Lazarus Group's infrastructure reuse leads to discovery of new malware

2023-08-24 Cisco Talos

https://blog.talosintelligence.com/lazarus-collectionrat/


Talos links Lazarus Group activity exploiting CVE-2022-47966 in ManageEngine ServiceDesk to the deployment of CollectionRAT, alongside QuiteRAT and other tools hosted on reused infrastructure. CollectionRAT is a Windows RAT that fingerprints infected systems, communicates with command-and-control servers, and supports arbitrary command execution, file operations, process creation, payload deployment, and self-removal. The report connects CollectionRAT to Jupiter/EarlyRAT through a shared code-signing certificate, while noting that Kaspersky has associated EarlyRAT with Andariel, a subgroup under the Lazarus umbrella. Lazarus also used the open-source DeimosC2 framework as an ELF implant on Linux endpoints and malicious Plink binaries for reverse tunneling, showing a shift toward open-source and dual-use tooling both during initial access and in post-compromise operations.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   db6a9934570fa98a93a979e7e0e218e…   2023-08-24   2024-12-27
HASH   ed8ec7a8dd089019cfd29143f008fa0…   2023-08-24   2024-07-25
HASH   05e9fe8e9e693cb073ba82096c29114…   2023-08-24   2024-07-25
HASH   773760fd71d52457ba53a314f15dddb…   2023-08-24   2024-07-25
HASH   e3027062e602c5d1812c039739e2f93…   2023-08-24   2024-07-25
IPv4   108.61.186.55                      2023-08-24   2023-09-22
IPv4   146.4.21.94                        2022-09-08   2023-09-22
IPv4   109.248.150.13                     2022-09-08   2023-09-22

Related Actors

First seen: Jul 2017
Last seen: May 2026
