there is a malware called Glupteba that has been infecting computers for a couple of years. it exploits vulnerabilities in windows,... to infect and then steals sensitive information. later on it added a Monero miner to its code to also mine this altcoin on user's computers.
there is no bitcoin involved so far.
then there is this:
A router exploiter that attacks MikroTik routers in local network with the CVE-2018-14847 vulnerability. It will schedule a task on the router for command and control (C&C) and upload the stolen administrator credentials to a remote server. A compromised router will be configured as a SOCKS proxy to relay malicious traffic, matching the original purpose of the Glupteba botnet on Windows.
whenever they want to change these C&C servers they create a new bitcoin transaction to an address hardcoded in the malware and put the server address in its new OP_RETURN output.
then the malware uses the bitcoin network to fetch that bitcoin transaction using Electrum servers, reads the OP_RETURN data and decodes it to the server address and some additional info.
there is no "attack on btc blockchain" and has nothing to do with "electrum wallet" and there is no bitcoin being transferred using this malware either.