HDAC

#HDAC • 2020-08

🇰🇷 Korea, Republic of

ESRC linked an HDAC-themed cryptocurrency-wallet campaign to Thallium, describing Android and Windows components disguised as legitimate domestic wallet firmware or update software. The activity targeted wallet passcodes and used modified configurations or code to contact attacker-controlled HDAC-themed C2 domains, with links to earlier Thallium activity through matching string-encryption logic and a shared mutex.
