Analysis of an Organizational Intrusion Ransom Incident Using Dtrack

2020-11-27 Macnica Analysis of organizational intrusion ransom incidents using Dtrack

https://security.macnica.co.jp/blog/2020/11/dtrack.html


Macnica analyzed a ransomware intrusion at an overseas site of a Japanese company in which attackers encrypted dozens of servers and their backups after gaining domain administrator access. The initial compromise exploited CVE-2020-10189 in an internet-exposed Zoho ManageEngine Desktop Central server to install Cobalt Strike; investigators then found msupdate.exe, identified as Lazarus-linked Dtrack, which had been downloaded through BITS on the same server. The attackers went on to use RDP, PowerShell stagers, domain controller access, and Jetico BestCrypt to encrypt server volumes within five days. Macnica noted that the early tradecraft resembled published APT41 reporting, but that the Dtrack discovery meant Lazarus involvement had to be considered, while stopping short of firm attribution.

Indicators of Compromise

