Having been in this field myself at one time, this is fairly common (self-infection when testing) and why you would never develop or test on an internet-facing machine. It's also why you ensure your command and control and all comms are encrypted, keys rotated, expirations, etc.
Most people developing advanced malware don't want someone else sniffing around, finding their drops, using their tools, or worse, discovering what's been exfiled and why the target was specifically selected.
Alternatively, they might have guessed the password and then uploaded the file from the web GUI.
I wouldn’t be surprised if the log file can have additional entries spoofed with new lines also ;)
At the very least something has to be providing that HTTP_CLIENT_IP which is given the highest priority. It would be odd to prioritize that over HTTP_X_FORWARDED_FOR if you weren't adding special cases for different upstream proxies.
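An added example, not part of any comment in this thread and not code from the panel being discussed: a defensive sketch of the two points raised above, namely that `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` are client-supplied unless a known proxy sets them, and that logged values can carry newlines. The function names, the `TRUSTED_PROXIES` range, and all addresses are constructed assumptions.

```python
import ipaddress

# Assumption: networks of reverse proxies we operate (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _parse_ip(value):
    """Return a normalised IP string, or None if value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def _is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(environ):
    """Pick the client address from a CGI/WSGI-style environ dict."""
    peer = _parse_ip(environ.get("REMOTE_ADDR", ""))
    if peer is None or not _is_trusted(peer):
        # Direct connection: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are
        # ordinary request headers chosen by the sender, so ignore them.
        return peer
    # Behind our own proxy: walk X-Forwarded-For right to left and return
    # the first hop that is not one of our proxies. HTTP_CLIENT_IP is never
    # consulted because no proxy in this assumed setup sets it.
    hops = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed entry: stop trusting the chain
        if not _is_trusted(ip):
            return ip
    return peer

def log_field(value):
    """Escape backslashes and non-printable characters (CR, LF, ...)
    so that one request can only ever produce one log line."""
    out = []
    for c in str(value):
        if c == "\\" or not c.isprintable():
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(c)
    return "".join(out)
```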
Kind of a buzzword, not really applied all that consistently (sounds scary, if you're selling something it gets attention, if you're explaining why you failed to defend it always helps to make the attacker seem sophisticated)
Also, when defining a custom keyboard layout you have relative freedom in picking the name and language/region it's classified as. So that "ENG\nIN" could be anything.
Source: I have two layouts installed. The default regional keyboard layout so co-workers using my machine don't go insane (shown as "DEU \nDE" [=Language\nRegion]), and for myself a customized variant of the US layout. I can't recall the exact reason why I configured it as it is (maybe to avoid installing the "ENG" language pack?), but that custom US layout shows as plain "DEU" (no second line).
I thought it was a bad idea, back then, and I think most folks were of the same mind. I’m actually shocked that OLE is still a thing.
When your attempt to copy the Equation Group is a little too literal.