MALICIOUS (1) campaign cataloged at 2025-08-02(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-07-web3dummycti

If the method from the module is called, it attempts to download a malicious code (identified as msf payload) and save it locally. In the analysed version, the code starting the malicious code was commented out.

Abuse categories

action-hidden-in-lib-usage

Campaign uses action-hidden-in-lib-usage.

remote_script

Downloads and executes a remote malicious script.

revshell

The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://github.com/brojafox/hehe/raw/refs/heads/main/hehe.txt

Packages in the campaign

campaign:2025-07-web3dummycti

• web3dummycti