MAR-10435108-1.v1 ICONICSTEALER

2023-04-20 USCISA

https://www.cisa.gov/news-events/analysis-reports/ar23-110a

CISA analyzed a 64-bit Windows DLL named infostealer.dll, identified as an ICONICSTEALER variant used in the 3CXDesktopApp supply-chain attack. The DLL was included in a 3CXDesktopApp installer and attempted to read the local 3CXDesktopApp config.json while collecting host, domain, and OS version details. Its main function was to target Chrome, Edge, Brave, and Firefox browser data, using an embedded SQLite library to query browser databases for recently visited websites and sensitive parameters that could include credentials or payment data. CISA found no exfiltration capability in this component, indicating the stolen data was likely prepared for retrieval by a separate malicious component.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  e2ef455e92b3cb5a4c0f3093191d0bf…  2023-04-20  2023-04-20
