Date: 2025-09-30

Highly advanced cybercrime operation Lunar Spider launched a one-click intrusion in May 2024 to compromise credentials and ensure persistence on a Windows machine for almost two months, GBHackers News reports.

Attackers deceived a user into running a tax form-spoofing JavaScript file, which facilitated the remote download of an MSI package and the launch of a Brute Ratel DLL file through the rundll32 Windows utility as part of a multi-stage breach, according to The DFIR Report.

Subsequent injection of the Latrodectus malware allowed the retrieval of a specialized credential stealer module that targeted more than two dozen Chromium-based browsers within the first hour of access.

After pilfering Microsoft Outlook email configurations and server configurations, Lunar Spider proceeded to run the Isassa.exe binary that permitted high-privilege access to the domain environment.

Other evasion and persistence mechanisms have also been employed by the threat group, which moved to steal file share server data by the 20th day of compromise.