It checks for the presence of debuggers, sandboxes, or virtual machines (VMs). If detected, it may terminate to avoid analysis. B. Data Harvesting (Infostealing) The malware scans the local system for:
Users searching for "Citrix HDX for Home" or "Remote Desktop Beta" are directed to spoofed websites.
Upon extraction and execution of the contents within the ZIP file, the following stages typically occur:
The malware connects to a remote server (C2) to upload the stolen data. These servers are often hosted on obfuscated IP addresses or use Telegram bots as a backend for data exfiltration. If you are investigating a machine for this file, look for:
Outbound connections to unknown IP addresses on ports like 80, 443, or specialized ports like 10044. 6. Remediation Steps If you have interacted with this file: Disconnect: Take the machine offline immediately.