Targets browser extensions like MetaMask or desktop wallets (e.g., Atomic, Exodus).
Steals saved passwords, auto-fill data, and credit card info from Google Chrome, Microsoft Edge, and Mozilla Firefox. File: hdx-home-beta-windows.zip ...
The malware connects to a remote server (C2) to upload the stolen data. These servers are often hosted on obfuscated IP addresses or use Telegram bots as a backend for data exfiltration. If you are investigating a machine for this file, look for:
Change all passwords from a different, clean device, focusing first on email and financial accounts.
Use a reputable tool like Malwarebytes or Microsoft Defender Offline.
It checks for the presence of debuggers, sandboxes, or virtual machines (VMs). If detected, it may terminate to avoid analysis.

B. Data Harvesting (Infostealing)

The malware scans the local system for:
Upon extraction and execution of the contents within the ZIP file, the following stages typically occur: