ehwrj/SECURITY.md

Security Scope

Ehwrj is a clean-room replacement for the benign War Thunder live map behavior observed in the analyzed sample.

Allowed behavior:

• Connect to 127.0.0.1:8111 only
• Read local War Thunder map endpoints
• Store user settings in %LOCALAPPDATA%\Ehwrj
• Create an optional visible overlay window controlled by the user

Disallowed behavior:

• Clipboard listeners
• Cryptocurrency wallet matching or replacement
• Startup persistence
• Windows Update impersonation
• ZIP, PE, or resource modification
• Hidden external network communication
• Credential, cookie, wallet, browser, or messenger file collection

Issues or pull requests that add disallowed behavior should be rejected.