APT trends report Q2 2023
2023-07-27 • Kaspersky
Kaspersky's Q2 2023 APT trends report says the MATA cluster, previously attributed to Lazarus, targeted defense contractors in Eastern Europe from September 2022 through March 2023. The campaign used spear-phishing and multi-stage validators, abused security and anti-malware tools in victim environments, and delivered updated MATA components including a Linux backdoor and an implant designed to operate across air-gapped networks through USB media. Kaspersky says the rewritten MATA orchestrator changed encryption, configuration, and communication protocols, while MATAv5 added loadable and embedded modules and plugins. The actor also used Plink and the Rust-based bore tool to build tunnels between malicious infrastructure and victim servers.