Pl_bfrn.rar Apr 2026

🛡️ Technical Summary

PL_BFRn.rar is identified as a malicious archive, typically associated with Agent Tesla or GuLoader malware campaigns. These files are often distributed via phishing emails disguised as business documents such as purchase orders or price lists (hence the "PL" prefix).

Capabilities:
- Browser credential theft: targets Chrome, Firefox, and Edge for saved passwords and cookies.
- Application credential theft: scans for credentials in Outlook, Thunderbird, and FileZilla.
- Screenshots: periodically captures the user's screen.
- Exfiltration: sends stolen data back to a Command and Control (C2) server via SMTP, FTP, or the Telegram API.

Indicators of Compromise (IoCs)

- Persistence: look for new entries in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
- Network: connections to unusual SMTP ports (587, 465) or to known malicious IP addresses.

💡 Do not attempt to open or extract this file on a primary machine. Use a dedicated sandbox environment if you must inspect it further.