Search: “clear disk space on macOS”
Click: legit ChatGPT convo
Paste: “safe” Terminal command
Boom: AMOS infostealer installed
@stuartjash & @JSemonSecurity break down how attackers are hijacking ChatGPT + Grok to deliver malware. huntress.com/blog/amos-stea…
@Octoberfest73 What's even worse is companies like Forbes reposting this content for the world to see, with zero fact-checking, or even a simple Google search of "Windows .lnk malware".
They might as well call sethc.exe a vulnerability and assign a CVE at this point. 🥴
I'm exhausted, so if you respond, I'll see it tomorrow, but to be clear: when browsing history is reviewed via the browser’s database, it isn’t limited to "just today"; it’s everything since the last time history was cleared. That’s how the artifact works, and every analyst who has pulled that file knows it. You can see this yourself: pull your history.db file from Edge/Chrome and open it in DB Browser for SQLite.
Pair that with the fact that Huntress is an EDR + MDR/SOC product: once alerts fire, it’s the SOC’s responsibility to investigate by whatever means are needed (within our ToS and EULA, of course) to scope the incident. Every alert is treated as a potential attack until proven otherwise, and customers receive reports showing exactly what was pulled and remediated.
And honestly, be glad we don’t do what some EDRs do, like full HTTPS traffic decryption with ingestion into the telemetry platform. That’s far more invasive than validating a browser history artifact when alerts fire. 😅
Nowhere did I say, "no customer notification." With any managed EDR, the workflow is simple: alerts occur, SOC investigates, reports sent. Pulling browser history is not exclusive to Huntress, and it happens only when required to validate the alert and scope an incident, and all the collected data is reported to the customer in the report for transparency.
Huntress is a Managed EDR/MDR product built for organizations. Whether a small business or an enterprise, installing the agent grants the SOC the authority to investigate that endpoint; that’s how all AV/EDR tools work. During sign-up, on the product page, “Business” and “Enterprise” are explicitly emphasized (over 20 times, iirc). If someone installs it outside that scope, they’re still consenting to telemetry collection and investigation when malicious activity occurs.
Once installed, you are consenting to an investigation of your endpoint if the tooling considers the malicious activity occurring severe enough to need further investigation. To be clear though, no SOC is pulling browser history "for fun." That level of review only happens when an investigation requires it, which unfortunately is quite often when we are attempting to find compromised domains or phishing portals that are used to hack hundreds of millions of people daily.
Looks like others commented too, but to be clear, when you install a Managed EDR/AV, you are giving a company the ability to investigate your machine. Doesn't matter which company it is. We did not just see a random endpoint and go "Let's pull that one's history for giggles."
Signals were generated that led to an investigation, in this case clearly malicious activity occurring on that endpoint, and in that investigation it was identified that downloads had occurred. To identify where they came from and when, the browser history was pulled. In the browser history was the download data, as well as all the shady shit the threat actor was doing.
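The artifact the two posts above lean on is the Chromium-family History database (Chrome and Edge both keep it as a SQLite file named `History` in the profile directory). The following is an added example, not code from the thread or from Huntress: it builds a constructed in-memory copy of the tables an analyst actually queries (`urls`, `visits`, `downloads`, `downloads_url_chains`, using Chromium's real column names but only a subset of them), converts the WebKit-epoch timestamps, lists each download with the redirect chain that delivered it, pulls the visits in the minutes before the download started, and reports how far back the file reaches. The `downloads.state` mapping is assumed from Chromium's source; every row in `build_sample_history()` is invented for the demo.

```python
"""Chromium History DB triage: downloads, their URL chains, preceding visits, time span.
Added example; schema subset uses Chromium's real column names, rows are constructed."""
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 00:00:00 UTC (the "WebKit epoch").
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# downloads.state as written by Chromium's download_database.cc (assumed mapping).
DOWNLOAD_STATE = {0: "in_progress", 1: "complete", 2: "cancelled", 3: "interrupted"}


def webkit_to_datetime(us: int) -> datetime:
    """WebKit microseconds -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Aware datetime -> WebKit microseconds. Integer math on purpose: a 2025 timestamp
    is ~1.3e16 us, beyond the 2**53 range where float division stays exact."""
    d = dt - WEBKIT_EPOCH
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def open_history_copy(path: str) -> sqlite3.Connection:
    """Copy the live History file first (the running browser holds a lock on it) and
    open the copy read-only so analysis never modifies the original artifact."""
    tmp = tempfile.NamedTemporaryFile(suffix=".db", delete=False)
    tmp.close()
    shutil.copyfile(path, tmp.name)
    return sqlite3.connect(f"file:{tmp.name}?mode=ro", uri=True)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory History DB: one visit from weeks earlier, a search, a landing
    page reached from that search, and a completed download served via a redirect."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
            visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER NOT NULL, visit_time INTEGER NOT NULL,
            from_visit INTEGER, transition INTEGER DEFAULT 0);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, current_path LONGVARCHAR, target_path LONGVARCHAR,
            start_time INTEGER, end_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
            state INTEGER, referrer VARCHAR, tab_url VARCHAR, mime_type VARCHAR);
        CREATE TABLE downloads_url_chains(id INTEGER NOT NULL, chain_index INTEGER NOT NULL,
            url LONGVARCHAR NOT NULL, PRIMARY KEY(id, chain_index));
    """)
    t_old = datetime_to_webkit(datetime(2025, 8, 1, 9, 0, tzinfo=timezone.utc))
    t_search = datetime_to_webkit(datetime(2025, 8, 14, 13, 2, tzinfo=timezone.utc))
    t_land = t_search + 60 * 1_000_000            # one minute after the search
    t_dl = t_search + 3 * 60 * 1_000_000          # download starts three minutes after the search
    search = "https://search.example/?q=clear+disk+space+macos"
    landing = "https://landing.example/fix"
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,0)", [
        (1, "https://news.example/", "Old visit", 1, 0, t_old),
        (2, search, "search", 1, 1, t_search),
        (3, landing, "Fix disk space", 1, 0, t_land),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,0)", [
        (1, 1, t_old, 0), (2, 2, t_search, 0), (3, 3, t_land, 2),   # from_visit 0 = no referrer
    ])
    conn.execute("INSERT INTO downloads VALUES (1,?,?,?,?,4096,4096,1,?,?,'application/x-sh')",
                 ("/Users/demo/Downloads/fix.sh", "/Users/demo/Downloads/fix.sh",
                  t_dl, t_dl + 5_000_000, landing, landing))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (1,?,?)", [
        (0, "https://landing.example/get"),           # the link that was clicked
        (1, "https://cdn.example/payload/fix.sh"),    # where the bytes actually came from
    ])
    conn.commit()
    return conn


def list_downloads(conn: sqlite3.Connection) -> list:
    """Every download with its URL chain (index 0 = clicked URL, last = final source)."""
    out = []
    rows = conn.execute("SELECT id, target_path, start_time, state, tab_url, referrer, mime_type "
                        "FROM downloads ORDER BY start_time").fetchall()
    for did, path, start, state, tab_url, referrer, mime in rows:
        chain = [u for (u,) in conn.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index", (did,))]
        out.append({"id": did, "path": path, "start": webkit_to_datetime(start).isoformat(),
                    "state": DOWNLOAD_STATE.get(state, f"unknown({state})"),
                    "tab_url": tab_url, "referrer": referrer, "mime": mime, "url_chain": chain})
    return out


def download_context(conn: sqlite3.Connection, download_id: int, window_minutes: int = 10) -> list:
    """Visits in the window before the download started, oldest first, each paired with
    the URL of the visit that referred to it (None when there was no referring visit)."""
    (start,) = conn.execute("SELECT start_time FROM downloads WHERE id = ?", (download_id,)).fetchone()
    rows = conn.execute("""
        SELECT v.visit_time, u.url, p.url
        FROM visits v JOIN urls u ON u.id = v.url
        LEFT JOIN visits fv ON fv.id = v.from_visit
        LEFT JOIN urls p ON p.id = fv.url
        WHERE v.visit_time BETWEEN ? AND ?
        ORDER BY v.visit_time""", (start - window_minutes * 60 * 1_000_000, start)).fetchall()
    return [(webkit_to_datetime(t).isoformat(), url, via) for t, url, via in rows]


def history_span(conn: sqlite3.Connection) -> tuple:
    """Earliest and latest visit (ISO 8601): the file holds everything since the last clear."""
    lo, hi = conn.execute("SELECT MIN(visit_time), MAX(visit_time) FROM visits").fetchone()
    return webkit_to_datetime(lo).isoformat(), webkit_to_datetime(hi).isoformat()


if __name__ == "__main__":
    db = build_sample_history()   # swap for open_history_copy("<profile>/History") on a real box
    print("history covers", *history_span(db))
    for d in list_downloads(db):
        print(d["start"], d["state"], d["path"], " -> ".join(d["url_chain"]))
        for when, url, via in download_context(db, d["id"]):
            print("   ", when, url, f"(from {via})" if via else "")
```

On a real endpoint, call `open_history_copy()` on the profile's `History` file instead of `build_sample_history()`; the copy step matters because the browser keeps the file locked while running, and opening read-only keeps the original artifact's hash intact for the report. The `downloads_url_chains` table is the part most people miss: `tab_url` tells you the page the user was on, but the last entry in the chain is the host that actually served the bytes after any redirects.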
@FJClayPro @mrexodia "Before you make the correlation" is wrong. The end user triggered alerts on their endpoint (we have no context), we investigate the alerts (to get context), and during the investigation we see that they're actually the bad actor themselves (we have context). That's a SOC's job.
@Btc4Cash @_JohnHammond @HuntressLabs X-post because I am lazy:
Not quite. The threat actor installed Huntress on the endpoint. They triggered alerts (malicious tooling, downloads, etc.); the SOC investigated the telemetry and then pulled the history to confirm. Only after that was the hostname/data correlation made.
@mrexodia Not quite right. The threat actor installed Huntress on their own endpoint. They triggered alerts (malicious tooling, downloads, etc.); the SOC investigated the telemetry and then pulled the history to confirm. Only after that was the hostname/data correlation made.
@wbmmfq @SquiblydooBlog @s1dhy @SecurityAura @struppigel @RussianPanda9xx Can confirm, this is the same crap, different app. The same folks who make Onestart just license out the software stack to "partners" with absolutely no vetting, and even when called out for their "partners" slipping malware into the application code they deny any wrongdoing.
As of Thurs Aug 14th we're seeing clear indications that a threat actor has now weaponised and is exploiting vulnerabilities in Axis camera software (CVE-2025-30023/4/5/6) which were presented at DEF CON. Props to @Cyber4a53 for the find.
axis.com/dam/public/9b/…
CC: @HuntressLabs
👇
152 Followers 158 Following
Security Analyst @Huntresslabs | SGF2ZSBhIG5pY2UgZGF5IQ== | Personal opinions and research are my own and don’t represent my employer