A Comprehensive Analysis of the 3CX Attack

2023-03-31 Cyble

https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack/


The attack involves a Trojanized version of 3CX, a Voice over Internet Protocol (VoIP) desktop client, which has been digitally signed. To obtain distinct C&C URLs, the malware randomly selects an ICO file from a GitHub repository. The malware can gather system data and take control of data and login credentials stored in user profiles of various web browsers, including Chrome, Edge, Brave, and Firefox. The attack has been attributed to North Korean Threat Actors (TAs).
