Microsoft Warns of Attackers Using Trusted HPE Operations Agent for Malware-Free Intrusions
Cyber Security News
By Tushar Subhra Dutta
May 15, 2026
A recent intrusion uncovered by security researchers revealed a calculated attack campaign that used a legitimate enterprise management tool as a weapon.
The threat actor gained access through a compromised third-party IT services provider, then quietly moved through the victim’s environment using tools that were already approved and running.
No obvious malware was dropped, and no loud alerts were triggered at any stage of the attack.
Microsoft Incident Response investigators analyzed the full attack chain and published their findings, noting that the campaign abused the HPE Operations Agent (OA), a widely used enterprise monitoring tool, as its primary delivery mechanism.
Microsoft said in a report shared with Cyber Security News (CSN) that the abuse did not involve any flaw or vulnerability in HPE OA itself.
The tool was simply weaponized because it already had legitimate and trusted access across the target environment.
The campaign stretched across more than 100 days, from the initial compromise to the moment incident response was finally engaged.
Attackers Using Trusted HPE Operations Agent
During that time, the attackers harvested credentials, moved laterally across sensitive systems including domain controllers and SQL servers, and set up covert tunnels using ngrok to maintain persistent access without being detected.
Since all activity flowed through a trusted management channel, it blended seamlessly with routine administrative work and stayed off the radar for an extended period.
The scale and patience of this campaign highlight a broader shift in how sophisticated attackers operate today.
Performed activities using HPOM (Source – Microsoft)
Their success is no longer measured by the sophistication of their malware but by how effectively they can disappear inside a trusted environment and remain there undetected for months.
The threat actor exploited the trust placed in HPE Operations Manager (HPOM), the central management server that drives the HPE Operations Agents installed on managed nodes. HPOM was managed by a third-party IT services provider on behalf of the targeted organization.
From that position, the attacker pushed VBScripts, specifically a file named abc003.vbs, to multiple servers including web servers and domain controllers across the environment.
These scripts quietly gathered system information, mapped the network, and performed Active Directory discovery.
Since the scripts ran through an approved and signed management platform, no security tool raised a flag.
Flow of credentials to the malicious network provider in the sign-in process (Source – Microsoft)
The attacker also deployed web shells named Errors.aspx and a modified Signoff.aspx on internet-facing servers, creating persistent backdoors that stayed active even if other individual tools were discovered and removed from the system.
Credential Theft and Lateral Movement Tactics
Once inside, the attackers turned their focus to stealing credentials directly at the source. They registered a malicious network provider DLL called mslogon.dll on domain controllers, which hooked into the Windows authentication process and captured usernames and passwords in plain text every time a user signed in or changed their password.
Stolen credentials were quietly written to a file under the shared C:\Users\Public\Music folder, making them easy to retrieve later without drawing attention.
Later in the campaign, a password filter DLL called passms.dll was also registered on two domain controllers, intercepting credentials at the system level whenever a password was modified.
Web shell creations and usage (Source – Microsoft)
A companion module called msupdate.dll worked alongside it to transfer captured data over a network file share and even had the ability to email stolen credentials out under the subject line “Update Service.”
The attacker also deployed ngrok on internal servers to create encrypted tunnels, enabling Remote Desktop Protocol sessions without opening any inbound firewall ports, since the tunnel is an outbound connection from the server to the ngrok service.
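Two of the behaviours described above, scripts launched through the HPE Operations Agent (the abc003.vbs pushes) and ngrok tunnels that expose RDP, both leave a trace in process-creation telemetry. The following Python is an added example, not code from Microsoft's report or from HPE, that runs two hunting rules over Sysmon Event ID 1 records. It assumes the agent executes actions through opcacta.exe and monitor scripts through opcmona.exe installed under C:\Program Files\HP\HP BTO Software\bin; the sample events are constructed for the example and include a benign scheduled-task script so the first rule can be seen not firing.

```python
"""Hunt Sysmon Event ID 1 (process creation) records for script hosts spawned by the
HPE Operations Agent and for ngrok TCP tunnels to RDP.
Added example for illustration; not Microsoft's or HPE's code."""
import shlex
from pathlib import PureWindowsPath

# Assumption: the HPE Operations Agent runs actions and scheduled tasks via
# opcacta.exe (action agent) and monitor scripts via opcmona.exe (monitor agent).
HPE_OA_EXECUTORS = {"opcacta.exe", "opcmona.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
RDP_PORT = "3389"

# Constructed sample events (Sysmon field names); the HP install path is an assumption.
SAMPLE_EVENTS = [
    {"Computer": "DC01", "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Program Files\HP\HP BTO Software\bin\opcacta.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\Temp\abc003.vbs"},
    {"Computer": "WEB-01", "Image": r"C:\Windows\System32\cscript.exe",   # benign scheduled task
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cscript.exe //B C:\Scripts\health.vbs"},
    {"Computer": "SQL01", "Image": r"C:\Users\Public\Music\ngrok.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ngrok.exe tcp --region eu 3389"},
    {"Computer": "DC02", "Image": r"C:\ProgramData\svc.exe", "OriginalFileName": "ngrok.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",                        # renamed binary
     "CommandLine": "svc.exe tcp 127.0.0.1:3389"},
    {"Computer": "DC01", "Image": r"C:\Program Files\HP\HP BTO Software\bin\opcmona.exe",
     "ParentImage": r"C:\Program Files\HP\HP BTO Software\bin\ovcd.exe",   # normal agent start
     "CommandLine": "opcmona.exe"},
]


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def tokens(cmdline: str) -> list:
    """Tokenise a Windows command line; posix=False keeps quoted paths together."""
    try:
        return [t.lower() for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes in a hostile command line
        return cmdline.lower().split()


def script_via_agent(ev: dict):
    """Rule 1: a script host spawned directly by an HPE OA executor process."""
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent in HPE_OA_EXECUTORS and child in SCRIPT_HOSTS:
        return {"rule": "script_via_hpe_oa", "host": ev.get("Computer"),
                "parent": parent, "cmdline": ev.get("CommandLine", "")}
    return None


def ngrok_rdp_tunnel(ev: dict):
    """Rule 2: ngrok (by file name or PE OriginalFileName) opening a TCP tunnel to 3389."""
    name = basename(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    if "ngrok" not in name and "ngrok" not in original:
        return None
    argv = tokens(ev.get("CommandLine", ""))
    if "tcp" not in argv:
        return None
    # the forwarded address is the last positional argument: "3389" or "127.0.0.1:3389"
    port = argv[-1].rsplit(":", 1)[-1]
    if port != RDP_PORT:
        return None
    return {"rule": "ngrok_rdp_tunnel", "host": ev.get("Computer"),
            "renamed": name != "ngrok.exe", "cmdline": ev.get("CommandLine", "")}


RULES = (script_via_agent, ngrok_rdp_tunnel)


def hunt(events: list) -> list:
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The first rule deliberately matches on the parent process rather than on the script name, because abc003.vbs is trivially renamed; what the attacker cannot easily change is that the agent's action process is the one launching the script host. The second rule keys on OriginalFileName as well as the file name so that a renamed ngrok binary is still caught.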
Microsoft recommends that organizations deploy endpoint detection and response (EDR) tools across all devices and apply a default-deny model for outbound traffic to block unauthorized connections.
They also advise enabling detailed logging on web servers and removing unnecessary tools and software that could be abused. Finally, they recommend actively monitoring for unexpected changes in authentication configuration, such as LSA notification packages and network provider registrations, to catch this type of stealthy abuse before it causes further damage.
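That last recommendation, and the two registrations described under Credential Theft and Lateral Movement Tactics above, come down to two registry locations: the Notification Packages value under the Lsa key (password filters such as passms.dll) and the ProviderOrder value plus each provider's ProviderPath (network providers such as mslogon.dll). The following Python is an added example, not Microsoft's or HPE's code, that parses the text `reg query` prints for those keys and diffs it against a known-good baseline. The baseline values, the provider name mslogon and the DLL paths in the constructed sample are assumptions made for the example; capture your own baseline from a clean domain controller rather than trusting the list here.

```python
"""Audit LSA Notification Packages and network provider registrations from the
text that `reg query` prints, against a known-good baseline.
Added example for illustration; not Microsoft's or HPE's code."""
import re

# Assumption: stock Windows domain controller baseline (rassfm is present only on DCs).
BASELINE_NOTIFICATION_PACKAGES = {"scecli", "rassfm"}
BASELINE_PROVIDERS = {  # provider name -> ProviderPath, both lower-cased
    "rdpnp": r"%systemroot%\system32\drprov.dll",
    "lanmanworkstation": r"%systemroot%\system32\ntlanman.dll",
    "webclient": r"%systemroot%\system32\davclnt.dll",
}
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
ORDER_KEY = r"hkey_local_machine\system\currentcontrolset\control\networkprovider\order"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"

# Constructed sample of what `reg query` would print on a DC carrying both implants.
# The provider/service name "mslogon" and the DLL path are assumptions for the example.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0passms

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
    ProviderOrder    REG_SZ    RDPNP,LanmanWorkstation,webclient,mslogon

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider
    ProviderPath    REG_EXPAND_SZ    %SystemRoot%\System32\drprov.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider
    ProviderPath    REG_EXPAND_SZ    %SystemRoot%\System32\ntlanman.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webclient\NetworkProvider
    ProviderPath    REG_EXPAND_SZ    %SystemRoot%\System32\davclnt.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mslogon\NetworkProvider
    ProviderPath    REG_EXPAND_SZ    C:\Windows\System32\mslogon.dll
"""


def parse_reg_query(text: str) -> dict:
    """Return {key path (lower-cased): {value name: (type, data)}} from `reg query` text."""
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):
            current = raw.strip().lower()
            keys.setdefault(current, {})
        elif current and raw.startswith(" "):
            # reg query separates name, type and data with runs of spaces; a value
            # name may itself contain a single space ("Notification Packages")
            parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys


def value(keys: dict, key: str, name: str) -> str:
    """Data of a value, or "" when the key or value is absent."""
    return keys.get(key, {}).get(name, ("", ""))[1]


def audit(keys: dict) -> list:
    """Return (finding, name, path) tuples for anything not on the baseline."""
    findings = []
    # 1. Every package listed here is loaded into LSASS and handed each new cleartext
    #    password (PasswordChangeNotify); reg query prints the REG_MULTI_SZ \0-separated.
    for pkg in value(keys, LSA_KEY, "Notification Packages").split(r"\0"):
        if pkg and pkg.lower() not in BASELINE_NOTIFICATION_PACKAGES:
            findings.append(("lsa_notification_package", pkg, ""))
    # 2. Every provider in ProviderOrder receives cleartext logon credentials via
    #    NPLogonNotify; check the name and where its DLL actually lives.
    for prov in filter(None, value(keys, ORDER_KEY, "ProviderOrder").split(",")):
        path = value(keys, SERVICES_KEY + "\\" + prov.lower() + r"\networkprovider", "ProviderPath")
        expected = BASELINE_PROVIDERS.get(prov.lower())
        if expected is None:
            findings.append(("network_provider_unknown", prov, path))
        elif path.lower() != expected:
            findings.append(("network_provider_path_changed", prov, path))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

To feed it real data, collect `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"`, `reg query HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order /v ProviderOrder` and the ProviderPath value under each listed provider's Services\<name>\NetworkProvider key from every domain controller and concatenate the output. For real-time alerting rather than periodic audit, the same two key paths are the TargetObject to watch in Sysmon Event ID 13 (registry value set).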
Indicators of Compromise (IoCs)

| Type | Indicator | Description |
| --- | --- | --- |
| File Name | abc003.vbs | VBScript deployed via HPE Operations Manager for system, network, and AD discovery |
| File Name | Errors.aspx | Initial web shell deployed on internet-facing web servers WEB-01 and WEB-02 |
| File Name | Signoff.aspx | Legitimate application page modified to load a secondary web shell |
| File Name | ghost.inc | Secondary web shell loaded from the Windows temporary directory |
| File Name | mslogon.dll | Malicious network provider DLL registered on domain controllers to capture plaintext credentials |
| File Name | passms.dll | Malicious password filter DLL registered on DC01 and DC02 to intercept credentials during password changes |
| File Name | msupdate.dll | Companion module that transferred encoded credential data via SMB and email exfiltration |
| File Path | C:\Users\Public\Music\abc123c.d | File path where cleartext credentials captured by mslogon.dll were stored |
| File Path | C:\ProgramData\WindowsUpdateService\UpdateDir\Ipd | File path where encoded credential data captured by passms.dll was written |
| File Name | icon02.jpeg | File name used to disguise exfiltrated credential data written to remote SMB shares |
| Tool | ngrok | Legitimate tunneling tool abused to expose internal servers via encrypted RDP tunnels |
| Email Subject | Update Service | Subject line used by msupdate.dll for outbound credential exfiltration via SMTP |