The Curious Case of an Egg-Cellent Resume
ID: f3253c89-cf6e-509b-9052-05a6fd98eac5
STIX ID: report--f3253c89-cf6e-509b-9052-05a6fd98eac5
Feed Name: The DFIR Report
This DFIR report analyzes a March 2024 intrusion attributed to TA4557/FIN6. The attackers used resume-themed lures to deliver a staged infection: a side-loaded copy of ie4uinit.exe, followed by the more_eggs backdoor executed through msxsl.exe. They later deployed Cobalt Strike and Pyramid C2, exploited CVE-2023-27532 against a Veeam backup server to create local and domain admin accounts, exfiltrated credentials (LSASS memory and the Veeam database), and installed Cloudflared tunnels for persistent remote access. CVE-2023-27532 is a Veeam Backup & Replication flaw in the Veeam.Backup.Service (TCP 9401) that lets an unauthenticated client obtain the credentials stored in the configuration database and, as in this case, run commands on the backup server; exposed 9401 listeners on unpatched servers are the check to make. The report provides a timeline, TTP mapping, sample IOCs (domains, IPs, hashes), and detection rules.
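The chain above (renamed ie4uinit.exe running outside the system directories, msxsl.exe executing an XSL script, account creation via net.exe, and a cloudflared tunnel) is easy to express as process-creation heuristics. The following is an added example written for this page, not one of the detection rules from The DFIR Report; the event fields mirror Sysmon Event ID 1 (image, command line, parent) and the sample events are constructed, as are the hypothetical account and path names.

```python
"""Added example (editor's own, not The DFIR Report's rules): process-creation
heuristics for the more_eggs delivery chain, run over constructed events."""
import ntpath
import re
from dataclasses import dataclass

# Directories where the signed Windows copy of ie4uinit.exe legitimately lives.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str      # full path of the started process
    cmdline: str    # command line as logged
    parent: str     # full path of the parent process


def _in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def detect(ev: ProcEvent) -> list[str]:
    """Return the list of heuristic names that fire for one event."""
    hits = []
    name = ntpath.basename(ev.image).lower()
    cmd = ev.cmdline.lower()

    # Stage 1: a signed LOLBin copied next to a malicious DLL for side-loading.
    if name == "ie4uinit.exe" and not _in_system_dir(ev.image):
        hits.append("ie4uinit.exe executed from non-system path")

    # Stage 2: msxsl.exe runs script embedded in an XSL file (more_eggs loader).
    if name == "msxsl.exe" and ".xsl" in cmd:
        hits.append("msxsl.exe executing XSL script")

    # Post-exploitation: local/domain account creation and admin group changes.
    if name in ("net.exe", "net1.exe") and "/add" in cmd:
        if re.search(r"\buser\b", cmd):
            hits.append("local/domain account creation via net.exe")
        if re.search(r"\b(localgroup|group)\b", cmd) and "admin" in cmd:
            hits.append("addition to admin group via net.exe")

    # Persistence: cloudflared tunnel started or installed as a service.
    if name == "cloudflared.exe" and "tunnel" in cmd and re.search(r"\b(run|install)\b", cmd):
        hits.append("cloudflared tunnel started/installed")

    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> hits, for events that triggered at least one heuristic."""
    results = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample events (hypothetical paths and account names).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\hr\AppData\Roaming\Adobe\ie4uinit.exe", "ie4uinit.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\ie4uinit.exe", "ie4uinit.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Users\hr\AppData\Local\Temp\msxsl.exe", "msxsl.exe in.xml payload.xsl",
              r"C:\Users\hr\AppData\Roaming\Adobe\ie4uinit.exe"),
    ProcEvent(r"C:\Windows\System32\net.exe", "net user svc_backup Str0ngPass /add", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\net.exe", "net localgroup administrators svc_backup /add",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\ProgramData\cloudflared.exe", "cloudflared.exe tunnel run --token REDACTED_TOKEN",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, hits)
```

Only the renamed ie4uinit.exe (event 0), the msxsl.exe launch, the two net.exe commands and the cloudflared tunnel fire; the legitimate ie4uinit.exe in System32 and notepad.exe do not. In production the side-load stage is better caught on the image-load event for the DLL next to the copied binary, and the Veeam-side activity on the backup server needs its own rules; this block covers only what a process-creation feed can see.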
