Company:
Date Published:
Author: -
Word count: 2757
Language: English
Hacker News points: None

Summary

In a highly targeted intrusion against a German entity, an unattributed threat actor combined social engineering with a fake Falcon Crash Reporter installer to deploy Ciro, a custom Mythic C2 agent delivered and executed as LLVM Intermediate Representation (IR) bitcode. The intrusion began with a voice-phishing call in which the actor, posing as a member of the victim's internal IT staff, instructed the victim to download and run the installer. The installer would not proceed without a specific password, which was chosen to resemble the organization's legitimate domain naming patterns and so lend credibility to the pretext. Once run, the installer staged a multi-step chain: it placed shortcuts in the Startup folder for persistence and launched Java8Runtime.exe, a modified LLVM interpreter that executed the Ciro bitcode. The Ciro agent, likely written in C++, resolved API functions dynamically at run time and communicated with its command-and-control server using encrypted payloads over HTTP, reflecting deliberate operational security on the actor's part. CrowdStrike Intelligence assesses the attack as highly targeted and recommends verifying software sources, training users not to execute files from untrusted sources, and monitoring for suspicious LLVM interpreter activity.
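The two detection opportunities the summary names, a renamed LLVM interpreter executing bitcode and shortcut persistence in the Startup folder, can be checked mechanically. The following is an added example written for this page; it is not CrowdStrike's detection logic and not code from the article. It assumes a triage script that can read the first bytes of files referenced on a command line and that consumes process-creation and file-write events as plain dictionaries (the field names, sample paths and sample events are constructed for the example; only the name Java8Runtime.exe comes from the summary). It identifies bitcode by the two documented LLVM magic numbers, the raw bitstream magic "BC" 0xC0 0xDE and the wrapper magic 0x0B17C0DE, and raises an alert when a binary that is not a known LLVM tool executes such a file.

```python
"""Flag processes that execute LLVM bitcode under a misleading binary name,
and shortcuts dropped into a Startup folder.

Constructed example: the file headers and events below are made up for this
illustration, and the event field names are not any vendor's schema.
"""
import re
from typing import Dict, List

# LLVM bitcode magic numbers (from the LLVM bitcode file format documentation).
RAW_BITCODE_MAGIC = b"BC\xc0\xde"      # raw bitstream: 'B', 'C', 0xC0, 0xDE
WRAPPER_MAGIC = b"\xde\xc0\x17\x0b"    # wrapper header 0x0B17C0DE stored little-endian

# Binaries expected to consume bitcode. Assumption: tune this to your environment.
EXPECTED_LLVM_TOOLS = {"lli.exe", "llc.exe", "opt.exe", "clang.exe", "clang++.exe", "llvm-dis.exe"}

STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def is_llvm_bitcode(data: bytes) -> bool:
    """True if the bytes begin with either LLVM bitcode magic."""
    return data.startswith(RAW_BITCODE_MAGIC) or data.startswith(WRAPPER_MAGIC)


def split_command_line(cmd: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_bitcode_execution(event: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Return findings for one process-creation event.

    `files` maps a path to the first bytes of that file (what a triage script
    would read from disk); the lookup is case-insensitive like NTFS.
    """
    findings = []
    image = basename(event["image"])
    lookup = {p.lower(): head for p, head in files.items()}
    for tok in split_command_line(event["command_line"])[1:]:  # skip argv[0]
        head = lookup.get(tok.lower())
        if head is None or not is_llvm_bitcode(head):
            continue
        if image in EXPECTED_LLVM_TOOLS:
            findings.append(f"info: {image} ran bitcode {tok} (expected LLVM tool)")
        else:
            findings.append(f"alert: {image} executed LLVM bitcode {tok} but is not a known LLVM tool")
    return findings


def find_startup_persistence(event: Dict[str, str]) -> List[str]:
    """Flag shortcut (.lnk) files written into a user's Startup folder."""
    target = event.get("target_filename", "")
    if STARTUP_DIR_RE.search(target) and target.lower().endswith(".lnk"):
        return [f"alert: {basename(event['image'])} wrote Startup shortcut {target}"]
    return []


# Constructed sample data: file headers and events invented for this example.
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Roaming\runtime\app.bc": RAW_BITCODE_MAGIC + b"\x35\x14\x00\x00",
    r"C:\Users\alice\AppData\Roaming\runtime\config.dat": b"MZ\x90\x00",
}

SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\runtime\Java8Runtime.exe",
     "command_line": r'"C:\Users\alice\AppData\Roaming\runtime\Java8Runtime.exe" "C:\Users\alice\AppData\Roaming\runtime\app.bc"'},
    {"type": "process", "image": r"C:\LLVM\bin\lli.exe",
     "command_line": r"C:\LLVM\bin\lli.exe C:\Users\alice\AppData\Roaming\runtime\app.bc"},
    {"type": "file", "image": r"C:\Users\alice\Downloads\installer.exe",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtime.lnk"},
]


def run(events: List[Dict[str, str]], files: Dict[str, bytes]) -> List[str]:
    """Apply both rules to a batch of events and return the findings in order."""
    out: List[str] = []
    for ev in events:
        if ev["type"] == "process":
            out += find_bitcode_execution(ev, files)
        elif ev["type"] == "file":
            out += find_startup_persistence(ev)
    return out


if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS, SAMPLE_FILES):
        print(line)
```

Checking file content rather than the extension matters here: a bitcode file can carry any name, and the summary's Java8Runtime.exe shows that the interpreter itself can be renamed, so neither the argument's extension nor the image name is a reliable signal on its own. The allow-list of expected LLVM tools is deliberately an assumption; on a host that has no legitimate LLVM toolchain, treating any bitcode execution as an alert is the simpler and stricter choice.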