RDZFixer — Remote Desktop Services trojan being used to backdoor company networks
Kevin Beaumont
I actually think one of my clients got hit with this over the summer. I noticed the port number changed in the registry. It was the final straw that made me say, “There’s no way to know what other back doors they’ve installed.” So we nuked their entire environment.
Most of the utilities they were using were in Russian. Not sure if that’s the actual origin of the hack, but I’m guessing so. IP logs were worthless, of course, because of VPNs/previously hacked companies.