From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
Essential information
- Published: 29/09/2025 16:37
- Modified: 30/09/2025 08:46
- Tags: 2025-09-29, backconnect, brute ratel c4, cobalt strike, credential harvesting, data exfiltration, javascript, lateral movement, latrodectus
- Related entities: 1 intrusion set (APT), 25 techniques (MITRE), 4 malware
Description
A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence and lateral movement. They harvested credentials from multiple sources and exfiltrated data using Rclone. The intrusion lasted nearly two months with intermittent C2 connections, discovery, lateral movement, and data theft. Despite comprehensive access to critical infrastructure, no ransomware deployment was observed.