Walkthrough

Introduction

This lab simulates a multi-stage intrusion in which a corporate environment is compromised through a phishing campaign and a malicious Android application. The walkthrough follows each stage of the attack, beginning with the delivery of a trojanized APK built to harvest sensitive data from the victim's device. Once executed, the malware exfiltrates the collected information to an attacker-controlled server, giving the adversary the foothold needed to pivot toward the corporate network.

Using the stolen data, the threat actor establishes remote access via AnyDesk to a Windows workstation. From there, the activity includes file transfers, PowerShell-based C2 connections, and persistence through the creation of a malicious service. The investigation further reveals a second-stage payload injected into a legitimate Windows binary, blending the malicious activity into normal system operations. Analysis of the forensic artifacts and malware samples identifies Cobalt Strike Beacon as the command-and-control framework, illustrating how a well-known penetration testing tool is weaponized in real-world intrusions.

Participants are expected to apply digital forensics, malware analysis, and log correlation techniques to trace the adversary's actions, identify the compromised assets, and reconstruct the full attack chain from initial access through persistence and C2 communication.
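The log correlation the lab asks for can be sketched as a small script that runs over Windows event records and flags the three host-side stages named above: a process spawned under the AnyDesk session, PowerShell launched with a hidden window or an encoded command, and a new service installed from an untrusted path. This is an added example, not material from the lab or from BlueYard; the event records are constructed for illustration, the field names (`parent`, `image`, `cmdline`, `image_path`) are an assumed normalized schema rather than raw Windows XML, and the AnyDesk process name `AnyDesk.exe` and the "trusted" directory list are assumptions you would tune for your environment. Event ID 4688 (Security log, process creation) and 7045 (System log, service installed) are the standard Windows IDs.

```python
"""Added example: correlate constructed Windows events into the AnyDesk ->
PowerShell C2 -> malicious service chain. Not part of the lab material."""
import re
from collections import defaultdict

# Constructed sample records (assumed normalized schema, not raw Windows XML).
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01", "ts": "2024-03-01T09:12:03",
     "parent": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 4688, "host": "WS01", "ts": "2024-03-01T09:12:41",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 7045, "host": "WS01", "ts": "2024-03-01T09:15:10",
     "service": "WinUpdateSvc", "image_path": r"C:\Users\Public\update.exe",
     "account": "LocalSystem"},
    # Benign activity on a second host, to show the rules do not fire on it.
    {"id": 4688, "host": "WS02", "ts": "2024-03-01T09:13:00",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n"},
    {"id": 7045, "host": "WS02", "ts": "2024-03-01T09:14:00",
     "service": "Dnscache", "image_path": r"C:\Windows\System32\svchost.exe -k NetworkService",
     "account": "NT AUTHORITY\\NetworkService"},
]

REMOTE_TOOLS = {"anydesk.exe"}                       # assumption: AnyDesk binary name
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")  # assumption: tune per environment
# -enc / -encodedcommand / -e, or a hidden window style, on the PowerShell command line.
ENC_OR_HIDDEN = re.compile(r"-(?:enc|encodedcommand|e)\b|-w(?:indowstyle)?\s+hidden", re.I)

REMOTE_TOOL_CHILD = "remote_tool_spawned_process"
PS_HIDDEN_OR_ENCODED = "powershell_hidden_or_encoded"
UNTRUSTED_SERVICE = "service_from_untrusted_path"
FULL_CHAIN = {REMOTE_TOOL_CHILD, PS_HIDDEN_OR_ENCODED, UNTRUSTED_SERVICE}


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the detection tag for one event, or None if it looks benign."""
    if ev["id"] == 4688:
        if _basename(ev["parent"]) in REMOTE_TOOLS:
            return REMOTE_TOOL_CHILD
        if _basename(ev["image"]) == "powershell.exe" and ENC_OR_HIDDEN.search(ev["cmdline"]):
            return PS_HIDDEN_OR_ENCODED
    elif ev["id"] == 7045:
        # Service image paths may be quoted; strip quotes before the prefix check.
        path = ev["image_path"].strip('"').lower()
        if not path.startswith(TRUSTED_DIRS):
            return UNTRUSTED_SERVICE
    return None


def correlate(events):
    """Group tagged events per host, ordered by time: {host: [(ts, tag, detail), ...]}."""
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            detail = ev.get("cmdline") or ev.get("image_path")
            findings[ev["host"]].append((ev["ts"], tag, detail))
    return dict(findings)


def hosts_with_full_chain(findings):
    """Hosts on which every stage of the chain was observed."""
    return sorted(h for h, items in findings.items()
                  if FULL_CHAIN <= {tag for _, tag, _ in items})


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for host, items in found.items():
        for ts, tag, detail in items:
            print(f"{host} {ts} {tag}: {detail}")
    print("full chain on:", hosts_with_full_chain(found))
```

The per-event rules are deliberately narrow; the value is in the correlation step, which only escalates a host when the remote-access process, the suspicious PowerShell launch and the untrusted service all appear on it. In a real investigation the same structure applies to events pulled from the Security and System logs (or from Sysmon, with different field names).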
