Threat Research

    The intrusion began in September 2024 via a malicious EarthTime installer that deployed SectopRAT and connected to its C2 server. Persistence was established by moving the file and adding a Startup shortcut, followed by creating a local admin account. The actor deployed SystemBC, accessed the host via RDP, ran discovery commands, and performed a DCSync attack....