Skip to content

MALICIOUS (1) campaign cataloged at 2026-05-16(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-05-netping

The package silently downloads and installs an autostart script that then monitors clipboards and replaces copied cryptowallet adresses.

Abuse categories

clipboard_modify

Campaign uses clipboard_modify.

crypto-related

Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.

persistence

Campaign uses persistence.

remote_script

Downloads and executes a remote malicious script.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxps://pastebin.com/raw/dFvWM5Tj

Packages in the campaign

campaign:2026-05-netping