The actors began the campaign by targeting mid-level to senior-level executives with spear phishing emails that contain malicious droppers that install the Mirage malware. The droppers are disguised as PDF attachments. If opened, then the dropper is deployed and an embedded PDF of a news story, relevant to the target, opens. The dropper contains a copy of the Mirage malware, which executes and copies itself into either C: Documents or C: Windows. The copy starts and the original closes. The new Mirage establishes persistence in the event of reboot by creating registry keys. The malware obfuscates its presence through the creation of one or more files named svchost.exe, ernel32.dll, thumb.db, csrss.exe, Reader_SL.exe, and MSN.exe. The malware profiles the system (MAC address, CPU speed, memory size, system name, and user name) and sends the information back to the command and control infrastructure via a HTTP request over ports 80, 443, and 8080. It can implement SSL for added security. The first variant of Mirage communicated via a HTTP POST request and it transferred information that was lightly encrypted by adding each character’s ASCII value to its offset from the start of the payload. The second variant of the malware communicated through HTTP GET requests and it encrypted data the same way as the former version except that the payload of the initial request is encapsulated in a Base64-encoded string. The Mirage toolkit consisted of a backdoor and a remote access trojan (RAT). At the time of its discovery in 2012, the command and control structure consisted of over 100 domains. By the end of 2012, the Mirage team campaign went dormant. However, some of its infrastructure reappeared in the 2015 Hellsing campaign.