Play Ransomware Attack Cases Detected by AhnLab EDR
2025-01-01 • AhnLab
AhnLab describes Play ransomware intrusion tradecraft and notes Palo Alto Unit 42 reporting that linked Play activity to Andariel through shared infrastructure, after Andariel had used Sliver and DTrack for information theft. The excerpt states that Play operators gain initial access through valid accounts or vulnerabilities in exposed services such as Exchange ProxyNotShell and FortiOS flaws, then perform discovery with NetScan, Nltest, AdFind, and BloodHound. Post-compromise activity includes privilege escalation supported by WinPEAS enumeration, credential theft with Mimikatz or LSASS memory dumps taken through Task Manager, command and control through Cobalt Strike and Empire, and remote access through AnyDesk, Plink, and other remote administration tools. The intrusion workflow also includes lateral movement with Cobalt Strike SMB beacons and PsExec, defense evasion (terminating or uninstalling security products) with tools such as Process Hacker, GMER, and IObit Uninstaller, and collection and exfiltration using WinRAR and WinSCP before encryption begins.
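The chain above (discovery, LSASS dump via Task Manager, PsExec, WinRAR staging) is what an EDR correlates into a single incident. As an added illustration, not AhnLab's detection logic or anything from the original post, the following Python script maps constructed process- and file-creation events to stages of that chain and raises an alert only when several distinct stages occur on one host inside a time window. The rule patterns, the stage names, the event schema and the sample telemetry are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed schema, not real AhnLab EDR output).
# Each record is a simplified process-creation or file-creation event.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T09:00:10", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /domain_trusts /all_trusts", "target": ""},
    {"ts": "2025-01-01T09:01:30", "host": "FS01", "type": "process",
     "image": r"C:\Users\Public\AdFind.exe",
     "cmdline": "AdFind.exe -f objectcategory=computer", "target": ""},
    # Task Manager writing an LSASS minidump: visible as a file event, not a process event.
    {"ts": "2025-01-01T09:05:02", "host": "FS01", "type": "file",
     "image": r"C:\Windows\System32\Taskmgr.exe", "cmdline": "",
     "target": r"C:\Users\admin\AppData\Local\Temp\lsass.DMP"},
    {"ts": "2025-01-01T09:40:00", "host": "FS01", "type": "process",
     "image": r"C:\Temp\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS02 -s cmd.exe", "target": ""},
    {"ts": "2025-01-01T10:02:15", "host": "FS01", "type": "process",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -r -hp C:\Temp\out.rar D:\Finance", "target": ""},
    # Benign admin noise on another host: one lone tool run must not alert.
    {"ts": "2025-01-01T11:00:00", "host": "WS07", "type": "process",
     "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dsgetdc:corp", "target": ""},
]

# Hypothetical rules: (stage, event type, pattern over image + cmdline + target).
RULES = [
    ("discovery", "process",
     re.compile(r"(nltest\.exe.*(/domain_trusts|/dclist)|adfind\.exe|netscan\.exe|sharphound|bloodhound)", re.I)),
    ("credential_access", "file", re.compile(r"taskmgr\.exe.*lsass.*\.dmp$", re.I)),
    ("credential_access", "process", re.compile(r"(mimikatz|procdump.*lsass)", re.I)),
    ("defense_evasion", "process", re.compile(r"(processhacker|gmer|iobit\s?uninstaller)", re.I)),
    ("lateral_movement", "process", re.compile(r"(psexec|psexesvc)", re.I)),
    ("collection_exfil", "process", re.compile(r"(winrar\.exe\s+a\b|rar\.exe\s+a\b|winscp)", re.I)),
]


def match_event(ev):
    """Return the chain stage a single event maps to, or None if it matches no rule."""
    text = " ".join(s for s in (ev["image"], ev["cmdline"], ev["target"]) if s)
    for stage, etype, pattern in RULES:
        if ev["type"] == etype and pattern.search(text):
            return stage
    return None


def correlate(events, window=timedelta(hours=4), min_stages=3):
    """Group matched events per host and flag hosts where at least `min_stages`
    distinct stages occur within `window` of some matched event.
    Returns {host: sorted list of observed stages}."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = match_event(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = sorted({h[1] for h in in_window})
            if len(stages) >= min_stages:
                alerts[host] = stages
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: Play-style chain with stages {', '.join(stages)}")
```

A single match (the `nltest /dsgetdc` on WS07) is deliberately not an alert; the signal is the combination of discovery, credential access, lateral movement and staging on one host in a short span, which is the same multi-stage view an EDR product uses to distinguish an intrusion from routine administration.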