Multi virus cleaner 2019 review

We also found that the malware connects to hxxps:///jj9a, which contains an encrypted Python script that checks whether Little Snitch, a host-based application firewall for macOS, is running. This is the original Adobe Zii.app used to camouflage its malicious background activities. The contents are then extracted and executed in the system.

While running a copy of Adobe Zii.app, we observed that it downloads sample.app from hxxp://46226108171:80/sample.zip and saves it to the user directory ~/.