Spear-phishing using ministry/department reorganization decoys
Exploitation of N-day vulnerabilities (e.g., Microsoft Exchange, SAP, Atlassian Crowd CVE-2019-11580)
ShadowGuard (custom Linux kernel-level eBPF rootkit)
Web shells (Behinder, Neo-reGeorg, Godzilla)
Cobalt Strike, VShell, Havoc, Sliver, and SparkRAT
C2 tunneling via GOST, FRPS, and IOX utilities
Sandbox evasion (screen resolution and file-based integrity checks)