
Hide Your RDP: Password Spray Leads to RansomHub Deployment

ID: cca6f5e7-7851-5300-9428-3effa1d7d8e5

STIX ID: report--cca6f5e7-7851-5300-9428-3effa1d7d8e5

Feed Name: The DFIR Report

Threat Score: 78/100

Date Published: 2025-06-30

Date Updated: 2026-04-19

Author: editor


This report documents a November 2024 intrusion in which attackers gained initial access via RDP password spraying, used credential-harvesting tools (Mimikatz, Nirsoft) and living-off-the-land discovery to escalate privileges and move laterally to domain controllers, exfiltrated approximately 2.03 GB of targeted files using Rclone over SFTP, and deployed RansomHub ransomware, which propagated via SMB and was executed remotely. Persistent access was maintained through legitimate RMM tools (Atera, Splashtop).
