Huntress Specialists Tracked a Hacker Who Installed Their Product

Last week, cybersecurity company Huntress published research stemming from an unusual event: a hacker had installed a trial version of its endpoint detection and response (EDR) tool. What began as a rare chance to monitor attacker behavior from the inside soon sparked debate, as critics questioned the level of access Huntress holds over client systems—even when only a free trial is used.

A Rare Window into Attacker Operations

In their report, Huntress researchers described the case as a “rare opportunity” to observe threat actor operations. The attacker, perhaps inadvertently, installed a trial version of Huntress EDR while searching for “Bitdefender” on Google and clicking a sponsored link.

For the next three months, Huntress tracked the hacker’s activities in detail. According to the company, red flags quickly revealed this was no ordinary user. The unique computer name used by the attacker matched identifiers seen in prior incidents. Browser history showed signs of malicious intent, including attempts to craft phishing messages, probe Evilginx instances, and target organizations.

Researchers also suspected the system may have been used as a jump box by multiple actors, though conclusive evidence was lacking. Extensive use of Google Translate suggested the individual spoke Thai, Spanish, and Portuguese, converting messages into English for phishing campaigns aimed at harvesting banking credentials.

Controversy over Access and Ethics

While some in the security community found the scenario—an attacker accidentally running the very software meant to stop them—amusing, others raised serious concerns. The report reignited debate about how much visibility EDR vendors truly have into client systems.

“This gave defenders unique insights, but it also raised a real question: should a private company have the right to track a threat actor in this way, or was it obligated to notify the authorities once it moved from incident response to intelligence gathering?” wrote Horizon3.ai CEO Snehal Antani.

Other experts went further, calling the case a “complete breach of privacy” by the vendor.

Huntress Responds

Amid the criticism, Huntress updated its report with an official statement addressing the ethical questions. The company stressed that its methods were consistent with industry-standard EDR practices, which inherently involve deep system-level access.

“We first encountered the host mentioned in this publication because we responded to numerous alerts related to malware execution on it. As part of this process, our SOC team carefully examines signals and collects artifacts related to EDR telemetry on the host. It was only upon further examination of this telemetry that we discovered signals indicating malicious behavior,” the company explained.

Huntress emphasized that its agent does not provide capabilities such as remote screen viewing or screenshots. Browser history mentioned in the report was reconstructed from forensic artifacts tied to malicious activity, not through direct surveillance.

“In deciding what information to publish about this investigation, we carefully weighed several factors, including strict adherence to our privacy obligations, as well as providing EDR telemetry that reflects the very threats and behavioral patterns that can help defenders. Overall, this investigation reflects what we do best: transparency, education, and fighting hackers,” the company summarized.