MALICIOUS (1) campaign cataloged at 2024-09-08(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2024-08-old-coffins-tunnel

So far, it looks like a legit tunneling software, but in tcp.py there is an attempt to send a strange email using gmail. Update: Identified as malicious by socket.dev team

Abuse categories

crypto-related

Campaign uses crypto-related.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism

Packages in the campaign

campaign:2024-08-old-coffins-tunnel

• coffin-codes-2022
• coffin-codes-net
• coffin-codes-net2
• coffin-codes-pro
• coffin-grave
• coffin2022