MALICIOUS (1) campaign cataloged at 2026-07-12(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-07-py-base58¶
The package embeds an executable stealing cryptocurrency wallets data. During import, code saves the executable under a name suggesting system utility and configures cron to run it periodically. The exfiltrated data is encrypted using embedded RSA code before uploading to file-sharing services or IPFS.
Abuse categories¶
crypto-related
Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.
exfiltration_crypto
The package attempts to steal sensitive cryptocurrency-related data, like wallet keys.
persistence
Campaign uses persistence.
References¶
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.