Inside a Threat Actor’s Typical Day: Lessons Learned for MSPs

Have you ever wondered how exactly threat actors spend their days? A recent Huntress investigation into a machine operated by a threat actor, who had installed a Huntress agent on it themselves, gave an inside look into just that.

On July 9, an endpoint with the Huntress agent installed on it fired off a slew of endpoint detection and response (EDR) signals and antivirus alerts. Our ensuing investigation revealed that the host was operated by a threat actor, based on evidence that the machine was attempting to compromise victim accounts, that its unique hostname was tied to several previous attacks, and more. We uninstalled the agent from the endpoint 84 minutes after it was first installed; even so, the incident gave us a rare look behind the curtain at how threat actors operate.

This inside look at a hacker’s day-to-day operations reveals what managed service providers (MSPs) are up against. Threat actors are putting in intensive hours, sometimes working 12 to 14 hours a day. They’re performing reconnaissance to study the companies they want to target, looking for ways to make their workflows more efficient through artificial intelligence (AI), and upping their game with tools like Evilginx, an adversary-in-the-middle phishing framework that proxies real login pages to capture credentials and session cookies.

Intensive working hours

One finding from the investigation is that the threat actor worked long hours across a range of tasks. A retrospective look at the threat actor’s browser history telemetry showed that they spent their time:

  • Researching various banking entities and bank personnel
  • Finding and accessing running instances of Evilginx
  • Looking at various security vendor websites, including signing up for trials at various vendors in order to test things

[Figure: Hours worked per day by the threat actor]

The threat actor also split their days between different tasks. Looking retrospectively at browser history items, for instance, we could see that on May 29, 2025, the attacker was mostly looking at various banking websites. They also spent time researching specific banks, reading about Telegram bots, and more. The next day, May 30, the attacker spent somewhat more time researching attack infrastructure, in addition to continuing to focus on banks.
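The per-day working hours and the "mostly banks on May 29, more infrastructure on May 30" picture above are the kind of thing you rebuild from a browser History database during an investigation. The following is an added example, not Huntress code or telemetry: it constructs a Chrome-style History SQLite database in memory (Chrome stores visit times as microseconds since 1601-01-01 UTC, the WebKit epoch), estimates hours worked per day with a session-gap heuristic, and tags each visit with a coarse category. The URLs, timestamps, the 30-minute gap threshold and the keyword buckets are all assumptions for illustration.

```python
"""Rebuild a per-day activity timeline from Chrome-style browser history.

Added example, not Huntress code or telemetry. It constructs a History
database in memory using Chrome's `urls`/`visits` layout (visit_time is
microseconds since 1601-01-01 UTC, the WebKit epoch), then estimates
"hours worked" per day with a session-gap heuristic and tags each visit
with a coarse category. Every URL and timestamp below is made up.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
GAP_MINUTES = 30  # assumption: an idle gap longer than this ends a session

# Assumed keyword buckets; tune these for the case at hand.
CATEGORIES = {
    "banking": ("bank",),
    "phishing-infra": ("evilginx",),
    "security-vendors": ("edr-vendor", "free-trial"),
    "automation": ("telegram",),
}

# Constructed visits (UTC), loosely modelled on the two days in the article.
SAMPLE_VISITS = [
    ("2025-05-29 08:00", "https://www.examplebank.test/about/leadership"),
    ("2025-05-29 08:20", "https://www.examplebank.test/careers"),
    ("2025-05-29 08:50", "https://botdocs.example.test/telegram-bot-api"),
    ("2025-05-29 09:10", "https://secondbank.test/business-banking"),
    ("2025-05-29 12:00", "https://thirdbank.test/contact"),
    ("2025-05-29 12:15", "https://thirdbank.test/locations"),
    ("2025-05-29 12:30", "https://secondbank.test/executive-team"),
    ("2025-05-30 10:00", "https://search.example.test/?q=evilginx+admin+panel"),
    ("2025-05-30 10:20", "https://edr-vendor.test/free-trial"),
    ("2025-05-30 10:45", "https://www.examplebank.test/press"),
    ("2025-05-30 23:50", "https://thirdbank.test/about"),
]


def to_webkit(dt):
    """Aware UTC datetime -> WebKit microseconds, the unit in Chrome's History DB."""
    return int((dt - WEBKIT_EPOCH).total_seconds() * 1_000_000)


def from_webkit(us):
    """WebKit microseconds -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def build_history_db(visits=SAMPLE_VISITS):
    """Create an in-memory stand-in for a real History file.

    On a live system the real file is locked while the browser runs; copy it
    (e.g. %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\History) and
    open the copy with sqlite3.connect() instead of calling this function.
    """
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);"
    )
    for i, (stamp, url) in enumerate(visits, start=1):
        dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        con.execute("INSERT INTO urls VALUES (?, ?)", (i, url))
        con.execute("INSERT INTO visits VALUES (?, ?, ?)", (i, i, to_webkit(dt)))
    con.commit()
    return con


def load_visits(con):
    """Return [(utc_datetime, url), ...] ordered by visit time."""
    rows = con.execute(
        "SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url "
        "ORDER BY v.visit_time"
    ).fetchall()
    return [(from_webkit(t), url) for t, url in rows]


def hours_per_day(visits, gap_minutes=GAP_MINUTES):
    """Sum active time per UTC day.

    Consecutive visits no more than gap_minutes apart (and on the same day)
    belong to one session, and the time between them counts as work. A lone
    visit still creates its day with 0 hours so it appears in the timeline.
    """
    gap = timedelta(minutes=gap_minutes)
    totals = {}
    prev = None
    for dt, _ in visits:
        day = dt.date().isoformat()
        totals.setdefault(day, 0.0)
        if prev is not None and prev.date() == dt.date() and dt - prev <= gap:
            totals[day] += (dt - prev).total_seconds() / 3600
        prev = dt
    return {day: round(h, 2) for day, h in totals.items()}


def categorize(url):
    """First matching keyword bucket wins; everything else is 'other'."""
    low = url.lower()
    for name, needles in CATEGORIES.items():
        if any(n in low for n in needles):
            return name
    return "other"


def category_counts_by_day(visits):
    """{day: {category: visit_count}} for a quick 'what did they do today' view."""
    out = {}
    for dt, url in visits:
        day = out.setdefault(dt.date().isoformat(), {})
        cat = categorize(url)
        day[cat] = day.get(cat, 0) + 1
    return out


if __name__ == "__main__":
    visits = load_visits(build_history_db())
    by_day = category_counts_by_day(visits)
    for day, hours in hours_per_day(visits).items():
        print(day, f"{hours:.2f} h active", by_day[day])
```

The session-gap heuristic undercounts (a single long read of one page adds nothing) and the keyword buckets are deliberately crude; what matters for the timeline is that timestamps are converted from the WebKit epoch correctly and kept in UTC, since the actor's local time zone is itself something you are trying to infer from when the sessions start and stop.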

Research and reconnaissance

The threat actor spent a lot of time researching companies across different sectors, from specific banks to “top real estate companies in the US.” Interestingly, they studied all parts of the ecosystem surrounding organizations of interest, from their customer bases to associated third-party companies across the supply chain.

The threat actor also used legitimate platforms to support their research, such as BuiltWith, which identifies the technology stacks behind websites. On July 8, browser entries show the attacker researching a prominent ecommerce vendor for payment and subscription management extensively, including its customer list, contacts, and market share. The threat actor then used BuiltWith to find the websites that rely on that vendor, in effect building a target list from the vendor’s supply chain.

Use of AI

The adversary used AI and automation tools to make their workflows more efficient. We saw evidence of them using Make, a legitimate workflow automation platform, paired with its Telegram Bot integration as a way to launch automated processes.

The threat actor also appeared to be interested in other AI tools for data generation and writing. We saw multiple Google searches for “free ai no signup” and “csv generator ai.” We also saw the threat actor using Toolbaz AI, a writing assistant; the CSV spreadsheet generator feature of DocsBot AI, an AI chatbot tool; and the AI data generator feature of Explo AI, an embedded analytics tool.

While there have previously been many reports on how cybercriminals are using AI (based on indicators in phishing messages or landing page content), this is the first time that we have a close-up view of a threat actor embedding AI into their operations in order to automate—and speed up—their workflow.

Threat actors are moving fast – and MSPs need to stay ahead

For MSPs, this research provides invaluable insight into the mindset and behaviors of threat actors.

While threat actors are putting in time and effort to hit businesses, having the right protections in place can stop them in their tracks. Some of the basic necessities include:

  • Managed endpoint detection and response (EDR) solutions to hunt for malicious activity
  • Implementing multi-factor authentication (MFA) and password managers. Note that Evilginx-style adversary-in-the-middle phishing, as seen in this investigation, relays one-time codes and push approvals to the real site and then captures the resulting session cookie, so prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys wherever they are available.
  • Using security awareness training to help employees recognize phishing and social engineering attacks

As MSPs work to secure their customer environments, it’s important to have context around how threat actors conduct research and stage attacks behind the scenes, and around the types of organizations, tools, and platforms they target and use. MSPs play a critical role in helping businesses not only keep up with threat actors, but stay ahead of them.