Hackers disable Windows Defender and dump credentials after a ColdFusion break-in

Incident responders at Huntress have detailed a web server breach in which attackers, after slipping in through an outdated Adobe ColdFusion install, ran nearly a dozen commands to blind the machine's defences and then dumped its stored passwords with Mimikatz. The case is a vivid tour of "defence impairment," the unglamorous but critical work attackers do to disable logging and security tools so their intrusion goes unseen.

Huntress responded to the compromise on June 7, 2026, with investigative work credited to Adrian Garcia, Amelia Casley, Olly Maxwell, and Anton Ovrutsky. The team traced the entry point to a vulnerable web server and found log evidence pointing to exploitation of old ColdFusion flaws, including the critical remote code execution bug CVE-2023-26360 along with the access control issue CVE-2023-29298 and the deserialization flaw CVE-2023-29300.

A webshell hidden in an image

Rather than drop an obvious backdoor, the attacker hid an ASPX webshell inside an image file, a steganography trick, and tucked it in the server's Images folder. The shell gave itself away when it spawned a whoami command from the IIS worker process, something a normal web application never does. Embedded in every shell was a marker string that decoded to "ONEPIECE." Huntress flagged and removed the shell, but the server was put back online before remediation finished, not once but twice, letting the intruder return on June 10 and again on June 11. The pattern echoes other intrusions where crews plant webshells on exposed servers to keep a foothold.

How the attack works

On the return visit the attacker left behind the whole playbook: a batch script named i.bat that the Huntress SOC grabbed before it could be deleted. The script read like a checklist for going dark. It switched off IIS HTTP logging, fired off a long run of commands to disable Microsoft Defender's real-time monitoring, behavior monitoring, and sample submission, then killed and deleted security and logging services including Sysmon, Elastic Filebeat, and SentinelOne components. It also abused Image File Execution Options to freeze tools like Sysmon inside a debugger, and used timestomping to falsify file timestamps and corrupt the forensic timeline.

With the lights out, the attacker forced Windows to keep plaintext passwords in memory by flipping the WDigest UseLogonCredential registry value to 1, harvested database credentials stored in the clear in ODBC registry keys, and ran a Mimikatz driver to scrape credentials from memory. Telltale touches included enumerating the local administrators group under its Nordic, German, Romanian, Spanish, and Polish localized names, a hint the crew habitually targets Western and European victims, and probing for the FileZilla FTP client as a living-off-the-land way to move stolen data. That reliance on built-in tools and stolen logins mirrors ransomware operators who kill security software and lean on FileZilla for exfiltration.

What you should do

Huntress says the organization avoided data theft or encryption only because its endpoints were monitored and the intruder was caught mid-operation. The lessons are foundational: keep internet-facing software like ColdFusion fully patched, make sure web servers log properly and that those logs cannot be silently switched off, put servers that do not need to be public behind a firewall or VPN, and, crucially, finish remediation end to end. A half-cleaned server that goes back online, as happened twice here, simply reopens the door. Sudden bursts of Set-MpPreference Defender changes, mass service deletions, or WDigest registry edits are high-value alerts. The full command-level breakdown is in the original Huntress write-up.
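As an added example that is not from the Huntress write-up or IntelFusions, the script below turns the alerting advice above into a small Python triage pass over constructed process-creation log lines: it tags the Defender tampering, service deletions, WDigest edit, and IFEO debugger commands described in the attack section, counts a whoami only when spawned by a web worker, and raises a "burst" when several impairment hits land on one host within two minutes. The pipe-delimited log format, host names, and the w3wp.exe parent check are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (timestamp|host|parent|command line), not the events from the Huntress case.
SAMPLE_LOG = """\
2026-06-10T02:14:01|WEB01|w3wp.exe|cmd.exe /c whoami
2026-06-10T02:14:05|WEB01|cmd.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true
2026-06-10T02:14:06|WEB01|cmd.exe|powershell Set-MpPreference -DisableBehaviorMonitoring $true
2026-06-10T02:14:09|WEB01|cmd.exe|sc delete Sysmon64
2026-06-10T02:14:10|WEB01|cmd.exe|sc delete filebeat
2026-06-10T02:14:20|WEB01|cmd.exe|reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
2026-06-10T09:30:00|WEB02|explorer.exe|sc delete MyOldAppSvc
"""

RULES = {  # one pattern per impairment technique named in the write-up
    "defender_tamper": re.compile(r"set-mppreference\s.*-disable\w+\s+\$?true", re.I),
    "service_delete": re.compile(r"\bsc(?:\.exe)?\s+delete\s+\S+", re.I),
    "wdigest_plaintext": re.compile(r"wdigest.*uselogoncredential.*\s/d\s+0*1\b", re.I),
    "ifeo_debugger": re.compile(r"image file execution options.*\s/v\s+debugger", re.I),
    "webshell_recon": re.compile(r"\bwhoami\b", re.I),  # only counts under a web worker
}
WEB_WORKERS = {"w3wp.exe"}  # assumption: IIS worker process; extend for other app servers

def match_events(log_text):
    """Return (time, host, rule, command) for every log line that trips a rule."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        ts, host, parent, cmd = line.split("|", 3)
        for name, rx in RULES.items():
            if name == "webshell_recon" and parent.lower() not in WEB_WORKERS:
                continue  # whoami from a human shell is normal; from w3wp.exe it is not
            if rx.search(cmd):
                hits.append((datetime.fromisoformat(ts), host, name, cmd))
    return hits

def find_bursts(hits, window=timedelta(minutes=2), threshold=3):
    """Hosts with >= threshold impairment hits inside any window: a lone 'sc delete' is admin noise, several in two minutes is a go-dark script."""
    by_host = defaultdict(list)
    for ts, host, name, _ in hits:
        if name != "webshell_recon":  # recon is a separate alert, not impairment
            by_host[host].append(ts)
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        peak = max(sum(1 for t in times[i:] if t - s <= window) for i, s in enumerate(times))
        if peak >= threshold:
            bursts[host] = peak
    return bursts
```

On the sample, WEB01 produces a five-hit burst plus the web-worker whoami alert, while WEB02's single service removal stays below the threshold.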

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
