Overview
- Infected hosts poll public Polygon RPC endpoints using eth_call to invoke getDomain (selector 0xb68d1809), receive an AES-256-GCM encrypted command, decrypt locally, then execute.
- Qrator Labs and independent analysts published indicators, including a smart contract at 0x4d70C3393C5d9EC325Edf8b3f289cFA9777e64B0 and related wallets, which defenders can use for proactive decryption and threat hunting.
- Operators issue instructions via a web panel that writes commands into smart contracts, manage multiple contracts for payloads such as stealers, clippers, RATs, or miners; a command typically reaches the bots within two to three minutes.
- Operating costs remain low, with roughly $1 in MATIC funding 100–150 command transactions and no need for hosted servers or registered domains.
- The toolkit, linked to the seller "LenAI," was marketed at about $200 for panel access or $4,000 for the full C++ source; a later attempt to sell the entire project for $10,000 was also reported.
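The polling pattern above gives defenders a concrete hunting signature: an outbound JSON-RPC eth_call whose target is the published contract, or whose calldata starts with the getDomain selector. The following is an added example (not code from the page or from the analysts it cites) that applies both checks to constructed proxy-log lines; the log format, source IPs and the RPC URL are assumptions, while the contract address and selector are the indicators stated above.

```python
import json
from typing import Optional

# Indicators from the write-up above; compared case-insensitively.
POLYGON_C2_CONTRACT = "0x4d70C3393C5d9EC325Edf8b3f289cFA9777e64B0".lower()
GETDOMAIN_SELECTOR = "0xb68d1809"

# Constructed sample log lines: "<src-ip> <method> <url> <json-rpc body>".
# The RPC URL and addresses other than the known contract are placeholders.
SAMPLE_LOG = [
    # host polling the known contract's getDomain() via eth_call
    '10.0.0.5 POST https://polygon-rpc.example/ {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x4d70C3393C5d9EC325Edf8b3f289cFA9777e64B0","data":"0xb68d1809"},"latest"]}',
    # benign balance query, must not be flagged
    '10.0.0.7 POST https://polygon-rpc.example/ {"jsonrpc":"2.0","id":2,"method":"eth_getBalance","params":["0x0000000000000000000000000000000000000001","latest"]}',
    # same selector against an unlisted contract: possible new C2 contract
    '10.0.0.9 POST https://polygon-rpc.example/ {"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0xb68d1809"},"latest"]}',
]


def classify_rpc(body: str) -> Optional[str]:
    """Return a finding label for one JSON-RPC request body, or None if benign."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return None
    if req.get("method") != "eth_call":
        return None
    params = req.get("params") or []
    if not params or not isinstance(params[0], dict):
        return None
    call = params[0]
    to = (call.get("to") or "").lower()
    data = (call.get("data") or call.get("input") or "").lower()
    if to == POLYGON_C2_CONTRACT:
        return "known-c2-contract"          # strongest match: published IoC
    if data.startswith(GETDOMAIN_SELECTOR):
        return "getdomain-selector-unknown-contract"  # pivot for new contracts
    return None


def hunt(lines):
    """Return (source, label) pairs for every log line that matches an indicator."""
    findings = []
    for line in lines:
        src, _method, _url, body = line.split(" ", 3)
        label = classify_rpc(body)
        if label:
            findings.append((src, label))
    return findings


if __name__ == "__main__":
    for src, label in hunt(SAMPLE_LOG):
        print(f"{src}: {label}")
```

The selector-only match is deliberately reported as a separate, weaker label so that analysts can pivot to operator contracts not yet on a published list without treating every hit as confirmed.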