Attacks as part of the campaign, which commenced in late August, involved the Amadey malware spreading a credential-flushing AutoIT script, which would launch a URL for replacing Google account passwords in kiosk mode and establish parameters that would prevent user escape via the F11 and Escape keys, an analysis from OALABS revealed.