Let's Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity
ID: 680bf003-50b1-54a4-90ea-da3690a9a5bc
STIX ID: report--680bf003-50b1-54a4-90ea-da3690a9a5bc
Feed Name: The DFIR Report
This report analyzes an open directory that revealed over a year of activity by a persistent threat actor who scanned and exploited numerous public-facing services across the government, defense, finance, telecoms and other sectors. The actor used open-source tooling (httpx, nuclei, sqlmap, ghauri), commodity C2 frameworks (Sliver, Metasploit) and exploit scripts for multiple CVEs. Observed actions include SQL injection data theft; remote code execution against Exchange, VMware, WebLogic and other services; deployment of web shells; lateral movement; credential harvesting (LSA, NTDS, DCSync, Golden Ticket); and resource hijacking via the xmrig crypto-miner. The report includes extracted IOCs (domains, IPs, hashes, Sliver beacons) and detailed MITRE ATT&CK-mapped TTPs.
