> CISA's own joint advisory confirmed that Volt Typhoon actors maintained access inside some victim environments for at least five years, using living-off-the-land techniques that make them nearly invisible to traditional security tools.
According to CISA's joint advisory (AA24-038A), here's specifically how they stayed inside for 5 years:
- **Valid credentials and stolen accounts.** They repeatedly dumped NTDS.dit (the Active Directory database) from domain controllers to harvest every credential in the environment. In one confirmed case they extracted NTDS.dit from three domain controllers over a four-year period. They kept coming back to re-dump so they always had current, valid passwords.
- **Only operated during normal business hours.** They studied the victim's work patterns and only used compromised credentials when legitimate admins would be active, so authentication logs looked normal.
- **Targeted log deletion.** They deleted specific logs to cover their tracks.
- **Routed traffic through compromised SOHO routers.** Fortinet, Cisco RV320, Netgear, and other end-of-life home/small-office routers. This made their traffic appear to originate from legitimate residential IPs, not foreign infrastructure.
- **Zero malware.** Literally none. They used only wmic, ntdsutil, netsh, PowerShell, cmd.exe, certutil, ldifde, net, and other native Windows tools. Nothing for an EDR to signature-match against.
- **Minimal activity between credential dumps.** They got in, dumped creds, did light recon, then went silent. They weren't exfiltrating data. They were pre-positioning for future disruption. That silence is what made them invisible.
What are these living-off-the-land techniques?
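As an added defender-side example (my own code, not from the post or from the CISA advisory), here is a small detector that looks for the native-tool behaviours the post lists (ntdsutil producing an NTDS.dit copy, wmic touching shadow copies, ldifde exporting the directory, and the Security/System log being cleared) over constructed Sysmon-style telemetry. The log format, the rule names and every sample line are assumptions made for the example; it also tags each hit with whether it fell inside business hours, to show why a time-of-day filter alone would not have surfaced this activity.

```python
"""Added example (not from the post or the CISA advisory): a small detector for
living-off-the-land activity over constructed Windows telemetry.

Rule names, the log format and every sample line below are assumptions made
for this example, not identifiers from the advisory.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Callable

# Constructed sample telemetry: Sysmon-style process-creation records plus one
# audit-log-cleared event, pipe-delimited as
#   timestamp|host|user|event|image|detail
SAMPLE_EVENTS = r"""
2023-03-14T09:58:12|DC01|CORP\adm.jsmith|ProcessCreate|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2023-03-14T10:12:07|DC01|CORP\adm.jsmith|ProcessCreate|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\ad"
2023-03-14T10:13:40|DC01|CORP\adm.jsmith|ProcessCreate|C:\Windows\System32\wbem\wmic.exe|wmic shadowcopy list brief
2023-03-14T10:15:22|DC01|CORP\adm.jsmith|ProcessCreate|C:\Windows\System32\ldifde.exe|ldifde -f C:\Windows\Temp\users.ldf
2023-03-14T10:20:55|DC01|CORP\adm.jsmith|LogCleared|Security|EventID=1102
2023-03-15T02:31:00|FS02|CORP\svc_backup|ProcessCreate|C:\Windows\System32\wbem\wmic.exe|wmic os get lastbootuptime
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str      # "ProcessCreate" or "LogCleared"
    image: str     # executable path, or log channel for LogCleared
    detail: str    # command line, or "EventID=<n>" for LogCleared


def parse_line(line: str) -> Event:
    ts, host, user, kind, image, detail = line.split("|", 5)
    return Event(datetime.fromisoformat(ts), host, user, kind, image, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def during_business_hours(ts: datetime, start: int = 8, end: int = 18) -> bool:
    """Weekday and between start/end hour (local time of the constructed log)."""
    return ts.weekday() < 5 and start <= ts.hour < end


def _proc(e: Event, exe: str, *needles: str) -> bool:
    """Process-creation event for the given native binary whose command line
    contains every needle (case-insensitive)."""
    cmd = e.detail.lower()
    return (e.kind == "ProcessCreate" and basename(e.image) == exe
            and all(n in cmd for n in needles))


# Each rule matches one native-tool behaviour named in the post.
RULES: list[tuple[str, Callable[[Event], bool]]] = [
    # ntdsutil building an Install-From-Media set = offline copy of NTDS.dit.
    ("ntds_dump_via_ntdsutil", lambda e: _proc(e, "ntdsutil.exe", "ifm", "create full")),
    # wmic touching volume shadow copies (another route to a locked NTDS.dit).
    ("shadow_copy_via_wmic", lambda e: _proc(e, "wmic.exe", "shadowcopy")),
    # ldifde writing an LDIF export of directory objects to disk.
    ("ad_export_via_ldifde", lambda e: _proc(e, "ldifde.exe", "-f ")),
    # Security log cleared (EventID 1102) or System log cleared (EventID 104).
    ("audit_log_cleared", lambda e: e.kind == "LogCleared"
                                     and e.detail in ("EventID=1102", "EventID=104")),
]


def scan(text: str) -> list[dict]:
    """Run every rule over every event; return one hit per (event, rule)."""
    hits = []
    for line in text.strip().splitlines():
        e = parse_line(line)
        for name, pred in RULES:
            if pred(e):
                hits.append({"rule": name, "ts": e.ts.isoformat(), "host": e.host,
                             "user": e.user, "business_hours": during_business_hours(e.ts)})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(h)
```

Run on the constructed sample it returns four hits, all on DC01 and all inside business hours, while the 02:31 `wmic os get` on the file server is left alone; an "alert on after-hours admin activity" rule would have surfaced none of the four. The ntdsutil and ldifde patterns are also used by legitimate administrators (IFM media for DC promotion, scripted directory exports), so in a real deployment they need a baseline of which accounts and hosts are expected to run them rather than an unconditional alert.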