Exploitation of public-facing vulnerabilities (e.g., Ivanti CVE-2024-8963, CVE-2024-8190)
Use of Operational Relay Box (ORB) networks (e.g., KMA VPN) to mask C2 traffic
Deployment of modular backdoor platforms (ShadowPad)
Use of custom Go-based backdoors (GOREshell, HydroRShell, RClient)
Spear-phishing using Microsoft Word documents with VBA macros
Strategic reconnaissance of internet-facing infrastructure
Supply chain targeting via third-party logistics providers