Sakula is a well known malware variant linked to several significant targeted intrusion campaigns over the past 2-3 years. This remote access toolkit has been publicly examined multiple times by the threat intelligence community. CrowdStrike has released two blog posts detailing Sakula campaigns and continues to investigate its usage. In the past two years, two campaigns of Sakula activity stand out as being particularly significant – the “French Aerospace” Campaign and the “Ironman” Campaign. In recent months, CrowdStrike has observed limited use of what appears to be a third Sakula variant.