The email changes the text and the compressed attachment. Inside, however, there is an exe with the same malware and the stolen data is exfiltrated via Telegram Api to the same C2.
A fake email from an Indian company contains an r.00 attachment, with an exe file inside: the malware. The infostealer doesn’t have a C2, but sends the stolen data by email.