Microsoft’s Defender ATP Research team detected a campaign they labeled Dexphot and began tracking it. The campaign turned out to be a polymorphic attack that deployed files that changed every half hour. Dexphot used multiple layers of obfuscation, encryption, and random file names to evade detection. Once a foothold had been gained on a victim system, it used fileless techniques to further evade detection and forensics: the malware code was injected into legitimately running applications to disguise its behavior. Services that monitored the malware’s activity and ran scheduled tasks to re-infect the system were deployed to ensure that the final payload, a cryptominer, kept running. Over time the malware was upgraded, new running processes were targeted, and workarounds for defensive measures were added. Except for the installer portion of the infection, all other executables are legitimate applications, such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe. Applications targeted for its process hollowing technique included svchost.exe, tracert.exe, and setup.exe.
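The practical consequence of the behaviour described above is that hash-based blocking cannot keep up with a dropper that changes every half hour, while the living-off-the-land binaries and hollowing targets the page names are all legitimate and cannot simply be blocked. What remains is the relationship between processes. The following is an added example, not code from Microsoft or from the page: it triages constructed process-creation records using the parent/child ancestry (a listed system binary such as svchost.exe appearing under rundll32.exe rather than services.exe, or several of the listed LOLBins stacked in one ancestry) and shows for contrast how a stale hash blocklist misses the mutated dropper. The record fields, the toy hashes and the "svchost.exe is normally started by services.exe" mapping are assumptions made for the example, not facts taken from the page.

```python
"""Behaviour-based triage of process-creation events for Dexphot-style
tradecraft (LOLBin chains, process hollowing targets, scheduled-task
persistence). Log records below are constructed for this example; the
field names are an assumption, not any real product's schema."""

from dataclasses import dataclass

# Windows binaries the page lists as abused. Each one is a legitimate
# application, so its presence alone is never a finding; only the chain
# it sits in or the parent it runs under is.
LOLBINS = {"msiexec.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}

# Processes the page names as hollowing targets. The expected-parent map is
# an assumption from general Windows knowledge (svchost.exe is normally
# started by services.exe), not something the page states.
HOLLOW_TARGETS = {"svchost.exe", "tracert.exe", "setup.exe"}
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable, lower-case
    sha256: str     # hash of the on-disk image (toy 8-char values here)


def parent_chain(events, pid, depth=4):
    """Walk ppid links upward and return image names, child first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < depth:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def triage(events):
    """Return (pid, reason) findings derived from behaviour, not hashes."""
    findings = []
    for e in events:
        chain = parent_chain(events, e.pid)
        parent = chain[1] if len(chain) > 1 else None
        # 1. A hollowing target launched by something other than its usual
        #    parent, or directly by one of the listed LOLBins.
        if e.image in HOLLOW_TARGETS and parent is not None:
            allowed = EXPECTED_PARENT.get(e.image)
            if (allowed and parent not in allowed) or parent in LOLBINS:
                findings.append((e.pid, f"{e.image} spawned by {parent}"))
        # 2. Three or more listed LOLBins stacked in one ancestry, the
        #    installer -> unpacker -> loader pattern the page describes.
        lol = [img for img in chain if img in LOLBINS]
        if len(lol) >= 3:
            findings.append((e.pid, "LOLBin chain: " + " <- ".join(lol)))
    return findings


def hash_blocklist_hits(events, blocklist):
    """Naive hash matching, shown for contrast: a polymorphic dropper whose
    file changes every half hour defeats this by producing a new hash."""
    return [e.pid for e in events if e.sha256 in blocklist]


# Constructed sample: a dropper delivered via msiexec, unpacked by unzip,
# loaded by rundll32, hollowing svchost.exe and tracert.exe and registering
# a scheduled task, alongside benign service-host activity.
SAMPLE = [
    ProcEvent(400, 1, "services.exe", "aaaa0001"),
    ProcEvent(500, 400, "svchost.exe", "bbbb0002"),        # normal svchost
    ProcEvent(1200, 700, "msiexec.exe", "cccc0003"),
    ProcEvent(1300, 1200, "unzip.exe", "dddd0004"),
    ProcEvent(1400, 1300, "rundll32.exe", "eeee0005"),
    ProcEvent(1500, 1400, "svchost.exe", "bbbb0002"),      # hollowed copy
    ProcEvent(1600, 1400, "schtasks.exe", "ffff0006"),     # persistence
    ProcEvent(1700, 1300, "tracert.exe", "9999000a"),      # hollowed copy
]

# Blocklist holds the dropper hash seen an hour ago; it has since mutated.
OLD_DROPPER_HASHES = {"cccc0000"}

if __name__ == "__main__":
    for pid, why in triage(SAMPLE):
        print(pid, why)
    print("hash hits:", hash_blocklist_hits(SAMPLE, OLD_DROPPER_HASHES))
```

The benign svchost.exe under services.exe produces no finding, while the hollowed copy under rundll32.exe does, and the stale blocklist returns nothing even though the same campaign is clearly visible in the ancestry. Any real deployment would also need the image path and signature of each process, which the toy records omit.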