MALICIOUS (1) campaign cataloged at 2026-07-09(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-07-qlinforge¶
During installation, the package downloads and executes suspicious executables as well as establishes persistence using PTH files.
Abuse categories¶
abuses-pth
The package uses .pth files, sitecustomize or usercustomize modules to execute malicious code during Python startup, even without importing the package code manually.
override_install
The package overrides the install command in setup.py to execute malicious code during installation.
persistence
Campaign uses persistence.
remote_executable
Downloads and executes a remote executable.
References¶
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
-
hxxp://115.190.124.243:9090/payload_windows_amd64.exe -
hxxp://115.190.124.243:9090/payload_linux_amd64 -
hxxps://115.190.124.243:8443