Max Rogers
@maxrogers5.com
Sr. Director of SOC at Huntress. Ex-Mandiant/FireEye. Bringing security to the Fortune 5,000,000.
🚨 @HuntressLabs identified active exploitation of a Local File Inclusion vulnerability affecting Gladinet CentreStack and Triofox systems.

A temporary workaround is available while a patch is in development:

www.huntress.com/blog/gladine...
Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw | Huntress
Huntress has observed in-the-wild exploitation of a Local File Inclusion vulnerability in Gladinet CentreStack and Triofox products.

In observed attacks, threat actors leveraged the flaw to read sensitive files—including Web.config—and extract the application’s machine key. That access enabled further exploitation, including potential remote code execution.

Until a patch is released, administrators should immediately apply the workaround detailed in our post:

This case is also a milestone for us at Huntress: it’s our first time reserving and publishing a CVE since being approved as a CVE Naming Authority (CNA).

Proud to have gone from spotting real-world exploitation → engaging the vendor → to publishing a CVE for the community.
Great job @jaiminton.com, @re.wtf, and James Northey
2⃣ The initial access was creative. The actor exploited a misconfigured, public-facing phpMyAdmin panel. They then used a log poisoning technique to write a one-liner PHP web shell (China Chopper) to disk, bypassing authentication and gaining initial command execution.
3⃣ From there, the actor used the AntSword management tool to interact with their web shell. This is a common TTP, but what came next was new to us. They used AntSword to download and install the Nezha agent, an open-source server monitoring tool, onto the victim.
4⃣ By repurposing a legitimate monitoring tool, the actor gained persistent access and a stable C2 channel. The Nezha agent was then used to deploy the final payload: a variant of Ghost RAT, a backdoor long associated with China-nexus threat groups.
Realizing the software getting exploited is owned by the same parent company who had a different app getting mass exploited in recent years.
The gift that keeps on giving.
Macs don't get viruses, right? 🍏

Deepfake Zoom calls. AppleScript lures. Rosetta 2 abuse.

Plenty of custom malware: Nim backdoor, Go infostealer, Obj-C keylogger, and more!

Amazing write-up by @re.wtf, @stuartjash.bsky.social and Jonathan Semon 🔥

🔗 www.huntress.com/blog/inside-...
Inside the BlueNoroff Web3 macOS Intrusion Analysis | Huntress
Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.
As more companies deploy the Huntress SIEM, we've enjoyed finding the "Door Rattlers"🚪

We see an attacker failing to log in across a number of environments and then eventually succeeding in 1 organization.

Stopping attacks at initial access ❤️
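The cross-tenant "door rattler" pattern described in this post, as an added example that is not Huntress's own SIEM logic: over a constructed set of authentication events, flag a source IP that fails to log in against several distinct organizations and then succeeds in one of them. The event schema, sample IPs and organization names are assumptions for the illustration.

```python
# Added example (not from the post): flagging "door rattler" sources in
# multi-tenant authentication logs. A source is flagged when it fails against
# several distinct organizations and then succeeds in one of them.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int        # epoch seconds (assumed normalized timestamp)
    org: str       # tenant / customer identifier (assumed field)
    src_ip: str    # source address of the login attempt
    user: str      # account name attempted
    success: bool  # True for a successful authentication


# Constructed sample events (not real data): 203.0.113.7 rattles three tenants
# and finally gets into org-c; 198.51.100.9 is an ordinary failed-then-ok login.
SAMPLE_EVENTS = [
    AuthEvent(100, "org-a", "203.0.113.7", "admin", False),
    AuthEvent(105, "org-b", "203.0.113.7", "admin", False),
    AuthEvent(110, "org-c", "203.0.113.7", "admin", False),
    AuthEvent(120, "org-c", "203.0.113.7", "jsmith", True),
    AuthEvent(130, "org-a", "198.51.100.9", "jdoe", False),
    AuthEvent(135, "org-a", "198.51.100.9", "jdoe", True),
]


def find_door_rattlers(events, min_orgs=3):
    """Return {src_ip: (orgs_failed_against, org_where_success)} for sources
    that failed in at least `min_orgs` distinct orgs before a success.

    Events are processed in timestamp order so only failures that precede
    the success count; a source is reported once, at its first qualifying hit.
    """
    failed_orgs = defaultdict(set)   # src_ip -> orgs with a prior failure
    hits = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            failed_orgs[ev.src_ip].add(ev.org)
        elif len(failed_orgs[ev.src_ip]) >= min_orgs and ev.src_ip not in hits:
            hits[ev.src_ip] = (frozenset(failed_orgs[ev.src_ip]), ev.org)
    return hits


if __name__ == "__main__":
    for ip, (orgs, landed) in find_door_rattlers(SAMPLE_EVENTS).items():
        print(f"{ip} failed in {sorted(orgs)} then succeeded in {landed}")
```

The same walk over real SIEM data would add a time window and exclude known shared egress addresses, since a corporate NAT serving several tenants legitimately produces failures across organizations.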
I hate Comcast.
Reposted by Max Rogers
Huntress has observed in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in the Gladinet CentreStack enterprise file-sharing platform.
All of these advances in AI and yet I still can't pass over a 1 page document and get a companion slide deck that doesn't look insane 🤦
I’m right there with you! Simplicity is a cheat code.
Why are most "work management" tools still worse than a Google Sheet?
Want some entertainment? Our Tradecraft Tuesday show is LIVE right now: www.youtube.com/watch?v=5_H3...

Come listen to @antonlovesdnb.bsky.social and Dray Agha discuss tradecraft we're seeing in the wild.
Tradecraft Tuesday | The Most Boring (Not Really) Tradecraft Tuesday Ever
YouTube video by Huntress
"Outsized value" would have been a better choice of words.
It pains me when organizations take their limited security budgets and get tricked into buying products that don't lead to exponential value.

Heck these days, lots of VPN and Firewall products are the direct source of business ending intrusions.
netscan.exe, psexec.exe, mstsc.exe, netsh.exe, reg.exe
Reposted by Max Rogers
ICYMI: In July 2023, Curated Intel members shared a brand new resource for the community called 'The Threat Actor Profile Guide for CTI Analysts'.

The Threat Actor Profile Guide for CTI Analysts (curatedintel.org)
The Threat Actor Profile Guide for CTI Analysts
Threat actor profiles are made for a range of reasons. An example trigger for creating a new profile can include after an incident, e.g., a...
Attackers love taking over M365 identities 😬 In the past ~60 days, Huntress has tracked phishing pages used to steal M365 sessions. Seeing `.com` isn't surprising but having `.online` in second place caught my eye 👀

Interested in Adversary in the Middle attacks? www.huntress.com/blog/unmaski...