Case Studies

Success Stories

Case studies—Next.js exploitation, zero-day workflows, crypto miners, and C2 infrastructure discovery.

Last updated May 2026

Success stories overview

These case studies reflect operational patterns seen across H1VE deployments—names anonymized, timelines condensed. Use them in customer briefings and internal SOC training.

Screenshot placeholder (Timeline View): Investigation timeline spanning multiple lures with Critical markers and cross-lure IP correlation.

Screenshot placeholder (Attack Analysis): Attack analysis modal or Research view showing CVE match, raw request, and Nuclei rule hit.

Next.js middleware exploitation detection

Executive Summary

A financial services customer deployed a Next.js CVE research lure alongside production-mimic portals. Within 48 hours, H1VE captured chained middleware bypass attempts not yet in public scanner templates.

Timeline

  • T+0h: Baseline scan wave

    Nuclei templates hit VPN lures; low-severity noise suppressed.

  • T+36h: Anomalous POST to Next lure

    Unusual header combination flagged Potential 0-Day.

  • T+40h: Exploit chain replay

    Second IP reproduced payload; campaign edge created.

  • T+72h: WAF export

    IOCs pushed to Cloudflare custom ruleset.

Technical Findings

  • Raw body preserved—enabled diff against public PoC
  • Two independent ASNs within 4 hours suggested tooling share, not single script kiddie
  • Research lure isolated from clone assets—no cross-container bleed

Customer Impact

Production WAF rules deployed 11 days before vendor advisory reached the customer's sector ISAC.

Actions Taken

  • Escalated IP to Investigation → KE-LA enrichment
  • Exported campaign CSV to SIEM
  • Scheduled Automation to deploy additional Node-adjacent lures

Lessons Learned

  • Maintain at least one research-class lure per major framework in your stack
  • Potential 0-Day queue needs dedicated analyst ownership—not optional backlog

Zero-day discovery workflow

Executive Summary

MSSP workspace flagged unknown RCE pattern against Apache Tomcat lure. Correlation across three lures linked a single actor cluster before public CVE assignment.

Timeline

  • Day 1: Tomcat lure Critical

    Non-catalog payload size and Content-Type mismatch.

  • Day 2: Cross-lure pivot

    Same JARM outbound from Grafana lure.

  • Day 5: CVE assigned

    Public CVE matched internal fingerprint.

Technical Findings

  • Outbound callback attempted DNS exfil pattern—caught by SSRF logic
  • Artifact hash not in VirusTotal at time of capture

Customer Impact

Affected end-customer patched Tomcat tier during attacker dwell time—no production compromise confirmed.

Actions Taken

  • Preserved PCAP upload from lure
  • Coordinated disclosure via customer PSIRT
  • Updated admin suppression after CVE published

Lessons Learned

  • Preserve artifacts before blocking IP when safe
  • Timeline view essential for MSSP multi-tenant context switching

Crypto miner deployment detection

Executive Summary

ICS customer OpenPLC lure emitted process telemetry consistent with XMRig dropper after initial Modbus enumeration.

Timeline

  • +2m: Modbus scan

    Scanner group match; informational.

  • +18m: Web UI auth brute force

    Critical on VPN persona sibling lure.

  • +41m: Miner binary written

    File telemetry plus outbound pool connection.

Technical Findings

  • Process name masquerading as systemd-update
  • Outbound to known pool port blocked at egress firewall

Customer Impact

Confirmed attacker would have pivoted to OT-adjacent decoy; production PLC network unaffected.

Actions Taken

  • Blocked IP at Fortinet WAF integration
  • Added scanner group merge in Admin

Lessons Learned

  • Privileged lure images require egress controls—not just container isolation

C2 infrastructure discovery

Executive Summary

Repeated VPN lure interactions led to C2 tag via JARM + OSINT convergence; infrastructure reused across two customer workspaces (MSSP).

Timeline

  • Week 1: Initial beacon

    Low-volume HTTPS callbacks from clone lure.

  • Week 2: JARM match

    C2 module positive on two IPs.

  • Week 3: KE-LA enrichment

    Actor infrastructure graph expanded.

Technical Findings

  • Certificate serial reuse across ASNs
  • Campaign export linked 14 lures across workspaces
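The cross-lure correlation behind these findings and the Next.js case above (a second IP replaying the same payload creates a campaign edge; two ASNs inside four hours points to shared tooling rather than one operator; JARM and certificate serial reuse links IPs across lures) is sketched below as an added example. It is not H1VE's code; the event records, field names and indicator values are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lure hits (RFC 5737 addresses, private-use ASNs, fake hashes).
EVENTS = [
    {"ts": "2026-03-01T00:00:00", "lure": "nextjs-research", "ip": "198.51.100.7", "asn": 64500,
     "payload_sha256": "aa11", "jarm": None, "cert_serial": None},
    {"ts": "2026-03-01T03:10:00", "lure": "nextjs-research", "ip": "203.0.113.21", "asn": 64501,
     "payload_sha256": "aa11", "jarm": None, "cert_serial": None},
    {"ts": "2026-03-02T09:00:00", "lure": "vpn-clone", "ip": "192.0.2.50", "asn": 64502,
     "payload_sha256": None, "jarm": "27d40d...", "cert_serial": "1f"},
    {"ts": "2026-03-09T11:00:00", "lure": "grafana-clone", "ip": "192.0.2.77", "asn": 64503,
     "payload_sha256": None, "jarm": "27d40d...", "cert_serial": "1f"},
    {"ts": "2026-03-03T12:00:00", "lure": "tomcat-research", "ip": "198.51.100.9", "asn": 64500,
     "payload_sha256": "bb22", "jarm": None, "cert_serial": None},
]
SHARED_KEYS = ("payload_sha256", "jarm", "cert_serial")  # indicators worth linking on


def _index(events):
    """Group hits by (indicator kind, value) so identical indicators from different IPs meet."""
    idx = defaultdict(list)
    for e in events:
        for k in SHARED_KEYS:
            if e[k]:
                idx[(k, e[k])].append(e)
    return idx


def campaign_edges(events):
    """Edges (ip_a, ip_b, kind, value): two distinct source IPs that presented the same indicator."""
    edges = set()
    for (k, v), hits in _index(events).items():
        ips = sorted({h["ip"] for h in hits})
        edges.update((a, b, k, v) for i, a in enumerate(ips) for b in ips[i + 1:])
    return sorted(edges)


def tooling_share(events, kind="payload_sha256", window=timedelta(hours=4)):
    """Indicator values replayed from two or more ASNs inside `window`: shared tooling, not one script."""
    flagged = []
    for (k, v), hits in _index(events).items():
        if k != kind or len({h["asn"] for h in hits}) < 2:
            continue
        times = sorted(datetime.fromisoformat(h["ts"]) for h in hits)
        if times[-1] - times[0] <= window:
            flagged.append(v)
    return flagged


if __name__ == "__main__":
    print(campaign_edges(EVENTS))
    print(tooling_share(EVENTS))
```

Run stand-alone it prints three edges (two linking the VPN and Grafana clone hits via JARM and certificate serial, one linking the two Next.js hits via payload hash) and flags payload `aa11` as tooling shared across two ASNs.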

Customer Impact

Shared intel blocked infrastructure at 3 MSSP customers before ransomware deployment phase.

Actions Taken

  • Hidden Hand rescan triggered from Investigation
  • Webhook to SOAR playbook for auto-ticket

Lessons Learned

  • C2 tags without evidence erode trust—H1VE evidence gate validated in briefing
  • Cross-workspace campaign export is differentiator for MSSPs