Operation North Star
2020-11-05 • McAfee
McAfee ATR expanded its Operation North Star analysis by examining the campaign's command-and-control backend, showing how the operators selected and assessed victims before deciding whether to continue exploitation. The campaign used LinkedIn conversations, tailored defense-contractor job lures, spearphishing emails, and DOTM template injection to reach specific defense-sector targets connected to Australia, India, Israel, Russia, and South Korea. The first-stage implant collected host and user details; campaign logic then determined whether to deploy Torisma, a previously undocumented second-stage implant used for monitoring, shellcode execution, and payload actions tied to the victim's profile and observed events. Compromised legitimate domains in the United States and Italy hosted the C2 services, helping the operators blend into trusted web traffic. McAfee noted code overlap with a 2019 Hidden Cobra campaign but did not independently attribute Operation North Star, so the report's main value lies in its visibility into selective espionage targeting and infrastructure-driven victim triage.