: It extracts saved passwords, cookies, and credit card information from Chrome, Firefox, and Safari.
: A user downloads the .zip file believing it contains a legitimate prize or utility.
Security analysts have noted that this specific file variant is often flagged by heuristic detection as a . If you encounter this file, do not open it. If it has already been executed, the safest course of action is to change all passwords stored on that device and monitor financial accounts for unauthorized activity. Hoobamon_Reward_96.zip
: The collected data is bundled and sent to an attacker-controlled server via HTTPS. Detection and Protection
Once authorized, the script inside the archive begins a rapid "harvesting" process: : It extracts saved passwords, cookies, and credit
: It specifically targets browser extensions for cryptocurrency wallets like MetaMask and Coinbase.
: Inside the archive is usually a .dmg or an app bundle designed to look official. If you encounter this file, do not open it
: When opened, the malware often prompts the user for their system password through a fake administrative pop-up. This is the critical moment where the user unknowingly grants the stealer access to their protected data. The Payload: What it Steals