Ixeshe uses HTTP for command and control.^[1][2]

Ixeshe can achieve persistence by adding itself to theHKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key.^[2]

Ixeshe is capable of executing commands viacmd.^[2]

Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests.^[1][2]

Ixeshe can collect data from a local system.^[2]

Ixeshe can list file and directory information.^[2]

Ixeshe sets its own executable file's attributes to hidden.^[2]

Ixeshe has a command to delete a file from the machine.^[2]

Ixeshe can download and execute additional files.^[2]

Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.^[2]

Ixeshe can list running processes.^[2]

Ixeshe collects the computer name of the victim's system during the initial infection.^[2]

Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system.^[2]

Ixeshe collects the username from the victim’s machine.^[2]

Ixeshe can list running services.^[2]

^[1][3]