Damballa discovers new toolset linked to Destover: attackers' arsenal helps them to broaden attack surface.

Destover and setMFT are linked by the lengthy license key for the Eldos driver, which Destover uses to gain direct access to disk. The utilities would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface. Both utilities had usage statements and were named setMft and afset. Timestomping is used to copy the timestamp settings from a source file on disk to a destination file.
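A defender-side check that follows from the copy behaviour described above, as an added example that is not from the original article or from Damballa: because the destination file inherits the source file's timestamps, two unrelated files end up sharing identical values at full resolution. The record layout, the sample paths and FILETIME values, and the choice to match on the whole created/modified/accessed triple are assumptions made for illustration.

```python
import ntpath
from collections import defaultdict

FIELDS = ("created", "modified", "accessed")

# Constructed sample inventory (not from the article). Timestamps are Windows
# FILETIME values: 100-ns ticks since 1601-01-01, as a file-listing tool might export.
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\System32\notepad.exe",
     "created": 130500000012345678, "modified": 130400000087654321,
     "accessed": 130500000012345678},
    {"path": r"C:\Users\Public\svc_update.exe",  # carries notepad.exe's timestamps
     "created": 130500000012345678, "modified": 130400000087654321,
     "accessed": 130500000012345678},
    {"path": r"C:\Windows\System32\calc.exe",
     "created": 130500000019999999, "modified": 130400000081111111,
     "accessed": 130500000019999999},
    {"path": r"C:\Users\Public\readme.txt",
     "created": 130900000055555555, "modified": 130900000066666666,
     "accessed": 130900000077777777},
]


def find_timestamp_clones(records, fields=FIELDS):
    """Return groups of files whose timestamps match exactly on every field.

    A copied timestamp set matches its source down to the last 100-ns tick,
    which is unlikely for files written independently.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[f] for f in fields)].append(rec["path"])

    findings = []
    for stamps, paths in groups.items():
        if len(paths) < 2:
            continue
        # Clones that sit in different directories deserve a closer look first.
        dirs = {ntpath.dirname(p).lower() for p in paths}
        findings.append({
            "paths": sorted(paths),
            "timestamps": dict(zip(fields, stamps)),
            "cross_directory": len(dirs) > 1,
        })
    return sorted(findings, key=lambda f: f["paths"])


if __name__ == "__main__":
    for finding in find_timestamp_clones(SAMPLE_RECORDS):
        print(finding)
```

Backup and deployment tools that preserve timestamps also produce matching sets, so a hit is a lead for review rather than proof of tampering.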

