Researchers at Kaspersky have identified numerous variants of spyware being deployed on systems at industrial enterprises to steal credentials. The threat actors use off-the-shelf spyware tools and keep each variant in use for only a short period, about 25 days on average; rotating variants this quickly helps them evade detection by defensive tooling. The commodity malware families observed in these attacks include AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, and Lokibot. The attackers also exfiltrate stolen data over SMTP to command-and-control (C2) servers that they operate. This is notable because HTTPS is by far the most common C2 channel for spyware campaigns; SMTP is a one-way channel that suits pure data theft, is simple to implement, and blends in with ordinary outbound mail traffic.
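One practical way to hunt for the SMTP exfiltration channel described above is to look for internal hosts that initiate SMTP sessions to external servers without being an approved mail relay, and to check whether several such hosts mail the same external server. The following Python is an added example, not code from the article or from Kaspersky's report. It assumes Zeek-style conn.log records (the sample lines below are constructed and use documentation IP ranges), RFC 1918 ranges as the definition of "internal", and a hypothetical allow-list `APPROVED_MAIL_RELAYS`; replace all three with values from your own environment.

```python
"""Hunt for SMTP-based exfiltration from hosts that have no business sending mail.

Added example, not part of the article or Kaspersky's report. Assumes Zeek-style
conn.log fields (constructed sample below), RFC 1918 internal ranges and a
hypothetical allow-list of legitimate mail relays.
"""
import ipaddress
from collections import defaultdict

# SMTP (25), SMTPS (465) and submission (587): the ports a spyware sample would
# use to mail stolen credentials to an attacker-controlled server.
SMTP_PORTS = {25, 465, 587}

# Hypothetical: the only internal hosts allowed to speak SMTP to the internet.
APPROVED_MAIL_RELAYS = {"10.0.0.25"}

# What counts as "internal" here; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CONN_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
               "proto", "service", "orig_bytes", "resp_bytes")

# Constructed sample of tab-separated conn.log lines (documentation IPs only).
SAMPLE_CONN_LOG = """\
1700000001.1\tC1\t10.0.0.25\t51000\t203.0.113.10\t25\ttcp\tsmtp\t4200\t800
1700000002.2\tC2\t10.0.1.17\t52011\t198.51.100.7\t587\ttcp\tsmtp\t9100\t300
1700000003.3\tC3\t10.0.1.17\t52012\t198.51.100.7\t587\ttcp\tsmtp\t8700\t290
1700000004.4\tC4\t10.0.1.40\t49200\t203.0.113.50\t443\ttcp\tssl\t1200\t30000
1700000005.5\tC5\t10.0.1.17\t52013\t10.0.0.25\t25\ttcp\tsmtp\t3000\t200
1700000006.6\tC6\t10.0.1.99\t60000\t198.51.100.7\t465\ttcp\t-\t15000\t100
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; skip comments and bad lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(CONN_FIELDS):
            continue  # malformed line: skip it rather than abort the hunt
        rec = dict(zip(CONN_FIELDS, fields))
        for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
            rec[key] = int(rec[key]) if rec[key] != "-" else 0
        records.append(rec)
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smtp_exfil(records, approved=APPROVED_MAIL_RELAYS):
    """Return {internal host: summary} for hosts that send SMTP to external servers.

    A host is flagged when it is internal, is not an approved relay, and initiates
    a connection on an SMTP port (or one Zeek labelled 'smtp') to an external IP.
    The byte counts are kept so the one-way nature of the channel is visible.
    """
    alerts = defaultdict(lambda: {"sessions": 0, "bytes_out": 0,
                                  "bytes_in": 0, "dsts": set()})
    for rec in records:
        src, dst = rec["orig_h"], rec["resp_h"]
        if not is_internal(src) or is_internal(dst):
            continue  # internal-to-internal mail and inbound traffic are out of scope
        if rec["resp_p"] not in SMTP_PORTS and rec["service"] != "smtp":
            continue
        if src in approved:
            continue
        summary = alerts[src]
        summary["sessions"] += 1
        summary["bytes_out"] += rec["orig_bytes"]
        summary["bytes_in"] += rec["resp_bytes"]
        summary["dsts"].add(dst)
    return dict(alerts)


def shared_destinations(alerts, min_hosts=2):
    """External SMTP servers reached by at least min_hosts flagged internal hosts.

    Several victims mailing the same server is a strong hint of a shared C2.
    """
    by_dst = defaultdict(set)
    for src, summary in alerts.items():
        for dst in summary["dsts"]:
            by_dst[dst].add(src)
    return {dst: hosts for dst, hosts in by_dst.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = find_smtp_exfil(parse_conn_log(SAMPLE_CONN_LOG))
    for host, s in sorted(found.items()):
        print(f"{host}: {s['sessions']} SMTP session(s) to {sorted(s['dsts'])}, "
              f"{s['bytes_out']} B out / {s['bytes_in']} B in")
    print("shared destinations:", shared_destinations(found))
```

In the constructed sample the approved relay 10.0.0.25 and the internal-to-internal session are ignored, while 10.0.1.17 and 10.0.1.99 are flagged and both turn out to mail 198.51.100.7. The heavily outbound byte ratio on the flagged sessions is what you would expect from a one-way exfiltration channel. Detection is the fallback: the stronger control is to block outbound 25/465/587 at the perimeter for everything except the approved relays, which removes the channel rather than just observing it.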
12 Essentials for a Successful SOC Partnership
As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security