Once the HTA script, a Windows standalone program written in HTML is executed, it initiates PowerShell code that eventually establishes C2, downloads decoy PDF files for evasion, and a malicious shell injector.

“These files aim to inject the final stealer into legitimate processes, initiating malicious activities and sending the stolen data back to a C2 server,” Fortinet added.

The target applications for the observed stealer included web browsers, crypto wallets, messengers, email clients, VPN services, password managers, AnyDesk, and MySQL Workbench, among many others.