MALICIOUS (1) campaign cataloged at 2026-02-13(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-02-magichat

The package is prepared to download a hardcoded executable and save it in %LOCALAPPDATA% under a very generic name, clearly aiming to hide its existence. Code is also prepared to alter MarkOfTheWeb, start as admin and run the executable, but in analyzed versions this behavior was not triggered in any existing code path. The downloading will happen e.g. on starting the declared command line.

Remote executables are standalone applications or installators, including ClickOnce installators. However, in the analysis attempts, none of them showed clear malicious behavior, in most cases crashing during the analysis.

Abuse categories

other

Campaign uses other.

remote_executable

Downloads and executes a remote executable.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• tria.ge report

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://www.dropbox.com/scl/fi/8g8j2g6ceuj12loonrxpu/Installer.exe?rlkey=9pi7bsdb31jlgxmntwde4j54h&st=3t69etqf&dl=1

• doc-sendapplication.com

• hxxps://www.dropbox.com/scl/fi/itjqck6r0eivh655ijau9/DocSend.application?rlkey=gmbotpa64r8gqtbwiyo4wlfys&st=k0zrfnxe&dl=1

Packages in the campaign

campaign:2026-02-magichat

• magichat