Clasiopa: New Group Targets Materials Research

2023-02-23 Symantec

https://symantec-enterprise-blogs.security.com/threat-intelligence/clasiopa-materials-research

Symantec attributes intrusions against a materials research organization in Asia to a previously undocumented group it tracks as Clasiopa, while stating that there is no firm evidence of the group's origin or sponsor. The intrusions used a distinct toolset: the custom Atharvan RAT, modified variants of the Lilith RAT, the Thumbsender tool (which collects file names and exfiltrates them), a custom proxy tool, and additional backdoors and hacktools. Observed tradecraft included possible brute-force access to public-facing servers, attempts to stop Symantec Endpoint Protection, clearing of the Sysmon and Windows event logs, and a scheduled task named "network service" that was used to list files.

Atharvan itself creates the mutex "SAPTARISHI-ATHARVAN-101", communicates over hardcoded HTTP POST requests that carry a Host header of "update.microsoft.com", checks in with its C2 on a schedule, and contacts a hardcoded C2 address hosted on AWS in South Korea. The spoofed Host header is worth noting for hunting: since the real destination is an AWS address rather than Microsoft infrastructure, HTTP POST traffic whose Host header does not match the host actually contacted is a behavioral lead in proxy logs that does not depend on the specific C2 address. Together these give defenders concrete host- and network-based leads even though the report does not support confident attribution.
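The following is an added hunting example written for this summary; it is not code from Symantec or from the report. It runs the indicators and behaviors above (the "network service" scheduled task, event-log clearing, attempts to stop Symantec Endpoint Protection, the Atharvan mutex, and the spoofed Host header on HTTP POST traffic) over a handful of constructed, normalized log records. The record schema (fields such as event_id, task_name, cmdline, mutex, method, host_header, dst_host) is an assumption about what a SIEM would provide, the Windows event IDs used are standard Windows IDs rather than figures from the report, and the command-line patterns for stopping SEP and clearing logs are assumptions, since the report does not publish the exact commands used.

```python
"""Hunting checks for the Clasiopa tradecraft described above.

Added example, not Symantec's code. All records below are constructed
test data, not real telemetry. The field names are an assumed normalized
log schema; adapt them to your own SIEM.
"""
import re

# Indicators taken directly from the report.
ATHARVAN_MUTEX = "SAPTARISHI-ATHARVAN-101"
ATHARVAN_HOST_HEADER = "update.microsoft.com"
SUSPICIOUS_TASK_NAME = "network service"

# Standard Windows Security/System event IDs (not from the report):
# 1102 = Security log cleared, 104 = another event log cleared,
# 4698 = scheduled task created.
LOG_CLEAR_EVENT_IDS = {1102, 104}
TASK_CREATED_EVENT_ID = 4698

# Assumed command-line patterns: "smc.exe -stop" is the SEP client stop
# command; "net/sc stop <sep service>" covers service-control attempts.
SEP_STOP_RE = re.compile(
    r"(smc(\.exe)?\s+-stop|(net|sc)(\.exe)?\s+stop\s+\S*(sep|symantec)\S*)",
    re.IGNORECASE,
)
# wevtutil is the usual built-in used to clear Sysmon/Windows logs.
LOG_CLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+", re.IGNORECASE)


def _is_microsoft_host(host):
    """True if the contacted host is microsoft.com or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def hunt(records):
    """Return (finding, record) pairs for every record matching a check.

    A record may trigger more than one finding; findings are emitted in
    the order the checks appear below.
    """
    hits = []
    for r in records:
        eid = r.get("event_id")
        cmd = r.get("cmdline", "") or ""

        # Scheduled task with the name the report associates with file listing.
        if eid == TASK_CREATED_EVENT_ID and \
                (r.get("task_name", "") or "").strip().lower() == SUSPICIOUS_TASK_NAME:
            hits.append(("scheduled_task", r))

        # Evidence of event-log clearing: the log-cleared events themselves ...
        if eid in LOG_CLEAR_EVENT_IDS:
            hits.append(("log_cleared", r))
        # ... or the process command line that did the clearing.
        if LOG_CLEAR_RE.search(cmd):
            hits.append(("log_clear_command", r))

        # Attempt to stop Symantec Endpoint Protection.
        if SEP_STOP_RE.search(cmd):
            hits.append(("sep_stop_attempt", r))

        # Atharvan mutex seen by an EDR/Sysmon-style sensor.
        if r.get("mutex") == ATHARVAN_MUTEX:
            hits.append(("atharvan_mutex", r))

        # HTTP POST claiming to be Microsoft Update but sent somewhere else.
        if r.get("method") == "POST" and \
                (r.get("host_header", "") or "").lower() == ATHARVAN_HOST_HEADER and \
                not _is_microsoft_host(r.get("dst_host", "") or ""):
            hits.append(("host_header_mismatch", r))
    return hits


# Constructed sample records (IDs, IP 203.0.113.10 and task names are made up).
SAMPLE_RECORDS = [
    {"id": 1, "event_id": 4698, "task_name": "network service"},
    {"id": 2, "event_id": 1102},
    {"id": 3, "event_id": 1, "cmdline": "wevtutil.exe cl Microsoft-Windows-Sysmon/Operational"},
    {"id": 4, "event_id": 1, "cmdline": "smc.exe -stop"},
    {"id": 5, "mutex": "SAPTARISHI-ATHARVAN-101"},
    {"id": 6, "method": "POST", "host_header": "update.microsoft.com", "dst_host": "203.0.113.10"},
    {"id": 7, "method": "GET", "host_header": "update.microsoft.com", "dst_host": "update.microsoft.com"},
    {"id": 8, "event_id": 4698, "task_name": "Backup"},
]


def hunt_sample():
    """Run the checks over the constructed records; returns (finding, id) pairs."""
    return [(finding, r["id"]) for finding, r in hunt(SAMPLE_RECORDS)]


if __name__ == "__main__":
    for finding, rid in hunt_sample():
        print(f"record {rid}: {finding}")
```

Records 7 and 8 are benign controls: a GET to the genuine Microsoft host and an unrelated scheduled task produce no findings, while each of records 1 through 6 trips exactly one check. The Host-header check is the most durable of the six because it keys on behavior rather than on the C2 address, which the report notes is hardcoded and can change between samples.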

Indicators of Compromise

Type   Value                                 First Seen    Last Seen
HASH   8aa6612c95c7cef49709596da43a0f8…      2023-02-23    2024-07-25
HASH   38f0f2d658e09c57fc78698482f2f63…      2023-02-23    2024-07-25
HASH   c94c42177d4f9385b02684777a05966…      2023-02-23    2023-02-23
HASH   5b74b2176b8914b0c4e6215baab9e96…      2023-02-23    2023-02-23
HASH   8023b2c1ad92e6c5fec308cfafae371…      2023-02-23    2023-02-23
HASH   f93ddb2377e02b0673aac6d540a558f…      2023-02-23    2023-02-23
HASH   940ab006769745b19de5e927d344c4a…      2023-02-23    2023-02-23
HASH   1569074db4680a9da6687fb79d33160…      2023-02-23    2023-02-23
HASH   0550e1731a6aa2546683617bd333113…      2023-02-23    2023-02-23
HASH   3aae54592fe902be0ca1ab29afe5980…      2023-02-23    2023-02-23
HASH   95f76a95adcfdd91cb626278006c164…      2023-02-23    2023-02-23
