execveat

execveat@infosec.pub

They’re not even that stealthy. The code is bullshit, gitignore folder is super suspicious and malware is just a binary within the zip file. Clearly meant for script kiddies.


I played around with WebSockets and wrote a new tool: https://github.com/doyensec/wsrepl

It’s an interactive REPL interface like websocat, but it’s meant specifically for pentesting, not debugging, and it’s easily extensible in Python (while still retaining the REPL interface). In future releases I’d like to expand the extensibility by adding declarative-style configuration (the ultimate feature would be something like what Burp’s Autorize plugin does, but for websockets).
