HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-04-07(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-04-blackspammerbd-vx1

The code is designed to exfiltrate files from Android devices to a Telegream channel.

Previous similarly named packages used obfuscation and didn't contain automated triggers nor hardcoded Telegram credentials. In this campaign are also grouped other packages created by the same author, usually containing suspicious content or intended for abusing activity.

Abuse categories

files_exfiltration

Campaign uses files_exfiltration.

obfuscation

Code uses obfuscation techniques to hide its true purpose.

peristence_autorun

Campaign uses peristence_autorun.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• https://github.com/Shawpon2/

Packages in the campaign

campaign:2025-04-blackspammerbd-vx1

• blackspammerbd-termux
• blackspammerbd-vx1
• blackspammerbd-workout
• blackspammerbd-xd
• bsb-2025
• bsb-attack
• bsb-doom