Threat Actors Exploit Trusted IT Provider to Maintain 100-Day Enterprise Network Access

Modern cyber intrusions are no longer dependent on noisy malware campaigns or exploit-heavy operations. Today’s advanced threat actors increasingly rely on trusted infrastructure, legitimate administrative tooling, and operational blind spots to establish persistence while avoiding detection. One recent investigation demonstrated how attackers leveraged a compromised third-party IT services provider and enterprise management software to silently maintain access inside a corporate environment for more than 100 days.

[Figure: Attack timeline]

The intrusion highlighted a growing cybersecurity reality: organizations often extend implicit trust to external vendors, infrastructure management platforms, and automation systems without continuously validating their behavior. Attackers exploited that trust boundary to execute scripts, intercept credentials, deploy persistence mechanisms, and move laterally across critical systems without relying on traditional malware delivery techniques.

Abuse of Trusted Enterprise Management Systems

The investigation identified the use of HPE Operations Agent (OA), a legitimate enterprise monitoring and automation platform, as the primary execution channel used by the attackers. Importantly, no vulnerability existed within the software itself. Instead, attackers abused the operational trust associated with the platform after compromising a third-party IT service provider responsible for managing the environment.

Because HPE OA was an approved and digitally signed administrative solution already integrated into normal enterprise operations, malicious activities executed through the platform appeared indistinguishable from legitimate administrative tasks. This allowed threat actors to deploy scripts and binaries across multiple systems while blending into routine operational telemetry. Such activity aligns closely with the MITRE ATT&CK technique T1199 – Trusted Relationship, where attackers exploit existing trusted connections to gain unauthorized access.

[Figure: Performed activities using HPOM]

The attackers leveraged HP Operations Manager (HPOM) to execute malicious VBScript payloads, including abc003.vbs, on web servers and domain controllers. These scripts performed Active Directory enumeration, network reconnaissance, and external IP discovery using PowerShell commands. Because execution originated from trusted infrastructure, traditional security monitoring controls failed to generate immediate alerts.

Credential Theft Through Windows Authentication Abuse

Rather than deploying commodity credential stealers, the attackers implemented highly stealthy credential interception mechanisms deeply integrated into Windows authentication workflows. On the domain controller DC01, the attackers registered a malicious network provider named mslogon.dll through the HPE OA framework.

This DLL abused legitimate Windows Credential Manager APIs such as NPLogonNotify and NPPasswordChangeNotify to capture user credentials during authentication and password changes. Whenever users logged in or changed passwords, the DLL intercepted usernames and passwords in cleartext before storing them locally in files disguised within public directories.

The attackers later escalated persistence by registering malicious password filter DLLs named passms.dll on multiple domain controllers. Password filters are legitimate Windows extensibility components that LSASS loads during password operations. Because the filter runs inside the LSASS process, the attackers gained continuous access to password modification events occurring across the domain infrastructure.
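As an added example (not from the original investigation), the following PowerShell audit enumerates the two authentication extension points described above: the network-provider registration abused by mslogon.dll and the LSA password-filter list abused by passms.dll, flagging entries that are unsigned, missing on disk, or outside a baseline. The baseline names are assumptions to adapt to the environment.

```powershell
# Added example, not from the report. Audits Windows network providers
# (NPLogonNotify / NPPasswordChangeNotify hosts) and LSA password filters.
# Run elevated on each domain controller; review anything it prints.

$BaselineProviders = @('RDPNP','LanmanWorkstation','webclient')   # assumption: common Windows defaults
$BaselineFilters   = @('scecli','rassfm')                          # assumption: Windows defaults, add known vendors

function Test-DllTrust {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED($($sig.Status))" }
    return "Valid:$($sig.SignerCertificate.Subject)"
}

function Get-NetworkProviderAudit {
    $order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    foreach ($name in ($order -split ',')) {
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $raw  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProviderPath
        $path = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
        [pscustomobject]@{
            Type     = 'NetworkProvider'
            Name     = $name
            Path     = $path
            Trust    = if ($path) { Test-DllTrust $path } else { 'NO_PATH' }
            Baseline = $BaselineProviders -contains $name
        }
    }
}

function Get-PasswordFilterAudit {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($name in $lsa.'Notification Packages') {      # REG_MULTI_SZ, DLLs loaded by LSASS from System32
        $path = Join-Path $env:SystemRoot "System32\$name.dll"
        [pscustomobject]@{
            Type     = 'PasswordFilter'
            Name     = $name
            Path     = $path
            Trust    = Test-DllTrust $path
            Baseline = $BaselineFilters -contains $name
        }
    }
}

# Non-baseline names (e.g. mslogon or passms from the report) or non-valid signatures are the findings.
@(Get-NetworkProviderAudit) + @(Get-PasswordFilterAudit) |
    Where-Object { -not $_.Baseline -or $_.Trust -notlike 'Valid:*' } | Format-Table -AutoSize
```

A signed DLL from an unexpected publisher still warrants review, so compare the signer subject against the vendors actually deployed rather than trusting the Valid status alone.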

[Figure: Web shell creations and usage for persistence]

Captured credential data was then encoded using Base64 and a custom obfuscation algorithm before being staged for exfiltration. Another module, msupdate.dll, transferred the encoded data over SMB shares into files disguised as image assets such as icon02.jpeg. The malware also included SMTP-based exfiltration functionality capable of emailing stolen credentials using predefined mail server configurations.

Web Shell Persistence and Covert Remote Access

Persistence within internet-facing infrastructure was maintained through multiple ASPX-based web shells, including Errors.aspx and modified versions of Signoff.aspx. These shells allowed attackers to upload files, execute PowerShell scripts, and deploy additional payloads directly on exposed servers.

The threat actors also deployed ngrok tunnels on internal systems to bypass perimeter defenses and maintain covert Remote Desktop Protocol (RDP) access. By exposing internal servers through encrypted outbound tunnels, attackers avoided opening inbound firewall ports while masking the true origin of their connections.

Lateral movement across the network relied heavily on compromised privileged credentials harvested from the malicious authentication components. Attackers used RDP sessions, Windows Management Instrumentation (WMI), and SMB transfers to pivot between SQL servers, web servers, and domain controllers while remaining largely undetected.

[Figure: Lateral movement using RDP]

Why This Intrusion Was Difficult to Detect

One of the most significant lessons from this campaign is that sophisticated intrusions increasingly avoid malware-centric tradecraft. Instead of exploiting vulnerabilities or deploying ransomware immediately, attackers focused on operational stealth and persistence through legitimate systems already trusted within the environment.

Traditional security controls often prioritize identifying malicious binaries, exploit signatures, or suspicious network payloads. However, when attackers operate entirely through approved enterprise tooling, those indicators become substantially harder to identify. The absence of endpoint detection coverage on critical internet-facing systems further reduced visibility and delayed incident response efforts.

This case also demonstrates how third-party service providers can unintentionally become attack pathways into enterprise networks. Once attackers compromise a managed services relationship, they inherit the trust and privileges associated with that provider’s operational access.

Our Opinion on This Incident

This intrusion represents a critical shift in modern cyber warfare where trust itself has become the primary attack surface. The attackers did not need advanced zero-day exploits or destructive malware because the organization’s operational architecture already provided trusted execution channels, privileged management access, and implicit vendor trust relationships. That combination created an environment where malicious behavior could blend naturally into normal enterprise activity.

In our view, the most concerning aspect of this campaign is the abuse of legitimate Windows authentication extensibility mechanisms and enterprise management platforms. Many organizations still assume that approved software and trusted vendors inherently reduce risk. In reality, trusted systems require continuous monitoring, behavioral validation, and strict segmentation because attackers increasingly target those relationships directly.

This case also highlights the importance of endpoint visibility across all infrastructure tiers, particularly internet-facing servers and domain controllers. The lack of EDR coverage significantly limited early detection opportunities. Additionally, organizations must strengthen governance around third-party administrative access by implementing privileged access management, session monitoring, and strict audit validation.

Ultimately, this campaign proves that cybersecurity defenses can no longer focus solely on malware prevention. Modern defense strategies must prioritize identity monitoring, operational telemetry analysis, authentication integrity, and continuous validation of trusted relationships. Zero Trust principles are no longer optional; they are essential for defending against stealth-focused intrusions designed for long-term persistence and strategic access.