Overview
- Huntress recovered the custom PowerShell file Untitled1.ps1 from a compromised, domain-joined Windows server that attackers accessed with pre-compromised RDP credentials in early June 2026.
- The script ran exhaustive Active Directory discovery using multiple fallback methods, exported users, computers, groups and trusts to timestamped CSV files, produced a formatted HTML AD_Report, and archived the output for staging.
- About 30 minutes after the recon run, the actor deployed legitimate utilities s5cmd.exe and SharpShares.exe to find bulk files and network shares and to prepare data for exfiltration.
- Huntress assessed the code was almost certainly produced by iterating with a large language model because of telltale artifacts such as an AI-style internal title, placeholder server names, over-engineered fallback logic, and presentation-focused outputs.
- Defenders detected the activity through behavioral telemetry and SIEM rules rather than file signatures, and researchers say organizations must prioritize runtime behavior detection, strong identity hygiene, and monitoring of AD exports and bulk cloud-tool usage to stop similar attacks.