Earth Estries exploited vulnerabilities in public-facing servers, such as CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN, and CVE-2022-3236 in Sophos Firewall, to gain initial access. They then used web shells like GHOSTSPIDER and SNAPPYBEE for persistence and command and control, allowing them to maintain long-term access to the victim’s network.