Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
Apr 2, 2026, 10:00am CT
When a suspicious VBS file was blocked in a customer environment, LevelBlue’s MDR SOC team launched an investigation.
What appeared contained wasn’t.
That single alert led to the discovery of a broader malware campaign built on reusable infrastructure and multiple delivery paths, designed to persist beyond detection.
Deeper analysis from the LevelBlue SpiderLabs team revealed how attackers reused the same infrastructure to distribute different malware families, rotating delivery methods to evade controls. Block one path and another remains active, supported by open directories, staged payloads, and a modular execution flow.
In this technical threat briefing, our experts walk through the investigation from initial detection to full infrastructure mapping. Using real MDR findings, you’ll see how one alert exposed a larger campaign, and how to identify similar patterns earlier in your own environment.
Why attend?
Because investigating alerts in isolation leaves gaps. See how to connect the dots and uncover persistent threats earlier.
Key takeaways:
- How a single alert can point to a broader, multi-vector campaign
- Why attackers reuse infrastructure and rotate delivery paths
- Practical ways to investigate beyond the initial event
Speaker: Sean Shirley, Cyber Threat Intelligence Analyst