Includes real-time screen recording, webcam access, audio monitoring, and keylogging.
Often delivered via phishing emails with malicious attachments (e.g., weaponized Excel files or PDFs).
Features a "clipper" module that monitors the system clipboard and replaces cryptocurrency wallet addresses with the attacker's own.
Exfiltrates browser credentials, cookies, Wi-Fi keys, and Discord/Telegram tokens.
Capable of launching Distributed Denial of Service attacks and functioning as basic ransomware by encrypting files.

Technical Analysis of the v3.1 Update
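
For the clipper module in the feature list above, a detection sketch added here (not from the original page or the malware's analysis): it scans clipboard-change events and flags a wallet-shaped value that is replaced by a different value of the same address family within a second. The event format, the address-shape regexes, the one-second threshold and the sample data are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Address shapes only, no checksum validation (assumption: shape is enough to triage).
ADDRESS_PATTERNS = {
    "btc-base58": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

class Swap(NamedTuple):
    kind: str
    copied: str
    replaced_by: str
    delay_s: float

def address_kind(text: str) -> Optional[str]:
    """Return the wallet-address family a clipboard string looks like, if any."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None

def find_swaps(events, max_delay_s=1.0):
    """Flag an address replaced by a different address of the same family
    faster than a person could plausibly copy a second one."""
    swaps = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        kind = address_kind(before)
        if kind is None or kind != address_kind(after):
            continue
        if before.strip() != after.strip() and 0 <= t1 - t0 <= max_delay_s:
            swaps.append(Swap(kind, before.strip(), after.strip(), round(t1 - t0, 3)))
    return swaps

# Constructed sample: (seconds, clipboard text) change events.
SAMPLE_EVENTS = [
    (10.00, "meeting notes for Tuesday"),
    (42.10, "0x" + "a1" * 20),      # user copies an ETH-shaped address
    (42.18, "0x" + "b2" * 20),      # rewritten 80 ms later: suspicious
    (90.00, "bc1q" + "q" * 38),     # user copies a bech32-shaped address
    (300.0, "bc1q" + "p" * 38),     # different address minutes later: normal
]

if __name__ == "__main__":
    for swap in find_swaps(SAMPLE_EVENTS):
        print(swap)
```
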
The v3.1 update focused heavily on and anti-analysis. Researchers have observed it using a multi-stage infection chain: