The malicious file, disguised as “Recommendation for the award of President’s.docm,” contained a VBA script that executed the CrimsonRAT remote control program, capable of stealing sensitive information.

Xorbot utilizes encryption and decryption algorithms, borrowed from the Mirai source code, to encrypt communication with its command and control server and store sensitive information.

These variants utilize different tactics such as modifying go-live processes, introducing new encryption algorithms, and incorporating OpenNIC domains to evade detection and enhance their malicious activities.