- The lure: a fake WeChat or Miro installer
- The delivery: a typo-squatted domain, mlcrosoft[.]co[.]com
- The execution: dressed up as an Apple XProtectRemediator security update
- The persistence: a fake Google Software Update directory, beaconing every 60 seconds
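
A defensive check for the delivery stage above, as an added example that is not part of the original page: it flags lookalike domains such as mlcrosoft[.]co[.]com in DNS or proxy logs by folding visually confusable characters to one form. The brand watchlist, allowlist, confusable table and sample queries are assumptions constructed for illustration.

```python
# Assumption: brands to watch, each with its genuine (allowlisted) domains.
BRANDS = {
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "apple": {"apple.com"},
}

# Visually confusable sequences folded to one canonical form (assumed table,
# not exhaustive). Multi-character pairs are folded first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l")]

def refang(domain):
    """Undo common defanging so indicators copied from reports compare cleanly."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")

def skeleton(label):
    """Fold confusable characters so 'mlcrosoft' and 'microsoft' collide."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

BRAND_SKELETONS = {skeleton(brand): brand for brand in BRANDS}

def lookalike_of(domain):
    """Return the impersonated brand name, or None if nothing matches."""
    name = refang(domain)
    for legit in BRANDS.values():
        if any(name == d or name.endswith("." + d) for d in legit):
            return None  # genuine brand domain or one of its subdomains
    # Check every label: the brand can sit left of a multi-part suffix
    # (co.com here), where taking "the second-level label" would yield "co".
    for label in name.split("."):
        brand = BRAND_SKELETONS.get(skeleton(label))
        if brand:  # also catches the exact brand label on a non-brand domain
            return brand
    return None

def scan(queries):
    """Return (queried_name, brand) for each query that looks like a brand."""
    hits = [(q, lookalike_of(q)) for q in queries]
    return [(q, brand) for q, brand in hits if brand]

# Constructed sample queries; only the first value appears on the page.
SAMPLE_QUERIES = ["mlcrosoft[.]co[.]com", "login.microsoft.com",
                  "rnicr0soft.example", "updates.example.org"]

if __name__ == "__main__":
    for queried, brand in scan(SAMPLE_QUERIES):
        print(f"lookalike of {brand}: {queried}")
```

Genuine regional domains that are missing from the allowlist will be flagged, so the allowlist needs to reflect the domains your organisation actually uses.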