Maze is being spread in the post-initial-access phase. The loader this time is a Maze affiliate called SNOW. Access is gained through brute-force attacks, SMB exploitation and RDP attacks.
This loader has been used in its unpacked form, downloaded directly from hxxp://37[.]1.210[.]52/vologda.dll. The SNOW loader uses the following tools.