So far, we haven’t been able to trace back to the initial compromise vector in the campaigns seen in our telemetry.
They hypothesize that attaching a compromised USB drive to an air gapped system is to blame. That seems to be a well known vector at this point. Does it matter much what tool is used to copy data once it’s in?