Skip to content

MALICIOUS (1) campaign cataloged at 2026-02-10(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-02-lyroxpy

The package contains an embedded archive with an executable. When importing the module, the embedded archive is run as a module. Code inside extracts the executable and saves it to a temporary file. Further the code keeps an open file handler and removes the original file, effectively making the impression the file no longer exists. Using the file handler the executable (which is either a native Python module or was created from Python code) is run. Further behavior is not known.

Abuse categories

covering-tracks

The package contains code to cover its tracks, e.g. by deleting malicious code after execution.

obfuscation

Code uses obfuscation techniques to hide its true purpose.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

Packages in the campaign

campaign:2026-02-lyroxpy