^[2]

Metamorfo has used HTTP for C2.^[1][2]

Metamorfo can enumerate all windows on the victim’s machine.^[3][4]

Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.^[3]

Metamorfo has configured persistence to the Registry keyHKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify =% APPDATA%\Spotify\Spotify.exe and used .LNK files in the startup folder to achieve persistence.^[1][3][4][2]

Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.^[4][2]

Metamorfo has usedcmd.exe /c to execute files.^[1]

Metamorfo has used VBS code on victims’ systems.^[3]

Metamorfo includes payloads written in JavaScript.^[1]

Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.^[4][2]

Upon execution,Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.^[1][3][2]

Metamorfo has encrypted C2 commands with AES-256.^[2]

Metamorfo's C2 communication has been encrypted using OpenSSL.^[1]

Metamorfo can send the data it collects to the C2 server.^[2]

Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.^[1][4][3]

Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.^[1]

Metamorfo has side-loaded its malicious DLL file.^[1][3][2]

Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.^[1][3]

Metamorfo has a command to delete a Registry key it uses,\Software\Microsoft\Internet Explorer\notes.^[3]

Metamorfo has deleted itself from the system after execution.^[1][4]

Metamorfo has used MSI files to download additional files to execute.^[1][3][4][2]

Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.^[4][2]

Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.^[3]

Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.^[1][2]

Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.^[1][4][3][2]

Metamorfo has used native WINAPI calls.^[1][4]

Metamorfo has used raw TCP for C2.^[3]

Metamorfo has communicated with hosts over raw TCP on port 9999.^[3]

Metamorfo has used VMProtect to pack and protect files.^[4]

Metamorfo has encrypted payloads and strings.^[1][2]

Metamorfo has been delivered to victims via emails with malicious HTML attachments.^[3][2]

Metamorfo has performed process name checks and has monitored applications.^[1]

Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).^[1]

Metamorfo can collect screenshots of the victim’s machine.^[3][2]

Metamorfo had used AutoIt to load and execute the DLL payload.^[4]

Metamorfo has searched the compromised system for banking applications.^[3][2]

Metamorfo collects a list of installed antivirus software from the victim’s system.^[4][2]

Metamorfo has digitally signed executables using AVAST Software certificates.^[1]

Metamorfo has used mshta.exe to execute a HTA payload.^[3]

Metamorfo has used MsiExec.exe to automatically execute files.^[4][2]

Metamorfo has collected the hostname and operating system version from the compromised host.^[3][4][2]

Metamorfo has collected the username from the victim's machine.^[2]

Metamorfo uses JavaScript to get the system time.^[1]

Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.^[3][2]

Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution.^[1]

Metamorfo has used YouTube to store and hide C&C server domains.^[2]

Metamorfo has downloaded a zip file for execution on the system.^[1][3][4]