MALICIOUS (1) campaign cataloged at 2026-03-23(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-03-license-utils-kit¶
Malicious clone of a legitimate package. When using it, the code attempts to download and execute remote code. In on of the incarnations, the malicious code was embeded in the strongly obfuscated file, which at least collected data from cryptowallets and password managers and exfiltrated them to a hardcoded remote location.
The downloaded next stage varies depending on the running platform. On Windows, it's extream obfuscated script. On Linux and MacOS they are binaries, named "systemd-resolved" and "com.apple.systemevents" with clear signs of stealing browsers and cryptocurrency data.
Abuse categories¶
action-hidden-in-lib-usage
The malicious action is hidden in the code and starts when user interacts with it (e.g. during class initialization or by exfiltrating given credentials).
clones_real_package
The package is a clone of a legitimate package or library, but with malicious code added.
crypto-related
Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.
exfiltration_credentials
The package attempts to steal credentials, like passwords or API keys.
infostealer
Activity is typical for information stealers, i.e. by exfiltrate various sensitive data from the victim's environment.
obfuscation
Code uses obfuscation techniques to hide its true purpose.
References¶
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
-
66.45.225.94 -
apachelicense.vercel.app