Users searching for "Citrix HDX for Home" or "Remote Desktop Beta" are directed to spoofed websites.

File: hdx-home-beta-windows.zip ...

Upon extraction and execution of the contents within the ZIP file, the following stages typically occur:

The executable often uses a "packer" to hide its actual code from basic antivirus scans. It checks for the presence of debuggers, sandboxes, or virtual machines (VMs). If detected, it may terminate to avoid analysis.

B. Data Harvesting (Infostealing)
The malware scans the local system for:
Steals Discord tokens and Telegram session files to bypass 2FA.

C. Command & Control (C2) Communication
Outbound connections to unknown IP addresses on ports like 80, 443, or specialized ports like 10044.

Check %AppData% or %LocalAppData% for randomly named folders containing .sqlite or .txt files (logs of stolen data).

6. Remediation Steps
If you have interacted with this file:
Disconnect: Take the machine offline immediately.
Use hardware keys or app-based authenticators for all sensitive accounts.
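The two host indicators above (random-named folders under %AppData%/%LocalAppData% holding .sqlite or .txt files, and established outbound connections to ports such as 10044) can be triaged with a short script. The following is an added example written for this page, not code from the advisory or from any vendor. The "random name" heuristic (alphanumeric, at least 8 characters, Shannon entropy of at least 3 bits per character) and the thresholds are assumptions chosen for the example; the directory tree and the `netstat -ano`-style output it parses are constructed sample data, not real telemetry.

```python
"""Host triage for the indicators in the advisory (added example, not from the advisory).

Check 1: filesystem  -- random-looking folder names under %AppData% / %LocalAppData%
                        that contain .sqlite or .txt files.
Check 2: network     -- established TCP connections to the ports named in the advisory,
                        parsed from `netstat -ano` style output.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

SUSPICIOUS_PORTS = {80, 443, 10044}   # ports named in the advisory
LOG_SUFFIXES = {".sqlite", ".txt"}    # file types the advisory says hold stolen data


def name_entropy(name: str) -> float:
    """Shannon entropy in bits per character; random strings score high."""
    if not name:
        return 0.0
    counts = Counter(name.lower())
    n = len(name)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Heuristic (an assumption of this example): long, alphanumeric-only,
    no separators, high entropy. Treat hits as candidates for review, not verdicts."""
    return (len(name) >= min_len
            and re.fullmatch(r"[A-Za-z0-9]+", name) is not None
            and name_entropy(name) >= min_entropy)


def scan_roots(roots):
    """Return [(dir_path, [log files])] for random-looking dirs holding .sqlite/.txt files."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for d in root.iterdir():
            if d.is_dir() and looks_random(d.name):
                logs = sorted(p.name for p in d.iterdir()
                              if p.is_file() and p.suffix.lower() in LOG_SUFFIXES)
                if logs:
                    hits.append((str(d), logs))
    return hits


def default_roots():
    """%AppData% and %LocalAppData% as resolved from the environment (Windows hosts)."""
    return [os.environ[v] for v in ("APPDATA", "LOCALAPPDATA") if v in os.environ]


# Constructed sample of `netstat -ano` output; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     203.0.113.45:10044     ESTABLISHED     4120
  TCP    192.168.1.20:49713     198.51.100.7:443       ESTABLISHED     2200
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    1340
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)", re.M)


def suspicious_connections(netstat_text: str, ports=SUSPICIOUS_PORTS):
    """Return [(remote_ip, remote_port, pid)] for established TCP sessions to the
    advisory's ports. 80/443 are noisy; filter the result against known-good
    destinations before acting on it."""
    out = []
    for m in NETSTAT_RE.finditer(netstat_text):
        _lip, _lport, rip, rport, pid = m.groups()
        if int(rport) in ports:
            out.append((rip, int(rport), int(pid)))
    return out


def build_sample_tree(base: Path) -> None:
    """Constructed %AppData%-like tree for the demo: one benign vendor folder,
    one random-named folder with stealer-style log files."""
    (base / "Microsoft" / "Windows").mkdir(parents=True)
    (base / "Microsoft" / "settings.txt").write_text("benign")
    bad = base / "Xk9qT2vLp3"            # constructed random-looking name
    bad.mkdir()
    (bad / "cookies.sqlite").write_bytes(b"")
    (bad / "passwords.txt").write_text("")
    (bad / "screenshot.png").write_bytes(b"")


def demo():
    """Run the filesystem check against the constructed tree and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scan_roots([base])


if __name__ == "__main__":
    print("sample tree hits:", demo())
    print("sample netstat hits:", suspicious_connections(SAMPLE_NETSTAT))
    print("live %AppData% scan:", scan_roots(default_roots()))
```

On a live Windows host, feed the real output of `netstat -ano` into `suspicious_connections` and review `scan_roots(default_roots())`; the entropy heuristic will occasionally flag legitimate vendor folders, so confirm each hit by inspecting the files it contains before treating the machine as compromised.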