Who are Peterson Technology Partners?

Peterson Technology Partners, also known as PTP, is a staffing and consultancy firm, located in Chicago and operating globally. PTP specializes in providing IT staffing and talent supply management solutions.

What services does PTP offer?

PTP is known for sourcing best-in-class talent for the IT industry, specializing in the fields of Artificial Intelligence, Data Science, Cloud Computing, DevOps, and Cybersecurity.

What are the benefits of working with PTP?

PTP’s proprietary 5-step assessment process ensures that our clients receive only the absolute best-in-class talent for their staffing needs. Our 4-point promise to every client guarantees Quality, Speed, Agility, and Customization.

Do I have to pay for this service?

We require no payment from job-seekers. If you’re a job-seeker looking for your next great opportunity visit the Jobs page. If you’re an employer looking for top-tier talent to meet your staffing needs, Contact Us to start building your customized service plan.

Cybersec Risk Focus: Multi-Stage Malware

AI is making waves across sectors and throughout the world. It’s also amplifying cyberattacks.

Last time out in our Cybersec Risk Focus, we covered Zero Trust Architecture and discussed last year’s eye-popping 1,265% increase in phishing attacks.

Today we look in depth at how some of these attacks play out, with phishing increasingly the first step in elaborate, multi-stage malware schemes. These steal credentials, change configurations, open backdoors, and move laterally for data exfiltration and ransomware attacks. Some continue to lurk for months, seeing viable targets and waiting for the opportune time to act.

And by combining techniques, they can often be launched without immediate, visible impact, seeking to achieve their goals without arousing suspicion.

Today we look in depth at several examples.

The What

Whether it’s seemingly legitimate office documents or PDFs with embedded content, QR codes or direct links with multiple redirects (passing even through legit sites), using stolen credentials or moving from on-prem to cloud (and back), multi-stage malware attacks seek out areas of opportunity, often leveraging legitimate functionality to hide their behaviors.

While there’s variation in the phases based on the attacker, target, and objectives, multi-stage cyberattacks often move through a series of steps:

What’s notable about these attacks is both their patience and level of sophistication. The goal is to gain access secretly and, once in, make a broad exploration, execute necessary changes, and prepare for either a criminal operation (such as lock-down or theft) or ongoing surveillance across systems.

The How: Actual Cases

For a look at specific techniques these attacks utilize, we break down four examples. These target differing devices and industries, and for varying purposes.

Some are Advanced Persistent Threats (APT), part of high-level, state-sponsored campaigns, while others operate at a smaller scale, aimed for sheer gain through extortion from targets of opportunity.

Operation Triangulation (2019–present)

Starting more than four years ago with details breaking late last year, this cyberattack of iOS devices was geared at surveillance and remains among the most complex ever pulled off, with an unprecedented 14 steps involved in its chain of execution.

Target: iOS devices

Attack Objective: Exfiltrate data including passwords, files, text messages, and geolocation while avoiding detection.

Steps:

Initial Access: This attack sent iMessage users invisible messages containing a compressed file with an embedded PDF. Not only did users not have to open the PDF for this attack to start, but they also likely weren’t even aware of the files nor the messages that carried them.
Payload Delivery: The compressed PDF ran code to open Safari in the background, where it loaded components from the attacker’s servers, exploiting three different zero-day vulnerabilities at this phase. One of these was largely undocumented (potentially used for debugging), indicating first-hand knowledge from Apple or the hardware providers. This all continued to remain entirely invisible to the user.
Lateral Movement and Escalation: Operating in memory, the attack avoided detection by leaving no traces. Once executed, it could monitor communications, track location information, modify files and processes, extract passwords, move files to the attacker’s server, and more.

Impacts: Memory-only execution and four zero-day exploits made these attacks extremely difficult to detect. Rebooting the phone would clear the malware, but the attacker could repeat the process by sending another invisible message.

Apple patched these vulnerabilities last summer, and the best giveaway that a phone was infected was its failure to be updated.

The recommended response was factory reset with disabled iMessage until all updates could be installed, including the fixes.

Kaspersky Labs uncovered the attacks, finding it was impacting thousands of their own phones, though accusations of who was to blame came from various nations. Several nations have banned the use of iPhones by certain government personnel as a result.

BlueNoroff Cryptocurrency Campaign (2023-2024)

Named for the suspected North Korean–sponsored hacking group, this multi-stage attack also targeted Apple devices, aiming for persistence in affected systems.

Target: Cryptocurrency-connected businesses using macOS-based systems

Attack Objective: Persistent surveillance, data breaches (exfiltration), and cyber-currency theft.

Steps:

Initial Access: The attackers sent phishing emails containing links to fake cryptocurrency-related news and updates aiming for specific targets and posing as actual influencers. These links, if clicked, launched malicious PDFs. Some of these used actual academic papers as their delivery mechanism.
Secondary Payload Delivery: The PDF opened in the viewer as a decoy, with a hidden script executed that downloaded the malicious program. This attack took advantage of official Apple notarization that was acquired in October. Capable of running on both Intel and Apple-based systems, it could bypass Apple security features.
Persistence Mechanism: The attack modified the “.zshenv” configuration file in the user’s home directory and loaded during Zsh sessions. With a backdoor to the hacker’s server, it ran commands and downloaded additional payloads without triggering alarm.
Exfiltration: Files could be manipulated and exfiltrated directly by the lurking hackers.

Impacts: Detailed by SentinelLabs researchers and tied to a year-long campaign, these attacks were notable for their clever use of a malicious Zshenv file for persistence. They also demonstrated an ongoing capacity to leverage new Apple developer accounts, enabling official notarization.

Storm-0501 Hybrid Cloud Attack (2024)

Target: U.S. government agencies and critical infrastructure sectors, including manufacturing, transportation, and law enforcement

Attack Objective: Persistent backdoor for surveillance and exfiltration, also ransomware deployment.

Steps:

Initial Access: It’s believed these attacks used existing access from prior attacks, stolen credentials, and known vulnerabilities in unpatched servers. This access was boosted by leveraging over-privileged accounts.
Credential Harvesting: Once inside, they used Impacket’s SecretsDump module to extract credentials across devices via the network, moving and collecting more, until they had necessary admin credentials.
Lateral Movement: Using tools like Cobalt Strike, they moved across the network with these stolen credentials, using command-and-control (C2) capacity to reach endpoints and issue commands. This included a pivot from on-premises to cloud, where the attackers established persistent backdoors.
Payload Deployment: Once sufficient access was achieved, ransomware could be deployed across devices in the network. Data exfiltration occurred simultaneously, with sensitive files transferred to attacker-controlled servers.
Final Stage: Using double extortion tactics, leaked files were used to pressure the target who also faced systems locked by ransomware. In other cases, persistence was maintained in the network without visible attacks, either for future action or ongoing surveillance.

Impacts: As detailed by Microsoft Security, these attacks are noteworthy for their on-prem to cloud pivots, taking advantage of hybrid cloud structures to find vulnerabilities. Like the attacks detailed above, they also manage to create persistent backdoors that evaded detection with a variety of tactics.

Altice Corporation Impersonation Campaign (2024)

A similar attack was uncovered in July, posing as the Altice corporation. This targeted private enterprises, started through infected Microsoft Office attachments.

Target: Private businesses, particularly in finance and telecommunications

Attack Objective: Credential theft, data exfiltration, and long-term persistence in enterprise networks.

Steps:

Initial Access: Well-crafted fake financial reports were part of a phishing campaign impersonating the Altice corporation. These targeted finance departments and individuals likely to engage, using emails including Word and Excel files or links to them, all well disguised as financial reports.
Secondary Payload: The macro extracted a hardcoded DLL binary, written to disk and injected into memory. This downloaded a BAT from a C2 server to establish a backdoor, a private key for authentication, and a Cobalt Strike beacon for lateral movement.
Evasion and Persistence: The beacon was executed a legitimate Windows error-reporting tool to evade malware detection. By hiding in trusted system processes, attacks like this don’t trigger alarms. And by having a secondary backdoor, actions could continue even as other components were discovered.
Data Exfiltration and Future Action: From here, sensitive data was harvested, and the infected systems could be used to launch additional attacks, including the potential to move into additional, external partners.

Impacts: Launched in various stages and geared to avoid detection, this attack focused on stealth to gain as much data and access as possible without revealing its entire footprint.

The Role of Skilled Cybersecurity Professionals

What’s so insidious about these attacks is they include feints, mimic legitimate processes and applications, and roll out in various stages, even across multiple machines, operating with the goal of going undetected while additional work is performed.

This makes uncovering them difficult, as the targeted party may never realize they’ve been hacked. In addition to lingering and having access to a user’s files, they can also use that system as a springboard.

Once unusual activity is discovered, the attackers have often already spread far and wide, overwhelming defensive systems and hiding not only their original source of entry, but also their end goal.

Protecting against these attacks is increasingly difficult, as they, too, leverage additional steps in the attempt to stay ahead.

It’s important to have threat intelligence that not only stays abreast of risks but moves proactively, just as it is to alert users on the existence of such sophisticated cybercrime.

Other defensive measures include:

Phishing and cybersecurity training that includes the range of current techniques, along with examples that show the increasing capacity of approaches to be personalized and look authentic.

Utilizing zero-trust defenses that don’t allow lateral movement in cyberattacks, once outer defenses are breached.

Data privacy engineering techniques to isolate, anonymize, and protect critical data even in the event of intrusion.

Continued monitoring of network behavior to establish baselines and flag unusual activity.

Regular review of access to ensure permissions are assigned for the least possible, across the board, and are regularly rotated.

And just as attackers layer steps, so, too, should security teams layer their defensive systems. This should include regular security tests and assessments.

Staying up to date on vulnerabilities and ensuring patching closes known gaps ASAP. Note that several of these attacks take advantage of zero-day vulnerabilities or finding unpatched devices to make their initial entry.

How IT Recruiting Services Help Fill Critical Gaps

Much of this is part of any set of cybersecurity best practices for 2025.

But that brings us to PTP and what we offer. With the increasing sophistication of such attacks, it’s critical to ensure that you don’t fall behind on staffing or expertise, especially with surging demand for specialists and the growing prevalence of cybersecurity risks.

PTP can help, both on-site and remotely, with our experience and global access to a broad array of cybersecurity talent.

Conclusion

This ends this edition of our cybersecurity risk focus. Multi-stage malware is just another step in the ongoing arms race between criminals and target organizations, escalated in scale and intensity by the power of AI systems.

The sophistication of some of these attacks is really eye-opening, showing the need for organizations not only to stay on top of security trends and attack types but also the ongoing monitoring and defense of their own systems.

For help staying up to date, check out our bi-monthly cybersecurity roundups and the full range of articles in our PTP Report on cybersecurity.