Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

released on 2025-09-08 @ 10:59:08 PM
An intrusion began with a user downloading and executing a malicious file impersonating DeskSoft's EarthTime application, which deployed SectopRAT malware. The threat actor used multiple malware families, including SystemBC and Betruger, and various tools for reconnaissance and lateral movement. They moved across systems using RDP and Impacket's wmiexec, maintaining persistence through local account creation and startup folder shortcuts. Data was collected using WinRAR and exfiltrated via WinSCP to an FTP server. The discovery of tools linked to Play ransomware, DragonForce ransomware, and RansomHub suggests the threat actor was likely an affiliate operating across multiple ransomware groups.