Initial access via phishing and exploitation of public-facing vulnerabilities (CVEs)
Use of Cobalt Strike for command and control (C2) and lateral movement
Data exfiltration using Rclone and other cloud synchronization tools
Credential harvesting via Mimikatz and LSASS dumping
Lateral movement utilizing RDP, SMB, and PsExec
Double extortion via a proprietary data leak site
Disabling security software and deleting volume shadow copies to prevent recovery