> why qwen
I have it running locally, and I don't want to add credentials to the VM with the malware.
According to qwen:
It's cross platform
It has a bunch of persistence mechanisms.
It downloads another pack from pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev. Verified I got the secondary payload.
This pack looks like a python 3.10 environment along with an executable called cupsd.
And downloads another js script from http://138.201.125.58:1224/client/99/77
That script then proceeds to download three python scripts that use the aforementioned python environment and do their business. qwen is having trouble de-obfuscating their urls, and I am busy.
I'm actually curious to know how you people visit the link securely? I guess a VM, but could in theory something be resilient enough to misuse the Shared Clipboard or something to access your host machine?
Also what is your go to OS?
Hm, when I think of it an old Raspberry Pi could be my go to for this, but always physically.
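On the "how do you visit the link securely" question, the usual analyst answer is that you don't browse to it at all: the sample gets pulled into an isolated box with no credentials and no shared clipboard, and the indicators are extracted statically and defanged before they leave that box. The script below is an added example of that static step (it is not the poster's code and not part of the malware discussed); it takes a downloaded script blob, decodes base64-looking tokens that hide strings, pulls out every URL, hashes the file, and defangs the results for a write-up. The sample blob is constructed here and only reuses the two indicators named in the post; its layout is hypothetical.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample standing in for a downloaded stage-one script. It embeds the two
# indicators named in the post: one in the clear, one base64-encoded the way simple
# droppers hide strings. The layout is hypothetical, not the real script.
_HIDDEN = base64.b64encode(b"http://138.201.125.58:1224/client/99/77").decode()
SAMPLE = (
    "var pack = 'https://pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev/pack.zip';\n"
    f"var next = atob('{_HIDDEN}');\n"
).encode()

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
# Long runs of base64 alphabet characters; decoded below and kept only if printable.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decode_b64_tokens(text: str) -> list[str]:
    """Decode base64-looking tokens that yield printable ASCII; ignore the rest."""
    out = []
    for tok in B64_RE.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except Exception:
            continue  # not valid base64 (wrong length, bad alphabet)
        if raw and all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked by accident: hxxp scheme, [.] in the host."""
    p = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
    tail = p.path + (f"?{p.query}" if p.query else "")
    return f"{scheme}://{p.netloc.replace('.', '[.]')}{tail}"


def extract_iocs(blob: bytes) -> dict:
    """Hash the blob and collect URLs from the raw text plus one layer of base64 decoding."""
    text = blob.decode("utf-8", errors="replace")
    layers = [text] + _decode_b64_tokens(text)
    urls = sorted({u for layer in layers for u in URL_RE.findall(layer)})
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "urls": urls,
        "defanged": [defang(u) for u in urls],
    }


if __name__ == "__main__":
    report = extract_iocs(SAMPLE)
    print("sha256:", report["sha256"])
    for u in report["defanged"]:
        print("url:", u)
```

Running it on a real downloaded stage prints the file hash and the defanged URLs, which is what you would paste into a report or feed to blocklists; the one base64 layer is deliberately shallow, and anything heavier (string arrays, XOR loops) is the point where you switch to running the stage in the sandbox and watching its network calls instead.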