HIGHLY_SUSPICIOUS (1) campaign cataloged at 2024-12-30(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2024-12-tonki

Package suggest assisting by smart contracts, but the only feature is asking for a secure phrase and sending it to the author. The package itself looks not attractive enough to be malicious alone, but at the moment the full scenario isn't known.

However, creating a few similar packages and the random users name looks enough suspicious to assume the malicious intention.

Abuse categories

exfiltration_crypto

Campaign uses exfiltration_crypto.

webhook:telegram

A Telegram webhook is used to send collected data.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://t.me/pozozal

Packages in the campaign

campaign:2024-12-tonki

• fgh
• toneo
• tonki
• tonvia