Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945
Essential information
- Published
- 17/04/2026 18:32
- Modified
- 20/04/2026 11:22
- Tags
- 2026-04-17 CVE-2019-0708 CVE-2020-14871 anti-forensics evilsun financial sector lemonstick logbleach managed service providers oksolo openshackle oracle solaris pam backdoor pupyrat rollcoast slapstick ssh tunneling steelcorgi tinyshell unc1945 virtual machines
- Related entities
- 2 vulnerabilities (cve), 5 observables, 1 intrusion sets (apt), 20 techniques (mitre), 10 malware, 1 others
Description
UNC1945 compromised managed service providers and used that third-party network access to target organizations in the financial and professional consulting industries. The actor operated across Oracle Solaris, Windows, and Linux systems and brought its own tooling: custom virtual machines pre-loaded with post-exploitation tools were dropped onto compromised hosts (hence "bringing your own island") rather than relying only on what was already present on the target. Operations included exploiting CVE-2020-14871, at the time a zero-day in the Oracle Solaris Pluggable Authentication Module (PAM), and deploying multiple custom backdoors including SLAPSTICK (a Solaris PAM backdoor), LEMONSTICK, and STEELCORGI. The actor kept its access and traversed segmented networks using SSH tunneling and stolen credentials, while applying anti-forensics techniques to cover its tracks. With an observed dwell time of approximately 519 days, UNC1945 showed mature operational security: running entire virtual machines containing numerous exploitation tools, so that much of the tooling executed out of view of host-based process monitoring, modifying file timestamps, and selectively editing log files to evade detection.
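The anti-forensics behaviour above (timestamp modification and selective log editing; the LOGBLEACH tag refers to a utility that deletes log entries matching a filter) and the SSH tunneling are both things a responder can test for with simple consistency checks. The following Python sketch is an added illustration, not code from this page or from the UNC1945 report: it cross-checks sshd "Accepted" lines against an independent wtmp-style login record (a filter-based cleaner that strips one source address from one file leaves the other record disagreeing), flags log files whose mtime is older than the newest line they contain (a backdated mtime after editing), and picks out ssh client processes that set up port forwards. All log lines, records, file times and process entries are constructed sample data, and the record layout, the assumed year and the flag list are assumptions.

```python
"""Consistency checks for selectively cleaned Unix logs and for SSH tunnels.

Added illustration only: this is not code from the page above or from the
UNC1945 report. The log lines, wtmp-style records, file times and process
list below are constructed sample data, and the field layout is an assumption.
"""
import re
from datetime import datetime

YEAR = 2020  # syslog timestamps carry no year; assumed for the constructed sample

# Constructed auth.log excerpt: three accepted SSH logins on a jump host.
AUTH_LOG = """\
Mar 14 02:11:05 sol-jump sshd[4412]: Accepted publickey for oracle from 10.0.5.23 port 50212 ssh2
Mar 14 02:30:41 sol-jump sshd[4509]: Accepted password for admin from 192.0.2.77 port 41002 ssh2
Mar 14 03:02:17 sol-jump sshd[4601]: Accepted publickey for oracle from 10.0.5.23 port 50980 ssh2
"""

# Constructed wtmp-style login records (user, source, login time) for the same host.
# The 02:30 "admin" session from 192.0.2.77 has been cleaned out of this source.
WTMP = [
    ("oracle", "10.0.5.23", datetime(2020, 3, 14, 2, 11, 5)),
    ("oracle", "10.0.5.23", datetime(2020, 3, 14, 3, 2, 17)),
]

# Constructed (path, file mtime, timestamp of the newest line in the file).
LOG_FILE_STATS = [
    ("/var/log/auth.log", datetime(2020, 3, 13, 23, 59, 0), datetime(2020, 3, 14, 3, 2, 17)),
    ("/var/log/messages", datetime(2020, 3, 14, 3, 5, 0), datetime(2020, 3, 14, 3, 2, 17)),
]

# Constructed process list as (pid, argv), e.g. taken from `ps -eo pid,args`.
PROCESSES = [
    (4710, ["ssh", "-fN", "-R", "2222:127.0.0.1:22", "svc@203.0.113.9"]),
    (4801, ["ssh", "admin@10.0.0.5"]),
    (4412, ["sshd: oracle [priv]"]),
]

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (user, source_ip, login_time) for every sshd 'Accepted' line."""
    sessions = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            sessions.append((m["user"], m["ip"], ts))
    return sessions


def sessions_missing_from(primary, secondary, tolerance_s=5):
    """Sessions in `primary` with no (user, ip, time within tolerance) match in `secondary`.

    A tool that deletes only the lines mentioning one source address from one
    log leaves the other, independently written record disagreeing with it.
    """
    missing = []
    for user, ip, ts in primary:
        if not any(u == user and i == ip and abs((t - ts).total_seconds()) <= tolerance_s
                   for u, i, t in secondary):
            missing.append((user, ip, ts))
    return missing


def timestomp_candidates(stats):
    """Log files whose mtime is older than the newest entry they contain.

    A log cannot legitimately be modified before its last line was appended;
    backdating with touch(1) or utimes(2) after editing produces exactly that.
    """
    return [path for path, mtime, newest in stats if mtime < newest]


TUNNEL_FLAGS = ("-R", "-L", "-D", "-w")  # remote/local/dynamic forward, tun device


def ssh_tunnel_processes(processes):
    """Map pid -> sorted tunnel flags for ssh clients that set up a forward."""
    found = {}
    for pid, argv in processes:
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue
        # Accept both "-R 2222:..." and the attached form "-R2222:...".
        flags = sorted({a[:2] for a in argv[1:] if a[:2] in TUNNEL_FLAGS})
        if flags:
            found[pid] = flags
    return found


def run_checks():
    """Run all three checks over the constructed sample data."""
    auth_sessions = parse_auth_log(AUTH_LOG)
    return {
        "missing_from_wtmp": sessions_missing_from(auth_sessions, WTMP),
        "timestomp_candidates": timestomp_candidates(LOG_FILE_STATS),
        "tunnel_processes": ssh_tunnel_processes(PROCESSES),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

On the constructed data the first check reports the admin login from 192.0.2.77 that exists in auth.log but not in the wtmp-style record, the second flags /var/log/auth.log because its mtime predates its newest entry, and the third reports pid 4710 for its `-R` reverse forward. In a real investigation the wtmp side would be read with `last` or a utmp parser and the mtime from `stat`, and the same cross-source idea extends to journald versus syslog, or to host logs versus a network sensor's view of the session.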