MALICIOUS (1) campaign cataloged at 2026-07-14(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-07-tennacity¶
The typosquatted package installs a Mythic/Poseidon C2 framework beacon and ensures persistence. After installation, the beacon communicates with C2 on wegoexchange[.]site for further commands.
Abuse categories¶
malware
Package contains or installs known malware.
persistence
Campaign uses persistence.
remote_executable
Downloads and executes a remote executable.
sandbox-detection
The package contains code to detect if it is running in a sandbox environment.
typosquatting
The package name is an typosquatting variant of a popular package.
References¶
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
-
wegoexchange.site -
easyswapnow.pro -
hxxps://easyswapnow.pro/downloads/lix_amd.bin -
hxxps://easyswapnow.pro/downloads/lix_arm.bin -
hxxps://easyswapnow.pro/downloads/mac_amd.bin -
hxxps://easyswapnow.pro/downloads/mac_arm.bin -
hxxps://drive.google.com/uc?export=download&id=1d4zF8lnDaYCgzRrEx3WCyLTFZXVD2QBF&confirm=t -
hxxp://wegoexchange.site/data