MALICIOUS (1) campaign cataloged at 2025-04-25(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-04-qtpv

Importing the module starts exfiltration of ".session" files, which appear to be used at least by one Telegram library (https://docs.telethon.dev/en/stable/concepts/sessions.html#what-are-sessions) to store credentials

Abuse categories

files_exfiltration

Campaign uses files_exfiltration.

target:telegram

Campaign uses target:telegram.

Packages in the campaign

campaign:2025-04-qtpv

• neov
• pytzv
• qtpv