MALICIOUS (1) campaign cataloged at 2025-07-30(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2025-07-maxload¶
Running the module downloads, configure its startup and starts a remote executable. The exe is capable of sending files to a hardcoded Telegram channel, but this behavior seems not to be triggered during analysis
Abuse categories¶
peristence_autorun
Campaign uses peristence_autorun.
remote_executable
Downloads and executes a remote executable.
webhook:telegram
A Telegram webhook is used to send collected data.
References¶
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
hxxps://raw.githubusercontent.com/RootHarpy/RootHarpy/refs/heads/main/T.exe