VERY IMPORTANT

A seemingly harmless desktop application named calendaromatic.exe was discovered to be a sophisticated malware utilizing NeutralinoJS, Unicode homoglyphs, and hidden payloads. The malware, distributed through an aggressive ad campaign, exploited NeutralinoJS's native APIs to interact directly with the host operating system. The key to its operation was a function named clean() that scanned for Unicode homoglyphs in holiday JSON data, using them to encode hidden instructions. This technique allowed the malware to receive and execute arbitrary code smuggled into holiday names using lookalike characters. The investigation was accelerated by AI, which helped parse and annotate the minified JavaScript code.