The Cranefly hacker group was spotted leveraging Microsoft IIS to deploy a previously undocumented dropper, named Danfuan, on security tools such as load balancers and SANS arrays. With new custom tools and evasive techniques, Cranefly is maintaining a foothold on compromised servers and focusing on stealthily gathering intelligence.