Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign