HTML Smuggling Leads to Domain Wide Ransomware
ID: dca7b5e1-de6e-5616-9e2f-f355a78b400f
STIX ID: report--dca7b5e1-de6e-5616-9e2f-f355a78b400f
Feed Name: The DFIR Report
This DFIR report documents a Nokoyawa ransomware campaign in which an email-delivered HTML smuggling lure delivered a password-protected ZIP/ISO whose LNK executed IcedID (via a renamed rundll32). From that foothold the intrusion progressed to Cobalt Strike deployment, credential theft, lateral movement to domain controllers and backup infrastructure, and full network encryption via PsExec/WMIC within ~12 hours. The report includes extensive IOCs (IPs, domains, JA3s, SSL certificate data, filenames and hashes), persistence artifacts (a scheduled task), discovery commands, and attribution to TA551 (distributor) and Microsoft-tracked Storm-0390.
