Key Takeaways
Attackers are increasingly hiding behind trusted tools, legitimate software, and normal business activity.
The biggest security risks often come from actions that appear completely legitimate.
Human-led attacks are designed around how defenders respond, making them difficult to detect with automated controls alone.
Security teams must be able to identify when trusted activity becomes malicious activity.
Continuous adversary emulation provides ongoing assurance that detections work against realistic attack behaviour.
Hiding in Plain Sight: What This Month’s Attacks Reveal
Your perimeter is secure. Everything is configured correctly and your team is on watch, ready for the next threat actor to make an attempt.
In each of this month’s cases, none of that was enough.
Not because the attackers broke through the defences.
The attackers' sophistication lay elsewhere. They understood how to operate inside trusted processes, legitimate identities and normal business activity, so nothing they did looked obviously wrong.
They are not breaking through your defences. They are walking through the front door dressed as someone you trust.
This month, three cases stood out. The pattern across them is worth understanding carefully.
Case 1: EtherRAT and The Gentlemen Ransomware
Source: The DFIR Report, May 2026
- A user executed a fake Sysinternals utility. It deployed EtherRAT, which retrieved its C2 configuration from the Ethereum blockchain, invisible to traditional network defences.
- Mid-intrusion, AI-generated malware disguised as Greenshot and SyncTrayzor was deployed via DLL sideloading from trusted binaries.
- GoTo Resolve, a legitimate remote management tool, was used for lateral movement. To monitoring tools, it looked like routine IT administration.
- Data was exfiltrated via Rclone to cloud storage. Logs were cleared and forensic artifacts removed.
- Three days in, domain-wide ransomware was deployed via a malicious Group Policy Object across the entire environment.
Implication: Every stage of this attack had a plausible legitimate explanation. Nothing triggered an alert because nothing looked wrong. Detection required knowing what normal looked like, and noticing the deviation.
Case 2: MuddyWater: The Ransomware That Was Not Ransomware
Source: The Hacker News, May 2026
- The Iranian state-sponsored group MuddyWater used Microsoft Teams to contact employees directly, posing as IT support and initiating screen-sharing sessions.
- Employees were instructed to type credentials into text files. Some were directed to add attacker-controlled devices to their MFA configuration.
- Legitimate remote management tools, AnyDesk and DWAgent, were used to maintain access. No custom malware. No unusual binaries.
- No files were encrypted. The ransomware branding was a deliberate false flag. The real objective was long-term access, credential harvesting, and intelligence collection.
- Victim data was published to a leak site, creating the appearance of a financial attack while the espionage operation continued undetected beneath it.
Implication: The security team responded to the wrong incident. The attackers understood how defenders would react and designed the operation around it. That is not automation. That is human judgement.
Case 3: The EU’s Security Scanner Became the Attack Vector
- On 19 March 2026, the European Commission downloaded a routine update for Trivy, one of the world’s most widely used open-source vulnerability scanners. The update was malicious.
- Threat actor TeamPCP had compromised Trivy’s release infrastructure and pushed a poisoned version through normal software update channels. Anyone running Trivy that day pulled it automatically.
- The compromised version harvested AWS API keys, granting access to cloud accounts across multiple EU entities. TruffleHog, another legitimate security tool, was then used to scan for and validate additional credentials.
- 340GB of data was exfiltrated, affecting at least 29 EU entities. The data was subsequently published on a dark web leak site.
Implication: The tool designed to find vulnerabilities became the entry point. The organisation did everything correctly. That is precisely what the attacker relied on. The question is no longer just whether your software is patched. It is whether the tools you trust to protect you have themselves been compromised.
Key Patterns Across This Month’s Attacks
Three cases. Three different entry points. The same underlying theme running through all of them.
- Legitimate tooling was the attack surface. A trusted utility, a collaboration platform, a security scanner. In every case the initial access came through something the organisation already trusted.
- Defenders responded to the visible threat, not the real one. Ransomware branding directed attention away from persistent access. In the Trivy case, there was nothing visible at all until it was over.
- Signature-based detection had nothing to catch. No custom malware, no unusual binaries, no obvious indicators of compromise.
- The attacks were designed around the defender’s response. That level of operational awareness is not something automation can replicate.
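The common thread above, and in Cases 1 and 2 specifically, is that a tool the organisation already trusts (Rclone, GoTo Resolve, AnyDesk, DWAgent) is used outside the context in which it is normally seen. The following added example, written for this article and not code from WRAITH, The DFIR Report or any of the vendors named, shows one way a SOC can encode that baseline and flag deviations; the host names, users, parent processes and baseline profile are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str      # executable name as logged
    parent: str     # parent process name

# Constructed baseline: where each trusted tool is expected to run, by whom,
# and from which parent. An empty profile means the tool is not sanctioned
# anywhere in this (hypothetical) environment.
BASELINE = {
    "rclone.exe": {"hosts": {"backup01"}, "users": {"svc_backup"}, "parents": {"taskeng.exe"}},
    "goto-resolve.exe": {"hosts": {"helpdesk01"}, "users": {"it_admin"}, "parents": {"explorer.exe"}},
    "anydesk.exe": {},
    "dwagent.exe": {},
}

def deviations(event):
    """Return the baseline fields this event violates; an empty list means in-profile."""
    profile = BASELINE.get(event.image.lower())
    if profile is None:
        return []                       # not a watched tool at all
    if not profile:
        return ["unsanctioned-tool"]    # trusted elsewhere, never sanctioned here
    out = []
    for field, key in (("host", "hosts"), ("user", "users"), ("parent", "parents")):
        if getattr(event, field) not in profile[key]:
            out.append(field)
    return out

def triage(events):
    """Map each out-of-profile event to the reasons it deviates; in-profile events are dropped."""
    return {e: deviations(e) for e in events if deviations(e)}

EVENTS = [  # constructed sample process telemetry
    ProcEvent("backup01", "svc_backup", "rclone.exe", "taskeng.exe"),     # routine scheduled backup
    ProcEvent("fileserver02", "jsmith", "rclone.exe", "cmd.exe"),         # Case 1 pattern: Rclone off-baseline
    ProcEvent("ws-042", "it_admin", "goto-resolve.exe", "explorer.exe"),  # right user, wrong host
    ProcEvent("ws-017", "mjones", "anydesk.exe", "teams.exe"),            # Case 2 pattern: RMM spawned from Teams
    ProcEvent("ws-017", "mjones", "outlook.exe", "explorer.exe"),         # not a watched tool
]

if __name__ == "__main__":
    for ev, why in triage(EVENTS).items():
        print(f"{ev.host} {ev.user} {ev.image} <- {ev.parent}: {', '.join(why)}")
```

The point is that none of the flagged events contains malware or an unusual binary; each is a legitimate tool whose host, operator or parent process does not match what the environment considers normal.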
Attackers are not breaking through your defences. They are hiding inside them.
Why This Matters for Enterprise Security Leaders
The cases above expose a challenge that many enterprise security programmes struggle to assess consistently.
Can your organisation reliably identify malicious activity when it appears to be business as usual?
These attacks were not successful because organisations lacked security controls. They were successful because the activity looked legitimate for long enough to achieve the attacker’s objective.
Common themes across all three cases included:
- Reliance on trusted tools, platforms, and processes.
- Little or no activity that appeared overtly malicious.
- Attacker actions designed to blend into normal operations.
- Success dependent on remaining unnoticed rather than overcoming technical controls.
The challenge for defenders is not simply detecting threats. It is recognising when otherwise legitimate activity does not fit the context of the environment.
That capability cannot be assumed. Organisations change. Teams change. Technology changes. Attackers change.
The question is not whether your organisation can detect this behaviour during a single assessment.
The question is whether it can detect it consistently over time.
How WRAITH Addresses This
The answer to attacks that hide in plain sight is not more detection tooling. It is testing whether your detection works against realistic, human-led behaviour in your specific environment.
WRAITH operators use the same techniques real attackers use: legitimate tooling, living-off-the-land tactics, trusted processes. Campaigns are unannounced and run continuously, which means your defensive team is tested under genuine conditions, not during a prepared exercise where everyone knows something is coming.
That matters because the attacks above could not have been caught by a scanner that identifies known vulnerabilities. They required someone who understood the environment well enough to notice that something trusted was being used in a way it should not be. WRAITH builds that understanding over months, not a two-week window. It tests whether your detections fire against subtle, low-noise activity. And it tells you whether your SOC would notice, before a real attacker finds out they would not.
The most dangerous attacks are not the ones that look dangerous. They are the ones that look completely normal.
WRAITH is built for large, complex organisations that need a continuous, realistic approach to security assurance. Find out how it works and which tier fits your organisation.
Jennifer Goulbourne
Jennifer is a Digital Marketing Executive at OmniCyber Security, where she's responsible for engaging the company's existing customer base across digital channels and creating helpful resources on threat intelligence and security operations for cybersecurity professionals and business leaders.