Bitdefender asserts that *most* (but not all) victims have been government entities. However, based upon a very recent hack of a local security company, I believe that this Trojan is “in the wild”. One unique characteristic of this Trojan is its use of Nirsoft utilities to steal all kinds of passwords (local and network) and to perform network monitoring and keylogging.
Nirsoft is one of those “White Hat/Black Hat” companies. I use products from Nirsoft to support forensic efforts, although, make no mistake, they are not liked by Bitdefender. Nirsoft themselves provide a listing of password storage locations for popular Windows programs, although it is a little dated.
In the case of this small local company, Nirsoft’s “MailPassView” was likely invoked. Their stolen email credentials were then used from IP addresses originating in Ukraine to send out spam and malware. Note that email account usernames and passwords don’t bring great value on their own, but they are aggregated and traded on the “dark web”.
A locally cached version of Bitdefender’s PDF can be found here.