Features "clipper" functionality that monitors the system clipboard to replace legitimate cryptocurrency addresses with fraudulent ones.
The malware stores its critical settings (C2 domains, ports, and AES keys) in a hardcoded configuration block, often obfuscated in Base64 and encrypted via