HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-11-12(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-11-closelove

Suspicious package allowing manipulating data on an Android devices and with hardcoded exfiltration targets, but it does not activate automatically

Abuse categories

files_exfiltration

Campaign uses files_exfiltration.

target:android

Campaign uses target:android.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxp://172.86.88.118:9847

Packages in the campaign

campaign:2025-11-closelove

• closelove
• loveclose