This did steal 2FA
As they mentioned in the article, this malware got the 2FA code and the C&C server logged in.
These phone app 2FAs are kinda fake anyway. As far as I can tell there is no jitter introduced into the timing and the codes are completely synched to NTP time. Therefore it is not a second factor at all and is just knowledge-based.