Skip to content

MALICIOUS (1) campaign cataloged at 2026-03-08(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-03-aioutil3

This is a malicious clone of legitimate python-utils. The modified code introduces a function that silently exfiltrates given data to a hardcoded location. What is interesting, during the analysis the remote domain did not exist and the malicious code was not called in the package, suggesting preparation for the further attack.

Abuse categories

basic_exfiltration

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

clones_real_package

The package is a clone of a legitimate package or library, but with malicious code added.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxps://aioutil3.tech/api/info/faq/

  • aioutil3.tech

Packages in the campaign

campaign:2026-03-aioutil3