A sophisticated intrusion by the threat actor known as Lunar Spider persisted within a target network for 57 days, originating from a single employee click on a malicious link. The incident began with a phishing email that successfully bypassed security filters, leading to a prolonged period of attacker activity characterized by reconnaissance, lateral movement, and data exfiltration.
The initial access vector was an email containing a link to a password-protected ZIP archive. Inside this archive was a malicious ISO file which, when mounted by the user, executed a loader for the IcedID malware. This provided Lunar Spider with their initial foothold and a channel for command-and-control (C2) communications.
Establishing Persistence and Moving Laterally
Once initial access was established, the threat actors quickly worked to establish persistence. IcedID was used to deploy a Cobalt Strike beacon, which enabled hands-on-keyboard activity. The attackers performed extensive internal reconnaissance using legitimate Windows tools such as net.exe and nltest.exe to map the Active Directory environment. Within days, they used credentials harvested along the way to move laterally from the initial workstation to a domain controller. This access allowed the attackers to dump credentials from the Local Security Authority Subsystem Service (LSASS) process, granting them higher levels of privilege across the network.
Data Exfiltration and Final Actions
With domain-level administrative access, Lunar Spider focused on identifying and staging valuable data. They used tools like AdFind to query Active Directory for sensitive information and to locate file servers. In the final stage of the attack, the actors deployed the legitimate data synchronization tool Rclone to exfiltrate multiple gigabytes of compressed data to a cloud storage provider. The entire intrusion, from the initial click to the final data transfer, spanned nearly two months before the activity was detected and remediated by incident response teams.
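The stages above (living-off-the-land AD reconnaissance, LSASS credential dumping, Rclone exfiltration) each leave endpoint telemetry that can be correlated per host. The following is an added example, not code from the original report: it maps constructed process-creation and process-access events to the intrusion stages described and flags any host that shows more than one stage. The event field names and the sample events are assumptions.

```python
from collections import defaultdict

# Process images the report ties to each stage of the intrusion.
RECON_TOOLS = {"net.exe", "nltest.exe", "adfind.exe"}
EXFIL_TOOLS = {"rclone.exe"}


def stage_of(event):
    """Map one telemetry event to an intrusion stage, or None if it matches nothing."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    target = event.get("target_image", "").rsplit("\\", 1)[-1].lower()
    # LSASS dumping shows up as another process opening a handle to lsass.exe,
    # so this stage keys on the access target rather than on a tool name.
    if event["type"] == "process_access" and target == "lsass.exe":
        return "credential_access"
    if event["type"] == "process_create":
        if image in RECON_TOOLS:
            return "ad_recon"
        if image in EXFIL_TOOLS:
            return "exfil"
    return None


def score_hosts(events, min_stages=2):
    """Collect distinct stages per host; return hosts with at least min_stages of them."""
    seen = defaultdict(set)
    for e in events:
        stage = stage_of(e)
        if stage:
            seen[e["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\net.exe"},
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\nltest.exe"},
    {"host": "DC01", "type": "process_access", "image": r"C:\Windows\Temp\x.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"host": "DC01", "type": "process_create", "image": r"C:\Users\admin\AdFind.exe"},
    {"host": "FS01", "type": "process_create", "image": r"C:\ProgramData\rclone.exe"},
    {"host": "FS01", "type": "process_create", "image": r"C:\Windows\System32\net.exe"},
    {"host": "WS02", "type": "process_create", "image": r"C:\Windows\System32\net.exe"},
]

if __name__ == "__main__":
    # Expected: DC01 (recon + credential access) and FS01 (recon + exfil) are flagged;
    # WS01 and WS02 only show reconnaissance and stay below the threshold.
    print(score_hosts(SAMPLE_EVENTS))
```

A single net.exe execution is common administrative noise, which is why the threshold requires a second stage on the same host before alerting.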