2026-04-16, Amphitheater
In early February, we identified two DLL samples impersonating legitimate products and tools, uploaded from Kazakhstan to a popular online file analysis platform. These DLLs notably provide an operator with command execution and file download capabilities, and rely on Telegram for C2 communication.
We were able to retrieve the operators' activity log from the Telegram channels, as well as some of the intended next stages. These logs gave us some insight into the compromised organizations and the likely targeting. They also revealed the struggle the operators went through in attempting to run their downloaded next stages, ultimately failing to do so.
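One way to turn such a recovered Telegram channel history into an operator activity timeline, as an added example that is not the speakers' or HarfangLab's code. It assumes the messages have already been normalized to flat records with date (Unix seconds), from, text and optional file_name fields; the chat below is constructed, and the retry-burst and failure-rate heuristics are the author's own choice of signal for the "repeated failed attempts" pattern the abstract describes, not anything the talk states.

```python
"""Reconstruct an operator timeline from a Telegram-based C2 chat (added example).

The records below are constructed sample data and use assumed generic field
names (date/from/text/file_name). A real Bot API or chat export must be mapped
to this shape first.
"""
from datetime import datetime, timezone

# Constructed sample chat for one victim machine: operator commands and
# implant replies interleaved. Timestamps are Unix seconds (UTC).
SAMPLE_CHAT = [
    {"date": 1738400000, "from": "operator", "text": "cmd whoami"},
    {"date": 1738400004, "from": "implant",  "text": "corp\\svc-backup"},
    {"date": 1738400100, "from": "operator", "file_name": "update.exe", "text": "dl"},
    {"date": 1738400105, "from": "implant",  "text": "saved C:\\Users\\Public\\update.exe"},
    {"date": 1738400110, "from": "operator", "text": "cmd C:\\Users\\Public\\update.exe"},
    {"date": 1738400115, "from": "implant",  "text": "error: process exited with code 1"},
    {"date": 1738400120, "from": "operator", "text": "cmd C:\\Users\\Public\\update.exe"},
    {"date": 1738400124, "from": "implant",  "text": "error: process exited with code 1"},
    {"date": 1738400130, "from": "operator", "text": "cmd C:\\Users\\Public\\update.exe"},
    {"date": 1738400134, "from": "implant",  "text": "error: process exited with code 1"},
    {"date": 1738400140, "from": "operator", "text": "cmd tasklist"},
    {"date": 1738400144, "from": "implant",  "text": "...(output truncated)"},
]


def build_timeline(chat):
    """Return (utc_iso_timestamp, sender, action) tuples, oldest first.

    File messages are rendered as an upload so a reviewer sees next-stage
    delivery alongside the commands that tried to run it."""
    rows = []
    for m in sorted(chat, key=lambda m: m["date"]):
        ts = datetime.fromtimestamp(m["date"], tz=timezone.utc).isoformat()
        action = m.get("text", "")
        if m.get("file_name"):
            action = f"upload {m['file_name']} ({action})"
        rows.append((ts, m["from"], action))
    return rows


def find_retry_bursts(chat, window_s=60, min_repeats=3):
    """Map operator commands repeated verbatim >= min_repeats times within
    window_s seconds to the largest repeat count observed.

    Identical commands re-sent in quick succession are the heuristic used here
    for 'operator is retrying something that keeps failing'."""
    cmds = [(m["date"], m["text"])
            for m in sorted(chat, key=lambda m: m["date"])
            if m["from"] == "operator" and "text" in m]
    bursts = {}
    for i, (t0, text) in enumerate(cmds):
        n = sum(1 for t, x in cmds[i:] if x == text and t - t0 <= window_s)
        if n >= min_repeats:
            bursts[text] = max(bursts.get(text, 0), n)
    return bursts


def failure_rate(chat):
    """Fraction of implant replies that report an error (prefix 'error')."""
    replies = [m["text"] for m in chat if m["from"] == "implant"]
    if not replies:
        return 0.0
    errors = sum(1 for r in replies if r.lower().startswith("error"))
    return errors / len(replies)


if __name__ == "__main__":
    for ts, who, what in build_timeline(SAMPLE_CHAT):
        print(f"{ts}  {who:8s}  {what}")
    print("retry bursts:", find_retry_bursts(SAMPLE_CHAT))
    print("implant failure rate:", failure_rate(SAMPLE_CHAT))
```

The window and repeat threshold are deliberately parameters: for a chatty operator a 60-second window with three repeats is a reasonable starting point, but a long-running channel is better inspected by sweeping both values and looking at where the burst set stabilizes.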
In this lightning talk, we will present the operators' activity journal for two different machines, highlighting their failed attempts to run the next stages, their troubleshooting attempts, and the culmination of their frustration, which resulted in very noisy activity.
Threat researcher at HarfangLab.