On April 16, 2026, a threat actor used stolen VPN creds to pivot into a Huntress partner Windows workstation and dropped a SYSTEM-level backdoor using the Komari agent - a 4.3k-star, MIT-licensed, Go-based project on GitHub. 👇🧵
MICROSOFT OPEN-SOURCED THEIR ENTIRE SENTINEL SECURITY TOOLKIT
most teams building on Azure figure out threat detection the hard way
trial and error, custom KQL, dashboards built from nothing, playbooks written by hand
nobody told them it was already done
the Sentinel GitHub repo has:
▫️ 1000+ pre-built threat detection rules
▫️ hunting queries for active threat investigation
▫️ automated response playbooks
▫️ security workbooks + dashboards
▫️ data connectors for 100s of sources
the hard part was already done
https://t.co/VHbH2pIRRe
On May 5, Huntress Threat Intel Analyst Casey Smith and special guest @sherrod_im, GM of Global Threat Intel at @MsftSecIntel, are breaking down what happened, why it worked, and how defenders can fight back.
Save your spot for the live event: https://t.co/erN9CJJeXo
#MSPartner
In February 2026, EvilTokens weaponized Railway to stand up token-harvesting infrastructure at machine speed.
→ AI-generated lures tailored to role and industry
→ Legit Microsoft auth flows abused by design
→ Infrastructure running on trusted tooling like AWS and Cloudflare
Last week, the Huntress SOC observed Nightmare-Eclipse tooling, including BlueHammer, RedSun, and UnDefend, during a real-world intrusion investigation.
@Curity4201 breaks down the details. 🔍
Check out the full write-up: https://t.co/L04cFBqcrW
Got to work on this with the legend @_JohnHammond. A user asked Codex to fix suspicious behaviour on their machine. Codex "solved" it, but the cryptominer kept running.
Plus: How Gen-AI noise is complicating investigations and how SOCs need to evolve.
https://t.co/DnfhV86iA1
The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques.
Investigation by: @wbmmfq, @Curity4201, + @_JohnHammond 🧵👇
RMM abuse surged 277% last year, making up nearly a quarter of the incidents we observed. (Huntress 2026 Cyber Threat Report).
Not because people don't care.
Because these tools are trusted by default.
Attackers noticed.
And built a playbook around it. 🧵
We investigated a campaign where cybercriminals created fake OpenClaw installers on GitHub that showed up as the top AI search suggestion in Bing.
Details below. 🧵
There's a dark enterprise out there growing faster than any other business on earth.
And it's your hidden competition.
On March 18, @_JohnHammond and @JimBrowning11 are exposing how cybercriminal organizations actually operate.
Save your spot: https://t.co/Cj70GExfe4
Mohammad Muzahir thought he was taking a legit IT job.
Instead, he was trafficked into a scam compound and forced to defraud people under threat of violence.
What he shared with us pulls back the curtain on how the system works. ⬇️
https://t.co/GZNnYnonMg
Coming up on #TradecraftTuesday, we're breaking down AppDomainManager Injection, a technique cybercriminals are using to turn legit .NET binaries into "living-off-the-land" weapons. 👀
Join us live next week to see exactly how it works: https://t.co/cQITOicQkW
CVE-2025-59287 is being actively exploited. Update Windows Server Update Services now to reduce risk of a threat actor achieving remote code execution with system privileges. See our Alert for details ➡️ https://t.co/t5xpDWjSWS #Cybersecurity
⚠️ Threat actors exploiting a recent Microsoft WSUS vulnerability (CVE-2025-59287)
- Microsoft released an out-of-band update for the flaw on 10/24
✅ Apply the update as soon as possible
IOCs, examples of adversary tradecraft, and remediations: https://t.co/I3Lrh6MFIB
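A quick "does this alert apply to me, and did the fix land?" triage script for the WSUS advisory above. This is an added example, not code from Huntress or Microsoft. It assumes it is run elevated on a Windows Server; it does not hard-code a KB number (the page gives none), so it lists every update installed on or after the 2025-10-24 out-of-band release date for the admin to compare against Microsoft's advisory for CVE-2025-59287. The WSUS default ports 8530/8531 and the `WsusService` service name are standard WSUS values, not taken from the alert.

```powershell
# Added example (not from the Huntress alert): exposure/patch-state triage for a WSUS host.
# Assumptions: elevated PowerShell on Windows Server; the out-of-band fix shipped 2025-10-24.
# No KB identifier is hard-coded; verify the listed updates against Microsoft's advisory.

$oobDate = Get-Date '2025-10-24'

# 1. Is the WSUS role present at all? No role means this host is not exposed.
$wsus = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
if (-not $wsus -or -not $wsus.Installed) {
    Write-Host 'WSUS role not installed; CVE-2025-59287 does not apply to this host.'
    return
}

# 2. Is the WSUS service running and listening on its default ports (8530 HTTP / 8531 HTTPS)?
#    A listener reachable from untrusted networks is the exposure the alert is about.
Get-Service -Name WsusService -ErrorAction SilentlyContinue |
    Select-Object Name, Status
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 8530, 8531 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Which updates were installed on/after the out-of-band release date?
#    Get-HotFix leaves InstalledOn empty for some entries; those compare as False and are skipped.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $oobDate } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    Write-Host "Updates installed since $($oobDate.ToShortDateString()) (confirm the WSUS fix is among them):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning 'No updates installed since the out-of-band release; treat this WSUS host as unpatched.'
}
```

Run it on each WSUS server rather than trusting a central inventory: the alert's point is that the hotfix was released out-of-band, so a normal monthly patch cycle may not have picked it up yet. Step 3 is deliberately a listing rather than a pass/fail, because an update can arrive under a different identifier (for example inside a later cumulative update) and only the advisory can tell you which one counts.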