ClickFix-style social engineering lures
Spear-phishing via LNK files in ZIP archives
Abuse of mshta.exe for script execution
Use of BroaderAspect .NET loader for persistence
Deployment of Delphi-compiled malware to evade detection
Rapid rotation of RATs (DRAT V2, XenoRAT, SparkRAT, AresRAT, CurlBack, etc.)
Custom TCP-based server-initiated C2 protocols
Use of bulletproof European hosting infrastructure