The axios attack is an extension of the GhostCall campaign by BlueNoroff
2026-04-09 • Kaspersky
The archived thread links the axios supply-chain attack to BlueNoroff's GhostCall campaign and says an updated SysPhon, also known as WAVESHAPER, was used to profile valuable hosts and fetch additional payloads. The attack abused an attacker-controlled dependency during the installation lifecycle rather than modifying the main source code, overlapping with GhostHire-style activity and matching BlueNoroff interest in credential data through the SilentSiphon stealer suite. The campaign affected Windows, macOS, and Linux under a unified C2 setup, with Windows VBS and PowerShell scripts used to deploy later payloads. The thread notes operational weaknesses including reused user-agents, a Linux SysPhon flaw, a single C2 URL, shared OS-specific payload hashes, and no additional payloads beyond SysPhon V2 observed at the time.
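Because the malicious code arrived through a dependency that runs during installation, a review of the main package's source diff would not show it; the dependency graph is where the change is visible. The following is an added example, not code from the Kaspersky thread: a lockfile comparison that flags packages which newly appear with, or newly gain, an install script. It relies on the `hasInstallScript` flag npm records in `package-lock.json` (lockfileVersion 2 and 3); all package names, versions and the allowlist are constructed for illustration.

```javascript
// Constructed sample data: two npm lockfiles (lockfileVersion 3 layout),
// before and after a routine dependency update. Names/versions are made up.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-http-client": { version: "1.2.0" },
    "node_modules/example-native-addon": { version: "2.0.0", hasInstallScript: true },
  },
};
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-http-client": { version: "1.2.1" },
    "node_modules/example-native-addon": { version: "2.0.0", hasInstallScript: true },
    "node_modules/example-helper": { version: "4.2.1", hasInstallScript: true },
  },
};

// Map install path -> { version, hasInstallScript }. Nested copies keep their
// full path so two versions of one package are not merged.
function installedPackages(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    out.set(path, { version: meta.version, hasInstallScript: meta.hasInstallScript === true });
  }
  return out;
}

// Report packages that will run a lifecycle script after the update but did
// not before it, unless the package name is on the reviewed allowlist.
function reviewLockfileChange(before, after, allowedInstallScripts = []) {
  const prev = installedPackages(before);
  const findings = [];
  for (const [path, pkg] of installedPackages(after)) {
    const name = path.split("node_modules/").pop(); // handles nested and @scoped
    const old = prev.get(path);
    const gained = pkg.hasInstallScript && (old === undefined || !old.hasInstallScript);
    if (gained && !allowedInstallScripts.includes(name)) {
      const reason = old === undefined ? "new dependency with install script"
                                       : "install script added in update";
      findings.push({ name, version: pkg.version, reason });
    }
  }
  return findings;
}
```

Run as a CI gate on lockfile changes, a non-empty result is a prompt to inspect the flagged package before any `npm install` executes its scripts.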