A well-known attack group has compromised at least 13 telecommunications organizations since 2019, relying on custom toolsets and a novel C2 persistence method.