Skip to content

PROBABLY_PENTEST (1) campaign cataloged at 2024-09-07(2).

  1. Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2024-08-old-cobo-sectest

It appears to be a forgotten pentest checking typosquatting against cobo-custody package, but may also have malicious purposes. During installation, if a machine is Mac, an obfuscated code attempts to download and execute a shell script. Currently, the server does not respond.

Abuse categories

clones_real_package

The package is a clone of a legitimate package or library, but with malicious code added.

crypto-related

Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.

obfuscation

Code uses obfuscation techniques to hide its true purpose.

override_install

The package overrides the install command in setup.py to execute malicious code during installation.

remote_executable

Downloads and executes a remote executable.

typosquatting

The package name is an typosquatting variant of a popular package.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxp://114.132.245.217:40081

Packages in the campaign

campaign:2024-08-old-cobo-sectest