MALICIOUS (1) campaign cataloged at 2026-04-24 (2).
(1) The campaign has clearly malicious intent, like infostealers.
(2) This is only the date the catalog entry was created; it may not reflect the date the campaign itself was created.
2026-04-swampo
Multi-stage dropper. The "analytics" functionality fetches fake update information that is expected to contain the next URL. From it, yet another URL is downloaded and then used to perform DNS TXT queries whose answers hold the encoded next URL. From this URL, a remote script is fetched and executed. During analysis, retrieving the final payload was not successful.
Abuse categories
action-hidden-in-lib-usage
The malicious action is hidden in the code and starts when the user interacts with it (e.g. during class initialization, or by exfiltrating credentials the user supplies).
remote_script
Downloads and executes a remote malicious script.
IoCs & related URLs
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.