File: Hdx-home-beta-windows.zip ... May 2026

hdx-home-beta.exe (or similar executable inside the archive). Classification: Trojan / Infostealer. Common Families: RedLine Stealer or Vidar.

3. Infection Vector

The malware typically spreads through:

Upon extraction and execution of the contents within the ZIP file, the following stages typically occur:

The executable often uses a "packer" to hide its actual code from basic antivirus scans.

Targets browser extensions like MetaMask or desktop wallets (e.g., Atomic, Exodus). Steals Discord tokens and Telegram session files to bypass 2FA.

C. Command & Control (C2) Communication

The malware connects to a remote server (C2) to upload the stolen data. These servers are often hosted on obfuscated IP addresses or use Telegram bots as a backend for data exfiltration.

If you are investigating a machine for this file, look for:

Check %AppData% or %LocalAppData% for randomly named folders containing .sqlite or .txt files (logs of stolen data).
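One way to automate the hunting step above (checking %AppData% and %LocalAppData% for randomly named folders that hold .sqlite or .txt files), as an added example written for this page rather than code from the original report: it lists the immediate subfolders of both roots, keeps those whose names look machine-generated, and reports any that contain staged data files. The randomness heuristic (minimum length, alphanumeric only, mixed letters and digits, Shannon entropy of at least 3.0 bits per character) is an assumption of this example, not something the report specifies, and the sample folder tree it builds for a dry run is constructed.

```python
"""Triage helper: find random-looking folders with staged .sqlite/.txt files.

Added example for this page, not part of the original report. The
"looks random" test is an assumed heuristic; tune the thresholds to your
environment and treat every hit as a lead for manual review.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

STAGED_EXTENSIONS = {".sqlite", ".txt"}   # file types the report associates with stolen-data logs
MIN_NAME_LEN = 8          # assumed: shorter names are rarely machine-generated
ENTROPY_THRESHOLD = 3.0   # assumed: bits per character ("Microsoft" is about 2.9, "aB3x9Qz7Lk" is 3.3)
ALNUM_ONLY = re.compile(r"^[A-Za-z0-9]+$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of ``text`` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic: long, purely alphanumeric, mixes digits and letters, high entropy."""
    if len(name) < MIN_NAME_LEN or not ALNUM_ONLY.match(name):
        return False
    has_digit = any(ch.isdigit() for ch in name)
    has_alpha = any(ch.isalpha() for ch in name)
    return has_digit and has_alpha and shannon_entropy(name) >= ENTROPY_THRESHOLD


def staged_files(folder: Path) -> list:
    """Return .sqlite/.txt files directly inside ``folder`` (no recursion), sorted by name."""
    return sorted(p for p in folder.iterdir()
                  if p.is_file() and p.suffix.lower() in STAGED_EXTENSIONS)


def scan_root(root: Path) -> list:
    """Scan the immediate subfolders of ``root``.

    Returns a list of (folder, [staged files]) for folders whose name looks
    random and which contain at least one staged file. Missing roots yield [].
    """
    hits = []
    if not root.is_dir():
        return hits
    for child in sorted(root.iterdir()):
        if child.is_dir() and looks_random(child.name):
            files = staged_files(child)
            if files:
                hits.append((child, files))
    return hits


def appdata_roots() -> list:
    """The two roots the report names, resolved from the environment (empty off Windows)."""
    roots = []
    for var in ("APPDATA", "LOCALAPPDATA"):
        value = os.environ.get(var)
        if value:
            roots.append(Path(value))
    return roots


def build_sample_tree() -> Path:
    """Constructed sample data for a dry run: one suspicious folder, two benign-looking ones."""
    base = Path(tempfile.mkdtemp(prefix="appdata_sample_"))
    hit = base / "aB3x9Qz7Lk"                 # random-looking, holds .txt and .sqlite
    hit.mkdir()
    (hit / "passwords.txt").write_text("constructed sample\n")
    (hit / "cookies.sqlite").write_bytes(b"")
    vendor = base / "Microsoft"               # dictionary-word name, no digits: not flagged
    vendor.mkdir()
    (vendor / "log.txt").write_text("constructed sample\n")
    other = base / "Zq8Wn4Tr1Y"               # random-looking but no staged file types
    other.mkdir()
    (other / "data.dat").write_text("constructed sample\n")
    return base


if __name__ == "__main__":
    roots = appdata_roots() or [build_sample_tree()]   # fall back to the sample tree off Windows
    for root in roots:
        for folder, files in scan_root(root):
            print(f"[!] {folder}")
            for f in files:
                print(f"      {f.name}  {f.stat().st_size} bytes")
```

Run it as the user whose profile is under investigation; on a non-Windows analysis box it falls back to the constructed sample tree so the logic can be exercised offline. Hits are only leads: some legitimate software also creates opaque folder names, so confirm each one by inspecting the files and the process that wrote them.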