"In all likelihood, the threat actor decided to stick with the image theme to also conceal the exfiltrated data via the favicon.ico file," notes Malwarebytes.

During their analysis, the security researchers found a copy of the source code of the skimmer toolkit in an open directory of a compromised website, which gave them the chance to understand how the favicon.ico file is built with the injected script inside the Copyright field. The skimmer also encodes the collected data, reverses the string, and sends the information as an image file to an external server via a POST request.

These scripts are designed to recognize and steal credit card data and other personal information entered on compromised ecommerce sites by unsuspecting users, and to send the harvested data to the campaign operators. According to Malwarebytes, an initial JavaScript is loaded from an online store running the WordPress WooCommerce plugin, where foreign code was added to a legitimate script hosted by the merchant.

While image files have long been used to carry malicious code and exfiltrate data (steganography became a popular hacker trick several years ago), it's unusual to hide web skimmers in image files. Malwarebytes has also been able to identify an earlier version of the skimmer, which lacks the obfuscation present in the current iteration but has the same code features, and says it might have connections to Magecart Group 9. The recently observed attack, say security researchers from Malwarebytes, stands out not only for its use of images to hide skimmers, but also because it uses images to exfiltrate stolen credit card data.

The skimmer was designed to capture the content of input fields where online shoppers enter their name, billing address, and credit card details, just like other similar code. The script would load a favicon file identical to that used by the compromised store (their brand logo), and the web skimmer was loaded from this image's Copyright metadata field.
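
A defender-side check for the technique described above, as an added example that is not from Malwarebytes or the original article: it reads the EXIF Copyright tag (0x8298) from a JPEG-format image and flags values that look like script or are unusually long. The assumption that the favicon is JPEG data, the regex hints, the 200-byte threshold and the `sample_jpeg` test input are all constructed for illustration.

```python
import re
import struct

COPYRIGHT = 0x8298  # EXIF/TIFF Copyright tag (ASCII type)
# Assumed heuristics: a copyright notice rarely contains JavaScript or runs this long.
JS_HINTS = re.compile(rb"eval\s*\(|<script|function\s*\(|fromCharCode|atob\s*\(", re.I)
MAX_LEN = 200

def ifd0_ascii(tiff: bytes) -> dict:
    """Return {tag: bytes} for the ASCII entries of IFD0 in a TIFF/EXIF block."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return {}
    ifd = struct.unpack(order + "I", tiff[4:8])[0]
    # An out-of-range IFD offset yields an empty slice, padded so the count reads as 0.
    count = struct.unpack(order + "H", tiff[ifd:ifd + 2].ljust(2, b"\x00"))[0]
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:
            break  # truncated directory
        tag, typ, n, off = struct.unpack(order + "HHII", entry)
        if typ == 2:  # ASCII; values of 4 bytes or fewer are stored inline
            raw = entry[8:8 + n] if n <= 4 else tiff[off:off + n]
            tags[tag] = raw.rstrip(b"\x00")
    return tags

def copyright_findings(jpeg: bytes) -> list:
    """Walk JPEG segments to the EXIF APP1 block and vet its Copyright tag."""
    pos, value = 2, b""
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, size = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            value = ifd0_ascii(body[6:]).get(COPYRIGHT, b"")
            break
        if marker == 0xDA:  # start of scan: no metadata segments after this
            break
        pos += 2 + size
    findings = ["script-like content"] if JS_HINTS.search(value) else []
    if len(value) > MAX_LEN:
        findings.append("unusually long")
    return findings

def sample_jpeg(text: bytes) -> bytes:
    """Constructed test input: minimal JPEG holding one EXIF Copyright entry."""
    val = text + b"\x00"
    entry = struct.pack("<HHII", COPYRIGHT, 2, len(val), 26)
    body = b"Exif\x00\x00II*\x00" + struct.pack("<IH", 8, 1) + entry + b"\x00" * 4 + val
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

Run `copyright_findings` over the image assets a storefront serves or references; an empty list means the Copyright field is absent or passed both heuristics, not that the file is clean.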