Hancitor, a commodity malware downloader, continues to be an active threat to the average user and enterprise network. During the primary 2017 campaigns of the hancitor downloader, a particular focus was placed on attempting to track and monitor the operations behind the actor and malware deployment. This includes tracking the hancitor delivery approach, victim details, and potential leads of attribution with the help of OPSEC negligence. In this talk, we will discuss and share the findings of the research with the community in an effort to facilitate collaboration. Specifically we will review shifts in tooling, an understanding of the attacker approach, infrastructure, in addition to providing recommendations for limiting attacker benefit via public exposure of analyst findings.