The malware is what gathered users' hostname and MAC and sent them back to their server outside of Tor. It was delivered via a JavaScript exploit. They could have delivered any payload they wanted.