From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
ID: a69a5c88-d5b5-5e8c-817f-c9d9885192cf
STIX ID: report--a69a5c88-d5b5-5e8c-817f-c9d9885192cf
Feed Name: The DFIR Report
A multi-stage intrusion (May 2024) attributed to Lunar Spider/Latrodectus began with a malicious tax-themed JavaScript file that dropped an MSI, which installed Brute Ratel; Brute Ratel then deployed Latrodectus and ultimately Cobalt Strike and a .NET backdoor. The actor performed host and domain enumeration, obtained plaintext domain admin credentials from an unattend.xml file, used Zerologon against domain controllers, maintained persistent BackConnect VNC access, exfiltrated data via a renamed rclone binary over FTP, and retained intermittent access for nearly two months. Extensive IOCs are provided.
