CheckMesh: Hidden Threats in Your FW

2024-07-09 Hackers Eye

https://hackerseye.net/all-blog-items/checkmesh/


HackersEye describes an intrusion against an Israeli enterprise in which an attacker with administrative access to a Check Point firewall moved from the GAIA web interface to SSH and installed a malicious MeshAgent-based ELF implant. The implant disguised itself as a legitimate process, gave the attacker encrypted C2 and persistence on the firewall's underlying Linux system, and let the actor operate as root. From that foothold the attacker carried out credential theft, password spraying or brute-force attempts, port forwarding, and RDP tunneling into internal systems. HackersEye notes that the TTPs resemble Cisco Talos reporting on LilacSquid, but presents the attribution as similarity-based rather than definitive.
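The network and file indicators listed below are the kind of thing a responder would sweep firewall-host logs and on-disk binaries for after reading a report like this. The script below is an added example, not code from the HackersEye post: it matches the published domains, IPs and the one complete MD5 against constructed log lines, and applies an assumed string heuristic (MeshAgent's own name and `.msh`-style config keys such as `MeshServer=`) to an ELF blob. The log lines, the fake ELF and the marker strings are this example's assumptions; the page's YARA rules are not reproduced here, and the hashes the page shows truncated are left out because a prefix cannot be matched reliably.

```python
"""Sweep logs and binaries for the CheckMesh IOCs (added example, not the post's code)."""
import hashlib
import re
from typing import Dict, List, Optional

# Network and file IOCs exactly as published on the page.
IOC_DOMAINS = {"gupdate.net", "api.gupdate.net"}
IOC_IPV4 = {"51.16.51.81", "78.141.238.182"}
IOC_MD5 = {"277e376f8e521b5127d45da965a5a43d"}  # the only untruncated hash on the page

# Assumed heuristic markers for a MeshAgent ELF with an embedded .msh-style config.
# These are this example's choice, not the page's YARA rules.
MESHAGENT_MARKERS = [b"MeshAgent", b"MeshServer=", b"MeshID=", b"ServerID="]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I
)

# Constructed sample lines in a syslog-like shape; not real GAIA output.
SAMPLE_LOGS = [
    "Jul  9 10:12:01 fw1 sshd[2231]: Accepted password for admin from 10.0.5.17 port 51422 ssh2",
    "Jul  9 10:14:33 fw1 dns: client 10.0.5.17 query api.gupdate.net IN A",
    "Jul  9 10:14:34 fw1 kernel: OUT src=10.0.0.1 dst=78.141.238.182 dport=443 proto=TCP",
    "Jul  9 10:20:10 fw1 sshd[2240]: Accepted publickey for admin from 10.0.5.18 port 51500 ssh2",
]

# Constructed ELF-looking blob carrying an assumed MeshAgent config fragment.
FAKE_ELF = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"MeshAgent\x00MeshServer=wss://api.gupdate.net/agent.ashx\x00"
)


def domain_hit(host: str) -> Optional[str]:
    """Return the most specific IOC domain that `host` equals or is a subdomain of."""
    h = host.lower().rstrip(".")
    matches = [d for d in IOC_DOMAINS if h == d or h.endswith("." + d)]
    return max(matches, key=len) if matches else None


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every line that mentions an IOC IPv4 address or IOC domain."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPV4:
                hits.append({"line": n, "type": "ipv4", "value": ip})
        for host in HOST_RE.findall(line):
            if domain_hit(host):  # dotted IPs also match HOST_RE but never a domain
                hits.append({"line": n, "type": "domain", "value": host})
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def inspect_binary(data: bytes) -> Dict[str, object]:
    """Hash-match a file against the page's MD5 and look for MeshAgent markers."""
    return {
        "is_elf": data[:4] == b"\x7fELF",
        "md5_ioc_match": md5_hex(data) in IOC_MD5,
        "meshagent_markers": [m.decode() for m in MESHAGENT_MARKERS if m in data],
    }


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} IOC {hit['value']}")
    print(inspect_binary(FAKE_ELF))
```

On a real host, feed `scan_log_lines` the firewall's syslog and DNS/proxy exports and run `inspect_binary` over files under the paths the implant could write to; a marker hit without a hash match is a lead for manual triage, not a confirmed detection.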

Indicators of Compromise

Type    Value                               First Seen   Last Seen
YARA    MeshAgent_Config                    2024-07-09   2024-07-09
YARA    MeshAgent_ELF                       2024-07-09   2024-07-09
HASH    1134af27bea8518c62444a56f4bd4bc…    2024-07-09   2024-07-09
HASH    3840acb15880f6cb0a77347d4a3893c…    2024-07-09   2024-07-09
HASH    277e376f8e521b5127d45da965a5a43d    2024-07-09   2024-07-09
HASH    b1b15e09ea98228203e110456d51432…    2024-07-09   2024-07-09
DOMAIN  gupdate.net                         2024-07-09   2024-07-09
DOMAIN  api.gupdate.net                     2024-07-09   2024-07-09
IPv4    51.16.51.81                         2024-07-09   2024-07-09
IPv4    78.141.238.182                      2024-07-09   2024-07-09

Four of the hash values are shown truncated (…) on this page; only the 32-character value is a complete MD5 usable for exact matching.
