Skip to content

MALICIOUS (1) campaign cataloged at 2025-02-25(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-02-alicloud-client

This campaign is built from two parts: 1) packages named like time-check-server, snapshot-photo contain an innocent-looking code that sends "date" to a remote server, 2) packages named like alicloud-client are clones of legit aliyun-python-sdk-core package, with a small change in the client.py code, where it imports the time-check-server and calls it, but instead of a date, the credentials to the cloud are exfiltrated. There are also variations with AWS clients

Apparently, the campaign started at least 2 years ago with the snapshot-photo package containing the same functionality as the newer time-check-server (see https://github.com/pypi-data/pypi-mirror-238/blob/code/packages/snapshot-photo/snapshot_photo-0.0.3-py3-none-any.whl/snapshot_photo/date_format.py).

Abuse categories

action-hidden-in-lib-usage

Campaign uses action-hidden-in-lib-usage.

clons_real_package

The package is a clone of a real package, but with malicious code added.

exfiltration_cloud_tokens

Campaign uses exfiltration_cloud_tokens.

through_dependency

The malicious code is intentionally included in a dependency of the package

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxps://api.checktimeserver.org/

  • checktimeserver.org

  • hxxps://api.aliyun-sdk-requests.xyz/

  • aliyun-sdk-requests.xyz

Packages in the campaign

campaign:2025-02-alicloud-client