RATANKBA: Delving into Large-scale Watering Holes against Enterprises

2017-02-27 Trend Micro

https://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/

RATANKBA appeared in a large watering-hole campaign that compromised legitimate websites visited by banks and other enterprises; affected organizations spanned financial services, telecoms, IT, insurance, aviation, and education across multiple regions. Injected JavaScript fingerprinted browsers and plugins, then directed selected victims to exploit-hosting infrastructure using Flash, Silverlight, and other payload stages. Once on a host, RATANKBA surveyed it for running tasks, domain data, shares, users, internet connectivity, and specific IP ranges, while HKTL_NBTSCAN-like tooling collected NetBIOS information and supported brute-force lateral movement over network shares. The campaign used multiple C2 servers, with some compromised websites serving as proxies, and delivered final payloads including banking malware and backdoors. Trend Micro noted that the code and techniques resembled Lazarus activity but treated the attribution as uncertain; the use of awkward Russian command strings was assessed as likely false-flag behavior intended to confuse attribution.
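The host survey described above (tasks, domain data, shares, users, connectivity, NetBIOS) is a detectable pattern: a single host hitting several of those reconnaissance categories within minutes. The following added example, which is not Trend Micro's code and uses constructed process-creation log lines and assumed Windows built-in command names (the report gives no specific strings), flags hosts whose events cover enough distinct categories inside a short window.

```python
"""Detection sketch (added example, not from the report): flag hosts whose
process events span several RATANKBA-style survey categories in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Category -> regex over the command line. The command names are common
# Windows built-ins assumed for illustration; the page lists only the categories.
SURVEY_PATTERNS = {
    "tasks":        re.compile(r"\btasklist\b", re.I),
    "domain":       re.compile(r"\bnet\s+(view|group)\b|\bnltest\b", re.I),
    "shares":       re.compile(r"\bnet\s+share\b", re.I),
    "users":        re.compile(r"\bnet\s+user\b|\bwhoami\b", re.I),
    "connectivity": re.compile(r"\bping\b|\bnslookup\b", re.I),
    "netbios":      re.compile(r"\bnbtscan\b|\bnbtstat\b", re.I),
}

def parse_event(line):
    """Parse 'ISO-timestamp<TAB>host<TAB>command line' (constructed log format)."""
    ts, host, cmd = line.rstrip("\n").split("\t", 2)
    return datetime.fromisoformat(ts), host, cmd

def find_survey_hosts(lines, window_minutes=10, min_categories=4):
    """Return {host: sorted categories} for hosts hitting >= min_categories in a window."""
    per_host = defaultdict(list)          # host -> [(timestamp, category)]
    for line in lines:
        ts, host, cmd = parse_event(line)
        for cat, rx in SURVEY_PATTERNS.items():
            if rx.search(cmd):
                per_host[host].append((ts, cat))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for host, events in per_host.items():
        events.sort()                     # sliding window over time-ordered events
        for i, (start, _) in enumerate(events):
            cats = {c for t, c in events[i:] if t - start <= window}
            if len(cats) >= min_categories:
                hits[host] = sorted(cats)
                break
    return hits

# Constructed sample: WS-07 shows a discovery burst; WS-02 runs one benign ping.
SAMPLE_LOG = [
    "2017-02-01T09:00:05\tWS-07\ttasklist /v",
    "2017-02-01T09:00:09\tWS-07\tnet view /domain",
    "2017-02-01T09:00:12\tWS-07\tnet share",
    "2017-02-01T09:00:20\tWS-07\tnet user /domain",
    "2017-02-01T09:03:40\tWS-07\tnbtscan 10.0.0.0/24",
    "2017-02-01T09:30:00\tWS-02\tping -n 4 fileserver",
]
```

Tune `window_minutes` and `min_categories` against baseline admin activity; a single `net user` or `ping` from a workstation is normal, the clustered set is not.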
