MALICIOUS (1) campaign cataloged at 2026-06-17(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-06-tobihook

Code contains lightly obfuscated commands executing remote scripts using mshta utility. The code does not contain any different functionality and the target URL is already flagged as potentially dangerous.

Abuse categories

obfuscation

Code uses obfuscation techniques to hide its true purpose.

remote_script

Downloads and executes a remote malicious script.

tool:mshta

Campaign uses tool:mshta.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• https://urlscan.io/result/019ea71c-9937-7139-a2f7-8ede7361bd72/

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://quitlag.com

• quitlag.com

Packages in the campaign

campaign:2026-06-tobihook

• tobihook