PROBABLY_PENTEST (1) campaign cataloged at 2024-09-07(2).

1. Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2024-08-old-cobo-sectest

It appears to be a forgotten pentest checking typosquatting against cobo-custody package, but may also have malicious purposes. During installation, if a machine is Mac, an obfuscated code attempts to download and execute a shell script. Currently, the server does not respond.

Abuse categories

clons_real_package

The package is a clone of a real package, but with malicious code added.

crypto-related

Campaign uses crypto-related.

obfuscation

Campaign uses obfuscation.

override_install

The package overrides the install command in setup.py to execute malicious code during installation.

remote_executable

Downloads and executes a remote executable.

typosquatting

Campaign uses typosquatting.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxp://114.132.245.217:40081

Packages in the campaign

campaign:2024-08-old-cobo-sectest

• cobo-custdoy
• cobo-custdy
• cobo-python