The actor, which Microsoft says is state sponsored, installed Chopper web shells to gain hands-on-keyboard access, conduct Active Directory reconnaissance and exfiltrate data.