Jonathan Semon

17 posts

Jonathan Semon

@JSemonSecurity

Malware Hunter | Huntress SOC Principal Analyst | USAF Veteran

Joined June 2025
53 Following 126 Followers
Jonathan Semon reposted
Huntress
Huntress@HuntressLabs·
Search: “clear disk space on macOS” Click: legit ChatGPT convo Paste: “safe” Terminal command Boom: AMOS infostealer installed @stuartjash & @JSemonSecurity break down how attackers are hijacking ChatGPT + Grok to deliver malware. huntress.com/blog/amos-stea…
2
33
106
11.1K
Jonathan Semon
Jonathan Semon@JSemonSecurity·
@Octoberfest73 What's even worse is companies like Forbes reposting this content for the world to see, with zero fact-checking, or even a simple Google search of "Windows .lnk malware". They might as well call sethc.exe a vulnerability and assign a CVE at this point. 🥴
0
0
2
250
Jonathan Semon reposted
UwU Underground
UwU Underground@uwu_underground·
ZXX
11
11
138
6.5K
Jonathan Semon
Jonathan Semon@JSemonSecurity·
I'm exhausted, so if you respond, I'll see it tomorrow, but to be clear, when browsing history is reviewed via the browser’s database, it isn’t limited to "just today"; it’s everything since the last time history was cleared. That’s how the artifact works, and every analyst who has pulled that file knows it. You can see this yourself: pull your history.db file from Edge/Chrome and open it in DB Browser for SQLite. Pair that with the fact that Huntress is an EDR + MDR/SOC product: once alerts fire, it’s the SOC’s responsibility to investigate by whatever means are needed (within our ToS and EULA, of course) to scope the incident. Every alert is treated as a potential attack until proven otherwise, and customers receive reports showing exactly what was pulled and remediated. And honestly, be glad we don’t do what some EDRs do, like full HTTPS traffic decryption with ingestion into the telemetry platform. That’s far more invasive than validating a browser history artifact when alerts fire. 😅
1
0
0
34
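The artifact described in the post above (the Chromium "History" SQLite file, which holds every visit and download since history was last cleared) can be reviewed without a GUI. The script below is an added example written for this page, not code from the post or from Huntress. It assumes only the subset of the real Chromium schema it creates itself (tables `urls`, `visits`, `downloads`, `downloads_url_chains`, with the column names Chromium uses), builds a constructed sample with made-up rows, copies the file before reading it (a running browser keeps the live file locked), and then answers the three questions an analyst actually asks: how far back does the file reach, where did each download come from, and what was visited in the minutes before it.

```python
"""Triage a Chromium 'History' SQLite artifact: history span, downloads with origin, lead-up visits."""
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 UTC (the WebKit / FILETIME epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Chromium timestamp -> aware UTC datetime; 0/None means 'unset'."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime, in integer arithmetic (floats lose precision at ~1e16)."""
    td = dt - WEBKIT_EPOCH
    return (td.days * 86_400 + td.seconds) * 1_000_000 + td.microseconds


def snapshot(history_path):
    """Copy History plus its -wal/-journal sidecars to a temp dir; never query the live file."""
    tmpdir = tempfile.mkdtemp(prefix="history-triage-")
    for suffix in ("", "-wal", "-journal"):
        if os.path.exists(history_path + suffix):
            shutil.copy2(history_path + suffix, os.path.join(tmpdir, "History" + suffix))
    return os.path.join(tmpdir, "History")


def _connect(path):
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)   # read-only: preserve the evidence


def history_span(path):
    """(earliest visit, latest visit, visit count): the file covers everything since the last clear."""
    with _connect(path) as con:
        first, last, count = con.execute("SELECT MIN(visit_time), MAX(visit_time), COUNT(*) FROM visits").fetchone()
    return webkit_to_datetime(first), webkit_to_datetime(last), count


def list_downloads(path):
    """Each download with the last hop of its redirect chain (what was really fetched) and the page it started from."""
    sql = """SELECT d.id, d.target_path, d.start_time, d.tab_url, d.referrer, d.state, d.danger_type,
                    (SELECT url FROM downloads_url_chains c WHERE c.id = d.id
                      ORDER BY c.chain_index DESC LIMIT 1) AS final_url
               FROM downloads d ORDER BY d.start_time"""
    with _connect(path) as con:
        rows = con.execute(sql).fetchall()
    return [{"id": r[0], "target_path": r[1], "start_time": webkit_to_datetime(r[2]), "tab_url": r[3],
             "referrer": r[4], "state": r[5], "danger_type": r[6], "final_url": r[7]} for r in rows]


def visits_before(path, when, window=timedelta(minutes=10)):
    """URLs visited in the window leading up to `when` (e.g. a download start), oldest first."""
    lo, hi = datetime_to_webkit(when - window), datetime_to_webkit(when)
    sql = """SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url
              WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time"""
    with _connect(path) as con:
        return [(webkit_to_datetime(t), url, title) for t, url, title in con.execute(sql, (lo, hi))]


def build_sample_history(path):
    """Constructed stand-in for a real History file: a subset of Chromium's schema with made-up rows."""
    t = lambda *a: datetime_to_webkit(datetime(*a, tzinfo=timezone.utc))
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER, transition INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER, end_time INTEGER,
            received_bytes INTEGER, total_bytes INTEGER, state INTEGER, danger_type INTEGER,
            referrer TEXT, tab_url TEXT, mime_type TEXT);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT, PRIMARY KEY(id, chain_index));""")
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://news.example/", "News", 1, t(2025, 5, 2, 9, 0)),
        (2, "https://login-portal.example/kit", "Sign in", 1, t(2025, 8, 14, 10, 2)),
        (3, "https://cdn.example/dl?f=tool", "Download", 1, t(2025, 8, 14, 10, 5))])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t(2025, 5, 2, 9, 0), 0, 0),      # months-old visit: still present in the file
        (2, 2, t(2025, 8, 14, 10, 2), 0, 0),
        (3, 3, t(2025, 8, 14, 10, 5), 2, 0)])
    con.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                (1, "C:\\Users\\user\\Downloads\\tool.zip", t(2025, 8, 14, 10, 6), t(2025, 8, 14, 10, 6),
                 4096, 4096, 1, 0, "https://cdn.example/dl?f=tool", "https://login-portal.example/kit", "application/zip"))
    con.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://cdn.example/dl?f=tool"),
        (1, 1, "https://files.cdn.example/tool.zip")])   # redirect target: the URL actually fetched
    con.commit()
    con.close()
    return path


def demo():
    """Build the constructed sample, snapshot it, and run the three queries on the copy."""
    live = build_sample_history(os.path.join(tempfile.mkdtemp(prefix="history-sample-"), "History"))
    copy = snapshot(live)
    downloads = list_downloads(copy)
    lead_up = visits_before(copy, downloads[0]["start_time"]) if downloads else []
    return {"span": history_span(copy), "downloads": downloads, "lead_up": lead_up}


if __name__ == "__main__":
    result = demo()
    first, last, n = result["span"]
    print(f"{n} visits from {first} to {last}")
    for d in result["downloads"]:
        print(f"{d['start_time']}  {d['target_path']}  <- {d['final_url']}  (tab: {d['tab_url']})")
    for when, url, title in result["lead_up"]:
        print(f"  lead-up {when}  {url}  {title!r}")
```

On a real endpoint, point `snapshot()` at the profile's `History` file (Chrome keeps it under the profile directory, e.g. `Default/History`) and run the same three functions on the returned copy; the May visit in the sample is the point of the post, as a months-old row is just as present in the file as today's.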
Jonathan Semon
Jonathan Semon@JSemonSecurity·
Nowhere did I say, "no customer notification." With any managed EDR, the workflow is simple: alerts occur, SOC investigates, reports sent. Pulling browser history is not exclusive to Huntress, and it happens only when required to validate the alert and scope an incident, and all the collected data is reported to the customer in the report for transparency.
2
0
3
245
Jonathan Semon
Jonathan Semon@JSemonSecurity·
Huntress is a Managed EDR/MDR product built for organizations. Whether a small business or an enterprise, installing the agent grants the SOC the authority to investigate that endpoint; that’s how all AV/EDR tools work. During sign-up, on the product page, “Business” and “Enterprise” are explicitly emphasized (over 20 times iirc). If someone installs it outside that scope, they’re still consenting to telemetry collection and investigation when malicious activity occurs. Once installed, you are consenting to an investigation of your endpoint if the tooling considers malicious activity occurring to be severe enough to need further investigation. To be clear though, no SOC is pulling browser history "for fun." That level of review only happens when an investigation requires it, which unfortunately is quite often when we are attempting to find compromised domains or phishing portals that are used to hack hundreds of millions of people daily.
1
0
2
225
Jonathan Semon
Jonathan Semon@JSemonSecurity·
Looks like others commented too, but to be clear, when you install a Managed EDR/AV, you are giving a company the ability to investigate your machine. Doesn't matter which company it is. We did not just see a random endpoint and go "Let's pull that one's history for giggles." Signals were generated that led to an investigation, in this case clearly malicious activity occurring on that endpoint, and in that investigation, it was identified that downloads had occurred, and to identify where they came from and when, the browser history was pulled. In the browser history was the download data, as well as all the shady shit the threat actor was doing.
1
0
4
247
Jonathan Semon
Jonathan Semon@JSemonSecurity·
@FJClayPro @mrexodia "Before you make the correlation" is wrong. The end user triggered alerts on their endpoint (we have no context), we investigate the alerts (to get context), and during the investigation we see that they're actually the bad actor themselves (we have context). That's a SOC's job.
1
0
11
955
Better Than Raducanu On Clay
@JSemonSecurity @mrexodia That doesn't make it better. You're basically saying you pulled their browsing history without their knowledge even before you make the correlation (just because it triggered some alerts). The more you say the worse it sounds.
1
0
5
965
Jonathan Semon
Jonathan Semon@JSemonSecurity·
@Btc4Cash @_JohnHammond @HuntressLabs X-post because I am lazy: Not quite. The threat actor installed Huntress on the endpoint. They triggered alerts (malicious tooling, downloads, etc.); the SOC investigated the telemetry and then pulled the history to confirm. Only after that was the hostname/data correlation made.
0
0
1
50
SoliditySam
SoliditySam@Btc4Cash·
@_JohnHammond @HuntressLabs Good read but does it mean you identified this guy with his machine id just by him downloading huntress?
1
0
0
680
John Hammond
John Hammond@_JohnHammond·
A threat actor installed Huntress. ... a hysterical mistake on their part, giving us first-hand insight to their tooling, workflow & routine. Phishing infra, stealer logs, Telegram+dark web sites, AI... Hilarious goldmine of cybercrime deets with a front row seat: huntress.com/blog/rare-look…
72
251
1.6K
287.2K
Jonathan Semon
Jonathan Semon@JSemonSecurity·
@mrexodia Not quite right. The threat actor installed Huntress on their own endpoint. They triggered alerts (malicious tooling, downloads, etc.); the SOC investigated the telemetry and then pulled the history to confirm. Only after that was the hostname/data correlation made.
1
0
18
16.9K
Duncan Ogilvie 🍍
Duncan Ogilvie 🍍@mrexodia·
My reading: the machine name was a red flag (as well as 'several other factors'), so you pulled the browser history for 3 months prior to them installing a trial of your product. Obviously that person is a criminal, but collecting evidence like this seems unethical at best...
6
0
58
3.4K
Jonathan Semon
Jonathan Semon@JSemonSecurity·
@wbmmfq @SquiblydooBlog @s1dhy @SecurityAura @struppigel @RussianPanda9xx Can confirm, this is the same crap, different app. The same folks who make Onestart just license out the software stack to "partners" with absolutely no vetting, and even when called out for their "partners" slipping malware into the application code they deny any wrongdoing.
2
0
9
338
Jonathan Semon reposted
Jai Minton
Jai Minton@CyberRaiju·
As of Thurs Aug 14th we're seeing clear indications that a threat actor has now weaponised and is exploiting vulnerabilities in Axis camera software (CVE-2025-30023/4/5/6) which was presented at DEFCON. Props to @Cyber4a53 for the find. axis.com/dam/public/9b/… CC: @HuntressLabs 👇
3
27
64
7.6K
Jonathan Semon reposted
Huntress
Huntress@HuntressLabs·
👀 DPRK threat actors are now using deepfakes and fake Zoom links to socially engineer macOS users. Starts with a Telegram message. Ends with AppleScript. Targets crypto wallets. Macs don't get viruses? 📖 by @stuartjash & @birchb0y & Jonathan Semon huntress.com/blog/inside-bl…
1
35
89
23.3K