 2026: 556
Cyber Attack
17 Jun 2026 • Huntress
Huntress, Salesforce and Klue: Klue OAuth breach linked to 'Icarus' Salesforce data theft attacks
Score 536, CRITICAL -20, incident ID HUNSALKLU1781793603
Klue OAuth Breach Exposes Salesforce Data in Icarus Extortion Campaign
A recent OAuth breach at market intelligence platform Klue has enabled the Icarus threat group to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign. The attack, first reported by BleepingComputer and confirmed by cybersecurity firms ReliaQuest and Huntress, has prompted Salesforce to disable the Klue Battlecards integration while investigations continue.
### How the Attack Unfolded
Attackers compromised Klue’s backend systems, leveraging a dormant but active credential from a prototype integration. Once inside, they deployed a malicious code update to harvest OAuth tokens used by customers to connect Klue Battlecards with third-party platforms, including Salesforce.
Using these stolen tokens, the threat actors executed automated Python scripts to query Salesforce’s REST API for nearly 24 hours. Initial reconnaissance targeted the `/services/data/v59.0/sobjects` endpoint, followed by rapid data exfiltration via `/services/data/v59.0/query`. In one case, attackers sent nearly 1,000 queries in 15 minutes, shifting from stealthy reconnaissance to high-speed theft.
### Extortion Demands & Icarus Involvement
While initial activity resembled past attacks by ShinyHunters, BleepingComputer confirmed that the Icarus group, active since April 2026, is behind the campaign. Victims received extortion emails from an alias "mr bean" with a Session Messenger ID for contact. Icarus’s data leak site also teased the campaign with a post titled "Get Ready," warning of upcoming corporate listings.
Huntress, one of the affected organizations, confirmed receiving a similar extortion email, with the provided Session ID matching Icarus’s dark web leak site. The stolen data includes business contacts, sales communications, price quotes, competitive intelligence reports, and account details, though no evidence suggests compromise of passwords, payment data, or engineering systems.
### Response & Mitigation
Klue has disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while addressing the breach. Salesforce has also suspended the Klue Battlecards app, preventing new connections until further notice.
Security firms have shared IP addresses linked to the attacks:
- 138.226.246.94
- 212.86.125.24
- 213.111.148.90
- 94.154.32.160
Organizations using Klue integrations are urged to review logs, revoke OAuth tokens, terminate active sessions, and monitor for unusual API activity.
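The recon-then-bulk-query behaviour described above, expressed as detection logic over API request logs. This is an added example, not code from Huntress, ReliaQuest or Salesforce: it flags a client that hits the object-listing endpoint and then issues a burst of queries inside one 15-minute window. The record format, the client names and the 500-query threshold are constructed assumptions.

```python
"""Detect the token-abuse pattern described above in Salesforce REST API logs:
object enumeration via /sobjects followed by a burst of /query calls from one
OAuth client.  The record format is constructed for this example and is not
Salesforce's own EventLogFile schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RECON_PATH = "/services/data/v59.0/sobjects"
QUERY_PATH = "/services/data/v59.0/query"
WINDOW = timedelta(minutes=15)
QUERY_THRESHOLD = 500      # assumption: far above a normal integration's rate; tune per org


def make_sample_events():
    """Constructed records: (timestamp, oauth_client_id, request_uri)."""
    t0 = datetime(2026, 6, 10, 2, 0, 0)
    events = []
    # Benign CRM sync: one query every 3 minutes for an hour.
    for i in range(20):
        events.append((t0 + timedelta(minutes=3 * i), "crm_sync_app",
                       QUERY_PATH + "?q=SELECT+Id+FROM+Account"))
    # Suspicious client: enumerate objects, then ~950 queries in 14 minutes.
    events.append((t0 + timedelta(minutes=5), "battlecards_token_X", RECON_PATH))
    for i in range(950):
        events.append((t0 + timedelta(minutes=6, seconds=0.9 * i), "battlecards_token_X",
                       QUERY_PATH + "?q=SELECT+Name,Email+FROM+Contact"))
    return events


def find_burst_clients(events, window=WINDOW, threshold=QUERY_THRESHOLD):
    """Return {client: peak /query count in any sliding window} for clients over threshold."""
    per_client = defaultdict(list)
    for ts, client, uri in events:
        if uri.startswith(QUERY_PATH):
            per_client[client].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        recent, peak = deque(), 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:       # drop requests older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[client] = peak
    return flagged


def find_recon_then_exfil(events, max_gap=timedelta(hours=1)):
    """Clients that hit /sobjects and then produced a query burst within max_gap."""
    first_recon = {}
    for ts, client, uri in sorted(events):
        if uri.startswith(RECON_PATH) and client not in first_recon:
            first_recon[client] = ts
    hits = set()
    for client, t_recon in first_recon.items():
        later = [e for e in events
                 if e[1] == client and t_recon <= e[0] <= t_recon + max_gap]
        if client in find_burst_clients(later):
            hits.add(client)
    return hits
```

Clients returned by `find_recon_then_exfil` are the ones whose OAuth grant should be revoked first and whose sessions should be terminated.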
June 2026: 616
Breach
01 Jun 2026 • Huntress
Huntress and FBI: Huntress CEO says threat hunter used 'poor judgment' in alerting ransomware crim about law enforcement probe
Score 554, CRITICAL -62, incident ID FBIHUN1782843828
Huntress Investigates Alleged Insider Threat After Employee Shared FBI Intel with Ransomware Operator
Huntress CEO Kyle Hanslovan has acknowledged "questionable" communications between a current threat hunter at the cybersecurity firm and a cybercriminal, describing the exchanges as a lapse in judgment. The incident surfaced after former Huntress analyst Ben Folland accused the employee of acting as an insider threat by allegedly sharing law enforcement details with Devman, a ransomware operator linked to Russia.
According to Hanslovan’s blog post, the employee disclosed to Devman that U.S. law enforcement had contacted them about the threat actor. While Hanslovan stated the disclosure was not illegal, he called it "poor judgment" and denied that it constituted insider activity. Huntress has since implemented stricter policies for researcher interactions with threat actors and taken administrative actions, though no evidence of illegal conduct or further disclosures was found.
Folland, however, disputes this characterization. In a LinkedIn post, he claimed the employee forwarded FBI communications, including agent names, to Devman, warning the ransomware operator of an active investigation. He also alleged the employee refused to cooperate with law enforcement, a claim the FBI reportedly confirmed to Folland. Folland argued the actions went beyond poor judgment, equating them to an insider tipping off a criminal under investigation.
Devman, known for using modified DragonForce ransomware built on leaked Conti source code, has been publicly targeting Folland and his family. The FBI has not responded to requests for comment, and Huntress has declined further statements.
The dispute highlights tensions over ethical boundaries in threat intelligence, with Huntress maintaining the employee’s actions were not malicious, while Folland insists they meet the definition of an insider threat. The investigation remains ongoing.
May 2026: 616
April 2026: 610
March 2026: 627
Cyber Attack
04 Mar 2026 • Huntress
Huntress: How a Brute Force Attack Unmasked a Ransomware Infrastructure Network
Score 607, LOW -20, incident ID HUN1772642134
Huntress Uncovers Ransomware-as-a-Service Ecosystem Behind "Routine" RDP Brute-Force Attack
Security researchers at Huntress recently traced a seemingly ordinary Remote Desktop Protocol (RDP) brute-force attack to a sophisticated ransomware-as-a-service (RaaS) operation, exposing a network of initial access brokers and malicious infrastructure.
The incident began when Huntress’s SOC detected unusual domain enumeration activity on a network with an exposed RDP server, a common but risky configuration. While brute-force attacks are frequent, this case stood out due to atypical behavior: the compromised account was accessed from multiple IP addresses, suggesting a single threat actor leveraging distributed infrastructure.
After gaining access, the attacker deviated from standard post-exploitation tactics. Instead of extracting credentials from Windows LSASS or the registry, common methods in ransomware attacks, they manually searched file shares and text files for passwords, an unusual approach that hinted at a more targeted operation.
Further investigation revealed the IP addresses involved were linked to known ransomware groups, including Hive and BlackSuit, as well as a suspicious VPN service (1vpns[.]com) marketed as "no-logs." The infrastructure included a web of geo-distributed servers under the domain specialsseason[.]com, with subdomains tied to multiple countries (e.g., NL-US.specialsseason[.]com, NL-RU.specialsseason[.]com). The naming convention and references to "big game hunting", a term for high-value ransomware targeting, strongly indicated ties to RaaS operations.
The findings underscore how initial access brokers operate at scale, using legitimate-seeming services to obscure their activities. Huntress’s analysis also highlighted the value of digging beyond routine alerts, as even mundane incidents can reveal broader criminal ecosystems.
Key Indicators of Compromise (IOCs):
- IPs: 64.190.113[.]159, 147.135.36[.]162
- Domains: specialsseason[.]com, 1vpns[.]com
- Certificate Fingerprints (SHA-256): 6bc8b8f260f9f9bfea69863ef8d3c525568676ddadc09c14655191cad1acdb5b, b884cce828f06fb936fd5809d5945d861401c606c4ebe894464c99e6473e9570
February 2026: 624
January 2026: 623
December 2025: 728
Ransomware
01 Dec 2025 • Huntress
Huntress: Ex-Huntress analyst claims company insider fed info to a ransomware crim. Social media drama ensues
Score 618, CRITICAL -110, incident ID HUN1782426290
Huntress Faces Allegations of Insider Threat Linked to Ransomware Group
Security firm Huntress is embroiled in controversy after a former employee, Ben Folland, accused the company of concealing an insider threat involving a current employee allegedly leaking information to a ransomware operation. Folland, who left Huntress in February, took to LinkedIn to detail his claims, which stem from an incident unrelated to the recent supply-chain attack on Klue, a separate breach Huntress disclosed last week.
According to Folland, in December 2025, he discovered that a Huntress employee had shared communications from U.S. law enforcement with a cybercriminal known as DevMan, a ransomware operator targeting Folland and his family. DevMan, which emerged in April 2025, is believed to use modified DragonForce ransomware code. Folland alleged the insider was "caught by the FBI" but remains employed at Huntress, raising concerns about ongoing risks to clients and the company’s reputation, particularly as Huntress prepares for an IPO.
In a resignation letter posted online, Folland stated he left due to "personal reasons and a conflict of interest," later clarifying that Huntress had attempted to "silence" him with legal threats after he raised the issue. He pledged to release evidence over the next two weeks, including FBI communications, internal memos, and recorded conversations between the Huntress employee and DevMan.
Huntress CEO Kyle Hanslovan responded through a spokesperson, acknowledging the concerns but framing the incident as a case of "poor judgment" in communications with a cybercriminal. He emphasized that such interactions are sometimes necessary for threat intelligence gathering but assured stakeholders that the company takes the matter seriously. Hanslovan disputed Folland’s characterization of an "insider threat," calling the claims inaccurate and denying that Huntress prioritized its IPO over security. He noted that legal and law enforcement constraints limit public disclosure but hinted at an official statement in the future.
The allegations highlight tensions between transparency and operational security in cybersecurity firms, particularly when insider risks intersect with criminal investigations. The outcome may set a precedent for how companies handle similar breaches of trust.
November 2025: 747
Cyber Attack
01 Nov 2025 • Huntress
Huntress, Rhysida and Expel: Gootloader Malware Maintains Low Detection Rate While Bypassing Most Security Tools
Score 727, LOW -20, incident ID HUNREDEXP1768977371
Gootloader’s Sophisticated Anti-Detection Tactics Exposed in Latest Campaign
A recent analysis by Huntress and Expel reveals how the Gootloader malware leverages deliberately malformed ZIP archives to evade security tools while maintaining functionality for targeted victims. The threat actor, known for its role as an initial access broker in ransomware operations, has partnered with Vanilla Tempest, a group deploying Rhysida ransomware, in an ongoing campaign active since November 2025.
### Evasion Through Malformed ZIP Archives
Gootloader’s infection chain begins with weaponized ZIP files containing malicious JScript payloads, such as "Indiana_Animal_Protection_Laws_Guide.js." These archives are engineered to bypass analysis tools like 7-Zip and WinRAR while remaining extractable via Windows’ native unarchiving utility.
Key evasion techniques include:
- Concatenated ZIP structures: Each archive contains 500–1,000 nested ZIP files, with the End of Central Directory (EOCD) record strategically placed to direct extraction to the valid payload.
- Truncated EOCD records: Missing critical bytes violate ZIP format standards, causing parsing failures in security tools.
- Randomized metadata: Mismatched version numbers, timestamps, CRC32 checksums, and file sizes between local file headers and central directory records further disrupt analysis.
- Client-side generation: Victims receive XOR-encoded data blobs that the browser decodes and assembles into identical ZIP structures, growing the archive to 70–80 MB even though the extracted JScript payload is only ~287 KB.
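An added example, not Huntress or Expel tooling, that turns the evasion tricks above into structural checks on a ZIP blob: it counts local-header and EOCD signatures (the >100-signature rule the page gives), verifies that the final EOCD record is complete, and compares the central directory's entry count with the local headers actually present. The sample archives are built in memory and the names are assumptions.

```python
"""Structural triage of a ZIP blob for the tricks described above: concatenated
archives (hundreds of local headers / EOCD records) and a truncated End of
Central Directory record.  Added example, not Huntress or Expel tooling; the
sample archives are constructed in memory."""
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"          # local file header signature
EOCD = b"PK\x05\x06"               # End of Central Directory signature
EOCD_FIXED_LEN = 22                # EOCD record without trailing comment
SIG_THRESHOLD = 100                # signature count above which the page calls a file suspicious


def make_zip(name, payload):
    """Build one small, well-formed single-entry ZIP in memory (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def analyze(data):
    """Count structural signatures and sanity-check the final EOCD record."""
    local_count = data.count(LOCAL_HDR)
    eocd_count = data.count(EOCD)
    findings = {
        "local_headers": local_count,
        "eocd_records": eocd_count,
        "suspicious_signature_count": max(local_count, eocd_count) > SIG_THRESHOLD,
        "truncated_eocd": False,
        "central_dir_mismatch": False,
    }
    last = data.rfind(EOCD)
    if last == -1 or len(data) - last < EOCD_FIXED_LEN:
        findings["truncated_eocd"] = True       # strict parsers (7-Zip, WinRAR) fail here
        return findings
    # Total central-directory entries: uint16 LE at offset 10 of the EOCD record.
    entries = struct.unpack_from("<H", data, last + 10)[0]
    findings["central_dir_mismatch"] = entries != local_count
    return findings


def sample_cases():
    """Constructed inputs: a normal archive, a 151-way concatenation, a truncated EOCD."""
    normal = make_zip("guide.js", b"WScript.Echo('benign');")
    concatenated = b"".join(make_zip(f"pad{i}.bin", b"x" * 16) for i in range(150))
    concatenated += make_zip("Indiana_Animal_Protection_Laws_Guide.js", b"// payload stand-in")
    truncated = normal[:-4]                    # chop the tail of the EOCD record
    return {"normal": normal, "concatenated": concatenated, "truncated": truncated}
```

Any of the three boolean findings on a ZIP arriving from the web is reason to quarantine it before a user can extract it with Explorer.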
### Execution & Persistence
When victims extract and run the JScript file, Windows Script Host (WScript) processes it from `AppData\Local\Temp`, initiating a multi-stage attack:
1. Persistence: Creates LNK shortcuts in the Startup folder, referencing secondary scripts via NTFS short filenames (e.g., `FILENA~1.js`).
2. Obfuscated PowerShell execution: CScript launches the script, which spawns PowerShell processes with heavily obfuscated commands to establish command-and-control (C2) communications.
### Detection & Indicators of Compromise
Security teams can identify Gootloader activity by monitoring:
- Process patterns: `wscript.exe` executing JScript from temp directories, followed by `cscript.exe` invoking scripts via NTFS shortnames and spawning PowerShell.
- File characteristics: ZIP archives with >100 instances of `PK\x03\x04` (local file headers) or `PK\x05\x06` (EOCD records).
- Persistence artifacts: LNK files in `\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`.
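The process patterns above as detection logic, as an added example that is not Huntress's or Expel's own code: it runs over constructed process-creation records (pid, ppid, image, cmdline) and flags wscript.exe launching JScript from Temp, cscript.exe invoking a script by NTFS short name, PowerShell spawned from that cscript, and the Startup-folder LNK path. Field names, sample paths and the benign control events are assumptions.

```python
"""Flag the Gootloader execution chain in process-creation telemetry: wscript.exe
running a .js/.jse from a Temp directory, cscript.exe invoking a script by its
NTFS short name, and PowerShell spawned by that cscript.  Added example; the
event records are constructed, not real EDR output."""
import re

TEMP_SCRIPT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.jse?\b", re.IGNORECASE)
SHORTNAME_RE = re.compile(r"\\[A-Z0-9_]{1,6}~\d+\.jse?\b", re.IGNORECASE)   # e.g. FILENA~1.js
STARTUP_LNK_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
    re.IGNORECASE)

RULE_WSCRIPT_TEMP = "wscript.exe executing JScript from Temp"
RULE_CSCRIPT_SHORT = "cscript.exe invoking script via NTFS short name"
RULE_PS_FROM_CSCRIPT = "PowerShell spawned by short-name cscript.exe"


def _image_is(ev, name):
    return ev["image"].lower().endswith("\\" + name)


def wscript_from_temp(ev):
    return _image_is(ev, "wscript.exe") and TEMP_SCRIPT_RE.search(ev["cmdline"]) is not None


def cscript_shortname(ev):
    return _image_is(ev, "cscript.exe") and SHORTNAME_RE.search(ev["cmdline"]) is not None


def is_startup_lnk(path):
    """File-artifact check for the Startup-folder persistence LNK."""
    return STARTUP_LNK_RE.search(path) is not None


def detect(events):
    """Return [(rule, pid)] for every event matching one of the page's process patterns."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if wscript_from_temp(ev):
            alerts.append((RULE_WSCRIPT_TEMP, ev["pid"]))
        if cscript_shortname(ev):
            alerts.append((RULE_CSCRIPT_SHORT, ev["pid"]))
        parent = by_pid.get(ev["ppid"])
        if _image_is(ev, "powershell.exe") and parent and cscript_shortname(parent):
            alerts.append((RULE_PS_FROM_CSCRIPT, ev["pid"]))
    return alerts


# Constructed sample telemetry: one Gootloader-style chain plus benign script use.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Indiana_Animal_Protection_Laws_Guide.js"'},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Users\alice\AppData\Roaming\INDIAN~1.js"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand <elided>"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\report.ps1"},
]
```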
Known IOCs:
- File hash (SHA-256): `b05eb7a367b5b86f8527af7b14e97b311580a8ff73f27eaa1fb793abb902dc6e`
- Malicious extensions: `.js`, `.jse`
- Execution paths: Temp directories, NTFS shortname scripts
Gootloader remains a persistent threat, historically accounting for 11% of malware bypassing enterprise security solutions. Its collaboration with Vanilla Tempest underscores its role in facilitating Rhysida ransomware attacks.
October 2025: 747
September 2025: 747
August 2025: 746
January 2025: 759
Cyber Attack
01 Jan 2025 • Huntress
Huntress: 'CrashFix' Scam Crashes Browsers, Delivers Malware
Score 742, LOW -17, incident ID HUN1769991856
Sophisticated "CrashFix" Campaign Targets Corporate Networks with ModeloRAT Malware
Cybersecurity firm Huntress has uncovered a highly evolved malware campaign attributed to the threat actor KongTuke, which has been active since early 2025. The latest operation, dubbed "CrashFix," demonstrates a marked increase in sophistication, targeting corporate systems with a multi-stage attack chain while deploying a separate, less refined infection method for home users.
### Key Components of the Attack
1. NexShield Malicious Extension – A near-identical replica of the legitimate uBlock Origin Lite ad blocker, distributed via malicious ads. Once installed, the extension remains dormant for an hour before intentionally crashing the browser by flooding the system with connection requests, exhausting memory and CPU resources.
2. CrashFix Social Engineering – After the crash, victims are presented with a fake security warning instructing them to execute a "repair" command via the Windows Run dialog. This command triggers a PowerShell script that establishes contact with the attacker’s command-and-control (C2) server, initiating the infection.
3. ModeloRAT (Python-Based RAT) – Exclusively deployed on domain-joined corporate systems, this previously unseen remote access Trojan (RAT) conducts extensive reconnaissance, collecting data on:
- Operating system details
- Running processes
- Network configurations
- User privileges
- Installed security tools (e.g., antivirus, virtual machine indicators)
ModeloRAT uses RC4 encryption for C2 communications and establishes persistence by modifying Windows Registry keys, often masquerading as legitimate applications like Spotify or Discord to evade detection.
### Targeting & Tactics
- Corporate Systems (VIP Treatment) – KongTuke prioritizes enterprise networks, where compromised systems provide access to Active Directory, internal resources, and sensitive data. The malware’s advanced capabilities suggest a focus on high-value targets with greater potential for financial or espionage gains.
- Home Users (Test Payloads) – Non-domain systems receive a separate, less polished infection chain. Huntress researchers observed C2 responses labeled "TEST PAYLOAD!!!!", indicating this branch may still be in development or a lower priority.
- Anti-Analysis Techniques – The fake "repair" pop-up blocks keyboard shortcuts, disables developer tools, and prevents text selection to hinder investigation.
### Discovery & Indicators of Compromise
The campaign was uncovered when a researcher searching for an ad blocker was redirected via a malicious ad to the fraudulent NexShield extension in the Chrome Web Store. Huntress has published indicators of compromise (IoCs), advising organizations to monitor for:
- Unusual use of legitimate Windows utilities (e.g., PowerShell)
- Suspicious browser extensions with excessive permissions or recent creation dates
- Registry Run key entries mimicking legitimate software
- Python commands spawning hidden PowerShell processes
### Why This Matters
KongTuke’s shift toward enterprise-focused attacks reflects a broader trend of threat actors prioritizing corporate networks for higher returns. The CrashFix technique, which exploits user frustration by creating a problem and then offering a "solution," demonstrates a self-sustaining infection loop that increases the likelihood of successful compromise. With ModeloRAT’s advanced reconnaissance and evasion tactics, this campaign poses a significant risk to organizations with domain-joined endpoints.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Huntress?
What was Huntress's A.I Rankiteo Cyber Score in June 2026?
What was Huntress's A.I Rankiteo Cyber Score in May 2026?
What was Huntress's A.I Rankiteo Cyber Score in April 2026?
What was Huntress's A.I Rankiteo Cyber Score in March 2026?
What was Huntress's A.I Rankiteo Cyber Score in February 2026?
What was Huntress's A.I Rankiteo Cyber Score in January 2026?
What was Huntress's A.I Rankiteo Cyber Score in December 2025?
What was Huntress's A.I Rankiteo Cyber Score in November 2025?
What was Huntress's A.I Rankiteo Cyber Score in October 2025?
What was Huntress's A.I Rankiteo Cyber Score in September 2025?
What was Huntress's A.I Rankiteo Cyber Score in August 2025?
What is the average per-incident point impact on Huntress's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Huntress?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Huntress's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?