Iranian hackers installed crypto miner on federal agency’s network after exploiting unpatched Log4Shell vulnerability on the VMWare Horizon server to gain access. The threat actors moved laterally to the domain controller, compromised credentials and implanted reverse proxies on several hosts to maintain persistence.