He published it at 3:14 AM.
He opened a private channel on a matrix server—one frequented by threat intel analysts who tracked gaming-related malware. He pasted the hash of the Romanian-hosted file and the query spike data. horion client скачать
Within 90 seconds, three replies. : Yes. We’re tracking a TA group calling themselves 'БлокДуша' (BlockSoul). They’ve been seeding this since January. Targets EDU and gov adjacent. Koschei : The скачать keyword is key. Legit Horion users download from GitHub or known mirrors. The Russian 'скачать' indicates the victim is looking for a cracked/premium version. Classic supply chain. Axiom : We saw a variant two weeks ago that deploys a Python-based keylogger. Screenshots every 10 seconds. If you’ve executed it, consider your machine pwned. Alex sat back. His VM was still clean. But the 142 users he’d observed? Most of them had already clicked. He decided to go deeper. He published it at 3:14 AM
Alex made a decision he would regret within the hour. Within 90 seconds, three replies
Alex ran the file through a dynamic analyzer. The executable dropped a second-stage payload from a Pastebin URL. The payload was a PowerShell script that deobfuscated into a C2 beacon. The beacon’s domain: minecraft-updates[.]org .