TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Do Tigers Really Change Their Stripes?

2025-05-06

ATT&CK techniques detected

6 predictions

T1190 · Exploit Public-Facing Application · 89%
“…in particular at their indicators of compromise (IOC) sections, an astute reader will notice some commonalities between the two; specifically, IOCs such as the 2.58.56[.]16 IP address, installation of the Mesh Agent RMM, and the d3d11.dll file. Huntress analysts and rese…”

T1204.002 · Malicious File · 58%
(same excerpt as T1190)

T1219 · Remote Access Tools · 54%
“…cycle where they were able to install Mesh Agent, configured to connect to the rtb[.]mftadsrvr[.]com endpoint, before the endpoint was isolated. Conclusion: Even with an admittedly limited aperture, the consistency in indicators across incidents involving markedly different …”

T1105 · Ingress Tool Transfer · 47%
“…and 13 April 2025, Huntress reported several incidents that involved the exploitation of the Gladinet CentreStack & Triofox vulnerability as a means of initial access. During these incidents, IIS web server logs indicated that initial access to the /portal/loginpage.aspx web …”

T1588.006 · Vulnerabilities · 36%
“Do Tigers Really Change Their Stripes? Something we often hear within the cybersecurity community, and particularly within digital forensics and incident response (DFIR), is that “threat actors are always changing their tactics.” If you’re just responding to incidents and p…”

T1055.001 · Dynamic-link Library Injection · 32%
“…58.56[.]16 IP address that resulted in files d3d11.dll and mesch.exe (Mesh Agent installer) being transferred to the endpoints. CrushFTP log entries illustrating the transfer of the d3d11.dll to the endpoint appear as follows: In both incidents, the d3d11.dll file was …”

Summary

Across the cybersecurity community, an often-repeated adage is that “threat actors always change their tactics.” Tracking incident data tells a more nuanced story: while some changes are forced on an actor by the infrastructure and other obstacles they encounter, tactics frequently stay the same from one incident to the next. Huntress's recent investigations into exploitation of CVE-2025-31161 (CrushFTP) and CVE-2025-30406 (Gladinet CentreStack and Triofox) show the same TTPs and indicators, the 2.58.56[.]16 address, installation of the Mesh Agent RMM and the d3d11.dll file, recurring across otherwise distinct incidents.
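The practical use of indicators that stay constant across incidents is that they can be swept for retroactively. The following is an added example, not code from the Huntress write-up or from TTPwire: it refangs the indicators quoted above (the 2.58.56[.]16 address, the rtb[.]mftadsrvr[.]com endpoint, the d3d11.dll and mesch.exe files, and the /portal/loginpage.aspx login page) and runs them over a handful of constructed log lines. The IIS-style and CrushFTP-style line layouts are assumptions made for the sample data only; the page does not reproduce the real log formats.

```python
import re

# Indicators as quoted in the page's excerpts. The page defangs the IP and the
# domain ("2.58.56[.]16", "rtb[.]mftadsrvr[.]com"); refang() restores the literal
# strings a raw log would contain.
DEFANGED_IOCS = {
    "ip": "2.58.56[.]16",
    "domain": "rtb[.]mftadsrvr[.]com",
}
IOC_FILES = ("d3d11.dll", "mesch.exe")
IOC_LOGIN_PATH = "/portal/loginpage.aspx"

# Constructed sample lines (not the page's logs). The W3C-style IIS fields and
# the CrushFTP transfer line layout are assumptions for illustration only.
SAMPLE_LOGS = [
    "2025-04-12 03:14:07 10.0.0.5 POST /portal/loginpage.aspx - 443 - 2.58.56.16 Mozilla/5.0 200",
    "2025-04-12 03:14:09 10.0.0.5 GET /portal/images/logo.png - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2025-04-12 03:15:30 10.0.0.5 GET /portal/loginpage.aspx - 443 - 198.51.100.7 Mozilla/5.0 200",
    "[2025-04-12 03:16:02] user1 STOR C:\\CrushFTP\\d3d11.dll from 2.58.56.16 OK 61440 bytes",
    "[2025-04-12 03:16:20] user1 STOR C:\\CrushFTP\\mesch.exe from 2.58.56.16 OK 3211264 bytes",
    "2025-04-12 03:17:44 dns query rtb.mftadsrvr.com from host01",
    "[2025-04-12 03:18:00] user2 RETR C:\\CrushFTP\\report.pdf from 203.0.113.9 OK 102400 bytes",
]


def refang(indicator: str) -> str:
    """Restore a defanged indicator ("2.58.56[.]16") to its literal form."""
    return indicator.replace("[.]", ".")


# Compiled once. The lookarounds stop 2.58.56.16 from matching inside
# 12.58.56.160, and d3d11.dll from matching inside d3d11.dll.bak.
_IP = refang(DEFANGED_IOCS["ip"])
_DOMAIN = refang(DEFANGED_IOCS["domain"])
IOC_PATTERNS = {
    "ip:" + _IP: re.compile(r"(?<![\d.])" + re.escape(_IP) + r"(?![\d.])"),
    "domain:" + _DOMAIN: re.compile(r"(?<![\w.-])" + re.escape(_DOMAIN) + r"(?![\w-])"),
    "path:" + IOC_LOGIN_PATH: re.compile(re.escape(IOC_LOGIN_PATH)),
}
for _name in IOC_FILES:
    IOC_PATTERNS["file:" + _name] = re.compile(r"(?<![\w.])" + re.escape(_name) + r"(?![\w.])")


def match_line(line: str) -> set:
    """Tags of every indicator present in one log line (case-insensitive)."""
    text = line.lower()
    return {tag for tag, pat in IOC_PATTERNS.items() if pat.search(text)}


def scan(lines) -> list:
    """(1-based line number, tags) for each line that hits at least one indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        tags = match_line(line)
        if tags:
            hits.append((n, tags))
    return hits


def suspicious_logins(lines) -> list:
    """Line numbers where the login page was reached from the page's IOC address.

    A lone request for /portal/loginpage.aspx is ordinary traffic; it is the
    combination with the known address that the write-up reports.
    """
    ip_tag, path_tag = "ip:" + _IP, "path:" + IOC_LOGIN_PATH
    return [n for n, tags in scan(lines) if ip_tag in tags and path_tag in tags]


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(sorted(tags))}")
    print("login page reached from IOC address on lines:", suspicious_logins(SAMPLE_LOGS))
```

Matching is deliberately bounded by lookarounds rather than plain substring tests: a bare `"2.58.56.16" in line` also fires on 12.58.56.160, which is the kind of false positive that erodes trust in a retro-hunt. Feed the functions real log lines instead of the constructed list to sweep an environment for the same indicators.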