EclecticIQ reports the malware executes entirely in memory via PowerShell, targeting Windows endpoints and exfiltrating collected data to an encrypted command-and-control server.
The researchers describe broad collection capabilities that include browser-stored credentials and session data for both Chromium-family browsers and Firefox, and extraction of authentication artifacts from collaboration and communication clients.
EclecticIQ lists targeted sources of secrets including:
• Slack, Microsoft Teams, Discord, Zoom, Telegram Desktop and others, where session cookies, local state files and DPAPI-protected keys are collected;
• OAuth tokens, CI/CD credentials and corporate VPN details, which EclecticIQ highlights as items of particular interest to financially motivated operators.
EclecticIQ also notes the stealer enables arbitrary remote code execution, providing operators a pathway to hands-on-keyboard intrusions after initial compromise.
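The two behaviours EclecticIQ describes above, a PowerShell host running in memory and a sweep across the local credential stores of several browsers and collaboration clients, combine into a usable detection signal: one script-host process reading the cookie, login or local-state files of multiple unrelated applications. The following is an added example, not code from EclecticIQ or from the report, that scores file-access telemetry by that breadth. The telemetry line format (`timestamp|pid|image|path`) and all sample lines are constructed, and the store locations are assumed Windows default paths for Chromium browsers, Firefox, Slack, Discord, Microsoft Teams and Telegram Desktop, chosen for illustration rather than taken from the report.

```python
import re
from collections import defaultdict

# Process images treated as script hosts (assumption: PowerShell 5 and 7 binaries).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Credential-store locations grouped by application family. These are assumed
# Windows default paths (illustrative, not a list taken from the report).
STORE_PATTERNS = {
    "chromium": re.compile(
        r"\\User Data\\(Local State|(Default|Profile \d+)\\(Cookies|Login Data|Network\\Cookies))$", re.I),
    "firefox": re.compile(
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(cookies\.sqlite|logins\.json|key4\.db)$", re.I),
    "slack": re.compile(r"\\Slack\\(Cookies$|Local Storage\\leveldb\\)", re.I),
    "discord": re.compile(r"\\discord\\Local Storage\\leveldb\\", re.I),
    "teams": re.compile(r"\\Microsoft\\Teams\\(Cookies$|Local Storage\\leveldb\\)", re.I),
    "telegram": re.compile(r"\\Telegram Desktop\\tdata\\", re.I),
}

# Constructed file-access telemetry: timestamp|pid|process image|file path.
# Lines starting with '#' are annotations for the reader and are skipped.
SAMPLE_EVENTS = r"""
# one PowerShell process sweeping several credential stores (stealer-like)
2024-05-01T10:00:01|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2024-05-01T10:00:02|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2024-05-01T10:00:03|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\alice\AppData\Roaming\Slack\Cookies
2024-05-01T10:00:04|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000003.log
2024-05-01T10:00:05|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite
# the browser reading its own cookie store: expected, and not a script host
2024-05-01T10:01:00|5530|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
# an admin script touching a single store: stays below the breadth threshold
2024-05-01T10:02:00|6001|C:\Program Files\PowerShell\7\pwsh.exe|C:\Users\alice\AppData\Roaming\Slack\Cookies
2024-05-01T10:02:01|6001|C:\Program Files\PowerShell\7\pwsh.exe|C:\Users\alice\Documents\report.txt
"""


def detect_broad_credential_access(events: str, min_families: int = 2) -> dict[int, set[str]]:
    """Return {pid: families} for script-host processes that read credential
    stores belonging to at least `min_families` distinct application families.

    Breadth across applications is the signal: a browser reading its own cookie
    database is normal, a PowerShell process reading Chrome, Firefox, Slack and
    Discord stores in sequence is not.
    """
    touched: dict[int, set[str]] = defaultdict(set)
    for line in events.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            _ts, pid, image, path = line.split("|", 3)
        except ValueError:
            continue  # malformed telemetry line: skip rather than crash the pipeline
        if image.rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        for family, pattern in STORE_PATTERNS.items():
            if pattern.search(path):
                touched[int(pid)].add(family)
    return {pid: fams for pid, fams in touched.items() if len(fams) >= min_families}


if __name__ == "__main__":
    for pid, families in detect_broad_credential_access(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} script host read credential stores of: {sorted(families)}")
```

Run as-is, the script flags only pid 4120. Lowering `min_families` to 1 would also surface pid 6001 (the single-store admin script), which is the knob to tune against the volume of legitimate PowerShell in an environment; the `pid` grouping is a simplification, since a real implementation would also key on process start time to avoid PID reuse across the telemetry window.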