A sophisticated threat actor compromised a third-party IT services provider to abuse legitimate HPE Operations Agent infrastructure, enabling stealthy execution and discovery. The attackers established persistence and harvested credentials using malicious network provider and password filter DLLs on domain controllers, while utilizing web shells and ngrok tunnels to maintain long-term, undetected access.