KROLL：2026年深入分析：Kroll对GARUDA C2恶意软件的分析白皮书（英文版）

Kroll TI identified a multi‑OS malware campaign operated via a GitHub account that shifted from “mahesh97m” to “hellow2003” and was later wiped at commit 16935c4. Prior to the wipe, the repository contained cross‑platform downloaders, victim logs, executables and password‑protected archives; Kroll TI preserved the contents before removal. “Test” logs exposed the developer’s environment (Kali Linux host) and a global IPv6 address geolocating to Rajkot in Gujarat, India. Combined with Hindi gui