The threat actor initially exploited CVE-2023-22527 on a public-facing Confluence server to achieve remote code execution. They followed a repeatable command sequence—installing AnyDesk, creating admin accounts, and enabling RDP—indicating automation or a playbook. Credential theft tools like Mimikatz, ProcessHacker, and Secretsdump were used....