
MALICIOUS (1) campaign cataloged on 2025-04-20 (2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is only the date the catalog entry was created. It may not reflect when the campaign itself was created.

2025-04-zscaner

The campaign is split into multiple packages that together exfiltrate data from the Telegram Desktop application.

  1. "pyapiepo" is a cover package that provides some useless features BUT also imports "zscaner".
  2. "zscaner", when imported, automatically runs a function that is the entry point to the whole process; it uses "scan" from "reqinstall" to walk through directories. The package also holds the main logic: filtering files, triggering the archiving of directories and exfiltrating them.
  3. "reqinstall" ensures "requests" is installed and provides a directory tree scanning function.
  4. "zmaker" provides functions to build archives from the collected files.
  5. "zsender" provides functions to exfiltrate data, the remote URL, and a function to deobfuscate the configuration in the other packages.

Altogether, they look for the "Telegram Desktop" folder, archive the user data stored there and exfiltrate it to a remote location.
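As an added, defender-side illustration (not code from this catalog, and not the campaign's own code), the script below shows two checks that follow from the description above: a static triage of a package's __init__.py for imports of the listed campaign package names and for bare top-level calls (the "runs automatically when imported" pattern), and a whole-token match of the listed C&C address against proxy log lines. The __init__.py sources and the log lines are constructed stand-ins; only the package names and the IP come from this entry.

```python
import ast
import re

# Package names listed in this catalog entry; everything else below is constructed.
CAMPAIGN_PACKAGES = {"pyapiepo", "zscaner", "reqinstall", "zmaker", "zsender"}
# C&C address listed in the entry ("URLs with payloads" section).
CAMPAIGN_IP = "77.91.76.45"

# Constructed __init__.py sources shaped like the structure the entry describes
# (cover package importing the loader; loader calling a function at import time).
# They are illustrative stand-ins, not the campaign's actual code.
COVER_INIT = """
import json
import zscaner

def pretty(obj):
    return json.dumps(obj, indent=2)
"""

LOADER_INIT = """
from reqinstall import scan

def _start():
    return scan("Telegram Desktop")

_start()
"""

BENIGN_INIT = """
from .core import main

__all__ = ["main"]
"""

# Constructed proxy log lines; only the second touches the listed address.
PROXY_LOG = [
    "2025-04-20T10:01:02Z host1 CONNECT 151.101.1.63:443 pypi.org",
    "2025-04-20T10:01:09Z host1 GET http://77.91.76.45:100/OPEN",
]


def imported_modules(source: str) -> set[str]:
    """Top-level names of absolutely imported modules (relative imports ignored)."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods


def import_time_calls(source: str) -> list[str]:
    """Functions called as bare top-level statements, i.e. executed on `import`."""
    calls = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            func = node.value.func
            if isinstance(func, ast.Name):
                calls.append(func.id)
            elif isinstance(func, ast.Attribute):
                calls.append(func.attr)
    return calls


def triage_init(source: str) -> list[str]:
    """Findings for one __init__.py: known campaign imports and import-time execution."""
    findings = []
    hits = sorted(imported_modules(source) & CAMPAIGN_PACKAGES)
    if hits:
        findings.append(f"imports campaign package(s): {hits}")
    calls = import_time_calls(source)
    if calls:
        findings.append(f"calls at import time: {calls}")
    return findings


def lines_with_ioc(log_lines: list[str], ip: str = CAMPAIGN_IP) -> list[str]:
    """Log lines containing the listed address as a whole token (no partial matches)."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [line for line in log_lines if pattern.search(line)]


if __name__ == "__main__":
    samples = [("pyapiepo", COVER_INIT), ("zscaner", LOADER_INIT), ("benign", BENIGN_INIT)]
    for name, src in samples:
        print(name, triage_init(src) or ["no findings"])
    print("IoC hits:", lines_with_ioc(PROXY_LOG))
```

The import-time check is deliberately narrow: it flags only bare top-level call statements, which is the exact behaviour the entry attributes to "zscaner", so a package that merely defines functions (like the benign sample) produces no finding. The IoC regex refuses partial matches so that an address such as 177.91.76.45 does not trigger on the listed one.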

Abuse categories

exfiltration_generic

The campaign uses exfiltration_generic.

target:telegram

The campaign uses target:telegram.

through_dependency

The malicious code is intentionally included in a dependency of the package.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxp://77.91.76.45:100/OPEN

  • 77.91.76.45

Packages in the campaign

campaign:2025-04-zscaner