BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API.^[1]

BLUELIGHT can zip files before exfiltration.^[1]

BLUELIGHT has encoded data into a binary blob using XOR.^[1]

BLUELIGHT can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale.^[1]

BLUELIGHT has exfiltrated data over its C2 channel.^[1]

BLUELIGHT can enumerate files and collect associated metadata.^[1]

BLUELIGHT can uninstall itself.^[1]

BLUELIGHT can download additional files onto the host.^[1]

BLUELIGHT has a XOR-encoded payload.^[1]

BLUELIGHT can collect process filenames and SID authority level.^[1]

BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter.^[1]

BLUELIGHT can collect a list of anti-virus products installed on a machine.^[1]

BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.^[1]

BLUELIGHT has collected the computer name and OS version from victim machines.^[1]

BLUELIGHT can collect IP information from the victim’s machine.^[1]

BLUELIGHT can collect the username on a compromised host.^[1]

BLUELIGHT can collect the local time on a compromised host.^[1]

BLUELIGHT can check to see if the infected machine has VM tools running.^[1]

BLUELIGHT can use different cloud providers for its C2.^[1]

^[1]