Exploitation of REDCap (Research Electronic Data Capture) servers
Deployment of custom malware (INFINITERED)
Use of trojanized system files as recursive droppers
Credential harvesting via web application vulnerabilities (CWE-287, CWE-494)
Persistence via web shells (e.g., help.php)
Stealthy data exfiltration via domain content compliance rules (BCC forwarding to Gmail)
Abuse of enterprise administrative tools for lateral movement
Disciplined operational security to evade EDR and network monitoring