MALICIOUS (1) campaign cataloged at 2025-07-05(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-07-imad213tools

Encrypted code offering massive sending Instagram followers.

1) besides of using some shady services to achieve the goal, it also exfiltrates saved Instagram credentials to a remote server; 2) the project page offers selling an "exploit" for Instagram servers

Abuse categories

exfiltration_credentials

The package attempts to steal credentials, like passwords or API keys.

obfuscation

Code uses obfuscation techniques to hide its true purpose.

other

Campaign uses other.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://imad213-py-rsa.ct.ws/imad.txt

• hxxps://imad213-py-rsa.ct.ws/fuck.txt

• imad213-py-rsa.ct.ws

Packages in the campaign

campaign:2025-07-imad213tools

• imad213tools