Attacks commence with the targeting of vulnerable Apache RocketMQ servers with perfctl, which would then download the primary payload httpd for persistence and concealment before its execution to facilitate cryptocurrency mining and proxyjacking activities.