Attacks by CeranaKeeper involved the deployment of the Mustang Panda-linked TONESHELL backdoor, a credential dumping tool, and a legitimate Avast driver before proceeding with the delivery of the WavyExfiller Python uploader for data gathering, the DropboxFlop payload, the Microsoft OneDrive REST API-exploiting OneDoor backdoor, and the BingoShell Python backdoor.