SOC Incident Toolkit
VENOMOUS HELPER / STAC6405 Dual RMM Phishing Campaign Targeting 80+ Organisations

Tags: VENOMOUS#HELPER, STAC6405, ScreenConnect, LogMeIn Resolve, JWrapper, dual-RMM, phishing, SSA impersonation, Punchbowl lure, Evite lure, IRS lure, RMM abuse, Initial Access Broker, ransomware precursor, Safe Mode persistence, wmic.exe.bak, financially motivated

An active phishing campaign tracked by Securonix as VENOMOUS HELPER and overlapping with the Sophos cluster STAC6405 has been impersonating the U.S. Social Security Administration (SSA) and using other lures - event invitations, tender invitations, and IRS forms - to deliver legitimate, vendor-signed Remote Monitoring and Management (RMM) software for silent, persistent access. Securonix reports that more than 80 organisations have been impacted, predominantly in the United States, since at least April 2025.

Indicators of Compromise

Domains (4)

delicate-dew.serveftp.com
exploit_siak_bahasa.py
systemd-update.service
exfil_docs_v2.sh

Hashes (4)

974E272AD1DC7D5AADC3C7A48EC00EB201D04BA59EC5B0B17C2F8E9CD2F9C9CD
734F0D04DC2683E19E629B8EC7F55349B5BCFF4EB4F2F36F6ADBBDE1C023A24F
1CFEADF01D24182362887B7C5F683E8BDB0E84CDDCE03E3B7564B2D9AB5D15CF
64674342041873DBB18B1DD9BB1CA391AF85B5E755DEFFB4C1612EF668349325

IPv4 (1)

95.111.250.175

Notes

CONCLUSION

VENOMOUS#HELPER / STAC6405 is a textbook illustration of why signature-based detection alone has stopped being sufficient against modern initial-access operations. Every binary in the chain - SimpleHelp 5.0.1, ScreenConnect, LogMeIn Resolve - carries a valid Authenticode signature from a globally trusted CA. Antivirus sees nothing unusual, Windows SmartScreen and Mark-of-the-Web protections are bypassed by the certificates, and network controls see outbound traffic to commercial software endpoints rather than to known-malicious infrastructure.

What remains visible is behaviour. Periodic SecurityCenter2 enumeration on a 67-second cadence, mouse-position polling, the creation of a 'Remote Access Service' Windows service with a SafeBoot persistence key, and the placement of wmic.exe.bak in the wbem directory are all artefacts that no legitimate IT use of SimpleHelp would produce. Defenders should anchor their detection strategy on those behaviours rather than on file hashes alone, because the operator can - and will - rotate file hashes, lure themes, and distribution domains.

Strategically, the campaign should be treated as an Initial Access Broker storefront. The relatively low operator engagement after install, the broad sector targeting, and the dual-RMM redundancy together describe an access-as-a-service operation that monetises later through ransomware deployment, data theft, or onward sale. Critical controls for defenders: maintain a strict allow-list of approved RMM tools and enforce it through Application Control; restrict who can grant UAC approval; remove default browser credential storage in favour of passkeys or enterprise password managers; and treat the IOCs in this advisory as a starting point for retro-hunting in EDR, email gateway, and proxy logs. SOCRadar customers can leverage IOC Radar, Cyber Threat Intelligence, and Attack Surface Management to identify exposure to this activity at speed.

Mitigation

Reference: https://attack.mitre.org/

Columns: Technique ID | Technique Name | Tactic | Mitigation ID
  Description

T1566.001 | Phishing: Spearphishing Attachment | Initial Access | M1049
  Antivirus / Antimalware - Deploy advanced email security with attachment sandboxing and URL detonation. Inspect file extensions before delivery and quarantine JWrapper-packaged executables masquerading as government documents.

T1566.002 | Phishing: Spearphishing Link | Initial Access | M1017
  User Training - Train users to spot SSA, Punchbowl/Evite, IRS-themed and tender-invitation lures. Encourage hover-before-click and reporting of links pointing to .com.mx or unfamiliar TLDs claiming to host U.S. government content.

T1219 | Remote Access Software | Command and Control | M1038
  Execution Prevention - Maintain a strict allowlist of approved RMM tools. Block unsanctioned RMM binaries (SimpleHelp, ScreenConnect, LogMeIn Resolve, Atera, PDQ Connect, ITarian) at the endpoint via Application Control or AppLocker.

T1543.003 | Create or Modify System Process: Windows Service | Persistence / Privilege Escalation | M1018
  User Account Management - Restrict service-creation rights to admins only. Audit new services in C:\ProgramData\ subdirectories, especially services with the display name 'Remote Access Service'.

T1562.009 | Impair Defenses: Safe Mode Boot | Defense Evasion | M1024
  Restrict Registry Permissions - Audit and restrict write access to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot. Alert on any new subkey created under SafeBoot\Network outside change windows.

T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Defense Evasion / Privilege Escalation | M1026
  Privileged Account Management - Restrict SeDebugPrivilege to a small, audited group. Use Credential Guard and Protected Process Light (PPL) to harden winlogon.exe against token theft.

T1548.002 | Abuse Elevation Control Mechanism: Bypass UAC | Privilege Escalation | M1052
  User Account Control - Set UAC to its highest enforcement level. Where possible, remove local-admin rights from end-user accounts so a UAC approval cannot grant SYSTEM-level access.

T1518.001 | Software Discovery: Security Software Discovery | Discovery | M1042
  Disable or Remove Feature or Program - Restrict use of WMI namespace root\SecurityCenter2 to administrators. Detect periodic enumeration of AntiVirusProduct, AntiSpywareProduct, and FirewallProduct from non-administrator processes.

T1036.003 | Masquerading: Rename System Utilities | Defense Evasion | M1038
  Execution Prevention - Block executions where a process binary's filename does not match its embedded original filename. Specifically alert on wmic.exe.bak placed in C:\Windows\System32\wbem\.

T1497.001 | Virtualization/Sandbox Evasion: System Checks | Defense Evasion | M1040
  Behavior Prevention on Endpoint - Use EDR behavioral rules that flag periodic mouse-position polling and idle-state probing - signals consistent with operator wait-for-idle techniques.

T1027 | Obfuscated Files or Information
0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Defense Evasion</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1049</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Antivirus / Antimalware - Use static and dynamic analysis to inspect JWrapper-style installers. 
Decrypted hex-encoded launch properties and oversized PE overlays are useful triage signals.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1584.001</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Compromise Infrastructure: Domains</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Resource Development</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1031</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Network Intrusion Prevention - Filter traffic to newly-seen .com.mx, .top and .run.place domains, especially those serving Windows executables. Maintain DNS and proxy block lists for the campaign IOCs in this advisory.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1204.002</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">User Execution: Malicious File</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 
0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Execution</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1017</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">User Training - Educate users that valid Authenticode signatures (including 'SimpleHelp Ltd' and 'ConnectWise') do not by themselves indicate a safe executable. 
Files arriving via SSA/IRS/event-invitation themes should never be opened.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1573</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Encrypted Channel</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; 
color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1031</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Network Intrusion Prevention - Inspect outbound TLS to non-corporate cloud or commodity VPS providers (e.g., IONOS DE AS8560). Apply egress allowlists for endpoints that have no business reason to reach 213.136.71.246 or 84.200.205.233.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1555.003</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Credentials from Password Stores: Web Browsers</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 
0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Credential Access</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1027</span></p></td><td style="border-left:solid #efefef 0.5pt;border-right:solid #efefef 0.5pt;border-bottom:solid #efefef 0.5pt;border-top:solid #efefef 0.5pt;vertical-align:middle;background-color:#efefef;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Password Policies - Migrate users to passkeys or enterprise password managers, and disable browser-built-in credential storage in policy. This neutralises the infostealer secondary stage observed by Sophos.</span></p></td></tr></tbody></table></div></span>
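Detection logic for the first two rows of the table (periodic root\SecurityCenter2 enumeration from a non-administrator process, and a system utility renamed to wmic.exe.bak in the wbem directory), written as an added example rather than the advisory's own tooling. The event schema, the process name suspect.exe and the timestamps are constructed; the 67-second cadence matches the one described in the conclusion.

```python
"""Added example (not the advisory's tooling): detection logic for the
SecurityCenter2-enumeration and wmic.exe.bak rows of the mitigation table.
Field names are an assumed normalised event schema, not a vendor format."""
from collections import defaultdict
from datetime import datetime
from statistics import median

SC2_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}


def periodic_securitycenter2_enum(events, min_queries=3, jitter_s=5):
    """Map process -> cadence in seconds for non-admin processes that query the
    AV/antispyware/firewall classes in root\\SecurityCenter2 on a steady interval
    (all gaps within jitter_s). One-off admin queries are ignored."""
    by_proc = defaultdict(list)
    for e in events:
        if (e.get("type") == "wmi_query"
                and e["namespace"].lower() == r"root\securitycenter2"
                and e["wmi_class"] in SC2_CLASSES and not e["is_admin"]):
            by_proc[e["process"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for proc, times in by_proc.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= max(min_queries, 2) and max(gaps) - min(gaps) <= jitter_s:
            hits[proc] = median(gaps)
    return hits


def renamed_system_utilities(events):
    """List created files whose on-disk name differs from the PE's embedded
    OriginalFileName (the M1038 check); wmic.exe.bak in wbem is the campaign case."""
    flagged = []
    for e in events:
        if e.get("type") == "file_create":
            name = e["path"].rsplit("\\", 1)[-1].lower()
            if name != e["original_filename"].lower():
                flagged.append(e["path"])
    return flagged


def _wmi(time, process, is_admin):
    """Build a constructed WMI query event."""
    return {"type": "wmi_query", "time": time, "process": process, "is_admin": is_admin,
            "namespace": r"root\SecurityCenter2", "wmi_class": "AntiVirusProduct"}


# Constructed telemetry: 'suspect.exe' is a placeholder, not a campaign binary name.
SAMPLE_EVENTS = [
    _wmi("2025-06-01T10:00:00", "suspect.exe", False),
    _wmi("2025-06-01T10:00:30", "SecurityHealthService.exe", True),  # admin, one-off
    _wmi("2025-06-01T10:01:07", "suspect.exe", False),
    _wmi("2025-06-01T10:02:14", "suspect.exe", False),
    _wmi("2025-06-01T10:03:21", "suspect.exe", False),
    {"type": "file_create", "path": r"C:\Windows\System32\wbem\wmic.exe.bak",
     "original_filename": "wmic.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\notepad.exe",
     "original_filename": "NOTEPAD.EXE"},
]
```

Running both functions over SAMPLE_EVENTS flags suspect.exe at a 67-second cadence and the wbem\wmic.exe.bak file, while the administrator's single query and the correctly named notepad.exe stay silent.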