MALICIOUS (1) campaign cataloged at 2025-07-05(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-07-imad213tools

Encrypted code offering massive sending Instagram followers.

1) besides of using some shady services to achieve the goal, it also exfiltrates saved Instagram credentials to a remote server; 2) the project page offers selling an "exploit" for Instagram servers

Abuse categories

exfiltration_credentials

Campaign uses exfiltration_credentials.

obfuscation

Campaign uses obfuscation.

other

Campaign uses other.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://imad213-py-rsa.ct.ws/imad.txt

• hxxps://imad213-py-rsa.ct.ws/fuck.txt

• imad213-py-rsa.ct.ws

Packages in the campaign

campaign:2025-07-imad213tools

• imad213tools