As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in collaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho ManageEngine REST API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties detailed by the Unit42 team in a previous blog.

Tarrask malware uses scheduled tasks for defense evasion
Note: I don't see how this got attributed to HAFNIUM; I guess it's easy for Prism collectors: Chinese letters -> Chinese APT -> DONE. Also, I puked a little in my mouth because of the link to Microsoft, but the info might be useful to some of my readers.