HIGHLY_SUSPICIOUS (1) campaign cataloged at 2026-02-20 (2).
- (1) Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
- (2) This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-02-iploop
Package uses obfuscation to hide its actions.
Additionally, the whole service seems extremely shady:
1) they claim to have millions of IPs, yet the domain was registered on 2025-11-12, around three months ago
2) they claim to source IPs through ProxyClaw, which has its first commit on GitHub https://github.com/Iploop/proxyclaw three days ago (2026-02-17), and the domain proxyclaw.ai (linked on iploop.io) has not even been registered
3) many links on the iploop.io website, e.g. to blog posts, do not work
4) the "live request" speed on the iploop.io main page is a random number generated in JavaScript
5) the related GitHub account has multiple cryptic repositories hosting likely malicious executables, like https://github.com/Furhworld/Zi1zlumOvCiI
6) the related LinkedIn profile https://www.linkedin.com/in/mika-furhman-7ba110324/ hosts nothing more than the IPLoop ad
Abuse categories
obfuscation
Code uses obfuscation techniques to hide its true purpose.
References
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
- hxxps://github.com/Furhworld
- hxxps://github.com/Iploop
- hxxps://iploop.io/
- iploop.io