KaraKurt
A threat actor that primarily uses VPN credentials to gain initial access to a victim's network, either sourcing them from sellers or phishing for them directly. Persistence is established by dropping the widely abused Cobalt Strike remote access tool, although in recent attacks the group has switched to the AnyDesk remote access tool. The actor then steals additional credentials belonging to administrators and uses them to escalate to administrative privileges.
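The chain described above (a VPN login on valid credentials followed shortly by a remote access tool such as AnyDesk on the same user's host) is a natural correlation rule for defenders. The script below is an added illustration, not part of this profile or any vendor's detection content; the log formats, users, hosts and addresses are constructed sample data, and the time window is an assumed tuning value.

```python
"""Correlate VPN logins with follow-on remote-access tool execution.

Added example: flags the KaraKurt-style sequence of a VPN login using
valid credentials followed within a short window by an AnyDesk process
start for the same user. All events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication events: (timestamp, user, source IP).
VPN_LOGINS = [
    ("2024-03-01T08:02:00", "jdoe", "203.0.113.10"),
    ("2024-03-01T08:30:00", "asmith", "198.51.100.7"),
    ("2024-03-01T22:15:00", "jdoe", "192.0.2.44"),
]

# Constructed endpoint process-start events: (timestamp, user, host, image).
PROCESS_EVENTS = [
    ("2024-03-01T08:05:00", "jdoe", "WS-01", "outlook.exe"),
    ("2024-03-01T14:00:00", "itadmin", "WS-03", "AnyDesk.exe"),  # no VPN login
    ("2024-03-01T22:21:00", "jdoe", "WS-01", "AnyDesk.exe"),
    ("2024-03-01T09:00:00", "asmith", "WS-02", "excel.exe"),
]

# Remote-access tooling named in the profile; extend to fit the environment.
REMOTE_TOOLS = {"anydesk.exe"}


def correlate(vpn_logins, process_events, window_minutes=60):
    """Return (user, host, image, login_ip) tuples for every VPN login that is
    followed within `window_minutes` by a remote-access tool start for the
    same user. The credentials are valid, so the source IP alone is not the
    signal; the sequence is."""
    window = timedelta(minutes=window_minutes)
    tool_starts = defaultdict(list)
    for ts, user, host, image in process_events:
        if image.lower() in REMOTE_TOOLS:
            tool_starts[user].append((datetime.fromisoformat(ts), host, image))
    hits = []
    for ts, user, ip in vpn_logins:
        login_at = datetime.fromisoformat(ts)
        for started, host, image in tool_starts.get(user, []):
            if login_at <= started <= login_at + window:
                hits.append((user, host, image, ip))
    return hits


if __name__ == "__main__":
    for hit in correlate(VPN_LOGINS, PROCESS_EVENTS):
        print("suspicious VPN-then-remote-tool chain:", hit)
```

The itadmin AnyDesk start is deliberately not flagged: without a preceding VPN login it does not match the described sequence, which keeps the rule from paging on routine helpdesk use.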