The final payload is an infostealer (in this case an obfuscated and encrypted Python script that cleans up after its operations and then deletes itself); the payload passes through several layers of decoding and decryption before the final code is reached. The infostealer can collect, ZIP and exfiltrate a wide range of sensitive data to a remote email account, including but not limited to:

  • PDF files and directories
  • browser data such as session cookies and saved credit card details
  • bitcoin-related extensions
  • web browsing histories (and MasterKeys of Chrome, Edge, Yandex, and Brave browsers)