The watering hole attack relied on social engineering rather than an exploit: the attackers tampered with a legitimate website the targets visited regularly so that it deceived users into manually downloading and executing the malware themselves, bypassing traditional vulnerability exploitation methods.
The malware, FlashUpdateInstall.exe, is disguised as an Adobe Flash Player notification reporting a successful update; its primary function is to install the core malware component, system32.dll, which carries out the malicious activity on the infected system. The malware injects a DLL into running processes, likely to evade detection; it also terminates specific antivirus processes and employs anti-analysis techniques such as checking system resource usage and detecting virtual machine environments. The report also gives details of a suspected Cobalt Strike beacon configuration in which the configured server is patient-flower-*.nifttymailcom.workers.dev, reached over HTTPS on port 443.
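The two concrete indicators above (the wildcard C2 hostname on workers.dev and the lure executable name) are the kind a detection engineer would turn into a log-matching rule. The following is an added example, not code from the report it summarises; the log line format, hostnames, timestamps and file paths are constructed for illustration.

```python
import re
from typing import Dict, List

# Patterns derived from the report: the host pattern expands the
# "patient-flower-*" wildcard label; LURE_EXE is the named dropper.
BEACON_HOST_RE = re.compile(
    r"^patient-flower-[a-z0-9-]+\.nifttymailcom\.workers\.dev$", re.IGNORECASE
)
LURE_EXE = "flashupdateinstall.exe"

# Constructed log format (an assumption for this example, not the report's data):
#   proxy|<timestamp>|<client>|<method>|<host>:<port>
#   proc|<timestamp>|<client>|<image_path>
def parse_line(line: str) -> Dict[str, str]:
    fields = [f.strip() for f in line.strip().split("|")]
    if fields[0] == "proxy" and len(fields) == 5:
        host, _, port = fields[4].rpartition(":")
        return {"kind": "proxy", "ts": fields[1], "client": fields[2],
                "method": fields[3], "host": host, "port": port}
    if fields[0] == "proc" and len(fields) == 4:
        return {"kind": "proc", "ts": fields[1], "client": fields[2],
                "image": fields[3]}
    return {"kind": "unknown"}

def find_indicators(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that matches an indicator from the report."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["kind"] == "proxy" and BEACON_HOST_RE.match(rec["host"]):
            hits.append({**rec, "reason": "suspected Cobalt Strike C2 host"})
        elif rec["kind"] == "proc":
            image_name = rec["image"].replace("/", "\\").rsplit("\\", 1)[-1]
            if image_name.lower() == LURE_EXE:
                hits.append({**rec, "reason": "Flash update lure executable"})
    return hits

# Constructed sample logs: one C2 connection, one benign connection,
# one execution of the lure, one benign process start.
SAMPLE_LOGS = [
    "proxy|2024-01-01T10:00:00Z|10.0.0.5|CONNECT|patient-flower-7ab3.nifttymailcom.workers.dev:443",
    "proxy|2024-01-01T10:00:02Z|10.0.0.5|CONNECT|www.example.com:443",
    "proc|2024-01-01T09:59:40Z|10.0.0.5|C:\\Users\\alice\\Downloads\\FlashUpdateInstall.exe",
    "proc|2024-01-01T09:59:41Z|10.0.0.5|C:\\Windows\\System32\\svchost.exe",
]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOGS):
        print(hit["ts"], hit["client"], hit["reason"])
```

The host regex deliberately anchors the full hostname so that unrelated workers.dev subdomains are not flagged, while any port is accepted because the report's port 443 is only the observed value.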