A new, unnamed Trojan is being spread disguised as a visa application. The legitimate application is encrypted within the dropper used to spread the Trojan. The malware contains both 32-bit and 64-bit versions of the next-stage malware. The operators use little-known HTTP status codes to instruct the Trojan on its next steps. The malware can acquire the target's geolocation, gather host and network data, log keystrokes, and capture screenshots. The Trojan is self-propagating and has a dynamically resolving address, which further complicates analysis. To exfiltrate data to the C2, the malware uses RSA encryption. Additionally, the Trojan can hide data locally using LZNT1 compression and a one-byte XOR encryption.

It is currently unknown how the malware is added to systems; however, the analysis revealed that the first-stage dropper was downloaded from a shared directory on the local area network. The Trojan can use .DOC and .PDF files as transport for delivery of the main module. It is within this module that the HTTP status-based Trojan resides.

As long as the C2 supports TLS in its configuration, communications will be over HTTPS and port 443. If TLS is not supported, all communication is over HTTP and port 80.
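Because commands arrive as HTTP status codes, proxy logs are one place to look for the channel. The following is an added detection sketch, not code from the analysis: it flags client/destination pairs that repeatedly receive several different status codes outside a baseline. The log format, the baseline set, the thresholds, and every host and code in the sample are assumptions constructed for illustration; the summary does not list the codes the Trojan uses.

```python
# Added example: flag client/destination pairs whose HTTP responses carry
# several different status codes outside a "commonly seen" baseline.
from collections import defaultdict

# Assumption: codes ordinary web traffic produces; tune to the local baseline.
COMMON_CODES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308,
                400, 401, 403, 404, 405, 408, 429, 500, 502, 503, 504}

# Constructed sample log, hypothetical format: client dest_host dest_port status
SAMPLE_LOG = """\
10.0.0.5 intranet.example 443 200
10.0.0.5 intranet.example 443 304
10.0.0.7 updates.example 443 404
10.0.0.9 files.example 443 200
10.0.0.9 files.example 443 422
10.0.0.9 files.example 443 424
10.0.0.9 files.example 443 427
10.0.0.8 shop.example 80 418
malformed line here
"""

def parse(line):
    """Return (client, dest, port, status), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
        return None
    return parts[0], parts[1], int(parts[2]), int(parts[3])

def find_status_channels(log_text, min_hits=2, min_distinct=2):
    """Map (client, dest, port) -> sorted uncommon codes, for pairs with at least
    min_hits uncommon responses spanning at least min_distinct different codes.
    A one-off odd code is ignored; a signalling channel needs several."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        client, dest, port, status = rec
        if status not in COMMON_CODES:
            seen[(client, dest, port)].append(status)
    return {pair: sorted(set(codes)) for pair, codes in seen.items()
            if len(codes) >= min_hits and len(set(codes)) >= min_distinct}

if __name__ == "__main__":
    for (client, dest, port), codes in find_status_channels(SAMPLE_LOG).items():
        print(f"{client} -> {dest}:{port} uncommon status codes: {codes}")
```

When the C2 traffic runs over HTTPS on port 443, status codes are visible to this kind of check only where the proxy inspects TLS; on the HTTP/port 80 fallback they appear in ordinary proxy or flow logs.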