VYPR
breach · Published Sep 29, 2025 · Updated May 20, 2026 · 1 source

Lunar Spider Intrusion Lasted Nearly Two Months After Single Click on Fake Tax Form

The DFIR Report details a May 2024 intrusion by the Lunar Spider initial access group that began with a single click on a malicious JavaScript file masquerading as a tax form and persisted for nearly two months.

The DFIR Report has published a detailed case study of a May 2024 intrusion by the Lunar Spider initial access group that began with a single click on a malicious JavaScript file masquerading as a legitimate tax form. The intrusion lasted nearly two months, with the threat actor maintaining intermittent command and control access, conducting extensive reconnaissance, lateral movement, and data exfiltration before being evicted from the environment. No ransomware deployment was observed during this intrusion.

The infection chain started when a user executed a heavily obfuscated JavaScript file named Form_W-9_Ver-i40_53b043910-86g91352u7972-6495q3.js. This file, previously associated with Lunar Spider by EclecticIQ, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which deployed a Brute Ratel DLL file using rundll32. The Brute Ratel loader subsequently injected Latrodectus malware into the explorer.exe process and established command and control communications with multiple Cloudflare-proxied domains.

Approximately one hour after initial access, the threat actor began reconnaissance activities using built-in Windows commands for host and domain enumeration, including ipconfig, systeminfo, nltest, and whoami commands. Around six hours after initial access, the threat actor established a BackConnect session and initiated VNC-based remote access capabilities, allowing them to browse the file system and upload additional malware to the beachhead host.

On day three, the threat actor discovered and accessed an unattend.xml Windows answer file containing plaintext domain administrator credentials left over from an automated deployment process. This gave the threat actor immediate high-privilege access to the domain environment. On day four, the threat actor expanded their activity by deploying Cobalt Strike beacons, escalating privileges using Windows' Secondary Logon service and the runas command to authenticate as the domain admin account. The threat actor then conducted extensive Active Directory reconnaissance using AdFind and began lateral movement using PsExec to remotely deploy Cobalt Strike DLL beacons to several remote hosts, including a domain controller as well as file and backup servers.
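One defensive check the unattend.xml finding calls for, as an added example that is not from the DFIR Report or Vypr: a small Python audit that parses an answer file and reports every credential it still carries, including passwords that Windows Setup stores in its reversible base64 form rather than in the clear. The namespace and element names are the real unattend.xml ones; the sample file, domain, account names and passwords are constructed.

```python
import base64
import xml.etree.ElementTree as ET
NS = "urn:schemas-microsoft-com:unattend"

def _name(elem):
    return elem.tag.rsplit("}", 1)[-1]          # strip the unattend namespace

def _child(elem, local):
    return next((c for c in elem if _name(c) == local), None)

def decode_password(elem):
    """Cleartext of a <Password>/<AdministratorPassword> element. Setup never encrypts
    these: with <PlainText>false</PlainText>, <Value> is base64(UTF-16LE(pw + element name))."""
    value = _child(elem, "Value")
    if value is None:                            # bare form, e.g. UnattendedJoin <Credentials>
        return (elem.text or "").strip()
    text, plain = (value.text or "").strip(), _child(elem, "PlainText")
    if plain is not None and (plain.text or "").strip().lower() == "true":
        return text
    decoded = base64.b64decode(text).decode("utf-16-le")
    return decoded.removesuffix(_name(elem))

def find_credentials(xml_text):
    """Return (component, account, cleartext) for every credential the file carries."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}
    findings = []
    for elem in root.iter():
        if _name(elem) not in ("Password", "AdministratorPassword") or not decode_password(elem):
            continue
        holder = parent[elem]                    # <AutoLogon>, <Credentials>, <UserAccounts>, ...
        user, domain = _child(holder, "Username"), _child(holder, "Domain")
        node = holder
        while node is not None and _name(node) != "component":
            node = parent.get(node)              # climb to the owning <component name="...">
        account = (domain.text + "\\" if domain is not None else "") + (user.text if user is not None else "?")
        findings.append((node.get("name") if node is not None else "?", account, decode_password(elem)))
    return findings

# Constructed sample (not the file from the intrusion): a domain-join credential stored
# in the clear plus an AutoLogon password in Setup's reversible base64 form.
_OBSCURED = base64.b64encode("P@ssw0rdPassword".encode("utf-16-le")).decode()
SAMPLE_UNATTEND = f"""<unattend xmlns="{NS}">
 <settings pass="specialize"><component name="Microsoft-Windows-UnattendedJoin">
  <Identification><Credentials><Domain>corp.example</Domain>
   <Username>svc-deploy</Username><Password>Winter2024!</Password></Credentials></Identification>
 </component></settings>
 <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
  <AutoLogon><Username>Administrator</Username>
   <Password><Value>{_OBSCURED}</Value><PlainText>false</PlainText></Password></AutoLogon>
 </component></settings></unattend>"""
```

Run `find_credentials` over the answer files found under `C:\Windows\Panther`, `C:\Windows\System32\Sysprep` and deployment shares; any non-empty result is a file to purge, not a file to rotate around.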

After a five-hour pause, the threat actor deployed a custom .NET backdoor that created a scheduled task for persistence and set up an additional command and control channel. They also dropped another Cobalt Strike beacon with a new command and control server. The threat actor then used a custom tool that exploited the Zerologon vulnerability (CVE-2020-1472) to attempt additional lateral movement to a second domain controller. They also tried to execute Metasploit laterally to that domain controller via a remote service but were unable to establish a command and control channel from this action.

On day five, the threat actor returned using RDP to access a new server where they dropped the newest Cobalt Strike beacon, followed by an RDP logon to a file share server where they also deployed Cobalt Strike. After a long gap, on day 20 after initial access, the threat actor became active again, deploying a set of scripts to execute a renamed rclone binary to exfiltrate data from the file share server using FTP over a roughly 10-hour period. On day 26, the threat actor returned to the backup server and used a PowerShell script to dump credentials from the backup server software. Two days later, they dropped a network scanning tool, rustscan, which they used to scan subnets across the environment.

The threat actor maintained intermittent command and control access for nearly two months following initial compromise, leveraging BackConnect VNC capabilities and multiple payloads, including Latrodectus, Brute Ratel, and Cobalt Strike, before being evicted from the environment. The DFIR Report notes that this case was featured in their September 2025 DFIR Labs Forensics Challenge and was originally published as a Threat Brief to customers in February 2025. The report highlights the critical importance of securing unattend.xml files and other deployment artifacts that may contain plaintext credentials, as well as the need for robust monitoring to detect and respond to intrusions that may persist for extended periods.

Synthesized by Vypr AI