MALICIOUS (1) campaign cataloged at 2026-07-17(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-07-govpkg¶
When using the provided functionality, the package silently downloads a malicious executable and ensures its persistence disguised as a system service. The binary connects with telegra[.]ph.
Abuse categories¶
action-hidden-in-lib-usage
The malicious action is hidden in the code and starts when user interacts with it (e.g. during class initialization or by exfiltrating given credentials).
persistence
Campaign uses persistence.
remote_executable
Downloads and executes a remote executable.
References¶
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
hxxps://temp.sh/NBZzm/client