MALICIOUS (1) campaign cataloged at 2025-03-17(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-03-httpx-client

Importing the module starts downloading and executing first a script, and then a widely identified malware

Packages are used as dependencies in a GitHub project https://github.com/ToolParadiseDrako/Nuker-Tool-Paradise

Abuse categories

malware

Campaign uses malware.

remote_executable

Downloads and executes a remote executable.

remote_script

Downloads and executes a remote malicious script.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• VirusTotal results

• https://tria.ge/250316-s2sj2sxmx7

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://zetolacs-cloud.top/Stb/Retev.php?bl=Uic2YYQdDhtfiKAZnULCW012.txt

• zetolacs-cloud.top

• hxxps://raw.githubusercontent.com/mrunknown12321/1234/refs/heads/main/1234

• # from sandboxes

• # this has a current C2 domain

• hxxps://raw.githubusercontent.com/VinieClara/FN-Manfiestes/main/SdkVersion.txt

• contorosa.space

Packages in the campaign

campaign:2025-03-httpx-client

• asynchttpx
• httpx-client
• xcepthttp