Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched RCE flaw in Netwrix auditor as well as the Raspberry Robin worm.