Wednesdayaddamfamily.zip May 2026

The file is typically distributed as a compressed ZIP archive to bypass basic email filters. Once extracted, it often contains an (shortcut) or a JavaScript (.js) file disguised as a video or image gallery.

: It creates "Run" keys to ensure it starts every time the computer reboots.

: It scrapes saved passwords, cookies, and credit card info from Chrome, Firefox, and Edge.

: It checks if it’s running in a "sandbox" (a researcher's environment) and shuts down if detected.

: It searches for browser extensions and local files related to Bitcoin, Ethereum, and other wallets.

🛠️ Indicators of Compromise (IoCs)

: Unusual background activity from powershell.exe or cmd.exe.

: Connections to suspicious IP addresses in Russia, Eastern Europe, or via the Tor network.

✅ Response & Remediation

If you or someone in your network downloaded this:

: Change all passwords (especially banking and email) from a different, clean device.