• Initial access was via a resume lure as part of a TA4557/FIN6 campaign.
• The threat actor abused LOLbins like ie4uinit.exe and msxsl.exe to run the more_eggs malware.
• Cobalt Strike and python-based C2 Pyramid were employed by the threat actor for post-exploitation activity.
• The threat actor abused CVE-2023-27532 to exploit a Veeam server and facilitate lateral movement and privilege escalation activities.
• The threat actor installed Cloudflared to assist in tunneling RDP traffic.
• This case was first published as a Private Threat Brief for customers in April of 2024.
• Eight new rules were created from this report and added to our Private Detection Ruleset.

Read the new Microsoft Threat Intelligence tax season report to learn about the techniques that threat actors use to mislead taxpayers.

ESET researchers uncover a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, including a publicly undocumented backdoor we named LightlessCan.

We reveal how hackers have begun leveraging fake DDoS protection pages to trick users into downloading remote access trojans (RATs) onto their computers.