Komari Red: The Monitoring Tool with a Built-in Reverse Shell
ID: ceb1bbd8-f8ca-5e07-93aa-f3430dfb7b17
STIX ID: report--ceb1bbd8-f8ca-5e07-93aa-f3430dfb7b17
Feed Name: Huntress Blog
Huntress describes a confirmed intrusion in which stolen VPN credentials were used for smbexec-based lateral movement and RDP, after which the Komari monitoring agent was installed with NSSM as a SYSTEM service masquerading as "Windows Update Service"; Komari's built-in WebSocket-based exec, terminal and ping features then served as a persistent C2 channel. The report includes a forensic timeline, IoCs (binary hash, IPs, install URL, registry and service keys), an analysis of Komari's protocol and capabilities, and the remediation steps taken to contain the incident.
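The persistence mechanism in the summary (an NSSM-wrapped service, running as SYSTEM, with a display name borrowed from a Windows component) leaves artifacts that can be hunted without the report's IoCs. The PowerShell below is an added illustration, not code from the Huntress post or from the Komari project: it enumerates services and flags any whose binary is nssm.exe, whose NSSM `Parameters\Application` registry value points at a wrapped program, or whose display name reuses "Windows Update Service" without being the genuine `wuauserv` service. The display-name string is taken from the summary; the service name and binary path used in the actual intrusion are not reproduced here and the matching patterns are assumptions.

```powershell
# Added hunt example (not from the Huntress report): surface services that
# look like NSSM wrappers or that masquerade as the Windows Update service.
# The report's real service name, hash and paths are NOT reproduced here;
# the patterns below are assumptions for illustration only.
$suspectDisplayNames = @('Windows Update Service')   # from the summary

$findings = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $reasons = @()

    # NSSM runs nssm.exe as the service binary and records the wrapped
    # program under HKLM\...\Services\<name>\Parameters (Application,
    # AppDirectory, AppParameters).
    if ($svc.PathName -match '(?i)nssm(64)?\.exe') {
        $reasons += 'service binary is nssm.exe'
    }

    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app = (Get-ItemProperty -Path $paramKey -Name Application `
                -ErrorAction SilentlyContinue).Application
    if ($app) {
        $reasons += "NSSM Parameters\Application = $app"
    }

    # The legitimate Windows Update service is wuauserv, display name
    # "Windows Update", hosted by svchost.exe. Anything else carrying a
    # look-alike display name is worth a closer look.
    if ($suspectDisplayNames -contains $svc.DisplayName -and $svc.Name -ne 'wuauserv') {
        $reasons += 'display name masquerades as Windows Update'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Account     = $svc.StartName      # LocalSystem in the described case
            StartMode   = $svc.StartMode
            Path        = $svc.PathName
            Reasons     = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it elevated so the `Parameters` subkeys are readable. A hit on the registry check is the strongest signal: NSSM can be renamed, but the wrapper still needs the `Application` value to know what to launch, so that key survives even when the service binary name is not "nssm".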
