From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
TLP:WHITE | Author: PetrP | Created: 2025-09-30 | Modified: 2025-10-30 | 73 indicators
In May 2024, an intrusion attributed to the Lunar Spider threat actor began when a user executed a malicious JavaScript file disguised as a tax form. The file contained obfuscated code that downloaded an MSI installer, which in turn launched a Brute Ratel DLL via the Windows utility rundll32. Once running, the Brute Ratel loader injected Latrodectus malware into the explorer.exe process, which established command and control (C2) communications with multiple domains. Hands-on activity started with extensive reconnaissance approximately one hour after initial access, using built-in Windows commands to enumerate hosts and domains. The actor then established a BackConnect session for remote access via VNC and read an unattend.xml file to extract plaintext domain administrator credentials.
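The unattend.xml exposure mentioned above is a common hardening gap: Windows Setup leaves answer files behind on deployed hosts, and a value marked PlainText=false is only base64-encoded UTF-16LE with a fixed suffix, not encrypted. The following audit script is an added example, not code from the pulse or the underlying report; the sample answer file, the account names and the placeholder secrets in it are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
# Suffix Windows Setup appends before UTF-16LE/base64 encoding when PlainText is false.
SUFFIX = {"Password": "Password", "AdministratorPassword": "AdministratorPassword"}

def unattend_encode(secret: str, tag: str = "Password") -> str:
    # Reproduces the PlainText=false storage form: base64(UTF-16LE(secret + suffix)).
    # This is reversible obfuscation, not encryption.
    return base64.b64encode((secret + SUFFIX[tag]).encode("utf-16-le")).decode("ascii")

# Constructed sample (not from the incident): one plaintext domain-join password
# and one obfuscated AutoLogon password, in the real component/element layout.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize"><component name="Microsoft-Windows-UnattendedJoin">
    <Identification><Credentials><Domain>corp.example</Domain><Username>svc-join</Username>
      <Password>placeholder-join-secret</Password></Credentials></Identification>
  </component></settings>
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <AutoLogon><Username>Administrator</Username>
      <Password><Value>{unattend_encode('placeholder-admin-secret')}</Value><PlainText>false</PlainText></Password>
    </AutoLogon>
  </component></settings>
</unattend>"""

def find_unattend_secrets(xml_text: str) -> list[dict]:
    """List every credential recoverable from an unattend.xml, de-obfuscating
    PlainText=false values so the finding shows exactly what is exposed."""
    findings = []
    for comp in ET.fromstring(xml_text).iter(f"{NS}component"):
        for parent in comp.iter():  # walking parents lets us read the sibling Username
            for tag, suffix in SUFFIX.items():
                for pw in parent.findall(f"{NS}{tag}"):
                    value_el = pw.find(f"{NS}Value")
                    raw = ((value_el.text if value_el is not None else pw.text) or "").strip()
                    if not raw:
                        continue
                    plain = (pw.findtext(f"{NS}PlainText") or "true").strip().lower() == "true"
                    secret = raw if plain else base64.b64decode(raw).decode("utf-16-le").removesuffix(suffix)
                    findings.append({"component": comp.get("name"), "username": parent.findtext(f"{NS}Username"),
                                     "secret": secret, "obfuscated": not plain})
    return findings

if __name__ == "__main__":
    for finding in find_unattend_secrets(SAMPLE_UNATTEND):
        print(finding)
```

Any finding means the credential should be rotated and the leftover answer file removed from the host.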
Indicators of Compromise (10 / 73 total)