To start with, a malicious script is injected and run on the target page. This allows the attackers to load a JavaScript file from their C2 server which “stores in the browser’s LocalStorage its generated session-id and the client IP address”.
Read full article on HackRead