MALICIOUS (1) campaign cataloged at 2024-08-11(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2024-08-fireindahole.fun

Clones real package and hoddens an obfuscated code trying to run remote scripts as well as establish backdoor through SSH.

Abuse categories

action-hidden-in-lib-usage

The malicious action is hidden in the code and starts when user interacts with it (e.g. during class initialization or by exfiltrating given credentials).

backdoor

Campaign uses backdoor.

clones_real_package

The package is a clone of a legitimate package or library, but with malicious code added.

dependency-confusion

An attempt to exploit dependency confusion

obfuscation

Code uses obfuscation techniques to hide its true purpose.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• fireindahole.fun

• hxxp://main.fireindahole.fun/script4separator.sh

• hxxp://main.fireindahole.fun/script3separator.sh

• hxxps://grabify.link/IFKU0H

Packages in the campaign

campaign:2024-08-fireindahole.fun

• audio-separator-fork