The attackers upload a malicious DLL as a User-Defined Function library, allowing them to execute commands and deploy the Ddostf malware. The malware collects system information and waits for commands to launch DDoS attacks.