Blog | G5 Cyber Security

Glupteba Malware Uses Bitcoin Blockchain to Update C2 Domains

A new variant of the Glupteba malware dropper is using the Bitcoin blockchain to fetch command and control (C2) server domains from Bitcoin transactions that carry data in OP_RETURN script outputs. The new variant parses the transactions associated with a hardcoded Bitcoin address and retrieves C2 server addresses from them using a discoverDomain function, which runs on a schedule or when triggered by the attackers. The info stealer component added to this new variant makes it possible to collect browser profiles, cookies, and account names, and to extract saved passwords from the Google Chrome, Opera, and Yandex web browsers.

Source: https://www.bleepingcomputer.com/news/security/glupteba-malware-uses-bitcoin-blockchain-to-update-c2-domains/
