The primary targets of this infostealer campaign appear to be Linux and Windows endpoints, with the majority of victims located in the United States. Notably, the malware includes a unique feature that exclusively targets modders and developers within the Minecraft community.
In the later stages of infection, the malware specifically targets Windows Sandbox instances, commonly used by modders for testing. It attempts to manipulate the clipboard contents to infect the host machine. This behavior is limited to Windows Sandbox, as it is the only virtualization environment that allows such alteration of the host clipboard contents while running in the background, as explained by the researchers.
