Threat actors believed to be Russian state-sponsored attacked a software company in Ukraine with a slightly modified version of the open-source GoMet backdoor.
For persistence, the malware either ran a cron job every two seconds to confirm its connection to the command-and-control (C2) server or replaced an existing autorun executable with the malware.
The malicious software also opened a blank CMD process and executed the “systeminfo” command to gather data about the system.
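A fixed two-second check like the one described above leaves an unusually regular trail when each check produces a logged connection attempt. The following is an added detection sketch, not code from the original report or from GoMet: it flags host and destination pairs with long runs of roughly two-second gaps. The log tuple layout, function names, thresholds, and sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (epoch_seconds, source_host, destination).
# Addresses come from documentation ranges; none are taken from the report.
SAMPLE_EVENTS = (
    # ws-17 contacts one destination every ~2 s with slight jitter
    [(1000.0 + 2.0 * i + (0.05 if i % 3 == 0 else 0.0), "ws-17", "203.0.113.10:443")
     for i in range(30)]
    # ws-17 irregular traffic to another destination
    + [(1000.0 + t, "ws-17", "198.51.100.7:443") for t in (0, 41, 44, 130, 131, 300)]
    # ws-22 regular but slow (60 s) traffic, outside the interval of interest
    + [(1000.0 + 60.0 * i, "ws-22", "203.0.113.10:443") for i in range(10)]
)

def longest_periodic_run(timestamps, interval, tolerance):
    """Longest run of consecutive gaps that fall within tolerance of interval."""
    ordered = sorted(timestamps)
    best = current = 0
    for earlier, later in zip(ordered, ordered[1:]):
        if abs((later - earlier) - interval) <= tolerance:
            current += 1
            best = max(best, current)
        else:
            current = 0  # an off-interval gap breaks the run
    return best

def find_periodic_checkins(events, interval=2.0, tolerance=0.25, min_run=20):
    """Return {(host, destination): run_length} for pairs with a long periodic run."""
    by_pair = defaultdict(list)
    for ts, host, dest in events:
        by_pair[(host, dest)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        run = longest_periodic_run(stamps, interval, tolerance)
        if run >= min_run:
            hits[pair] = run
    return hits

if __name__ == "__main__":
    for (host, dest), run in find_periodic_checkins(SAMPLE_EVENTS).items():
        print(f"{host} -> {dest}: {run} consecutive ~2 s gaps")
```

Requiring a long unbroken run rather than a few matching gaps keeps bursty but legitimate traffic from matching; the tolerance and minimum run length need tuning against the baseline of the monitored environment.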