DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE

2019-12-11 Cybereason

https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

Cybereason reported targeted campaigns against financial, manufacturing, and retail organizations in the United States and Europe that began with phishing and a TrickBot infection before progressing into interactive intrusion activity. The phishing lure used a Google Docs link to deliver a signed TrickBot downloader disguised as a Microsoft Word document whose filename resembled an annual bonus report; the downloader then injected TrickBot into svchost.exe. The attackers profiled infected hosts, contacted C2 infrastructure including TOR-related domains, stole browser and application credentials, and used built-in Windows utilities and PowerShell for reconnaissance and lateral movement. On selected high-value targets, they deployed Anchor_DNS and a newly documented Anchor variant, backdoors described as tightly connected to TrickBot and used selectively. The excerpt does not provide DPRK attribution, so the supported finding is a TrickBot/Anchor intrusion pattern whose potential outcomes include POS compromise, ransomware, or theft of sensitive financial data.

Indicators of Compromise

