HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-01-07(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-01-Sajode

A series of obfuscated packages with a hidden binary code (Python compiled to ARM). Hard to determine, what exactly their purpose is. Importing the package starts the code (L4+) that saves the embedded ZIP and runs it through Python. The main file in the ZIP is also obfuscated attempts to run the compiled ARM-code.

Abuse categories

obfuscation

Code uses obfuscation techniques to hide its true purpose.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• VirusTotal results

Packages in the campaign

campaign:2025-01-Sajode

• newencsajad
• sajadnewenc
• sajadnewninja
• sajadninja-sajad
• sajodecrypto