The group came to the attention of security professionals who noticed them selling information stealer malware, capable of jumping air gapped systems, on underground markets. The attackers were using the malware to steal classified data from software companies and government organizations. The malware collects files and screenshots and stores them in hidden files on any connected USB device. When the device is connected to an internet enabled system, the data is sent back to command and control infrastructure located in Germany. Empty voice recording and key log files on the C2C servers suggest that the malware is still under development. Cloudsek claims to have found the malware attributed to the group masquerading as Santa Claus mobile games, which had infected about 8000 systems. The malware stole contact lists, SMS messages, call records, location information, calendars, pictures, video, environment readings, camera specifications, browser history, program information, sim card information, and device status. The mobile malware communicated with the C2C infrastructure via HTTP about once a minute. The C2C servers corresponding to the mobile infrastructure had separate login sections for user profiles and for administrative profiles. The victim information was organized according to user and then according to data type. The attacker could also arm the malware to send them an SMS alert if the victim left a regional area. This could allow the actor to track whether a victim has left home or the office, in real time. The adversary could also receive regular updates if a particular victim received an SMS message or phone call.