Hey,
Last week Israeli police officer lure me to work on Infected documents, that contain RAT with at less next functionality:
- Remote edit of documents
- Clipboard manipulations
- In browser realtime data change
- Remote freezing of VM by command (I believe they unable to escape of pvh vm this time)
Infected AppVM based on debian-13, with standard debian-13 template.
At the moment I keep this AppVM with Prohibit start flag on.
Same extra security measures was to strictly limit files and clipboard functionality in Qubes, before create this VM.
Look for certified cyber security professional that want and can handle investigation of such malware.
Will happy to share copy of this AppVM In exchange for investigation report that I can provide to international authorities.