MALICIOUS (1) campaign cataloged at 2026-07-03 (2).
- (1) The campaign has clearly malicious intent, like infostealers.
- (2) This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-07-haproxy-config-client
During installation, the obfuscated code downloads a malicious executable from a remote location. The code is designed to survive the blocking of individual download channels: first, it attempts to download the executable from one of five Cloudflare Workers. If that fails, it falls back to downloading over DNS: it first fetches a TXT record from c.lin.dl.wel1[.]ru. This record returns a number, which is then used to iterate over domains of the form <0...n>.lin.dl.wel1[.]ru and reconstruct the encoded executable from their TXT records. The executable is finally saved under a partially random name, executed, and removed after execution. The Linux executable contacts a few domains, but no more detailed information about its behavior is available.
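The DNS fallback described above leaves a distinctive footprint in resolver logs: one TXT lookup for a "counter" name, followed by a burst of TXT lookups for numerically labelled siblings (0., 1., 2., ...) under the same parent. The following detection heuristic is an added example written for this entry; it is not code from the catalog or from the malicious package. It assumes a simple constructed log format (timestamp, client IP, query type, query name) and uses the c.lin.dl.wel1.ru indicator from this entry as its only known IoC; the thresholds and sample log lines are assumptions, not observed data.

```python
"""Heuristic detection of DNS-TXT payload staging in resolver logs (added example)."""
import re
from collections import defaultdict

# Known indicator taken from this catalog entry; matched exactly.
KNOWN_IOC_DOMAINS = {"c.lin.dl.wel1.ru"}

# Constructed sample log lines (assumed format: <timestamp> <client> <qtype> <qname>).
# The 10.0.0.5 client mimics the chunked-TXT retrieval pattern; 10.0.0.7 is benign noise.
SAMPLE_LOG = """\
2026-07-03T10:00:01Z 10.0.0.5 A pypi.org
2026-07-03T10:00:02Z 10.0.0.5 TXT c.lin.dl.wel1.ru
2026-07-03T10:00:02Z 10.0.0.5 TXT 0.lin.dl.wel1.ru
2026-07-03T10:00:02Z 10.0.0.5 TXT 1.lin.dl.wel1.ru
2026-07-03T10:00:03Z 10.0.0.5 TXT 2.lin.dl.wel1.ru
2026-07-03T10:00:03Z 10.0.0.5 TXT 3.lin.dl.wel1.ru
2026-07-03T10:00:03Z 10.0.0.5 TXT 4.lin.dl.wel1.ru
2026-07-03T10:00:04Z 10.0.0.5 TXT 5.lin.dl.wel1.ru
2026-07-03T10:00:09Z 10.0.0.7 TXT _dmarc.example.com
2026-07-03T10:00:10Z 10.0.0.7 TXT 1.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Leading label is a bare integer, e.g. "17.lin.dl.wel1.ru" -> ("17", "lin.dl.wel1.ru").
NUMERIC_LABEL_RE = re.compile(r"^(\d+)\.(.+)$")


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, qtype, qname = m.groups()
        records.append((ts, client, qtype.upper(), qname.rstrip(".").lower()))
    return records


def find_txt_chunk_sequences(records, min_chunks=4):
    """Flag (client, parent) pairs that queried TXT records for a contiguous
    run of numeric labels 0..n-1 under one parent; such runs are how a payload
    split across TXT records is reassembled."""
    seen = defaultdict(set)
    for _ts, client, qtype, qname in records:
        if qtype != "TXT":
            continue
        m = NUMERIC_LABEL_RE.match(qname)
        if not m:
            continue
        seen[(client, m.group(2))].add(int(m.group(1)))
    alerts = []
    for (client, parent), indices in seen.items():
        # Distinct indices starting at 0 with max == len-1 means a gap-free 0..n-1 run.
        contiguous = min(indices) == 0 and max(indices) == len(indices) - 1
        if len(indices) >= min_chunks and contiguous:
            alerts.append({"client": client, "parent": parent, "chunks": len(indices)})
    return sorted(alerts, key=lambda a: (a["client"], a["parent"]))


def find_known_iocs(records):
    """Exact-match hits against the known IoC list, as (client, qname) pairs."""
    return sorted({(c, q) for _ts, c, _qt, q in records if q in KNOWN_IOC_DOMAINS})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_known_iocs(recs):
        print("IoC hit:", hit)
    for alert in find_txt_chunk_sequences(recs):
        print("chunked TXT retrieval:", alert)
```

The contiguity check is what keeps ordinary TXT traffic (SPF, DMARC, ACME challenges) out of the alert list: those names rarely form a gap-free numeric run under one parent from a single client. Tune `min_chunks` to the resolver's normal traffic, and treat a chunk-sequence alert that coincides with a package installation on the same host as high priority.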
Abuse categories
covering-tracks
The package contains code to cover its tracks, e.g. by deleting malicious code after execution.
dependency-confusion
An attempt to exploit dependency confusion.
malware
Package contains or installs known malware.
obfuscation
Code uses obfuscation techniques to hide its true purpose.
other
Campaign uses other techniques not covered by the listed categories.
override_install
The package overrides the install command in setup.py to execute malicious code during installation.
remote_executable
Downloads and executes a remote executable.
targetted-attack
Campaign is a targeted attack.
References
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
- package-proxy.cf5oobworker.workers.dev
- package-proxy.cf8oobworker.workers.dev
- package-proxy.cf12oobworker.workers.dev
- package-proxy.cf17-ddb.workers.dev
- package-proxy.cf25-6eb.workers.dev
- hxxps://package-proxy.cf5oobworker.workers.dev/pkg/package
- hxxps://package-proxy.cf8oobworker.workers.dev/pkg/package
- hxxps://package-proxy.cf12oobworker.workers.dev/pkg/package
- hxxps://package-proxy.cf17-ddb.workers.dev/pkg/package
- hxxps://package-proxy.cf25-6eb.workers.dev/pkg/package
- c.lin.dl.wel1.ru