HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-07-14(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-07-cas-base

Package has code to install a executables that are identified as suspicious but multiple AVs, however the AV labels have high FP-possibility. Sandboxes are not clear about

Abuse categories

remote_executable

Downloads and executes a remote executable.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• tria.ge report

• VirusTotal results

• VirusTotal results

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Kaylew.zip

Packages in the campaign

campaign:2025-07-cas-base

• cas-base