
MALICIOUS (1) campaign cataloged at 2025-08-01(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is only the date on which the catalog entry was created. It may not reflect when the campaign itself started.

2025-07-loquru

It is a clone of the "loguru" package which, on import, loads a second-stage script from loguru[.]guru. That script performs a few checks and then downloads the next stage, which is PyArmor-obfuscated code whose behaviour is unclear.

The way the malicious code has been embedded could be called a "sophisticated" threat. The code sits in _logger.py in two places: the payload at L2242 is a long string consisting only of whitespace characters, which are later transformed into bits and bytes, then compiled and executed via "types.FunctionType" during initialisation of the Core class.
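A defender-side check for the embedding described above, as an added example that is not code from the catalog or from the package: an AST scan that flags long whitespace-only string constants and any call to compile/exec/eval/types.FunctionType. The sample source and the length threshold are constructed for illustration.

```python
import ast

# Constructed threshold: whitespace-only literals at least this long are suspicious.
MIN_WS_LEN = 32

# Callables whose presence next to an opaque literal warrants review.
DYNAMIC_EXEC_NAMES = {"FunctionType", "compile", "exec", "eval"}


def find_whitespace_literals(src, min_len=MIN_WS_LEN):
    """Return sorted (lineno, length) pairs for string constants made only of whitespace."""
    hits = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if len(s) >= min_len and s.strip() == "":
                hits.append((node.lineno, len(s)))
    return sorted(hits)


def find_dynamic_exec(src):
    """Return sorted (lineno, name) pairs for calls that compile or execute code at runtime."""
    hits = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = None
        if isinstance(func, ast.Name):          # compile(...)
            name = func.id
        elif isinstance(func, ast.Attribute):   # types.FunctionType(...)
            name = func.attr
        if name in DYNAMIC_EXEC_NAMES:
            hits.append((node.lineno, name))
    return sorted(hits)


def scan(src):
    """Combine both checks; a file that trips both is worth a manual look."""
    ws = find_whitespace_literals(src)
    dyn = find_dynamic_exec(src)
    return {"whitespace_literals": ws, "dynamic_exec": dyn, "suspicious": bool(ws and dyn)}


# Constructed sample mimicking the described layout (not the real _logger.py):
SAMPLE = (
    "import types\n"
    "_payload = " + repr(" \t" * 40) + "\n"
    "class Core:\n"
    "    def __init__(self):\n"
    "        code = compile('pass', '<hidden>', 'exec')\n"
    "        types.FunctionType(code, globals())()\n"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```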

Abuse categories

clons_real_package

The package is a clone of a real package, but with malicious code added.

obfuscation

Campaign uses obfuscation.

remote_script

Downloads and executes a remote malicious script.

typosquatting

Campaign uses typosquatting.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxps://loguru.guru/version/is_match_revision

  • hxxps://loguru.guru/version/code

  • loguru.guru

Packages in the campaign

campaign:2025-07-loquru