Threat actors went to elaborate lengths to maintain operational security around second-stage payload activation, company says.