MALICIOUS (1) campaign cataloged on 2024-10-02 (2).

  1. The campaign has clearly malicious intent, such as infostealers.
  2. This is only the date the catalog entry was created. It may not reflect the date the campaign itself was created.

2024-09-discord-token-lib

The osint packages promise to be an OSINT tool; however, when given a username to search for, the package attempts to exfiltrate Discord tokens from the user.

The original package presents itself as a library for Discord exfiltration, which is suspicious on its own, but in addition, the entry point located in main.py exfiltrates local Discord tokens to a hardcoded webhook.

Abuse categories

action-hidden-in-lib-usage

Campaign uses action-hidden-in-lib-usage.

exfiltration_generic

Campaign uses exfiltration_generic.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxps://discord.com/api/webhooks/1271645951026659339/wWCSAlPG3TuhycH7ex6h9O48nKdFn4G55WUk4-lgay4RQTpCbbt-DYuo9jLIHYEReQKj

Packages in the campaign

campaign:2024-09-discord-token-lib