![[Op Report] CastleRAT Campaign leads to Hands-on-Keyboard ATO Operations](https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/1767793678317-MTIGND4AMP67UTF74C4V/chrome_history.png)
[Op Report] CastleRAT Campaign leads to Hands-on-Keyboard ATO Operations
This Deception.Pro operation captured a multi-stage malware intrusion culminating in hands-on-keyboard (HoK) activity focused exclusively on account takeover (ATO): not ransomware staging or enterprise lateral movement.
![[Op Report] Oyster → Vidar → Supper socks shell Campaign Leads to Hands-on-Keyboard Activity](https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/1767642653039-86IPRKFUTBYBZYCXUH0I/screenshot-2025-11-28T16_54_21.278084%2B00_00.png)
[Op Report] Oyster → Vidar → Supper socks shell Campaign Leads to Hands-on-Keyboard Activity
A recent Deception.Pro operation involving a replica victim in the travel and tourism sector revealed a multi-stage infection beginning with an Oyster malware dropper masquerading as a Microsoft Teams installer.
![[Update] New Features Added!](https://images.squarespace-cdn.com/content/v1/695bcc1736756e49405972c8/1767644847426-OATTDGOFRHYK5BZYJ4T8/unsplash-image-SYTO3xs06fU.jpg)