From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
WHITE AlienVault 2026-05-22 Modified: 2026-05-25
LOW VOLUME
A sophisticated multi-stage intrusion began with the compromise of an internet-facing F5 BIG-IP load balancer running an end-of-life version. The threat actor established SSH access to a Linux server using privileged credentials, then conducted extensive reconnaissance including network scanning with Nmap and service enumeration with gowitness. Following horizontal and vertical scanning operations, the actor identified and compromised an unpatched internal Atlassian Confluence server via remote code execution. Credentials extracted from Confluence configuration files were subsequently used to attempt Kerberos relay attacks against Active Directory infrastructure and exploit CVE-2025-33073. The incident demonstrates how edge device compromises enable lateral movement across hybrid environments, bypassing traditional security controls through trusted relationships and exploiting insufficient monitoring of non-Windows systems and internal applications.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
HackTool:Linux/MalPack.B, HackTool:Linux/Kerbrute
Indicators of Compromise (10)
TYPE | INDICATOR | DESCRIPTION | CREATED
CVE | CVE-2024-2012 | | 2026-05-22
CVE | CVE-2025-20333 | | 2026-05-22
CVE | CVE-2025-20362 | | 2026-05-22
CVE | CVE-2025-33073 | | 2026-05-22
CVE | CVE-2025-53521 | | 2026-05-22