Attackers used a combination of crypto mining and wallet hijacking https://www.duocircle.com/announcements/cyber-security-news-update-week-16-of-2025. The installed malware ran a crypto miner to utilize victims’ system resources for generating cryptocurrency. Additionally, a clipper was deployed to replace cryptocurrency wallet addresses during transactions, redirecting funds to the attacker. Data exfiltration and further malware delivery were managed through Telegram, enabling continuous control and exploitation of infected systems.