Re: I GOT HACKED AND LOST 1 MILLION
by npole2000 on 12/12/2018, 14:05:15 UTC
Quote
Which wallet did you download before the attack happened? Also, some AVs certainly are not top-level protection, and you mention AVG and Avira, which in my opinion are very low on my trusted list. You probably installed a remote access trojan (RAT) on your PC, and with that hackers can do almost everything.

I downloaded the fake BCD wallet; I think it was Electrum-BCD-3.1.2-portable.exe from electrumdiamond.org (that is now closed/suspended).
What fooled me were the guides on Reddit to claim your forks.
Of course I downloaded the malicious software; I'm a little surprised that the AVs didn't catch this, as apparently it's pretty old, not 0-day stuff. However, still my mistake, I shouldn't have used the PC where I trade.

Quote
You do not mention using a firewall, which is very important; most people think that only AV is sufficient protection. When it comes to cryptocurrency I always use only the best security software + hardware wallets. I know you are a trader, so you should be more careful in future. My recommendation would be to use one PC only for cryptocurrency, with top security software and without any torrent/suspicious file downloads.

I limit the firewall usage because I'm behind a NAT, while you are still exposed to the outgoing connections that can be exploited only by malicious software running on the PC, which is the case here. It's the first time that a file passed through my checks and scans. I would have probably authorized the wallet network traffic anyway ...maybe the firewall would have caught the RAT after the installation, but it's all assumptions here.

What I know is that even while knowing about the infection, no scan has found it (I also gave it a pass with Malwarebytes); I had to trace it back "manually".

And it wasn't a traditional RAT: there was no "fake" app starting with my PC, and no port listening (it wouldn't have worked while behind a NAT without proper port forwarding or UPnP). It was the app calling the remote server from my PC, and the app was a perfectly legit instance of Notepad. I mean, if it wasn't for the network activity, I would have never found it.

So they obfuscated the code well to not get caught, and used Notepad as a wrapper (proxy) to run the malicious code (you run the legit process as suspended, and then you use the allocated space to run your own code).
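The observable that gave the implant away in this post was a Notepad process opening an outbound connection. As an added example that is not part of the thread, the script below turns that into a detection rule: it parses constructed, simplified Sysmon Event ID 3 (network connection) records and flags outbound connections initiated by binaries that have no legitimate reason to talk to the network. The log lines, IP addresses and the `NO_NETWORK_IMAGES` list are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed, simplified Sysmon Event ID 3 records in key=value form.
# These are sample data for the example, not logs from the thread.
SAMPLE_EVENTS = """\
EventID=3 Image=C:\\Windows\\System32\\notepad.exe Initiated=true DestinationIp=203.0.113.7 DestinationPort=443 ProcessId=4120
EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe Initiated=true DestinationIp=198.51.100.20 DestinationPort=443 ProcessId=2200
EventID=3 Image=C:\\Windows\\System32\\calc.exe Initiated=true DestinationIp=203.0.113.7 DestinationPort=8080 ProcessId=5010
EventID=3 Image=C:\\Windows\\System32\\svchost.exe Initiated=true DestinationIp=192.0.2.5 DestinationPort=80 ProcessId=900
EventID=3 Image=C:\\Windows\\System32\\notepad.exe Initiated=false DestinationIp=192.0.2.1 DestinationPort=0 ProcessId=4120
"""

# Binaries that never need an outbound connection (assumed list). A hollowed
# copy of one of these still looks like the genuine file to an AV scan, so the
# network activity is the signal worth alerting on.
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}

# key=value pairs; values may contain spaces (e.g. "Program Files"), so the
# lazy match stops only at the next key or at end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Alert:
    pid: int
    image: str
    dest: str


def parse_event(line: str) -> dict:
    """Split one Sysmon-style key=value line into a dict."""
    return dict(_KV.findall(line))


def detect_hollowed_callouts(lines: Iterable[str]) -> List[Alert]:
    """Flag outbound connections initiated by images in NO_NETWORK_IMAGES."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        # Only network-connection events where this process opened the socket;
        # inbound/listening activity is a different (here absent) pattern.
        if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image in NO_NETWORK_IMAGES:
            dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
            alerts.append(Alert(int(ev["ProcessId"]), ev["Image"], dest))
    return alerts


if __name__ == "__main__":
    for a in detect_hollowed_callouts(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT pid={a.pid} {a.image} -> {a.dest}")
```

On a real host the same rule runs over the Sysmon operational log, and a hit should be followed by comparing the process's in-memory image with the file on disk.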