A type of malware used concurrently with SunOrcal malware since at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants that communicate using either HTTP or raw TCP connections. The malware's final payload masquerades as a control panel link (CPL) file.