MALICIOUS (1) campaign cataloged at 2025-09-06 (2).
1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2025-08-xenlib
The package is prepared to exfiltrate sensitive files. Different packages place the malicious code in different locations: it runs when the module is imported, is placed in a native binary, or is in the setup.py script.
Abuse categories
files_exfiltration
Campaign uses files_exfiltration.
IoCs & related URLs
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
- xenx.lol
- hxxp://api.xenx.lol:14880/ssteal
- hxxp://api.xenx.lol:1337/check
- hxxp://apis.xenx.lol:1337/check