MALICIOUS (1) campaign cataloged at 2025-12-21(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-12-ai-cypher

The compiled native extension hides the code that during import exfiltrates sensitive Telegram files.

Abuse categories

exfiltration_credentials

The package attempts to steal credentials, like passwords or API keys.

native-extension

Campaign uses native-extension.

target:telegram

Campaign uses target:telegram.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• tria.ge report

Packages in the campaign

campaign:2025-12-ai-cypher

• ai-cypher