MALICIOUS (1) campaign cataloged at 2026-07-15(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-07-northstart-sdk¶
The package contains encrypted and obfuscated code that starts a custom reverse shell/command execution during module import.
Abuse categories¶
obfuscation
Code uses obfuscation techniques to hide its true purpose.
revshell
The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
targetted-attack
Campaign uses targetted-attack.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
-
hxxps://cdn.nlark.com/yuque/0/2026/png/12727464/1778740736364-99396a4c-917b-45a7-badd-0370f3adb537.png -
hxxps://cdn.nlark.com/yuque/0/2026/png/12727464/ -
120.26.37.185:4443 -
120.26.37.185