This only affects a shitcoin wallet called Atomic Wallet, but I imagine a similar approach could be used for a bitcoin-only wallet.
On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory. Inside the wallet runtime, the injected code overwrites the recipient address with hardcoded wallets controlled by the threat actor, redirecting Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL) transactions.
This is one reason why you might choose a hardware signer with a screen over one that does not have a screen: it let's you verify addresses independently.
Moral of the story is do bitcoin on a device you only use for bitcoin and always verify addresses with a second device.