An APT mercenary group is believed to be behind a cyber espionage campaign targeting the industrial sector. The attack is believed to involve the acquisition of financial information or the negotiation of high-profile contracts. These groups offer their services to the highest bidder, and their techniques are sophisticated and powerful. The company targeted in this campaign is involved with architectural projects in New York, London, Australia, and Oman. Given the sophistication of the attack, it is hypothesized that the group had prior knowledge of the company's security posture.

The group infiltrated the company using a malicious plugin for Autodesk 3ds Max. Prior to infiltration, the group tested the company's security by deploying a payload in an effort to avoid detection once inside. The plugin, PhysXPluginMfx, has the ability to corrupt 3ds Max to run malicious code and propagate MAX files. The file is encrypted with Autodesk's specific encryption script and contains an embedded DLL. The script begins with HTTP POST requests and executes the responses in memory. It also creates a periodic job to clean certain maxscripts known to cause issues with the malicious file(s). Code is then downloaded from the C2 and executed. Lastly, the script contains code to implement persistence, via a hidden file in the startup folder of the 3ds Max software.

Information is collected from the victim machine and encrypted with a custom algorithm so that it appears to be base64 content. More files are downloaded from the C2 at this point; these are used to evade detection by modifying timestamps, applying hidden attributes, and cleaning up ALC/CRP third-party maxscripts. Other binaries are downloaded from the C2 server to collect screenshots, passwords, and browser history. The attackers use HdCrawler (used to list, compress, and upload files) and InfoStealer (B4E6HVVnCvY.dll).
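The persistence and evasion behaviour described above (a hidden maxscript in the 3ds Max startup folder, with altered timestamps) gives defenders something concrete to hunt for. The following scanner is an added example written for this summary, not code from the report or from Autodesk; the user-profile startup path it uses is an assumption about 3ds Max's layout, and the file records are constructed sample data so the check runs offline.

```python
"""Hunt for hidden or timestomped maxscripts in a 3ds Max startup folder."""
import os
from dataclasses import dataclass
from datetime import datetime, timezone

MAXSCRIPT_EXTS = {".ms", ".mse", ".mcr", ".mzp"}   # script types 3ds Max auto-runs from startup
FILE_ATTRIBUTE_HIDDEN = 0x2                        # Windows attribute bit (stat.FILE_ATTRIBUTE_HIDDEN)
# Assumed per-user startup folder layout; adjust the version segment for the installed release.
STARTUP = r"C:\Users\alice\AppData\Local\Autodesk\3dsMax\2020 - 64bit\ENU\scripts\startup"


@dataclass
class FileRecord:
    path: str
    hidden: bool
    created: datetime
    modified: datetime


def findings_for(rec: FileRecord) -> list:
    """Return the reasons a startup-folder file looks suspicious (empty list = clean)."""
    reasons = []
    if os.path.splitext(rec.path)[1].lower() not in MAXSCRIPT_EXTS:
        return reasons                                  # only auto-executed script types matter here
    if rec.hidden:
        reasons.append("hidden attribute on startup maxscript")
    if rec.modified < rec.created:                      # a file cannot be modified before it existed
        reasons.append("modified earlier than created (possible timestomping)")
    return reasons


def scan_records(records) -> dict:
    """Map each suspicious path to its list of reasons."""
    return {r.path: findings_for(r) for r in records if findings_for(r)}


def collect_records(folder: str) -> list:
    """Build FileRecords from a real folder (hidden bit and birth time are Windows-only)."""
    out = []
    for entry in os.scandir(folder):
        if not entry.is_file():
            continue
        st = entry.stat()
        hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
        birth = getattr(st, "st_birthtime", st.st_ctime)   # st_ctime is creation time on older Pythons
        out.append(FileRecord(entry.path, hidden,
                              datetime.fromtimestamp(birth, timezone.utc),
                              datetime.fromtimestamp(st.st_mtime, timezone.utc)))
    return out


# Constructed sample records: one benign script, two suspicious ones, one non-script file.
_utc = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    FileRecord(STARTUP + r"\macroScripts.ms", False, _utc(2020, 1, 10), _utc(2020, 3, 2)),
    FileRecord(STARTUP + r"\svc_loader.ms", True, _utc(2020, 6, 1), _utc(2020, 6, 1)),
    FileRecord(STARTUP + r"\render.mse", True, _utc(2020, 6, 1), _utc(2015, 6, 1)),
    FileRecord(STARTUP + r"\readme.txt", True, _utc(2020, 6, 1), _utc(2015, 6, 1)),
]
```

Running `scan_records(collect_records(STARTUP))` on a live host applies the same two checks to the real folder; the sample records show a hidden script being flagged once and a hidden, backdated script flagged twice.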