From OneNote to RansomNote: An Ice Cold Intrusion
ID: 48a73195-6d3c-5639-8fab-a79507f6b4cc
STIX ID: report--48a73195-6d3c-5639-8fab-a79507f6b4cc
Feed Name: The DFIR Report
**Executive summary:** A multi-stage intrusion beginning in late February 2023 started with malicious OneNote attachments that delivered IcedID, which then maintained long-term C2 beaconing. On day 33 the attackers deployed Cobalt Strike and AnyDesk, performed Active Directory discovery, stole credentials from LSASS memory, and moved laterally; they used FileZilla to exfiltrate data and finally deployed Nokoyawa ransomware, encrypting two servers roughly 34 days after initial access (Time to Ransomware approximately 812 hours). The report provides comprehensive IOCs (domains, IPs, file hashes), detailed behavioral TTPs (process injection, masquerading, scheduled tasks, RDP and AnyDesk use), detection recommendations, and related Sigma and YARA rules.
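Two of the behaviours in the summary are cheap to hunt for in endpoint telemetry: a OneNote process spawning a shell or script host (the initial-access step) and a non-system process opening lsass.exe with read access (the credential theft step). The triage script below is an added example, not code or detection content from The DFIR Report; it runs over constructed Sysmon-style events (field names mirror Sysmon Event ID 1 ProcessCreate and Event ID 10 ProcessAccess) and the parent/child lists, the LSASS allowlist and the sample events are assumptions to be tuned for a real estate.

```python
"""Triage detection over constructed Sysmon-style events (added example)."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Child processes a document viewer has no business spawning.
# Assumption: a starting list for a hunt, not the report's own rule content.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "curl.exe"}
OFFICE_PARENTS = {"onenote.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Windows PROCESS_VM_READ access right; reading LSASS memory needs at least this.
PROCESS_VM_READ = 0x0010
# Processes expected to open lsass.exe on a typical host (assumption; tune per estate).
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\windows\system32\lsass.exe", r"c:\windows\system32\services.exe"}


@dataclass
class Event:
    event_id: int      # Sysmon: 1 = ProcessCreate, 10 = ProcessAccess
    host: str
    fields: dict


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_child(ev: Event) -> Optional[str]:
    """Office/OneNote parent launching a shell or script interpreter."""
    if ev.event_id != 1:
        return None
    parent = basename(ev.fields.get("ParentImage", ""))
    child = basename(ev.fields.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return f"{ev.host}: {parent} spawned {child}: {ev.fields.get('CommandLine', '')}"
    return None


def detect_lsass_access(ev: Event) -> Optional[str]:
    """Non-allowlisted process opening lsass.exe with memory-read rights."""
    if ev.event_id != 10:
        return None
    if basename(ev.fields.get("TargetImage", "")) != "lsass.exe":
        return None
    source = ev.fields.get("SourceImage", "").lower()
    granted = int(ev.fields.get("GrantedAccess", "0x0"), 16)
    if source not in LSASS_ALLOWLIST and granted & PROCESS_VM_READ:
        return f"{ev.host}: {source} opened lsass.exe with access 0x{granted:x}"
    return None


def triage(events: Iterable[Event]) -> list:
    """Run every detector over every event; return the alert lines in order."""
    alerts = []
    for ev in events:
        for detector in (detect_office_child, detect_lsass_access):
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events for illustration, not telemetry from the report.
SAMPLE_EVENTS = [
    Event(1, "ws01", {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
                      "Image": r"C:\Windows\System32\cmd.exe",
                      "CommandLine": 'cmd.exe /c start /min "" attachment.cmd'}),
    Event(1, "ws01", {"ParentImage": r"C:\Windows\explorer.exe",
                      "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
                      "CommandLine": "ONENOTE.EXE"}),
    Event(10, "ws01", {"SourceImage": r"C:\Windows\System32\csrss.exe",
                       "TargetImage": r"C:\Windows\System32\lsass.exe",
                       "GrantedAccess": "0x1400"}),
    Event(10, "dc01", {"SourceImage": r"C:\Windows\System32\rundll32.exe",
                       "TargetImage": r"C:\Windows\System32\lsass.exe",
                       "GrantedAccess": "0x1010"}),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Only the first and last sample events fire: a user opening OneNote from Explorer is normal, and csrss.exe opening LSASS without PROCESS_VM_READ is routine. In production the allowlist should be keyed on signed, full-path images, since the masquerading noted in the summary (a payload renamed to look like a system binary) defeats a name-only check.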
