Sophisticated spear-phishing
Social engineering via fake personas (journalists, academics, NGOs)
Honeytrap operations
Credential harvesting
Exploitation of enterprise vulnerabilities (e.g., ProxyShell, Exchange EWS)
Custom malware (BellaCPP, HYPERSCRAPE)
Abuse of legitimate RMM tools (Atera, AnyDesk, ScreenConnect)
AI-assisted disinformation
Cloud-centric identity intelligence collection
Telegram-based C2 and operator notifications