MALICIOUS (1) campaign cataloged at 2026-02-13(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-02-magichat

The package is prepared to download a hardcoded executable and save it in %LOCALAPPDATA% under a very generic name, clearly aiming to hide its existence. Code is also prepared to alter MarkOfTheWeb, start as admin and run the executable, but in analyzed versions this behavior was not triggered in any existing code path. The downloading will happen e.g. on starting the declared command line.

Remote executables are standalone applications or installators, including ClickOnce installators. However, in the analysis attempts, none of them showed clear malicious behavior, in most cases crashing during the analysis. Captured network traffic shows communication with the remote server and likely expects the URL of the next stage, which was not delivered from the server. Additionally, the code embeds a separate path for execution on non-Windows machines. It attempts to execute a remote script, but in analyzed versions, the domain used is already suspended and not reachable.

In newer packages the remote code is another downloader, which then downloads a PyInstaller-packed executable that just calls back home but has no more functionality.

Abuse categories

other

Campaign uses other.

remote_executable

Downloads and executes a remote executable.

typosquatting

The package name is an typosquatting variant of a popular package.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• tria.ge report

• VirusTotal results

• ANY.RUN report

• tria.ge report

• https://www.getsafety.com/blog-posts/magicwolf

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://www.dropbox.com/scl/fi/8g8j2g6ceuj12loonrxpu/Installer.exe?rlkey=9pi7bsdb31jlgxmntwde4j54h&st=3t69etqf&dl=1

• doc-sendapplication.com

• hxxps://www.dropbox.com/scl/fi/itjqck6r0eivh655ijau9/DocSend.application?rlkey=gmbotpa64r8gqtbwiyo4wlfys&st=k0zrfnxe&dl=1

• hxxp://myghibligenerator.com/curl/bb4b22014136fa4bd8b47449b7d6032780033e7cbfb104c1f7f61214c602987c

• hxxps://updatedappython.com/api/rest.php

• updatedappython.com

• hxxp://45.150.34.209/api/

• hxxp://45.150.34.209/vbs/

• 45.150.34.209

• hxxps://updatedappython.com/Inst.exe

Packages in the campaign

campaign:2026-02-magichat

• clawdest
• clawdist
• magichat
• magicwolf
• polyclawd
• polyutil