WitchLogger.zip

Distribution: frequently delivered via phishing emails carrying the .zip archive, often disguised as an invoice, shipping document, or software update.

Execution Chain
- Once the user extracts the .zip and runs the executable (e.g., WitchLogger.exe), it often performs an "anti-analysis" check to see whether it is running in a virtual machine or sandbox.
- It hooks into the Windows API to record every character typed by the user (keylogging).
- It targets Chrome, Firefox, and Edge to extract saved passwords and session cookies.

Indicators of compromise
- Unexpected .tmp or .dat files in %AppData% or %LocalAppData%.
- Outbound connections to suspicious IP addresses or to api.telegram.org. Note that api.telegram.org is a legitimate service, so treat this indicator as a trigger for correlation (which process opened the connection, and whether that process is an expected Telegram client) rather than as proof of infection on its own.
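The two indicators above can be checked mechanically. The following triage script is an added example written for this page; it is not tooling from the original page or from any vendor. It flags recently modified .tmp/.dat files under %AppData%/%LocalAppData% and flags network events to api.telegram.org whose originating process is not an expected Telegram client. The log line format (a simplified Sysmon Event ID 3 style), the sample file records, the IP addresses (RFC 5737 documentation ranges) and the expected-process allowlist are all constructed assumptions; adapt the parser and allowlist to your own telemetry.

```python
"""Triage helper for the WitchLogger indicators: added example, not original page content.
All sample data below is constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

SUSPICIOUS_EXT = (".tmp", ".dat")
# Case-insensitive markers for %AppData% (Roaming) and %LocalAppData% (Local) on a user profile.
APPDATA_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\")
# Exfiltration host named on the page; extend with your own threat-intel list.
WATCH_HOSTS = {"api.telegram.org"}
# Process names expected to talk to Telegram in your environment (assumption; tune per host).
EXPECTED_TELEGRAM_IMAGES = {"telegram.exe"}

# Constructed, simplified Sysmon Event ID 3 (network connection) line format (assumption).
NET_LINE = re.compile(
    r"^(?P<ts>\S+)\s+Image=(?P<image>\S+)\s+DestinationIp=(?P<ip>\S+)\s+"
    r"DestinationHostname=(?P<host>\S*)\s+DestinationPort=(?P<port>\d+)$"
)


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: datetime


def suspicious_appdata_files(records, now, max_age=timedelta(hours=24)):
    """Return paths of .tmp/.dat files under AppData modified within max_age of now."""
    hits = []
    for rec in records:
        p = rec.path.lower()
        if not p.endswith(SUSPICIOUS_EXT):
            continue
        if not any(marker in p for marker in APPDATA_MARKERS):
            continue
        if now - rec.mtime > max_age:
            continue  # stale file: low value for an active-infection hunt
        hits.append(rec.path)
    return hits


def parse_net_events(lines):
    """Parse network log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = NET_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def suspicious_connections(events):
    """Flag (ts, image, host, port) for connections to watched hosts from unexpected processes."""
    flagged = []
    for ev in events:
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["host"].lower() in WATCH_HOSTS and image_name not in EXPECTED_TELEGRAM_IMAGES:
            flagged.append((ev["ts"], ev["image"], ev["host"], ev["port"]))
    return flagged


def triage(file_records, net_lines, now):
    """Combine both indicator checks into one report."""
    return {
        "files": suspicious_appdata_files(file_records, now),
        "connections": suspicious_connections(parse_net_events(net_lines)),
    }


# Constructed sample input (not real telemetry).
NOW = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_FILES = [
    FileRecord(r"C:\Users\alice\AppData\Roaming\svchost\k3yl0g.dat", NOW - timedelta(minutes=30)),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\wl_buf.tmp", NOW - timedelta(hours=2)),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\old.tmp", NOW - timedelta(days=10)),   # stale
    FileRecord(r"C:\Users\alice\Documents\report.dat", NOW - timedelta(minutes=5)),        # outside AppData
]
SAMPLE_NET_LOG = [
    r"2024-05-01T11:41:02Z Image=C:\Users\alice\Downloads\WitchLogger.exe DestinationIp=203.0.113.45 DestinationHostname=api.telegram.org DestinationPort=443",
    r"2024-05-01T11:42:10Z Image=C:\Users\alice\AppData\Roaming\Telegram\Telegram.exe DestinationIp=203.0.113.45 DestinationHostname=api.telegram.org DestinationPort=443",
    r"2024-05-01T11:43:00Z Image=C:\Windows\System32\svchost.exe DestinationIp=198.51.100.7 DestinationHostname=ctldl.windowsupdate.com DestinationPort=80",
]

if __name__ == "__main__":
    report = triage(SAMPLE_FILES, SAMPLE_NET_LOG, NOW)
    for path in report["files"]:
        print("suspicious file:", path)
    for ts, image, host, port in report["connections"]:
        print(f"suspicious connection: {ts} {image} -> {host}:{port}")
```

The file check deliberately uses a recency window rather than matching on names, since the page gives no fixed filenames; on a live host, feed it records from a directory walk of the user's profile. The network check keys on the originating image, which is what turns "someone talked to Telegram" into a usable alert.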