Often masquerades as legitimate system processes or uses randomized strings.
It creates scheduled tasks or registry keys to ensure it runs every time the system starts.
Threat actors capitalize on the high search volume for free versions of popular software.